Last week, I received a complaint from one of the application support teams that the system time is not in sync with the stock exchange clock. It's known that domain members sync their time with domain controllers but I found there was around 0.8 offset! Does it mean that there was something wrong with the time client running on this server?
No, nothing is wrong. Microsoft can only guarantee a time accuracy within couple of seconds, Reference: support.microsoft.com/kb/939322
After some search, I found out that Microsoft w32time service isn't a full implementation of NTP protocol but rather a low quality implementation of SNTP. This should be enough accuracy to keep Kerberos authentication working as it's forgiving enough to allow up to 5 minutes time difference between the client and the TGT server. By the way, Linux as usual doesn't have this limitation as it comes bundled with NTP client with implements NTP in its latest version 4.
After some search for a reliable NTP client for Windows, I found Meinberg (www.meinberg.de/english/sw/ntp.htm) which gave better resulted than w32time. After that, I knew it is an implementation of old version of NTP 4.2.4 but it's advantage is the installer. I knew about Dave Hart during my search and found he releases new update of the client every 2 or 3 weeks. The latest version while writing this post is 4.2.7p169 (http://davehart.net/ntp/win/x86/). This gives nice results but finally I found what I was looking for, a client that keeps time within less than couple of ms difference with the time server. It's not the latest version but its results are almost unbelievable.
The second challenge was to find a reliable time server. I found about the time server stratum. A time server that sync's its time directly with GPS or radio clock has stratum 1 and that stratum value increments by 1 for each node away from that hardware clock. So by tracing my domain controllers, I got two stratum 1 servers in the local network. I configured ntp.conf with these two servers, sat back and watched the impressive charts illustrated above.
During my search, I came across very useful information about Windows different types of HAL libraries and how they influence system time, recommended registry settings and much more. Instead of copying them, please feel free to visit www.ntp.org.
No, nothing is wrong. Microsoft can only guarantee a time accuracy within couple of seconds, Reference: support.microsoft.com/kb/939322
After some search, I found out that Microsoft w32time service isn't a full implementation of NTP protocol but rather a low quality implementation of SNTP. This should be enough accuracy to keep Kerberos authentication working as it's forgiving enough to allow up to 5 minutes time difference between the client and the TGT server. By the way, Linux as usual doesn't have this limitation as it comes bundled with NTP client with implements NTP in its latest version 4.
After some search for a reliable NTP client for Windows, I found Meinberg (www.meinberg.de/english/sw/ntp.htm) which gave better resulted than w32time. After that, I knew it is an implementation of old version of NTP 4.2.4 but it's advantage is the installer. I knew about Dave Hart during my search and found he releases new update of the client every 2 or 3 weeks. The latest version while writing this post is 4.2.7p169 (http://davehart.net/ntp/win/x86/). This gives nice results but finally I found what I was looking for, a client that keeps time within less than couple of ms difference with the time server. It's not the latest version but its results are almost unbelievable.
The offset today is less than 1 ms !!!
The second challenge was to find a reliable time server. I found about the time server stratum. A time server that sync's its time directly with GPS or radio clock has stratum 1 and that stratum value increments by 1 for each node away from that hardware clock. So by tracing my domain controllers, I got two stratum 1 servers in the local network. I configured ntp.conf with these two servers, sat back and watched the impressive charts illustrated above.
During my search, I came across very useful information about Windows different types of HAL libraries and how they influence system time, recommended registry settings and much more. Instead of copying them, please feel free to visit www.ntp.org.
No comments:
Post a Comment