Windows Server 2016: What’s New in Data Deduplication

Deduplication removes repeated copies of data so that only a single instance is stored. Keeping a single instance improves storage utilization and efficiency in a network with heavy network transfers.

Some may confuse deduplication with data compression, which identifies repeat data within single files and encodes the redundancy.

In simple terms, deduplication is a continuous process that eliminates excess copies of data, thereby decreasing storage demands.

Data deduplication applies to Windows Server (Semi-Annual Channel) and Windows Server 2016.

Data deduplication in Windows Server 2016 is a highly optimized, manageable, and flexible process.

Here are the updated and new data deduplication features in Windows Server 2016.

The Updated Features

Here are two of the updated features.

1. Support for Large Volumes

In earlier versions, data sets larger than 10TB had to be partitioned into smaller volumes.

However, in Windows Server 2016, data deduplication supports volume sizes of up to 64TB.

  • What is the Added Value?

In Windows Server 2012 R2, volumes had to be partitioned into appropriate sizes to ensure that optimization kept up with the rate of data transfer.

The implication here was that data deduplication could only work on volumes with data of 10TB or less. The performance also depended on existing workloads and their write patterns.

  • What is Different?

Windows Server 2012 R2 uses a single thread and a single I/O queue for every volume.

To make sure optimization jobs do not fall behind, which can affect the volume’s overall saving rate, large data sets have to be broken into small volumes.

The volume size depends on the expected partition size; the maximum size is between 6 and 7TB for high volumes and 9 and 10TB for low volumes.

Windows Server 2016 has a new way of working with data deduplication: it runs on more than one thread and uses multiple I/O queues for every volume.

This introduces a new routine that was only possible after dividing data into small chunks.

2. Support for Large Files

In earlier versions, any file approaching the 1TB size was not eligible for deduplication.

However, Windows Server 2016 supports files with a maximum size of 1TB.

  • What is the Added Value?

In Windows Server 2012 R2, you cannot deduplicate large files due to reduced performance in the deduplication process queue.

In Windows Server 2016, deduplication of files of up to 1TB is possible.

Consequently, this enables you to save a large volume of work; for example, deduplicating large backup files.

  • What is Different?

The Windows Server 2016 deduplication process uses new streaming and mapping structures to improve deduplication throughput and access.

In addition, optimization can now resume after a failure instead of restarting the entire process. Deduplication applies to files of up to 1TB.

The New Features

Here are three of the new features.

1. Support for Nano Servers

Nano Server support is a new feature that is available in any Nano Server deployment option in Windows Server 2016.

  • What is the Added Value?

Nano Server is a headless deployment option in Windows Server 2016 that needs a smaller system resource footprint. It enables quick startups and needs fewer updates and restarts than the Windows Server Core deployment option.

2. Simple Backup Support

Windows Server 2012 R2 supports virtualized backup applications, like Microsoft Data Protection Manager, after successful manual configuration.

Windows Server 2016 has some new default backups that allow for seamless data deduplication for Virtual backups.

  • What is the Added Value?

For this to happen in earlier versions of Windows Server, you needed to manually tune deduplication settings, whereas Windows Server 2016 has a simplified process for virtualized backup applications.

In Windows Server 2016, you enable deduplication for a volume in the same way as for General Purpose File Servers.

3. Support for Cluster Operating System Rolling Upgrade

Data deduplication is capable of supporting the new Cluster OS Rolling Upgrade feature in Windows Server 2016.

  • What is the Added Value?

Failover clusters can have a mix of nodes that run the Windows Server 2012 R2 version of deduplication alongside nodes that run the Windows Server 2016 version of deduplication.

This improvement adds full access to the data that is being deduplicated during the rolling upgrade.

Consequently, it allows the gradual rollout of the new version of data deduplication on an existing Windows Server 2012 R2 cluster without experiencing downtimes during the upgrading process.

  • What is Different?

In earlier versions of Windows Server, a failover cluster required all nodes in the cluster to run the same Windows Server version.

However, in Windows Server 2016, rolling upgrades allow clusters to run in mixed mode.

Upgrade and Conversion Options for Windows Server 2016 / 2019

It is always a good idea to start a new Windows Server 2016 / 2019 installation on a clean slate. However, in some instances, you may be working on a site that will force you to upgrade from the current installation to the latest version.

The routines described here apply to the server versions of Windows 2016 and 2019. This article describes moving to Windows Server 2016 / 2019 from different lower server platforms.

The path to the new Operating System (OS) depends on the current system and configurations that you are running.

That being the case, the following terms define activities you are likely to encounter when deploying the 2016 Server.

Installation

The simplest way of installing a new OS to work on your hardware, and get a clean installation, demands that you delete the previous Operating System.

Migration

Migration means moving system settings to the new Windows Server using a virtual machine. The process also varies depending on the roles and system configurations already running.

Cluster OS Rolling Upgrade

This feature is new in Windows Server 2016, and its role is to make sure the Administrator can upgrade the Operating System of all nodes running Windows Server 2012 R2 to Windows Server 2016, without interfering with the Hyper-V or Scale-Out File Server workloads.

The feature also helps in reducing downtime, which may affect Service Level Agreements.

License Conversion

Some operating system releases allow the conversion of one edition to another without much effort.

What you need is a simple command issued alongside a license key, and the license conversion is done.

Upgrade

When you want to use the latest software that comes with the newer versions, then you have to do an upgrade.

In-place upgrades mean using the same hardware for installing the new Operating System. For example, you can upgrade from evaluation to retail version or from a volume license to an ordinary retail edition.

NOTE 1: An upgrade will work well in virtual machines if you do not need specific OEM hardware drivers.

NOTE 2: Following the Windows Server 2016 release, you can only perform an upgrade on a version installed using the Desktop Experience (not a server core option).

NOTE 3: If you use NIC teaming, disable it before you perform an upgrade; and when the upgrade is complete, re-enable it.

Upgrade Retail Versions of Windows Server to Windows Server 2016 / 2019

Note the following general principles:

  • Upgrading from a 32-bit to a 64-bit architecture is not possible. Note that all Windows Server 2016 versions are only available in 64-bit.
  • You cannot upgrade from one language to another.
  • If you are running a domain controller, make sure you can handle the task, or read the following article: Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012.
  • You cannot upgrade from a preview version.
  • You cannot switch from Server Core installation to a Server with a Desktop installation.
  • You cannot upgrade from a previous Windows Server installation to an evaluation copy of Windows Server.

The table below summarizes the Windows operating systems available for upgrade. If you are unable to upgrade your current Windows version, then upgrading to Windows Server 2016 is impossible.

| Current Windows Edition | Possible Upgrade Edition |
| --- | --- |
| Windows Server 2012 Standard | Windows Server 2016 Standard or Datacenter |
| Windows Server 2012 Datacenter | Windows Server 2016 Datacenter |
| Windows Server 2012 R2 Standard | Windows Server 2016 Standard or Datacenter |
| Windows Server 2012 R2 Datacenter | Windows Server 2016 Datacenter |
| Windows Server 2012 R2 Essentials | Windows Server 2016 Essentials |
| Windows Storage Server 2012 Standard | Windows Storage Server 2016 Standard |
| Windows Storage Server 2012 Workgroup | Windows Storage Server 2016 Workgroup |
| Windows Storage Server 2012 R2 Standard | Windows Storage Server 2016 Standard |
| Windows Storage Server 2012 R2 Workgroup | Windows Storage Server 2016 Workgroup |

Per-Server-Role Considerations for Upgrading

It’s important to consider server roles before performing an upgrade.

For example, some server roles are part of the newer Windows versions and may only need additional preparation or actions to get the desired intent.

Converting Current Evaluation Version to Current Retail Version

It is possible to convert the evaluation version of Windows Server 2016 Standard to either the Standard or the Datacenter retail version. You can also convert the evaluation version of Windows Server 2016 Datacenter to the retail version.

Before making any conversion attempts to the retail version, ensure that your server is running an evaluation version; you can confirm this by following these steps:

  • From the administrator’s command prompt, run:
    slmgr.vbs /dlv
  • Evaluation versions include “EVAL” in the output.
  • Open the Control Panel.
  • Then click on System and Security.
  • Click on System.
  • View the activation status found in the activation area of the System page.
  • Click View details, and you will see more information on your Windows status.
  • If your Windows is activated, you will see information showing the remaining time for the evaluation period.

If you are running a retail version, you will see the “Upgrading previous retail versions of Windows Server 2016” message prompting you to upgrade to Windows Server 2016.

In Windows Server 2016 Essentials, the conversion to the retail version is possible if you enter a retail, volume license, or OEM key with the slmgr.vbs command.

In case you are running an evaluation version of Windows Server 2016 Standard or Windows Server 2016 Datacenter, the following conversions can help you:

  • If the server is a domain controller, it cannot change to the retail version. First, install another domain controller on a server that runs a retail version and remove the AD DS from the domain controller that has the evaluation version.
  • Read the license terms
  • From the administrator’s command prompt, enter this command to get the current edition:
    DISM /online /Get-CurrentEdition
  • Note the edition ID, which is an abbreviated form of the edition name, and then run the following command:
    DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula
  • After you supply the edition ID and product key, the server should restart twice.

You can convert the evaluation version of Windows Server 2016 Standard to the retail version of Windows Server 2016 Datacenter using the same command and product key.
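A pre-flight check for the conversion steps above, as an added example that is not part of the original article: it parses the output of the two DISM queries and reports a server as not ready when it is not an evaluation edition or is a domain controller. The function names, the constructed sample output, and the assumptions that DISM prints `Current Edition : <id>` / `Target Edition : <id>` lines and that evaluation edition IDs end in `Eval` are this example's own.

```powershell
# Added example: readiness check before running DISM /Set-Edition.

function Get-DismEditionId {
    param(
        [string[]]$DismOutput,   # lines printed by DISM
        [string]$Label           # 'Current Edition' or 'Target Edition'
    )
    foreach ($line in $DismOutput) {
        # Assumed line format: "<Label> : <EditionId>"
        if ($line -match "^\s*$([regex]::Escape($Label))\s*:\s*(\S+)") { $Matches[1] }
    }
}

function Test-ConversionReadiness {
    param(
        [string[]]$CurrentEditionOutput,  # output of DISM /online /Get-CurrentEdition
        [string[]]$TargetEditionsOutput,  # output of DISM /online /Get-TargetEditions
        [int]$DomainRole                  # Win32_ComputerSystem.DomainRole; 4 and 5 are domain controllers
    )
    $current = Get-DismEditionId -DismOutput $CurrentEditionOutput -Label 'Current Edition' |
        Select-Object -First 1
    $targets = @(Get-DismEditionId -DismOutput $TargetEditionsOutput -Label 'Target Edition')
    $isEval  = $current -like '*Eval'     # assumption: evaluation IDs end in "Eval"
    $isDc    = $DomainRole -ge 4

    $blockers = @()
    if (-not $current)    { $blockers += 'Could not read the current edition from the DISM output.' }
    elseif (-not $isEval) { $blockers += "Edition '$current' is not an evaluation edition." }
    if ($isDc)            { $blockers += 'Server is a domain controller: remove AD DS from it before converting.' }
    if ($targets.Count -eq 0) { $blockers += 'DISM reported no target editions.' }

    [pscustomobject]@{
        CurrentEdition     = $current
        IsEvaluation       = $isEval
        IsDomainController = $isDc
        TargetEditions     = $targets -join ', '
        Ready              = ($blockers.Count -eq 0)
        Blockers           = $blockers -join ' '
    }
}

# Constructed sample output (not captured from a real server).
$sampleCurrent = @(
    'Current edition is:',
    '',
    'Current Edition : ServerStandardEval',
    '',
    'The operation completed successfully.'
)
$sampleTargets = @(
    'Editions that can be upgraded to:',
    '',
    'Target Edition : ServerStandard',
    'Target Edition : ServerDatacenter'
)

# Member server (DomainRole 3) versus the same server acting as a domain controller (5).
Test-ConversionReadiness $sampleCurrent $sampleTargets -DomainRole 3 | Format-List
Test-ConversionReadiness $sampleCurrent $sampleTargets -DomainRole 5 | Format-List

# Live check; run from an elevated prompt on the server to be converted.
if (Get-Command dism.exe -ErrorAction SilentlyContinue) {
    Test-ConversionReadiness `
        -CurrentEditionOutput (dism.exe /online /Get-CurrentEdition) `
        -TargetEditionsOutput (dism.exe /online /Get-TargetEditions) `
        -DomainRole (Get-CimInstance Win32_ComputerSystem).DomainRole |
        Format-List
}
```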

Converting Current Retail Edition to a Different Current Retail Edition

After successful installation of Windows Server 2016, you can run setup to repair the installation using a process called “repair in place” that converts it to a different edition.

In case of Windows Server 2016 Standard, you can convert the system to Windows Server 2016 Datacenter by:

  • From the administrator’s command prompt, use the following command to determine the existing edition:
    DISM /online /Get-CurrentEdition
  • Run this command to get the ID of the edition you want to upgrade to:
    DISM /online /Get-TargetEditions
  • Note the edition ID, which is an abbreviated form of the edition name, and then run this command:
    DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula
  • After you supply the edition ID and product key, the server should restart twice.

Converting Current Retail Version to Current Volume Licensed Version

Once you have Windows Server 2016 running, you can convert it to a retail version, an OEM version, or a volume-licensed version. The edition will not change.

If the starting point was an evaluation version, change it to retail version and then do as follows:

  • From the administrator’s command prompt, run this command:
    slmgr /ipk <key>
  • Replace <key> with the appropriate volume license, OEM or retail key.

Conclusion

Upgrading Windows Server is a complicated process; therefore, Microsoft suggests that you migrate all roles and settings to Windows Server 2016 to avoid costly mistakes.

What’s New in Storage in Windows Server 2019 and 2016

Windows Server 2016 and 2019 have new features, which have made it possible to use storage migration capabilities for storing data.

The migration service helps in keeping inventory when moving from one platform to another.

This article will try to explain what is new in the storage systems of Windows Server 2016, Windows Server 2019, and other semiannual releases.

We will start by highlighting some of the key features added in the two server systems.

Managing Storage with Windows Admin Center

The Windows Admin Center is a new feature that runs on Windows Server 2019 and some of the latest versions of Windows.

It is a central app for managing servers, clusters, and hyper-converged infrastructure, including storage.

The Admin Center does this as part of the new server configurations.

Storage Migration Service

The Storage Migration Service is the latest technology that makes it easy to move servers from old to new server versions.

All the events take place via a graphical interface that displays data on the servers and transfers data and configurations to the new servers; thereafter, it optimally moves old server identities to the new ones, ensuring the settings for apps and users are matched.

Storage Spaces Direct Improvements (Available in Server 2019 only)

Several improvements have been made to Storage Spaces Direct in Server 2019, though they are not available in Windows Server, Semi-Annual channel.

Here are some of the improvements:

1. Deduplication and Compression of ReFS Volume

You will be able to store up to 10X more data on the same storage space using deduplication and compression of the ReFS system.

You only need to turn on this feature, using a single click, on the Windows Admin Center.

The increase in storage sizes, with an option to compress data, amplifies the saving rates.

Furthermore, the multi-threaded post processing feature assists in keeping performance impact low.

However, it supports volumes of up to 64TB, with each file up to 1TB.

2. Native Support for Persistent Memory

Windows Server 2019 comes with native support for persistent memory. This allows you to speed up performance with persistent memory modules, including Intel Optane DC PM and NVDIMM-N.

You can use persistent memory as your cache to accelerate the active working set or use it as an extra space needed to facilitate low latency.

Of course, you can manage persistent memory the same way you can manage any other storage device in Windows Admin Center or PowerShell.

3. Nested Resiliency for Two-Node Hyper-Converged Infrastructure on the Edges

The all-new software resiliency option, inspired by RAID 5 + 1, helps in surviving two hardware failures.

The nested resiliency for the two-node Storage Spaces Direct cluster offers continuous accessible storage for programs and virtual machines, even when one server node fails.

4. Two-Server Cluster Using USB Flash Drive as a Witness

You can use a low-cost USB flash drive plugged into your router to act as a witness between two servers in a cluster.

If the server is down, the USB will know which of the servers has more data.

5. Improved Windows Admin Center

The opportunity to manage and monitor Storage Spaces Direct with the newly built dashboard lets you create, delete, open, and expand volumes, with a few clicks.

You can follow IOPS and IO latency performance, from entire clusters down to individual hard disks and SSDs.

6. Increased Performance Logs Visibility

You can use the built-in history feature to see your server’s resource utilization and performance capabilities.

It has more than 50 counters that automatically collect memory, computation, storage and network data, and store them in the cluster for a full year.

This feature works without the need to install or configure anything.

7. Scale up to 4PB for Every Cluster

The Windows Server 2019 Storage Spaces Direct feature supports up to 4 petabytes (PB) (4,000 terabytes).

This way, you can get to the level of multi-petabyte scale, which makes sense in media servers for backup and archiving purposes.

Other capacity guides are increased as well; for instance, you can create volumes reaching 64, and not 32.

More so, the clusters can be stitched together into a set to make the scaling that fits within one storage namespace.

8. Accelerated Parity is now 2X Faster

You can now create Storage Spaces Direct Volumes that are part mirror and part parity.

For example, you can mix RAID-1 and RAID-5/6 to harness the advantages of both.

In Windows Server 2019, the performance of mirror accelerated parity is twice that of Windows Server 2016, due to optimizations.

9. Drive Latency Outlier Detection

Using proactive monitoring and the built-in outlier detection, which is an inspiration from Microsoft Azure, you can know which drives have abnormal latency.

You can see the failing drives that have been labeled automatically in the PowerShell and Windows Admin Center.

10. Manual Delimiting of Volume Allocations to Increase Fault Tolerance

In Storage Spaces Direct, the Admin can now manually change the limit of volume allocations.

Delimiting is usually done to increase fault tolerance in specific circumstances that consider management complexities.

Storage Replica

The Storage Replica has the following improvements:

1. Introduction of Storage Replica in Windows Server, Standard Edition

It is now possible to use Storage Replica with Windows Server, Standard Edition, as well as the Datacenter editions.

Running Storage Replica on Windows Server, Standard Edition has the following weaknesses:

  • Storage replica can replicate a single volume and not an unlimited volume number
  • Volume varies with some taking up to 2TB, instead of taking an unlimited size

2. Storage Replica Log Performance Improvements

The Storage Replica comes with improvements that enhance the tracking of logs.

To get the increased performance, all members of the replication group must run Windows Server 2019.

3. Test Failover Improvements

You can mount a temporary snapshot of the replicated storage on the destination server for testing or backup purposes.

4. Windows Admin Center Support

Support for the graphical management of replication is made possible via the Server Manager Tool.

This involves server-to-server replication, cluster-to-cluster, and stretch cluster replication.

5. Miscellaneous Improvements

Storage Replica also has the following improvements:

  • Changes to asynchronous stretch cluster behaviors for automatic failover to take place.
  • Multiple bug fixes

SMB

SMB1 and Guest Authentication Removal

Windows Server does not install the SMB1 client and server by default, and the ability to authenticate guests in SMB2 is off by default.

SMB2/SMB3 Security and Compatibility

More options for security and application compatibility were added, including disabling oplocks in SMB2+ for old applications.

This also covers requiring signing or encryption on every connection from the client.
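One way to check a host against the SMB defaults described above, as an added example that is not part of the original article. The expected values are this example's baseline (the stated defaults plus mandatory signing, which is an assumption), and the "legacy" objects are constructed sample input.

```powershell
# Added example: audit SMB1, guest logon and signing settings.

function Test-SmbBaseline {
    param(
        [Parameter(Mandatory)] $Server,   # object shaped like Get-SmbServerConfiguration output
        [Parameter(Mandatory)] $Client    # object shaped like Get-SmbClientConfiguration output
    )
    $checks = @(
        @{ Setting = 'Server.EnableSMB1Protocol';        Actual = $Server.EnableSMB1Protocol;        Expected = $false }
        @{ Setting = 'Client.EnableInsecureGuestLogons'; Actual = $Client.EnableInsecureGuestLogons; Expected = $false }
        @{ Setting = 'Server.RequireSecuritySignature';  Actual = $Server.RequireSecuritySignature;  Expected = $true }
        @{ Setting = 'Client.RequireSecuritySignature';  Actual = $Client.RequireSecuritySignature;  Expected = $true }
    )
    foreach ($check in $checks) {
        [pscustomobject]@{
            Setting   = $check.Setting
            Actual    = $check.Actual
            Expected  = $check.Expected
            # A missing property ($null) never equals the expected value,
            # so unknown settings are reported as non-compliant.
            Compliant = ($check.Actual -eq $check.Expected)
        }
    }
}

# Constructed sample: a host that still has SMB1 and guest fallback enabled.
$legacyServer = [pscustomobject]@{ EnableSMB1Protocol = $true; RequireSecuritySignature = $false }
$legacyClient = [pscustomobject]@{ EnableInsecureGuestLogons = $true; RequireSecuritySignature = $false }
Test-SmbBaseline -Server $legacyServer -Client $legacyClient | Format-Table -AutoSize

# Live check on the local host (Windows only).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Test-SmbBaseline -Server (Get-SmbServerConfiguration) -Client (Get-SmbClientConfiguration) |
        Format-Table -AutoSize

    # Whether the SMB1 feature is installed at all.
    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue |
        Select-Object FeatureName, State | Format-Table -AutoSize
}
```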

Data Deduplication

Data Deduplication Supports ReFS

You’ll not need to choose between the advantages of a modern file system with ReFS and Data Deduplication.

Anytime you enable Data Deduplication, enabling ReFS is also possible now.

Data Port API for Optimized Ingress/egress to Deduplicated Volumes

As a developer, you’ll now enjoy the advantages of data deduplication and possibilities of storing data in an efficient manner.

File Server Resource Manager

Windows Server 2019 can prevent the File Server Resource Manager service from creating a change (USN) journal on storage volumes.

This is to create and conserve more space on every volume; however, it will disable real-time classification.

This is the same effect that takes place in Windows Storage Server, Version 1803.

What’s New in Storage in Windows Server, Version 1709

Server Version 1709 is the first Windows Server release with a Semi-Annual Channel, which is a channel that is fully supported in production for 18 months, with a new version coming in every six months.

Storage Replica

Disaster recovery and protection is an added function of the Storage Replica, which is now expanded to include:

  • Test Failover

You now have an option of mounting the destination storage through a test failover.

You can also mount the snapshots temporarily for both testing and backup purposes.

  • Windows Admin Center Support

There is support for the graphical applications that manage replication. You can access it via the Server Manager Tool.

Storage Replica also has the following improvements:

  • Changes to asynchronous cluster behaviors to enable automatic failover
  • Multiple bug fixes

What’s New in Storage in Windows Server 2016

1. Storage Spaces Direct

The Storage Spaces Direct feature facilitates the availability and scalability of storage using servers with local storage.

This implies that it’s now possible to deploy and manage software that controls storage systems, unlocking the use of new classes of storage devices.

These devices include SATA, SSD, and NVMe disks. Achieving such storage capabilities may not be possible using clustered Storage Spaces with Shared Disks.

What Value Does this Change Add?

Storage Spaces Direct allows service providers and enterprises to use industry standard servers with local storage.

The idea is to build highly available and scalable software-defined storage.

The use of servers with local storage decreases complexity, as it increases scalability and allows the use of storage devices such as SATA solid-state disks. This lowers the cost of flash storage or NVMe solid-state disks.

Storage Spaces Direct removes the need to have a shared SAS fabric, which simplifies deployment and configuration.

This means that the server uses the network as the storage fabric while leveraging the SMB3 and SMB Direct (RDMA) for both high speed and low latency, as well as good use of the processing unit.

Adding more servers to the configuration increases storage capacity and input and output performance.

The Windows Server 2016 Storage Spaces Direct works differently, as explained below.

2. Storage Replica

Storage Replica enables block-level stretching of failover clusters between sites, as well as synchronous replication between servers.

Synchronous replication enables mirroring of data in physical sites with consistent volumes to ensure no data is lost at the file system level.

Asynchronous replication may increase the possibility of data loss.

What Value Does this Change Add?

It provides a single vendor disaster recovery solution for both planned and unplanned power loss situations.

You can use SMB3 transport and gain from proven performance, scalability, and reliability.

It will help you to:

  • Stretch Windows failover clusters further
  • Use Microsoft end-to-end software for storage and clustering, such as Hyper-V, Scale-Out File Server, Storage Replica, Storage Spaces, ReFS/NTFS, and deduplication

It helps in reducing complexity costs by:

  • Being hardware agnostic with no specific requirements for storage configurations like DAS or SAN
  • Allowing the use of commodity storage and network technologies
  • Featuring easy graphical management interface for nodes and clusters through failover cluster manager
  • Including comprehensive and large scale scripting options through the Windows PowerShell
  • Helping in the reduction of downtimes and enhancing large scale productivity
  • Providing supportability and performance metrics and diagnostic capabilities

What Works Differently

The functionality is new in Windows Server 2016.

3. Storage Quality of Service

In Windows Server 2016, you can use the Storage Quality of Service (QoS) feature as a central monitor for end-to-end storage performance and developing management policies using Hyper-V and CSV clusters.

What Value Does this Change Add?

You can change the QoS policies in a CSV and assign one or more virtual disks on Hyper-V machines.

The storage automatically adjusts itself to meet the fluctuating policies and workloads.

This way, each policy can give a minimum reserve or create a maximum to be used when collecting data.

For example, a single virtual hard disk, a tenant, a service or a virtual machine can be used.

You can use Windows PowerShell or WMI to perform the following:

  • Create policies on CSV cluster
  • Assign the policies to virtual hard disks
  • Enumerate policies on the CSV clusters
  • Monitor flow performance and status of the policies

If you have several virtual hard disks sharing the same policy and performance is shared to meet the demands within the policy’s minimum and maximum settings, it means that the policy can manage virtual hard disks and a single or multiple virtual machines that constitute a service owned by a tenant.

What Works Differently

This is a new feature in Windows Server 2016.

Managing minimum reserves and monitoring the flow of all virtual disks over a cluster using a single command and central policy-based management were not possible in previous Server releases.

4. Data Deduplication

| Function | New or Updated | Description |
| --- | --- | --- |
| Support large volumes | Updated | Before Windows Server 2016, you had to specify sizes. Anything above 10TB did not qualify for deduplication. Server 2016 supports deduplication sizes of up to 64TB. |
| Large file support | Updated | Before Windows Server 2016, files with 1TB could not deduplicate. Server 2016 supports deduplication of files up to 1TB. |
| Nano Server Support | New | Deduplication is available and fully supported for Server 2016. |
| Simple Backup Support | New | Windows Server 2012 R2 supported Virtual backups using the Microsoft’s Data Protection Manager. Windows Server 2016 simple backup is possible and is seamless. |
| Cluster OS Rolling Upgrades Support | New | Deduplication supports Cluster OS Rolling Upgrade and is available in Windows Server 2016. |

5. SMB Hardening Improvements for SYSVOL and NETLOGON Connections

Windows 10 and Windows Server 2016 client connections to the Active Directory Domain Services SYSVOL and NETLOGON shares on domain controllers now require SMB signing and authentication via Kerberos.

What Value Does this Change Add?

It reduces the possibility of man-in-the-middle attacks.

What Works Differently?

If SMB signing and mutual authentication are not available, Windows 10 or Windows Server 2016 will not access the domain-based Group Policy and scripts.

It is also good to note that the registry values of the settings are not present by default; the hardening rules will apply until a new policy change comes in through Group Policy or any relevant registry values.
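A check for overrides that weaken this hardening, as an added example that is not part of the original article. It assumes the overrides live as hardened UNC path values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths` in the form `RequireMutualAuthentication=1, RequireIntegrity=1`; the function names and the sample entries are constructed for illustration.

```powershell
# Added example: find SYSVOL/NETLOGON overrides that relax SMB hardening.

function ConvertFrom-HardenedPathValue {
    param([string]$Value)   # e.g. 'RequireMutualAuthentication=1, RequireIntegrity=1'
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = ("$setting".Trim() -eq '1') }
    }
    $flags
}

function Test-HardenedPath {
    param([hashtable]$Entries)   # value name (UNC pattern) -> value data
    $required = 'RequireMutualAuthentication', 'RequireIntegrity'
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        # Matches '\\*\SYSVOL' as well as server-specific paths such as '\\dc01\SYSVOL'.
        $pattern = '\\*\' + $share
        $paths = @($Entries.Keys | Where-Object { $_ -like $pattern })
        if ($paths.Count -eq 0) {
            # No value present: per the text above, the built-in hardening applies.
            [pscustomobject]@{ Share = $share; Path = '(none)'; Status = 'No override present' }
            continue
        }
        foreach ($path in $paths) {
            $flags   = ConvertFrom-HardenedPathValue -Value $Entries[$path]
            # Conservative: anything not explicitly set to 1 is reported.
            $missing = @($required | Where-Object { -not $flags[$_] })
            $status  = if ($missing.Count) {
                'Override does not require: ' + ($missing -join ', ')
            } else {
                'Override keeps hardening'
            }
            [pscustomobject]@{ Share = $share; Path = $path; Status = $status }
        }
    }
}

# Constructed sample: SYSVOL left hardened, NETLOGON relaxed by a policy override.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=0, RequireIntegrity=0'
}
Test-HardenedPath -Entries $sample | Format-Table -AutoSize

# Live check against the local policy key (assumed location, Windows only).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
if (Test-Path $key) {
    $item = Get-Item $key
    $live = @{}
    foreach ($name in $item.GetValueNames()) { $live[$name] = [string]$item.GetValue($name) }
    Test-HardenedPath -Entries $live | Format-Table -AutoSize
}
```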

6. Work Folders Improvements

Improved change notifications are available when the Work Folders server is running Windows Server 2016 and the Work Folders client is running Windows 10.

What Value Does this Change Add?

In Windows Server 2012 R2, when the changes in files are synchronized to the Work Folder, clients will get notified of the impending changes and wait for at least 10 minutes for the update to materialize.

When running Windows Server 2016, the Work Folders will immediately notify the Windows 10 client, and the synchronization changes take effect immediately.

What Works Differently

This is a new feature in Windows Server 2016.

For this feature to work, the client accessing the Work Folders must be running Windows 10.

In case you are using older clients, or if the Work Folder is on Windows Server 2012 R2, the client will poll every 10 minutes for any new changes.

7. ReFS Improvements

The ReFS (Resilient File System) offers support for large scale data storage allocation with varying workloads, reliability, resiliency, and scalability.

What Values Does this Change Add?

ReFS brings in the following improvements:

  • Implementing new storage tiers that help in delivering fast performance and increased capacity
  • Multiplying resiliency on the same virtual disk through mirroring and parity tiers
  • Enhancing responsiveness to drifting working sets
  • Introducing block cloning and improvements to VM operations such as vhdx checkpoint merge operations
  • Helping in the recovery of leaked storage and keeping them from being corrupted

What Works Differently?

These functionalities are new in Windows Server 2016.

Conclusion

With so many features available in Windows Server 2019, this article covered the fully supported features.

At the time of writing this post, some features were partially supported in earlier versions but are getting full support in the latest Server versions.

From this read, you can see that Windows Server 2019 is a good upgrade experience.

How to Set Accurate Time for Windows Server 2016

Accurate Time For Windows Server 2016

It is important for Windows Server 2016 to maintain an accuracy of 1ms in sync with the UTC time. This is because new algorithms and periodic time checks are obtained from a valid UTC server.

The Windows time service is a component that uses a plugin for the client and server for synchronization.

Windows has two built-in client time providers that link with the third party plugins.

One of the providers uses the Network Time Protocol (NTP) or the Microsoft Network Time Protocol (MS-NTP) to manage the synchronizations to the nearest server.

Windows has a habit of picking the best provider if the two are available.

This article will discuss the three main elements that relate to an accurate time system in Windows Server 2016:

  • Measurements
  • Improvements
  • Best practices

Domain Hierarchy

Computers that are members of a domain use the NTP protocol with authentication to ensure the security and authenticity of the time reference.

The domain computers synchronize with the master clock that is controlled by domain hierarchy and the scoring system.

A typical domain has hierarchical stratum layers where each Domain Controller (DC) refers to the parent DC with accurate time.

The hierarchy revolves around the Primary Domain Controller (PDC) or a DC with the root forest, or a DC with a Good Time Server for the Domain (GTIMESERV) flag.

Standalone computers use the time.windows.com service. The name resolution takes place when the Domain Name Service resolves to a time owned by a Microsoft resource.

As with any remotely located time reference, network outages prevent synchronization from taking place. Paths that are not symmetrical in a network reduce time accuracy.

Hyper-V guests have at least two Windows time providers; therefore, it is possible to observe different behaviors with either the domain or the standalone.

NOTE: Stratum is a concept used by both the NTP and the Hyper-V providers. Each has a value indicating the clock's location in the hierarchy. Stratum 1 is for high-level clock, and stratum 0 is for hardware. Stratum 2 servers communicate to stratum 1 servers, stratum 3 to stratum 2, and the cycle continues. Lower stratum numbers indicate clocks that are more accurate, with the possibility of error growing at each higher stratum. The command line tool w32tm (W32time) takes time only from stratum 15 and below.

Factors Critical For Accurate Time

1. Solid Source Clock

The original source of the clock needs to be stable and accurate at all times. This implies that during the installation of the Global Positioning Service (GPS) pointing to stratum 1, you should take #3 into consideration.

Therefore, if the source clock shows stability, then the entire configuration will have a constant time.

Securing the original source time means that a malicious person will not be able to expose the domain to time-based threats.

2. Stable Client Clock

A stable client takes the natural drift of the oscillator to make sure that it is containable. The NTP uses multiple samples to condition the local clocks on standalone to stay on course.

If the time oscillation on the client computers is not stable, there will be fluctuations between adjustments leading to malfunctioning of the clock.

Some machines may require hardware updates for proper functioning.

3. Symmetrical NTP Communication

The NTP connection should be symmetrical at all times because the NTP uses calculation adjustments to set time as per the symmetry levels.

If the NTP request takes longer than the expected time on its return, time accuracy is affected. You may note that the path could change due to changes in topology or routing of packets through different interfaces.

The battery-powered devices may use different strategies, which in some cases require that the device be updating every second.

Such a setting consumes more power and can interfere with power saving modes. Some battery run devices have some power settings that can interfere with the running of other applications and hence interfere with the W32time functions.

Mobile devices are never 100% accurate, especially if you look at the various environmental factors that interfere with the clock accuracy. Therefore, battery-operated devices should not have high time accuracy settings.

Why is Time Important

A typical case in a Windows environment is the operation of the Kerberos that needs at least 5 minutes accuracy between the clients and servers.

Other instances that require time include:

  • Government regulations, for example, the United States of America uses 50ms for FINRA, and the EU uses 1ms ESMA or MiFID II.
  • Cryptography
  • Distributed systems like the databases
  • Block chain framework for bitcoin
  • Distributed logs and threat analysis
  • AD replication
  • The Payment Card Industry (PCI)

The Time Improvements for Windows Server 2016

Windows Time Service and NTP

The algorithm used in Windows Server 2016 has greatly improved the local clock when synchronizing with the UTC. The NTP has four values to calculate the time offset based on timestamps of client requests or responses and server requests and responses.

The modern network environment has too much congestion and related factors that affect the free flow of communication.

Windows Server 2016 uses different algorithms to cancel out the disturbances. Besides, the source used in Windows for time references uses improved Application Programming Interface (API) with the best time resolution, giving an accuracy of 1ms.
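The four-timestamp calculation and the symmetry requirement described above can be worked through in a few lines. This is an added example, not code from the original article or from Windows: it uses the standard NTP offset and delay formulas (RFC 5905) with constructed delays, and the minimum-delay selection shown is the generic NTP clock-filter idea, not a description of the Windows Server 2016 algorithms.

```python
"""NTP on-wire arithmetic: how path asymmetry turns into clock error."""


def exchange(true_offset, fwd_delay, rev_delay, t1=1000.0, server_hold=0.0002):
    """Simulate one request/response. All values are in seconds.

    true_offset is how far the server clock is ahead of the client clock.
    Returns the four timestamps NTP works with:
      t1 client transmit, t2 server receive, t3 server transmit, t4 client receive
    (t1 and t4 are read from the client clock, t2 and t3 from the server clock).
    """
    t2 = t1 + fwd_delay + true_offset      # request arrives, stamped by the server
    t3 = t2 + server_hold                  # server processing time before replying
    t4 = t3 - true_offset + rev_delay      # reply arrives, stamped by the client
    return t1, t2, t3, t4


def offset_and_delay(t1, t2, t3, t4):
    """Standard NTP estimate of clock offset and round-trip delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def measure(true_offset, fwd_delay, rev_delay):
    """Return (estimated offset, round-trip delay, estimation error)."""
    offset, delay = offset_and_delay(*exchange(true_offset, fwd_delay, rev_delay))
    return offset, delay, offset - true_offset


def best_sample(paths, true_offset):
    """Take one sample per (forward, reverse) delay pair and keep the one with
    the smallest round-trip delay. The error can never exceed delay / 2, so the
    lowest-delay sample carries the tightest error bound."""
    samples = [measure(true_offset, fwd, rev) for fwd, rev in paths]
    return min(samples, key=lambda s: s[1])


if __name__ == "__main__":
    TRUE_OFFSET = 0.003  # constructed: server clock is 3 ms ahead of the client
    cases = [
        ("symmetric path, 2 ms each way", 0.002, 0.002),
        ("asymmetric path, 2 ms out / 12 ms back", 0.002, 0.012),
    ]
    for label, fwd, rev in cases:
        est, delay, err = measure(TRUE_OFFSET, fwd, rev)
        print(f"{label}: estimate {est * 1e3:+.3f} ms, "
              f"delay {delay * 1e3:.3f} ms, error {err * 1e3:+.3f} ms")
    # Congestion varies between polls; the lowest-delay poll is the most trustworthy.
    est, delay, err = best_sample([(0.002, 0.012), (0.002, 0.003), (0.009, 0.002)],
                                  TRUE_OFFSET)
    print(f"best of three polls: delay {delay * 1e3:.3f} ms, error {err * 1e3:+.3f} ms")
```

The error on the asymmetric path is exactly half the difference between the forward and return delays, which is why a large or varying round-trip delay shows up as noise in the computed time.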

Hyper-V

Windows 2016 Server made some improvements that include accurate VM start and VM restore. The change gives us an accuracy of 10µs of the host with a root mean square (RMS) of 50µs for a machine carrying a 75% load.

Moreover, the stratum level at the host is sent to guests more transparently. Earlier, hosts would be fixed at stratum 2 regardless of their accuracy; with the changes in Windows Server 2016, the host reports at stratum 1, which gives better timing for the virtual machines.

Domains created in Windows 2016 Server will find time to be more accurate because the time does not default to the host and that is the reason behind manually disabling the Hyper-V time provider settings in Windows joining a Windows 2012R2 and below.

Monitoring

Performance counters for time are now part of Windows Server 2016. They allow for monitoring, troubleshooting, and baselining time accuracy.

The counters include:

a. Computed Time Offset

This feature indicates the absolute time between the system clock and the chosen time source in microseconds. The time updates whenever a new valid sample is available. Clock accuracy is traced using the performance counter that has an interval of 256 seconds or less.

b. Clock Frequency Adjustment

This adjustment indicates the time set by the local W32Time measured in parts per billion. The counter is important when it comes to visualizing actions taken by W32time.

c. NTP Roundtrip Delay

NTP Roundtrip Delay is the time taken during the transmission of a request to the NTP server and when the response is valid.

This counter helps in characterizing the delays experienced by the NTP client. If the roundtrip is large or varies, it can lead to noise, especially when the NTP computes time, thereby affecting time accuracy.

d. NTP Client Source Count

The source count parameter holds the number of clients and unique IP addresses of servers that are responding to client requests. The number may be large or small compared to active peers.

e. NTP Server Incoming Requests

A representation of the number of requests received by the NTP server indicated as request per second.

f. NTP Server Outgoing Responses

A representation of the number of answered requests by the NTP server indicated as responses per second.

The first three show the target scenarios for troubleshooting accuracy issues. The last three cover NTP server scenarios, which help to determine the load and setting a base for the current performance.

Configuration Updates per Environment

The following describes how the default configurations changed between Windows Server 2016 and earlier versions.

The settings for Windows Server 2016 and Windows 10 build 14393 are now taking unique settings.

| Role | Setting | Server 2016 | Windows 10 | Server 2012 and 2008, and Windows 10 |
|---|---|---|---|---|
| Standalone or a Nano Server | Time server | time.windows.com | N/a | time.windows.com |
| | Polling frequency | 64-1024 seconds | N/a | Once a week |
| | Clock update frequency | Once a second | N/a | Once an hour |
| Standalone Client | Time server | N/a | time.windows.com | time.windows.com |
| | Polling frequency | N/a | Once a day | Once a week |
| | Clock update frequency | N/a | Once a day | Once a week |
| Domain Controller | Time server | PDC/GTIMESERV | N/a | PDC/GTIMESERV |
| | Polling frequency | 64 to 1024 seconds | N/a | 1024 to 32768 seconds |
| | Clock update frequency | Once a day | N/a | Once a week |
| Domain Member Server | Time server | DC | N/a | DC |
| | Polling frequency | 64 to 1024 seconds | N/a | 1024 to 32768 seconds |
| | Clock update frequency | Once a second | N/a | Once every 5 minutes |
| Domain Member Client | Time server | N/a | DC | DC |
| | Polling frequency | N/a | 1024 to 32768 seconds | 1024 to 32768 seconds |
| | Clock update frequency | N/a | Once every 5 minutes | Once every 5 minutes |
| Hyper-V Guest | Time server | Chooses the best alternative based on host stratum and time on the server | Chooses the best alternative based on host stratum and time server | Defaults to host |
| | Polling frequency | Based on the role above | Based on the role above | Based on the role above |
| | Clock update frequency | Based on the role above | Based on the role above | Based on the role above |

Impact of Increased Polling and Clock Update Frequency

To get the most accurate time, the defaults for polling frequencies and clock updates will give you the ability to make adjustments more frequently.

The adjustments lead to more UDP and NTP traffic that will in no way affect the broadband links.

Battery devices do not store the time when turned off, and when turned on, it may lead to frequent time adjustments. Increasing the polling frequency will lead to instability, and the device will use more power.

Domain controllers should have less interference after multiple effects of increasing updates from NTP clients and AD domain. NTP does not require many resources compared to other protocols.

You can reach the limits of the domain functionality before getting a warning, indicating increased settings in Windows Server 2016.

The AD does not use secure NTP, which does not synchronize time accurately but will increase the clients two strata away from the PDC.

You can reserve at least 100 NTP requests per second for every core. If you have a domain with 4 CPUs each, the total NTP should be serving 1,600 NTP requests per second.

As you set up the recommendations, ensure you have a large dependency on the processor speeds and loads. Administrators should conduct all baseline tests onsite.

If your DCs are running on sizeable CPU load of more than 40%, the system is likely to generate some noise when NTP is responding to requests, which may impair domain time accuracy.

Time Accuracy Measurements

Methodology

Different tools can be used to gauge the time and accuracy of Windows Server 2016.

The techniques are applicable when taking measurements and tuning the environment to determine if the test outcomes meet the set requirements.

The domain source clock has two precision NTP servers and GPS hardware.

Some of these tests need a highly accurate and reliable clock source as a reference point adding to your domain clock source.

Here are four different methods for measuring accuracy in physical and virtual machines:

  • Take the reading of the local clock conditioned by a w32tm and reference it against a test machine with a separate GPS hardware.
  • Measure pings coming from the NTP server to its clients using the “stripchart” of the W32tm utility
  • Measure pings from the client to the NTP server using “stripchart” of the W32tm utility.
  • Measure the Hyper-V output from the host to the guests using the Time Stamp Counter (TSC). After getting the difference of the host and client time in the VM, use the TSC to estimate the host time from the guest. We also consider the use of the TSC clock to factor out delays and the API latency.

Topology

For comparison purposes, testing both the Windows Server 2012R2 and Windows Server 2016 based on topology is sensible.

The topologies have two physical Hyper-V hosts that point to a 2016 Server with a GPS hardware installed. Each of these hosts runs at least three domains joining the Windows guests, taking the arrangement shown in the diagrams below.

TOPOLOGY 1

The lines on the diagram indicate time hierarchy and the transport or protocol used.

TOPOLOGY 2

Graphical Results Overview

The following graph is a representation of the time accuracy between two members of a domain. Every graph shows both Windows Server 2012R2 and 2016 outcome.

The accuracy was a measurement taken from the guest machine in comparison to the host. The graphical data shown indicate both the best and worst case scenarios.

TOPOLOGY 3

Performance of the Root Domain PDC

The root PDC synchronizes with the Hyper-V host using a VMIC that is present in Windows Server 2016 GPS hardware, which shows stability and accuracy. This is critical because a 1ms accuracy is needed.

Performance of the Child Domain Client

The child domain client is attached to a Child Domain PDC for sending communication to the Root PDC. Its timing should also be within the 1ms accuracy.

Long Distance Test

Long distance test could involve comparing a single virtual network hop to 6 physical network hops on Windows Server 2016.

Increasing network hops means increasing latency and extending time differences. The 1ms accuracy may negatively change, which demonstrates a symmetrical network.

Do not forget that every network is different and measurements taken depend on varying environmental factors.

Best Practices for Accurate Timekeeping

1. Solid Source Clock

The machine timing is as good as its source clock. To achieve the 1ms accuracy, a GPS hardware or time appliance should be installed to refer to the master source clock.

The default time.windows.com may not give an accurate or stable local time source. Also, as you move away from the source clock, you are bound to lose time.

2. Hardware GPS Options

The different hardware solutions that offer accurate time depend on GPS antennas. Use of radio and dial-up modem solutions is also accepted. The hardware options connect through PCIe or USB ports.

Different options give varying time accuracy and the final time depends on the environment.

Environmental factors that interfere with accuracy include GPS availability, network stability, the PC hardware, and network load.

3. Domain and Time Synchronization

Computers in a domain use the domain hierarchy to determine the machine to be used as a source for time synchronization.

Every domain member will look for a machine to sync with and save it as its source. Every domain member will follow a different route that leads to its source time. The PDC in the Forest Root should be the default source clock for all machines in the domain.

Here is a list of how roles in the domain find their original time source.

  • Domain Controller with PDC role

This is the machine with authority on the time source for the domain. Most of the time, the time it issues is accurate, and it must synchronize with a DC in the parent domain, except in cases where the GTIMESERV role is active.

  • Other Domain Controller

This will take the role of a time source for clients and member servers in the domain. A DC synchronizes with the PDC of its domain or any DC in the parent domain.

  • Clients or Member Servers

This type of machine will synchronize with any DC or PDC within its domain, or pick any DC or PDC in the parent domain.

When sourcing for the original clock, the scoring system is used to identify the best time source. Scoring takes into account the reliable time source based on the relative location, which happens only once when the time service starts.

To fine-tune time synchronization, add good timeservers in a specific location and avoid redundancy.

Mixed Operating System Environments (Windows 2012 R2 and Windows 2008 R2)

In a pure Windows Server 2016 domain environment, you need to have the best time accuracy.

Deploying a Windows Server 2016 Hyper-V in a Windows 2012 domain will be more beneficial to the guests because of the improvements made in Server 2016.

A Windows Server 2016 PDC delivers accurate time due to the positive changes to its algorithms, which also acts as a credible source.

You may not have an option of replacing the PDC, but you can add a Windows Server 2016 DC with the GTIMESERV flag as one way of upgrading time accurately for the domain.

Windows Server 2016 DC delivers better time to lower clients, but it’s always good to use it as a source NTP time.

As already stated above, clock polling and refresh frequencies are modified in Windows Server 2016.

You can also change the settings manually to match the down-level DCs or make the changes using the group policy.

Versions prior to Windows Server 2016 have a problem with keeping accurate time, since their systems drift immediately after you make a change.

Obtaining samples from accurate NTP sources and conditioning the clock leads to small changes in system clock, ensuring better time keeping on the low-level OS versions.

In some cases involving guest domain controllers, samples from the Hyper-V TimeSync are capable of disrupting time synchronization. However, for Server 2016, this should no longer be an issue when the guest machines run on Server 2016 Hyper-V hosts.

You can use the following registry keys to disable the Hyper-V TimeSync service from giving samples to w32time:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]

"Enabled"=dword:00000000

Allow Linux to Use Hyper-V Host Time

For Linux guest machines running on Hyper-V, it is normal for clients to use the NTP Daemon for time synchronization against the NTP servers.

If the Linux distribution supports version 4 TimeSync protocol with an enabled TimeSync integration on the guest, then synchronization will take place against the host time. Enabling both methods will lead to inconsistency.

Administrators are advised to synchronize against the host time by disabling the NTP time synchronization by using any of the following methods:

  • Disabling NTP servers in the ntp.conf file
  • Disabling the NTP Daemon

In this particular configuration, the Time Server Parameter is usually the host, and it should poll at a frequency of 5 seconds, which is the same as the Clock Update Frequency.

Exclusive synchronization over NTP demands that you disable the TimeSync integration service in the guest machine.

NOTE: Accurate timing support for Linux requires a feature supported in the latest upstream Linux kernels. As of now, it is not available across most Linux distros.

Specify Local Reliable Time Service Using the GTIMESERV

The GTIMESERV allows you to specify one or more domain controllers as the accurate source clocks.

For example, you can use a specific domain controller with a GPS hardware and flag it as GTIMESERV to make sure that your domain references to a clock based on a GPS hardware.

TIMESERV is a Domain Services Flag that indicates whether the machine is authoritative and can be changed if the DC loses connection.

When the connection is lost, the DC returns the “Unknown Stratum” error when you query via the NTP. After several attempts, the DC will log System Event Time Service Event 36.

When configuring a DC as your GTIMESERV, use the following command:

w32tm /config /manualpeerlist:"master_clock1,0x8 master_clock2,0x8" /syncfromflags:manual /reliable:yes /update

If the DC has a GPS hardware, use the following steps to disable the NTP client and enable the NTP server:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient /v Enabled /t REG_DWORD /d 0 /f

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer /v Enabled /t REG_DWORD /d 1 /f

Then, restart the Windows Time Service:

net stop w32time && net start w32time

Finally, tell network hosts that this machine has a reliable time source using this command:

w32tm /config /reliable:yes /update

To confirm the changes, run the following commands and compare the output with the expected settings shown:

w32tm /query /configuration

| Value | Expected Setting |
|---|---|
| AnnounceFlags | 5 (Local) |
| NtpServer | (Local) |
| DllName | C:\WINDOWS\SYSTEM32\w32time.DLL (Local) |
| Enabled | 1 (Local) |
| NtpClient | (Local) |

w32tm /query /status /verbose

| Value | Expected Setting |
|---|---|
| Stratum | 1 (primary reference – syncd by radio clock) |
| ReferenceId | 0x4C4F434C (source name: “LOCAL”) |
| Source | Local CMOS Clock |
| Phase Offset | 0.0000000s |
| Server Role | 576 (Reliable Time Service) |

Windows Server 2016 on 3rd party Virtual Platforms

The virtualization of Windows means that the time responsibility defaults to the Hypervisor.

However, new members of the domain need to be synchronized with the Domain Controller for the AD to work effectively. The best that you can do is to disable time virtualization between guests and 3rd party virtual platforms.

Discover the Hierarchy

The chain of time hierarchy to the master clock is dynamic and non-negotiated. You must query the status of a specific machine to get its time source. This analysis helps in troubleshooting issues relating to synchronizations.

If you are ready to troubleshoot, find the time source by using the w32tm command:

w32tm /query /status

The output will be the source. Finding the source is the initial step in time hierarchy.

The next thing to do is to use the source entry and /Stripchart parameter to find the next time source.

w32tm /stripchart /computer:MySourceEntry /packetinfo /samples:1

The command below gives a list of domain controllers found in a specific domain and relays the results that you can use to determine each partner. The command also includes machines with manual configurations.

w32tm /monitor /domain:my_domain

You can use the list to trace the results through the domain and know their hierarchy and time offset at each step.

If you mark the point where time offset increases, you can get to know the cause of incorrect time.

Using Group Policy

Group policy is used to accomplish strict accuracy by making sure clients are assigned specific NTP servers. Clients can control how down-level OS should work when virtualized.

Look at the following list of all possible scenarios and relevant Group Policy settings:

  • Virtualized Domains

To gain control over the Virtualized Domain Controllers in Windows 2012 R2, disable the registry entry corresponding to the virtual domain controllers.

You may not want to disable the PDC entry because in most cases, Hyper-V host delivers a stable time source. The entry to the registry requires that you restart the w32time service after making changes.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]

"Enabled"=dword:00000000

  • Accuracy Sensitive Loads

For any workload that is sensitive to time accuracy, ensure that the group machines are set to use the NTP servers and any related time settings like update frequency and polling.

This is a task handled by a domain, but if you want to have more control, target specific machines to point to the master clock.

| Group Policy Setting | New Value |
|---|---|
| NtpServer | ClockMasterName,0x8 |
| MinPollInterval | 6-64 seconds |
| MaxPollInterval | 6 seconds |
| UpdateInterval | 100 to once per second |
| EventLogFlags | 3 – All special time logging |

NOTE: The NtpServer and EventLogFlags settings are located under System\Windows Time Service\Time Providers, in the Configure Windows NTP Client settings. The other three are under System\Windows Time Service, in the Global Configuration Settings.

  • Remote Accuracy Sensitive Loads

For systems running on the branch domains, such as the Retail and Payment Credit Industry (PCI), Windows will use the current site data and DC Locator to search the local DC, unless you have a manual NTP time source configured.

In such an environment, you need 1 second accuracy with the option of using the w32time services to move the clock backwards.

If you can meet the requirements, use the table below to create a policy.

| Group Policy Setting | New Value |
|---|---|
| MaxAllowedPhaseOffset | 1, if more than one second, set clock to correct time. |

The MaxAllowedPhaseOffset is a setting you will find under System\Windows Time Service using global Configuration settings.

Azure and Windows IaaS Consideration

  • Azure Virtual Machine: Active Directory Domain Services

If you have Azure VM running Active Directory Domain Services as part of the existing configuration in a Domain Forest, then the TimeSync (VMIC) should not be running.

Disabling VMIC allows all DCs in both physical and virtual forests to use a single time sync hierarchy.

  • Azure Virtual Machine: Domain-Joined Machine

If you have a host whose domain links to an existing Active Directory Forest, whether virtual or physical, the best you can do is to disable TimeSync for the guest and make sure the W32Time is set to synchronize with the Domain Controller.

  • Azure Virtual Machine: Standalone Workgroup Machine

If your Azure is not part of a domain and it is not a Domain Controller, you can keep the default time configuration and let the VM synchronize with the host.

Windows Applications that Require Accurate Time

Stamp API

Programs or applications that need time accuracy in line with the UTC should use the GetSystemTimePreciseAsFileTime API to get the time as defined by Windows Time Service.

UDP Performance

An application that uses UDP to communicate during network transactions should minimize latency. You have the registry options to use when configuring different ports. Note that any changes to the registry should be restricted to system administrators.

Windows Server 2012 and Windows Server 2008 need a Hotfix to avoid datagram losses.

Update Network Drivers

Some network cards have updates that help improve performance and buffering of UDP packets.

Logging for System Auditors

Time tracing regulation may force you to comply by archiving the w32tm logs, performance monitors, and event logs. Later, these records may be used to confirm your compliance at a specific time in the past.

You can use the following to indicate time accuracy:

  • Clock accuracy using the computed time offset counter
  • Clock source looking for “peer response from” in the w32tm event logs
  • Clock condition status using the w32tm logs to validate the occurrence of “ClockDispln Discipline: *SKEW*TIME*”.

Event Logging

An event log can give you a complete story in the information it stores. If you filter out the Time-Server logs, you will discover the influences that have changed the time. Group policy can affect the events of the logs.

W32time Debug Logging

Use the command utility w32tm to enable audit logs. The logs will show clock updates as well as the source clock.

Restarting the service enables new logging.

Performance Monitor

The Windows Server 2016 Time service counters can collect the logging information that auditors need. You can log the data locally or remotely by recording the machine’s Time Offset and Round Trip Delays.

Like any other counter, you can create remote monitors and alerts using the System Center Operations Manager. You can set an alert for any change of accuracy when it happens.

Windows Traceability Example

Using sample log files from the w32tm utility, you can validate two pieces of information where the Windows Time Service conditions the first log file at a given time.

151802 20:18:32.9821765s – ClockDispln Discipline: *SKEW*TIME* – PhCRR:223 CR:156250 UI:100 phcT:65 KPhO:14307

151802 20:18:33.9898460s – ClockDispln Discipline: *SKEW*TIME* – PhCRR:1 CR:156250 UI:100 phcT:64 KPhO:41

151802 20:18:44.1090410s – ClockDispln Discipline: *SKEW*TIME* – PhCRR:1 CR:156250 UI:100 phcT:65 KPhO:38

All the messages that start with “ClockDispln Discipline” are enough proof that your system is interacting with the system clock via the w32time.

The next step is to find the last report before the time change to get the source computer that is the current reference clock.

In the example below, the IPv4 address 10.197.216.105 is the reference clock. Another reference could point to the computer name or the VMIC provider.

151802 20:18:54.6531515s – Response from peer 10.197.216.105,0x8 (ntp.m|0x8|0.0.0.0:123->10.197.216.105:123), ofs: +00.0012218s

Now that the first section is valid, investigate the log file on the reference time source using the same steps.

This will give you a physical clock such as the GPS or a known time source like the National Institute of Standards and Technology (NIST). If the clock is a GPS hardware, then manufacturer logs may be required.
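The traceability walk described above can be automated for audit archives. The following is an added example, not code from the original article: a Python parser for w32tm debug log lines in the format quoted above that pairs each clock change with the last peer response before it and reports unexpected sources or large offsets. The sample log, the 192.0.2.44 address, the allowlist and the 50 ms limit are constructed, and reading the first field as days since 1601-01-01 is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the w32tm debug log lines quoted above.
# 192.0.2.44 is a documentation address standing in for an unplanned time source.
SAMPLE_LOG = """\
151802 20:18:22.6531515s - Response from peer 10.197.216.105,0x8 (ntp.m|0x8|0.0.0.0:123->10.197.216.105:123), ofs: +00.0012218s
151802 20:18:32.9821765s - ClockDispln Discipline: *SKEW*TIME* - PhCRR:223 CR:156250 UI:100 phcT:65 KPhO:14307
151802 20:18:33.9898460s – ClockDispln Discipline: *SKEW*TIME* – PhCRR:1 CR:156250 UI:100 phcT:64 KPhO:41
151802 20:25:10.1000000s - Response from peer 192.0.2.44,0x8 (ntp.m|0x8|0.0.0.0:123->192.0.2.44:123), ofs: -01.2500000s
151802 20:25:11.2000000s - ClockDispln Discipline: *SKEW*TIME* - PhCRR:5 CR:156250 UI:100 phcT:65 KPhO:900
151802 20:25:12.0000000s - unrelated entry (constructed)
"""

# Assumption: the leading number counts days since 1601-01-01 (Windows NT epoch).
NT_EPOCH = datetime(1601, 1, 1)

# The separator may be a hyphen or, after copy/paste through a web page, an en dash.
HEAD = re.compile(r"^(\d+) (\d\d):(\d\d):(\d\d\.\d+)s\s+[-\u2013]\s+(.*)$")
PEER = re.compile(r"^Response from peer ([^,\s]+),(0x[0-9A-Fa-f]+) .*ofs: ([+-]\d+\.\d+)s")
DISC = re.compile(r"^ClockDispln Discipline: \*(\w+)\*TIME\*\s+[-\u2013]\s+(.*)$")


def parse_line(line):
    """Return a dict for a peer response or a clock discipline entry, else None."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    day, hh, mm, ss, msg = head.groups()
    when = NT_EPOCH + timedelta(days=int(day), hours=int(hh),
                                minutes=int(mm), seconds=float(ss))
    peer = PEER.match(msg)
    if peer:
        return {"kind": "peer", "time": when, "peer": peer.group(1),
                "offset_s": float(peer.group(3))}
    disc = DISC.match(msg)
    if disc:
        # Counters such as PhCRR or KPhO are kept as opaque integers.
        fields = {k: int(v) for k, v in re.findall(r"(\w+):(-?\d+)", disc.group(2))}
        return {"kind": "discipline", "time": when, "action": disc.group(1),
                "fields": fields}
    return None


def trace_reference(log_text):
    """For every clock change, record the last peer response seen before it."""
    last_peer, events = None, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "peer":
            last_peer = rec
        else:
            events.append({
                "time": rec["time"],
                "action": rec["action"],
                "source": last_peer["peer"] if last_peer else None,
                "offset_s": last_peer["offset_s"] if last_peer else None,
            })
    return events


def audit(log_text, allowed_sources, max_offset_s):
    """Return (time, reason) findings an auditor should review."""
    findings = []
    for ev in trace_reference(log_text):
        if ev["source"] is None:
            findings.append((ev["time"], "clock change with no prior peer response"))
            continue
        if ev["source"] not in allowed_sources:
            findings.append((ev["time"], f"unexpected time source {ev['source']}"))
        if abs(ev["offset_s"]) > max_offset_s:
            findings.append((ev["time"], f"offset {ev['offset_s']:+.7f}s exceeds limit"))
    return findings


if __name__ == "__main__":
    for when, reason in audit(SAMPLE_LOG, {"10.197.216.105"}, max_offset_s=0.050):
        print(when.isoformat(), reason)
```

The parser handles the NTP peer form shown in the sample only; entries that name a computer or the VMIC provider as the source would need their own pattern.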

Network Considerations

The NTP protocol algorithm depends on the network symmetry, making it difficult to predict the type of accuracies needed for certain environments.

You can use the Performance Monitor and new Windows Time Counters for Windows Server 2016 to create baselines.

The Precision Time Protocol (PTP) and the Network Time Protocol (NTP) are the two that you can use to gauge accurate time.

If clients are not part of a domain, Windows uses the Simple NTP by default. Clients found within a Windows domain use the secure NTP protocol, also referred to as MS-SNTP, which helps in leveraging domain communication, consequently giving an advantage over Authenticated NTP.

Reliable Hardware Clock (RTC)

Windows will not step time unless some conditions are beyond the norm. The implication is that the w32tm changes the frequency at regular intervals while relying on the Clock Update Frequency Settings, which is 1 second on Windows Server 2016.

It will move the frequency if it is behind, and vice versa when it is ahead of time.

This reason explains why you need to have acceptable results during the baseline test. If what you get for the “Computed Time Offset” is not stable, then you may have to verify the status of the firmware.

Troubleshooting Time Accuracy and NTP

The Discovering Hierarchy section gave us an understanding of the source and inaccurate time.

You need to look for time offset to identify the point where the divergence takes place from its NTP Sources. Once you can trace the hierarchy of time, you need to focus on the divergent system to gather more information in determining the issues causing all these inconsistencies.

Here are some tools that you can use:

  • System event logs
  • Enable logging with w32tm logs: w32tm /debug /enable /file:C:\Windows\Temp\w32time-test.log /size:10000000 /entries:0-300
  • w32Time registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
  • Local network interfaces
  • Performance counters
  • w32tm /stripchart /computer:UpstreamClockSource
  • PING UpstreamClockSource (gauging latency and understanding the number of hops to source)
  • Tracert UpstreamClockSource

| Problem | Symptoms | Resolution |
|---|---|---|
| Local TSC unstable | Use perfmon-Physical computer- Sync clock stable clock | Update firmware or try alternative hardware to confirm whether it displays the same issue |
| Network latency | W32tm stripchart displays the RoundTripDelay exceeding 10ms. Use Tracert to find where the latency thrives | Locate a nearby source clock for time. Install a source clock on the same domain segment or point to one that is geographically closer. Domain environment needs a client with the GTIMESERV role. |
| Unable to reliably reach the NTP source | W32tm /stripchart gives “request time out” | NTP source unresponsive |
| NTP Source is not responsive | Check Perfmon counters for NTP client Source Count, NTP server outgoing responses, and NTP Server Incoming Requests. Determine the outcome with your baseline tests results | Use server performance counters to determine change in load or if there is any network congestion |
| Domain Controller not using the most accurate clock | Changes in topology or a recently added master clock | w32tm /resync /rediscover |
| Clients Clocks are drifting | Time-Service event 36 in System event log or you see a text log with the following description: “NTP Client Time Source Count” going from 1 to 10 | Identify errors in the upstream source and query if it may be experiencing performance issues |

Baselining Time

Baseline tests are important because they give you an understanding of the expected performance accuracy of the network.

You can use the output to detect problems on your Windows Server 2016 in the future. The first thing to baseline is the root PDC or any machine with the role of GTIMESERV.

Every PDC in the forest should have baseline test results. Eventually, you need to pick DCs that are critical and get their baseline results too.

It is important to baseline Windows 2016 and 2012 R2 using the w32tm /stripchart as a comparison tool. If you use two similar machines, you can compare their results and make comprehensive analysis.

Using the performance counters, you can collect all information for at least one week to give you enough references when accounting for various network time issues.

If you have more figures for comparison, you’ll gain enough confidence that your time accuracy is stable.

NTP Server Redundancy

A manual NTP server configuration in a non-domain network means that you should have a good redundancy measure to get better accuracy when other components are also stable.

On the other hand, if your topology does not have a good design and other resources are not stable, accuracy will be poor. Take care to limit the number of time servers configured for W32time to 10.

Leap Seconds

The climatic and geological activities on planet earth lead to varying rotation periods. In an ideal scenario, the rotation varies every two years by one second.

When the difference from atomic time grows, a correction of one second up or down, called the leap second, is applied. The correction is made so that the difference never exceeds 0.9 seconds. The correction is always announced six months ahead of time.

Before Windows Server 2016, the Microsoft Time Service did not account for leap seconds and relied on an external time service to handle the adjustments.

With the changes made in Windows Server 2016, Microsoft is working on a suitable solution to handle the leap second.

Secure Time Seeding

W32time in Windows Server 2016 includes the Secure Time Seeding feature, which determines the approximate current time from outgoing Secure Sockets Layer (SSL) connections. The value helps in correcting gross errors on the local system clock.

You can decide not to use the Secure Time Seeding feature and use the default configurations, instead.

If you intend to disable the feature, use the following steps:

  • Set the UtilizeSSLTimeData registry value to 0 using the command below:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Config /v UtilizeSslTimeData /t REG_DWORD /d 0 /f

  • If the machine does not detect any changes and does not ask for a reboot, notify the W32time service about the changes. This will stop enforcing time monitoring based on data coming from the SSL connections.

W32tm.exe /config /update

  • Rebooting the machine activates the settings immediately and directs the machine to stop collecting data from SSL connections.

For the above setting to be effective on the entire domain, set the UtilizeSslTimeData value in W32time to 0 using the Group Policy setting, and publish the setting.

The moment the setting is picked by a Group Policy Client, the W32time service gets the notification and stops enforcing and monitoring SSL time data.

If the domain has some portable laptops or tablets, you can exclude them from the policy change because when they lose battery power, they will need to re-access the Secure Time Seeding feature to acquire the current time.

Conclusion

The latest developments in Windows Server 2016 mean that you can now get the most accurate time on your network, provided you observe some conditions.

The main job of the Windows Time Service (W32Time) is to give your machine time, regardless of whether it is standalone or part of a network environment.

The primary use of time in a Windows Server 2016 environment is to make sure that there is enough security for Kerberos authentication.

W32Time makes it almost impossible to have replay attacks in an Active Directory environment or when running virtual machines on Hyper-V hosts.

Quota Management in Windows Server 2016

Quota management is a valuable feature that enables users to restrict the storage capacity of shared resources in Windows Server 2016. If you create quotas, you will limit the space allocated to a volume or a folder—allowing you to practice capacity management conveniently.

To set quotas in Windows Server 2016, you’ll need to use a tool called File Server Resource Manager (FSRM). This tool assists in managing and organising data kept on file servers.

The File Server Resource Manager tool consists of the following five features.

  • File classification infrastructure—this feature allows you to organise files and implement policies.
  • File management tasks—it enables you to implement conditional policies or tasks.
  • Quota management—it assists you to restrict the space available on shared folders.
  • File screening management—it allows you to limit the type of files that users can keep. For example, you can set a file screen to prevent users from creating MP3 files on the file server.
  • Storage reports—with this feature, you can generate reports to understand trends in disk utilisation and how data is organised, which enables you to spot unauthorised activities.

In this article, we are going to talk about the quota management feature in FSRM.

Setting up File Server Resource Manager

We need to install the File Server Resource Manager tool before using it for quota management.

A quick way to complete its setup is through the GUI server manager.

Here are the steps for installing the tool.

1. Start by logging into the Windows Server 2016. Then, on the Server Manager’s dashboard, click on “Manage” and select “Add Roles and Features”.

2. On the “Before You Begin” screen click “Next”.

3. Select “Role-based or feature-based installation” and click “Next”.

4. Select your destination server and click “Next”.

5. On the “Select Server roles” dashboard, expand “File and Storage Services” and “File and iSCSI Services”.

Then, select “File Server Resource Manager” and click “Next”.

6. On the window that pops up, Click the “Add Features” button to incorporate the required features.

Click “Next”.

7. If you do not need to add any extra features, just leave the default settings and click “Next”.

8. Confirm the installation selections and Click “Install” to start the process.

9. After the installation process is complete, click the “Close” button.

10. You can now access the File Server Resource Manager from the administrative interface and use it to create quotas.

Creating Quotas Using FSRM

As earlier mentioned, quota management enables you to set restrictions and define the extent of space available for users in the server. For example, you can limit all users to a maximum of 5GB on a shared folder. As such, the users cannot add data to the folder that exceeds 5GB.

You can also configure the File Server Resource Manager tool to send notifications whenever the specified usage limit is reached. For example, you can specify that an email is to be sent if 85% of the space has been consumed.

Creating quotas using the FSRM tool is a two-step process:

  • Create a template
  • Create a quota

a) Create a template

Before setting quotas, you need to either create a quota template or choose a default template already available on the File Server Resource Manager tool.

It is recommended that you create quotas solely from templates. This way, you can easily manage your quotas by making changes to the templates rather than the individual quotas. The one central location for managing quotas eases the enactment of storage policy rules.

Here are the steps for creating a quota template.

1. Under the “Quota Management” Section, right-click the “Quota Templates” button and go for “Create Quota Template”.

2. On the window that pops up, enter the Template name and the space limit. If you choose the “Hard quota” option, users will be unable to surpass the specified limit. A hard quota is good for controlling the amount of data allowed on a folder or a disk.

On the other hand, if you select the “Soft quota” option, users will be able to exceed the allocated limit. A soft quota is mostly used for monitoring space usage and producing notifications.

3. Lastly, to set notification thresholds, press the “Add” button. On the window that pops up, input your notification specifications.

You can specify that an email is to be sent, an entry is to be made to the event log, a command is to be run, or a report is to be generated. For example, you can state that whenever usage reaches 85%, send an email message to the administrator.

Thereafter, click “OK” to complete creating the quota template.

b) Create a quota

After setting up the quota template or using a default quota template, you need to create the quota.

Here are the steps for creating a quota.

1. On the File Server Resource Manager’s dashboard, right-click on “Quotas” and go for “Create Quota”.

2. On the “Create Quota” window, in the “Quota path” section, browse to the volume or folder to which the storage capacity restriction will be applied.

Then, choose either the “Create quota on path” or the “Auto apply template and create quota…” option.

If you select the first option, quota will only be applied to the primary folder. For example, if you limit the parent folder to only 5GB, then the other subfolders will share the space specified in the main folder.

On the other hand, if you choose the second option, then the quota will also be applied to the subfolders. For example, if you restrict the main folder to 5GB, then the subfolders will also have individual quotas of 5GB each.

Subsequently, on the “Derive properties from this quota template” option, choose the template you created previously.

If satisfied with the quota properties, click “Create”.

After you’ve created the quota, you can see it on the File Server Resource Manager’s dashboard. Thereafter, you’ll be able to limit the amount of space allowed on your shared resources.
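
The installation and the two-step quota procedure above can also be scripted. This is an added example, not part of the original article, using the FileServerResourceManager PowerShell module; the share path, the template name and the notification text are hypothetical, and it logs an event at 85% rather than sending email so that no SMTP settings are needed.

```powershell
# Run in an elevated PowerShell session on the file server.
$sharePath    = 'D:\Shares\Projects'             # hypothetical shared folder
$templateName = '5 GB hard limit, 85% warning'   # hypothetical template name

# Install the role service if it is missing (GUI installation steps 1 to 9).
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
}

# a) Create the template once: hard 5 GB limit, event-log warning at 85% usage.
if (-not (Get-FsrmQuotaTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    $action = New-FsrmAction -Type Event -EventType Warning `
        -Body 'Quota threshold reached on [Quota Path]: [Quota Used Percent]% used.'
    $threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $action
    # Append -SoftLimit to the next line for a monitoring-only (soft) quota.
    New-FsrmQuotaTemplate -Name $templateName -Size 5GB -Threshold $threshold
}

# b) Create the quota from the template. Pick one of the two dialog options.
$perSubfolder = $false
if ($perSubfolder) {
    # "Auto apply template and create quota...": each subfolder gets its own 5 GB quota.
    New-FsrmAutoQuota -Path $sharePath -Template $templateName
    Get-FsrmAutoQuota -Path $sharePath | Select-Object Path, Template, Size, SoftLimit
}
else {
    # "Create quota on path": one 5 GB quota shared by the folder and its subfolders.
    New-FsrmQuota -Path $sharePath -Template $templateName
    Get-FsrmQuota -Path $sharePath | Select-Object Path, Template, Size, SoftLimit, Usage
}
```

Because the quota is derived from the template, later changes to the limit or thresholds can be made on the template instead of on each quota.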

We hope this article has cleared things up.

Optimizing File Server Performance in Windows Server 2016

If you have a file server system in your company, you may want to tune some parameters and settings to enhance its performance.

For example, you may want the highest possible throughput on your server to meet the growing workload needs.

This article gives a set of guidelines that you can implement to optimize the file server settings in Windows Server 2016 and benefit from optimized performance.

How to Optimize File Server Performance

1. Choose a Proper Hardware

First, choose hardware that can sufficiently support your performance improvement efforts. If the hardware cannot meet the expected file server load, software adjustments may not yield significant results.

Here are some important hardware parameters you should optimise.

  • Response times
  • Growth expectations
  • Loading factors—such as average load and peak load
  • Capacity level

2. Optimise SMB Parameters

The Server Message Block (SMB) protocol is built into Windows Server to enable the sharing of files and other resources across the network.

The latest version available on Windows Server 2016 is 3.1.1, and it comes with several helpful features you can optimise to get the most of it.

Here are some tips on how to optimise the various SMB parameters.

a) Practice the “least privilege” principle

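You can practice the principle of least privilege by limiting access to some services or features. If a file server or a file client does not need a feature, disable it. Several of the features listed below (SMB signing, SMB encryption, NTFS encryption, and IPsec) are security controls, so confirm that no client or data set depends on them before turning them off.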

Some of the features you can disable include:

  • SMB signing
  • SMB encryption
  • NTFS encryption
  • File system filters
  • Client-side caching
  • Scheduled tasks
  • IPSEC

b) Configure power management mode

A constant high workload will reduce the speed and performance of your server. Therefore, make sure that power management is configured correctly both in the BIOS and in the operating system.

For example, this may mean using High Performance mode or modified C-states. To avoid bottlenecks, remember to install the most up-to-date, robust, and fastest storage and networking device drivers.

c) Follow file copying best practices

Users usually copy files from one location to the other on file servers. There are some best practices you can follow to enhance the speed of transferring files.

Windows has numerous utilities you can run on the command prompt and conveniently transfer files. For example, the recommended ones are Robocopy and Xcopy.

If using Robocopy, it’s advisable to include the /mt option to quickly copy and transfer several small files. It is also advisable to use the /log option to lessen console output by enabling redirection to NUL device or to a file.

If using Xcopy, you can significantly increase performance by including the /q option (which lowers CPU overhead) and /k option (which lowers network traffic) to your present parameters.

d) Practice SMB performance tuning

It is important to note that the performance of a file server will largely depend on the parameters set on the SMB protocol. If the parameters are well tuned, the file server performance can greatly improve.

Here is a table giving some of the registry settings that can influence the operation of the SMB file servers, together with some recommended practices.

| Parameter | Registry Settings | Recommendations |
|---|---|---|
| Smb2CreditsMin and Smb2CreditsMax | HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMin and HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMax | The defaults are 512 and 8192 respectively. Check SMB Client Shares\Credit Stalls /Sec to observe any problems with credits. |
| AdditionalCriticalWorkerThreads | HKLM\System\CurrentControlSet\Control\Session Manager\Executive\AdditionalCriticalWorkerThreads | The default is 0. You could raise the value if the quantity of cache manager dirty data is consuming a larger percentage of memory. |
| MaxThreadsPerQueue | HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxThreadsPerQueue | The default is 20. In case the SMB2 work queues are increasing significantly, raise the value. |
| AsynchronousCredits | HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AsynchronousCredits | The default is 512. In case a big quantity of concurrent asynchronous SMB commands is needed, raise the value. |

Here is an example of how the settings can be applied to achieve optimum file server performance on Windows Server 2016.

Note that the settings are not suited to all computing situations, and you should assess the effect of each individual setting before using it.

| Parameter | Value | Default |
|---|---|---|
| AdditionalCriticalWorkerThreads | 64 | 0 |
| MaxThreadsPerQueue | 64 | 20 |
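
Before and after changing any of these values, it helps to record what is actually configured. The following added example (not part of the original article) reads the SMB parameters named in the tables above and compares them with the defaults quoted there; it assumes that a value missing from the registry means the default is in effect.

```powershell
$lanman = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'
$exec   = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Executive'

# Parameter names and defaults as quoted in the article's table.
$settings = @(
    @{ Name = 'Smb2CreditsMin';                  Key = $lanman; Default = 512  },
    @{ Name = 'Smb2CreditsMax';                  Key = $lanman; Default = 8192 },
    @{ Name = 'AdditionalCriticalWorkerThreads'; Key = $exec;   Default = 0    },
    @{ Name = 'MaxThreadsPerQueue';              Key = $lanman; Default = 20   },
    @{ Name = 'AsynchronousCredits';             Key = $lanman; Default = 512  }
)

function Get-SmbTuningReport {
    param([Parameter(Mandatory)] [hashtable[]] $Setting)
    foreach ($s in $Setting) {
        # Returns nothing when the value has never been written to the registry.
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $configured = if ($null -ne $item) { $item.($s.Name) } else { $null }
        [pscustomobject]@{
            Parameter  = $s.Name
            Configured = $configured
            Effective  = if ($null -ne $configured) { $configured } else { $s.Default }
            Default    = $s.Default
            Changed    = ($null -ne $configured -and $configured -ne $s.Default)
        }
    }
}

$report = @(Get-SmbTuningReport -Setting $settings)
$report | Format-Table -AutoSize

# Sanity check: the credit floor must not exceed the credit ceiling.
$min = ($report | Where-Object { $_.Parameter -eq 'Smb2CreditsMin' }).Effective
$max = ($report | Where-Object { $_.Parameter -eq 'Smb2CreditsMax' }).Effective
if ($min -gt $max) {
    Write-Warning "Smb2CreditsMin ($min) is greater than Smb2CreditsMax ($max)."
}
```

Keeping the report output alongside the performance baseline makes it possible to tie a later change in throughput to a specific registry change.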

3. Optimise NFS Parameters

The Network File System (NFS) model available in Windows Server 2016 is important for enabling client-server communications in mixed Windows and UNIX environments.

Here is a table giving some of the registry settings that can influence the operation of the NFS file servers, together with some recommended practices.

| Parameter | Registry Settings | Recommendations |
|---|---|---|
| OptimalReads | HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\OptimalReads | The default is 0. Before making any changes to the setting, evaluate its effect on system file cache growth. |
| RdWrNfsHandleLifeTime | HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\RdWrNfsHandleLifeTime | The default is 5. Set it appropriately to ensure optimal control of the lifetime of the NFS cache. |
| CacheAddFromCreateAndMkDir | HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\CacheAddFromCreateAndMkDir | The default is 1. Adjust the value to 0 to deactivate the addition of entries to the cache during CREATE and MKDIR operations. |
| MaxConcurrentConnectionsPerIp | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rpcxdr\Parameters\MaxConcurrentConnectionsPerIp | The default is 16. Raise it to the highest value of 8192 to increase the number of connections for every IP address. |

4. Uninstall Unused and Redundant Features

Windows Server 2016 has dozens of logging, monitoring, and debugging tools, most of which you may not find useful.

The amount of space available on the server is critical and allowing unused and redundant tools to just sit there is not doing any justice to your server.

On a regular basis, you should visit the “Service Control Manager” section and remove services and features that do not add value to your file server.

You should uninstall any utility or application that you find not useful, and your file server performance will greatly improve.

For example, you should always deactivate the DOS 8.3 short file names. For backward compatibility, your Windows Server 2016 may contain the DOS 8.3 file names, especially if you upgraded your server from an older version of Windows.

These days, 8.3 short file names are unnecessary, and they do not add any value to the operation of file servers. Therefore, disabling this feature will provide some additional speed to your Windows Server 2016.
