set your server to sync to NTP by running these commands.w32tm /config /syncfromflags:MANUAL /manualpeerlist:pool.ntp.org /reliable:yes /update net stop w32time && net start w32time
So I’m in the process of (re)setting up my lab, using a pair of multi-proc servers running Hyper-V to host my VMs. These will be member servers, which would normally get their time from a PDC in their domain. Of course, DCs normally need to get their time from a reliable time source, but as VMs, mine would get their time from the host servers on which they run. I could have changed the DCs of course, but instead opted to make those physical systems more reliable. That’s what this post is all about.
The Windows Time Service (w32time) in Windows 2016 is much more precise than in previous versions of Windows, with millisecond precision to support real-time requirements, as opposed to the five-minute drift that Kerberos in Windows can tolerate by default. You can use the w32tm command to query, and to set, parameters.
To check the w32time settings on a server, run this command.
w32tm /query /status
As you can see, the default settings show that the server, being a member of the domain, is getting its time from the DC. It’s using SNTP, considers the domain controller a stratum 3 server (actually, that’s how the DC advertises itself,) polls every 128 seconds (2^7), considers the latency on the network to be around 4/10,000ths of a second, and is reasonably precise compared to the hardware clock.
But as mentioned above, the DC is actually getting it’s time from the Hyper-V host, so this won’t really be reliable at all.
I need better, especially since that bit about a radio clock is bollocks! Since I want to get this host to sync from NTP, I need to point it to an Internet time service and declare that to be both reliable, and to use it as an update source.
w32tm /config /syncfromflags:MANUAL /manualpeerlist:pool.ntp.org /reliable:yes /update
So here we set it to manually update, using pool.ntp.org, which we are saying is reliable. Pool.ntp.org is maintained as a pool of stratum 4 servers which can provide reliable time, certainly to within the milliseconds accuracy. If you need more, go buy a GPS or atomic clock!
Now we want to restart the w32time service so it reads in the new settings.
net stop w32time && net start w32time
Then we want to wait a moment before it picks up on them. I suggest getting a refill of coffee before you take the next step, which is to again query your w32time configuration.
Here we can see that we’re syncing to 18.104.22.168, which is one of the DNSRR ip.addrs for pool.ntp.org (they will switch amongst hundreds of participating servers) and that we’re syncing every 64 seconds. Our latency this time is about 7/100ths of a second, which makes sense given that server is not on the same LAN as the DC was. The DC will sync its clock to the Hyper-V host, and every other domain member will sync to that.
And in the spirit of the old incarnation of Retrohack, here’s a little video to get your mind in the right frame for working with time.
Feel free to follow me on Twitter if this, or future posts, may be of interest to you!