Time Improvements in Windows Server 2016

By Andrei Ungureanu - Last updated: Sunday, October 9, 2016

After many years, the Windows time service has finally seen some changes, and they are major in terms of time accuracy. A short overview of what is new is in the Channel9 presentation below:

https://aka.ms/WS2016TimeVideo

Given the recent trend of virtualizing almost everything, the need for updates to this service was clear, and perhaps also for more recent recommendations, updated for the latest scenarios. Starting with Windows 2016 and Windows 10 Anniversary Edition, Microsoft boasts that these systems can keep time with an accuracy of 1 ms relative to a stable and accurate source (a Stratum 1 source).

We are talking about 1 ms, which is huge considering the time problems seen so far on Windows systems. With virtualized systems the madness was even greater. Windows servers synchronized their time with the domain controllers only now and then, and if the host they ran on was heavily loaded, the clock went haywire; if you did not monitor the infrastructure very carefully, you ended up with a pile of problems on your hands.

I should mention that the time skew Kerberos accepts by default is 5 minutes, so some admins may not have had major problems. But there are certain sectors (finance in particular) where regulations require system accuracy between 1 and 50 ms.
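A monitoring check for the drift described above, as an added example that is not from the original post: it computes clock offset and round-trip delay from the four timestamps of an SNTP exchange and grades the offset against the 5-minute Kerberos tolerance, the 50 ms regulatory bound and the 1 ms target mentioned here. The function names, grading labels and sample packet are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_SKEW_S = 300.0       # default 5-minute Kerberos tolerance cited in the post
REGULATED_MAX_S = 0.050       # upper end of the 1-50 ms regulatory range cited
TARGET_S = 0.001              # 1 ms accuracy claimed for Windows Server 2016

def to_ntp(unix_s):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_s)
    return struct.pack("!II", whole + NTP_EPOCH_DELTA, int((unix_s - whole) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def parse_reply(packet, t4):
    """Return (stratum, offset, delay) for a server reply received at client time t4."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports an unsynchronized clock")
    t1, t2, t3 = (from_ntp(packet[i:i + 8]) for i in (24, 32, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2   # server clock minus client clock
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing
    return stratum, offset, delay

def classify(offset):
    skew = abs(offset)
    if skew > KERBEROS_SKEW_S:
        return "kerberos-failure"
    if skew > REGULATED_MAX_S:
        return "outside-50ms"
    return "within-50ms" if skew > TARGET_S else "within-1ms"

def build_reply(t1, t2, t3, stratum=1, leap=0):
    """Constructed 48-byte reply (VN=4, mode=4) so the example runs offline."""
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum, 6, 0xEC])
    return header + bytes(12) + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

# Constructed exchange: client 20 ms behind the server, 3 ms each way on the wire.
BASE = 1476000000.0
SAMPLE = build_reply(BASE, BASE + 0.023, BASE + 0.0231)
if __name__ == "__main__":
    stratum, offset, delay = parse_reply(SAMPLE, BASE + 0.0061)
    print(stratum, round(offset, 4), round(delay, 4), classify(offset))
```

Refusing replies with stratum 0 or the leap indicator set to 3 keeps an unsynchronized server from being treated as a reference when grading a client's skew.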

A comparison between the default settings on Windows 2016/10 can be seen in the image below:

[Image: Windows Time]

Another piece of good news is that there is already a guideline on how to improve time sync on Windows 2012R2 and 2008R2:

Mixed OS Environments (Win2012R2 and Win2008R2)

While a pure Windows Server 2016 Domain environment is required for the best accuracy, there are still benefits in a mixed environment. Deploying Windows Server 2016 Hyper-V in a Windows 2012 domain will benefit the guests because of the improvements we mentioned above, but only if the guests are also Windows Server 2016. A Windows Server 2016 PDC will be able to deliver more accurate time because of the improved algorithms it will be a more stable source. As replacing your PDC might not be an option, you can instead add a Windows Server 2016 DC with the GTIMESERV role set which would be an upgrade in accuracy for your domain. A Windows Server 2016 DC can deliver better time to downstream time clients, however, it’s only as good as its source NTP time.

Also as stated above, the clock polling and refresh frequencies have been modified with Windows Server 2016. These can be changed manually to your down-level DCs or applied via group policy. While we haven’t tested these configurations, they should behave well in Win2008R2 and Win2012R2 and deliver some benefits.

Versions before Windows Server 2016 had multiple issues keeping accurate time which resulted in the system time drifting immediately after an adjustment was made. Because of this, obtaining time samples from an accurate NTP source frequently and conditioning the local clock with the data leads to smaller drift in their system clocks in the intra-sampling period, resulting in better time keeping on down-level OS versions. The best observed accuracy was approximately 5 ms when a Windows Server 2012R2 NTP Client, configured with the high-accuracy settings, synchronized its time from an accurate Windows 2016 NTP server.

The text above says that an accuracy of 5 ms can be achieved on 2012 and 2008, which I find extraordinary.

The official documentation at the link below has many more explanations, examples and recommendations for improving time sync on Windows systems.

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-2016-accurate-time
