Keeping an eye on the clock with time servers

Understanding the Windows Time Service is crucial for your Active Directory environment to work properly. That’s why I recently updated one of my most widely read articles called Configuring the Windows Time Service to bring it up to date for the latest version of the Windows Server operating system. The Windows Time service (W32Time) service is crucial to the correct functioning of Active Directory as it synchronizes clocks within a forest so applications and services can function properly. Time synchronization ensures the security of Kerberos authentication within an Active Directory environment, and for best operation you should use the Network Time Protocol (NTP) to synchronize your forest’s internal time to either an NTP appliance or one of the reliable time servers available on the Internet. My article goes into some detail concerning how to do this, but for greater understanding I thought it might be worthwhile if I talked with someone who has had to deal with this in a real-life enterprise environment. Andrew Perchaluk is a senior systems administrator at the University of Manitoba in Winnipeg, Canada, and has been working in the information technology industry for almost 20 years. He is a husband, father, and dog lover, and he enjoys sharing his experiences with others in the IT pro community. For more information about Andrew see his LinkedIn profile and you can also follow him on Twitter. In the interview that now follows I’ve asked Andrew about various considerations involving network time servers and how to properly implement them for enterprise Active Directory environments.

Network time servers: Are you doing it right?

MITCH: Andrew, why are time servers important for an enterprise?

ANDREW: Proper time on IT systems is essential and when time is off this can present all sorts of issues from operational failure to data loss and legal liability.

MITCH: I understand that you recently had an issue with time servers in your environment. Can you describe for us what happened?

ANDREW: Sure. Recently I revisited the topic of time servers when one of our two Stratum 1 NTP appliances kicked the bucket. Our appliances were over 10 years old and while the easy solution might have been to just replace these appliances, I asked myself is this absolutely necessary? There were a couple of options: replace the appliances or move to using Internet time pools.

MITCH: What did your time server environment look like at the time the problem occurred?

ANDREW: Basically, we had two Stratum 1 time appliances with GPS antennas. We also had four Stratum 2 virtual servers. We pointed our Stratum 2 servers to the Stratum 1 servers, and we pointed our internal servers and network equipment at the Stratum 2 servers. Here’s a diagram to illustrate the configuration of our time server hierarchy at the time the problem occurred:

MITCH: Fascinating. What did you do to resolve the problem?

ANDREW: Well, we decided to go with four Stratum 2 virtual servers pointing at reliable internet time servers, as this second diagram illustrates:

In implementing this change we had a few different options to choose from. For example, pool.ntp.org has time servers located around the world such as ca.pool.ntp.org in Canada, us.pool.ntp.org in the USA, and so on. Then there are other Internet time servers one can choose like time.google.com, time.nist.gov, tic.nrc.ca, toc.nrc.ca, and so on. And since all our NTP client servers were already pointing at the four internal Stratum 2 servers there was no impact from making this change to our time server hierarchy.

MITCH: So you retired your two Stratum 1 time appliances entirely?

ANDREW: Yes.

MITCH: Is that then the approach that you would recommend for all enterprises to follow for ensuring time consistency in their Active Directory environments?

ANDREW: It depends. Some industries may have much stricter time requirements and Stratum 1 time appliances might still be necessary for these. Examples of such industries might include financial companies, power utilities, or market traders.

MITCH: What would you say would be the main advantages of using the approach you’re now using for your environment?

ANDREW: There are several possible advantages. With the option we finally decided to implement you can achieve an architecture that includes the following features and benefits:

• Availability & Robustness — Having multiple NTP virtual servers with multiple reliable Internet time pools.
• Politeness — Kind consideration for the hosting organization of external time sources, that is, less load for them. Only a few hosts will be requesting time as opposed to thousands of servers from all over the place.
• Performance — Limiting external NTP network traffic to the four hosts results in better overall performance.
• Security — Limiting NTP network traffic externally to a few hardened hosts means better security as well.
• Common time for all machines — All servers will agree on correct time since they’re all synchronizing within the same time server hierarchy.

MITCH: Do you have any useful reference links you can suggest for readers who want to learn more about time servers and the Network Time Protocol?

ANDREW: Sure! You might want to check out the following articles and sites:

Network Time Protocol — This Wikipedia article gives a good overall view of what the Network Time Protocol is all about and how it works.

NTP Pool Project — The pool.ntp.org project is a big virtual cluster of timeservers providing reliable easy to use NTP service that’s currently being used by millions or tens of millions of systems around the world.

Google Public NTP — Google Public NTP is a free, global time service that you can use to synchronize to Google’s fleet of atomic clocks in their datacenters located around the world.

MITCH: Thanks very much Andrew for sharing your expertise with us and giving us some of your valuable time.

ANDREW: You’re welcome!

Photo credit: Pixabay