1

I have 2 clustered Windows Server 2008 R2 servers under the same domain controller.

However, as weird as it might be, both of them have a different time (by seconds); when I have to reboot them for maintenance I have to manually adjust the time on both servers. When looking at the NTP server by using net time /querysntp, both clients point to the same time server.

What would be your suggestions/tips in order to get the time properly synced on the servers? They're critical for operation and heavily time-based for the applications they use.

ErikE
eDk
  • I had the same issue once and failed to keep time in sync with the AD. But then I came up with a script (PowerShell), put it in Task Scheduler and execute it every 5 minutes or so. The script will monitor the current time as well as AD time and once it finds any difference, it will automatically change the time. – serverstackqns Aug 13 '15 at 05:38
  • Are there any events in the event log? Perhaps the time server is not functioning correctly. – john Aug 13 '15 at 06:01
  • Also, are these virtual machines? – john Aug 13 '15 at 06:01
  • What's the time discrepancy between the two? Are they both configured to sync with the domain hierarchy? They should be if they're domain members but have you verified that? – joeqwerty Aug 13 '15 at 06:27
  • If they are virtual machines, the hypervisor may have time synchronization enabled, which syncs the VM time to the host time and this may be incorrect. – Josh Vazquez Aug 13 '15 at 08:20
  • Thank you all for your answers! Those are not virtual servers, they both point to the same NTP server and they are under the same domain controller! The discrepancy is about 5 secs. – eDk Aug 14 '15 at 04:59

2 Answers

0

The goals of Microsoft when creating their time implementation do not include accuracy at the level of seconds. The implementation explicitly does not support time sensitive applications, even if configured correctly:

We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:

  • Make the Kerberos version 5 authentication protocol work.
  • Provide loose sync time for client computers.

The W32Time service cannot reliably maintain sync time to the range of one to two seconds. Such tolerances are outside the design specification of the W32Time service.

There are alternative implementations with better accuracy. You may wish to take a look at ntp for Windows or ptpd just to indicate two possibilities.

You do not write if the system is virtualized or physical. If virtualized the keeping of time requires additional considerations, as seen here and here for example.

ErikE
  • Thank you for your answer, it helped to clarify things, also they are not virtual servers :( – eDk Aug 14 '15 at 05:01
0

edit - for Windows 10 or Server 2016 devices there is now a definitive, native solution available - see this answer

Depending on HOW time-critical your applications are, one option could be to configure NT5DS rather than NTP, if these two domain member servers are not currently using NT5DS.

Considering your issues are on the order of seconds, this may not help. But before you head out to install another solution, it may be worth investigating. If it's still too slow, see ErikE's answer.

We were having issues with our Domain Controllers at two sites being nearly 3 minutes out of sync. Kerberos was still functional, but some ancillary applications using AD authentication were not. The issue was that two DC's were set to NTP (pulling from the SAME time source) and the rest were set to NT5DS. Setting one DC to NT5DS (leaving one authoritative domain time source) resolved this issue.

On restarting their time services, all remaining DC's and member servers fell in line to the minute (didn't check to the seconds, since we didn't need it) with the single DC now acting as the domain time source (& pulling via NTP from a higher stratum source).

This allows the (tenuous) inference that NT5DS may do a better job keeping times between servers in the same domain consistent than NTP does.

To configure a domain member server with NT5DS:

w32tm /config /syncfromflags:domhier /update

Then restart the time service:

net stop w32time && net start w32time
Bruno
  • I appreciate your time to respond this answer! I wasn't aware of the NT5DS solution, though the issue is by seconds, probably wouldn't consider installing it. Do you have any idea/script that would *Fix* the time properly? Cheers – eDk Aug 14 '15 at 05:04
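
A read-only check for the situation in this thread, as an added example that is not from any of the posters: it parses `w32tm /stripchart ... /dataonly` output captured on each node and reports each node's offset from the domain controller and the node-to-node skew. Host names, the 1-second application tolerance and the sample output are constructed; 300 seconds is the Kerberos default maximum clock skew.

```powershell
# Added example. Host names, thresholds and the sample output are constructed.
$AppToleranceSec = 1.0   # assumed tolerance of the time-sensitive application
$KerberosSkewSec = 300   # Kerberos default maximum clock skew (5 minutes)

function Get-MeanOffset {
    param([string[]]$Lines)
    # Data lines look like "05:38:02, -04.9876543s"; failed samples
    # ("05:38:02, error: 0x800705B4") and header lines do not match.
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $values = @(foreach ($line in $Lines) {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], $culture)
        }
    })
    if ($values.Count -eq 0) { return $null }
    ($values | Measure-Object -Average).Average
}

function Get-OffsetStatus {
    param($OffsetSec)
    if ($OffsetSec -eq $null) { return 'NO_DATA' }
    $abs = [math]::Abs($OffsetSec)
    if ($abs -ge $KerberosSkewSec) { return 'KERBEROS_RISK' }
    if ($abs -gt $AppToleranceSec) { return 'APP_DRIFT' }
    'OK'
}

# Constructed captures, one per cluster node. On a live node collect with:
#   w32tm /stripchart /computer:<domain-controller> /samples:3 /dataonly
$captures = @{
    'NODE-A' = @('Tracking dc01.example.test [192.0.2.10:123].',
                 '05:38:00, +00.0123456s', '05:38:02, +00.0119871s')
    'NODE-B' = @('Tracking dc01.example.test [192.0.2.10:123].',
                 '05:38:00, -04.9876543s', '05:38:02, error: 0x800705B4',
                 '05:38:04, -04.9901200s')
}

$offsets = @{}
foreach ($node in $captures.Keys) {
    $offsets[$node] = Get-MeanOffset -Lines $captures[$node]
    '{0}: offset {1:N3}s vs DC -> {2}' -f $node, $offsets[$node], (Get-OffsetStatus $offsets[$node])
}
# Both offsets are measured against the same reference, so their
# difference is the node-to-node skew regardless of sign convention.
$skew = [math]::Abs($offsets['NODE-A'] - $offsets['NODE-B'])
'Node-to-node skew: {0:N3}s -> {1}' -f $skew, (Get-OffsetStatus $skew)
```

The script only measures and classifies; it never sets the clock, so it can run from Task Scheduler as a monitor without competing with W32Time.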