
I need some help getting NTP set up correctly on our Windows domain.

We have 2 physical servers:

Physical Server 1: Domain Controller (DC1)

Physical Server 2 (Hyper-V Host): Data1 (also a Domain Controller), Exchange1

I have connected to each server and run the w32tm /query /source command and below is the output. The reason for doing this is that some servers are the correct time (according to Google), some servers are behind by around 40 seconds, and some computers are behind by around 40 seconds.

Here are the findings:

Physical Server 1 (DC1): Local CMOS clock

Physical Server 2 (Hyper-V Host): Data1.corp.local

Data1 VM: VM IC Time Synchronisation Provider

Exchange1 VM: VM IC Time Synchronisation Provider

So the physical server DC1 is using Local CMOS clock, the 2 virtual machines are using VM IC Time Synchronisation Provider, but the Hyper-V host is using a virtual machine.

I'm guessing this isn't correct. What is the best course of action here to solve the time differences?

Update

Thanks for the answers. So I ran

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

on the Domain Controller holding that role according to

dsquery server -hasfsmo pdc.

How do I now tell the other physical server (and thus virtual machines) and computers to use that server? I checked the other servers and a computer and the time is still wrong.

SMW
    Everything in the domain should use the domain controller holding the PDC emulator role as their time source. – Tim Brigham Mar 17 '15 at 18:37
  • @TimBrigham So set the Hyper-V host server and all Hyper-V virtual servers all to use the other physical server? – SMW Mar 17 '15 at 18:38
  • No, the DC holding the PDC emulator FSMO role should be synced up to a reliable time source. All other computers on the domain should sync up to the DC holding the PDC emulator FSMO role. On another note, you generally want to disable host/guest clock synchronization for this reason. – HopelessN00b Mar 17 '15 at 18:44
    A Hyper-V host that is also a DC? That's a paddlin' – Ryan Ries Mar 17 '15 at 18:47
  • Thanks. I've set up the server holding the PDC role, but I updated the question. Can you check it out? – SMW Mar 17 '15 at 19:47

1 Answer


By default, Member Servers and Clients should use NTDS as their time source. As mentioned above, this is provided by a thread of the PDC Emulator's AD-DS role. The PDC Emulator should sync to at least two - preferably three - reliable time sources (RTSs). I say two, as it's possible for the PDC Emulator to drop its own "reliable time source" flag if it somehow drifts away from a single source. NTP relies on comparing time sources to decide what's good and what's not. I've seen this happen when a single Internet-based clock went offline in a small POC lab environment.

Consider using Group Policy to enforce your time configuration. Also agree with not using the time provider with Hyper-V, or VMware Tools in VMware.

Simon Catlin
  • The general recommendation for NTP is to use *four* upstreams, so you always have a quorum even if one fails. This is why the NTP pool project provides the hostnames [0123].pool.ntp.org. Two upstream time servers is actually worse than one or zero; that is the reason four servers are recommended (so that the two-server case becomes very unlikely). – rmalayter Mar 17 '15 at 22:40
  • I've set up 4 but I'm still stuck (see update). – SMW Mar 18 '15 at 09:44
  • Do you use Group Policy at all? If so, check/modify your Default Computer Policy. Can't remember the exact path, but it's under Computer Configuration ... Administrative Templates ... ... Windows Time. Here, you can enable the settings, and enforce "NTDS5" time. – Simon Catlin Mar 18 '15 at 20:15
  • @SMW On each of the computers that needs its clock updated, you probably need to run w32tm to force a resync. "w32tm /resync /rediscover /nowait" should work, but check the flags for the version on your machines. "w32tm /?" will explain the options. – John Hubert Mar 20 '15 at 23:08
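One way to apply the answer's advice (PDC emulator on external peers, everyone else on the domain hierarchy, Hyper-V guest time sync off) together with the resync step from the comments, as an added PowerShell example that is not from the question, the answer or the commenters. It assumes PowerShell Remoting is enabled, the account is a domain admin, the ActiveDirectory and Hyper-V modules are installed, and the Hyper-V host name is a placeholder.

```powershell
# Added example (not from the thread). Placeholder host name: replace with the
# real Hyper-V host. Data1/Exchange1 are the VM names from the question.
$HyperVHost  = 'HYPERV-HOST-PLACEHOLDER'
$GuestVMs    = @('Data1', 'Exchange1')
$PdcEmulator = (Get-ADDomain).PDCEmulator           # ActiveDirectory module (RSAT)
$Members     = $GuestVMs + $HyperVHost              # every domain member that is not the PDCe

function Get-TimeSourceReport {
    # Reports what each machine's W32Time says it syncs from, plus the configured Type
    # (NT5DS = domain hierarchy, NTP = manual peer list). "Local CMOS Clock" or
    # "VM IC Time Synchronization Provider" on a domain member means the hierarchy
    # is not in use, which is exactly the symptom described in the question.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ScriptBlock {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Source   = (w32tm /query /source) -join ''
                Type     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
            }
        }
    }
}

# 1. Audit before changing anything.
Get-TimeSourceReport -ComputerName (@($PdcEmulator) + $Members) | Format-Table -AutoSize

# 2. Stop the guests from taking time from the host's clock (the answer's
#    "don't use the Hyper-V time provider"); the guests then follow the domain.
Invoke-Command -ComputerName $HyperVHost -ScriptBlock {
    foreach ($vm in $using:GuestVMs) {
        Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
    }
}

# 3. Point every non-PDCe member at the domain hierarchy and force a resync
#    (the "w32tm /resync /rediscover" step from the comments).
foreach ($c in $Members) {
    Invoke-Command -ComputerName $c -ScriptBlock {
        w32tm /config /syncfromflags:domhier /update
        Restart-Service -Name w32time
        w32tm /resync /rediscover
    }
}

# 4. Audit again: members should now report a DC as Source and Type = NT5DS,
#    while the PDC emulator still reports one of its external NTP peers.
Get-TimeSourceReport -ComputerName (@($PdcEmulator) + $Members) | Format-Table -AutoSize
```

The PDC emulator itself is left alone here because the question already configured it with the manual peer list; if the audit shows its Type is not NTP, that step needs repeating before the members will get good time.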