Fix: Why Your NTP-Synced Servers are Still Jumping Through Time


 Problem: My Windows environment uses an on-premises Domain Controller (DC) as the NTP source. While the DC maintains the correct time, several member servers intermittently jump to an incorrect date/time, then snap back to the correct time. I need to identify the root cause of these sudden, temporary offsets and why they bypass the established NTP hierarchy.





Before working through other troubleshooting steps, check the options below.


Are your servers running in vCenter/Hyper-V? If yes, follow the steps below to stop time synchronization between the host and the guest servers.


VMware (ESXi / Workstation)

In VMware, time synchronization is primarily managed via VMware Tools. You can disable it through the graphical interface.
 

Using the vSphere Client / Workstation UI

  1. Shut down the virtual machine.

  2. Right-click the VM and select Edit Settings.

  3. Navigate to the VM Options tab.

  4. Expand the VMware Tools section.

  5. Uncheck the box labeled Synchronize guest time with host.



Microsoft Hyper-V

Hyper-V manages time through its Integration Services. This can be adjusted at the VM settings level.


Using Hyper-V Manager

  1. Open Hyper-V Manager.

  2. Right-click the specific virtual machine and select Settings.

  3. In the left sidebar, under the Management section, click on Integration Services.

  4. In the list of services on the right, uncheck Time synchronization.

  5. Click Apply or OK.



Even after disabling host-to-guest time synchronization in the hypervisor, the Windows servers are still experiencing intermittent clock offsets. The system time fluctuates unexpectedly before the NTP client eventually triggers a resync to the authoritative source. We need to identify why the host is still forcing a clock update during specific events.



Now, what is the next step you are missing?








Microsoft recommends disabling the Secure Time Seeding (STS) feature on all Windows Server 2016 and later versions, especially for servers hosting time-sensitive or critical workloads.


What is STS?

Secure Time Seeding is a mechanism that uses metadata from outbound SSL/TLS connections to determine the approximate current time. Its original purpose was to correct massive system clock errors that might prevent SSL/TLS from functioning (since certificates require a valid time to be verified).


Why Microsoft Recommends Disabling It

  • Incompatibility Issues: Administrators have reported "time jumps" in which the system clock suddenly advances by days, weeks, or even years.

  • Performance Jumps: These jumps are often transient and followed by a brief period of incorrect time before the system corrects itself, but even a few seconds of incorrect time can disrupt Active Directory, database logs, and security protocols.

  • Default Change: Due to these reliability issues, Microsoft has disabled STS by default starting with Windows Server 2025.



How to Disable STS

A reboot is required after applying these changes for them to take effect.


Option 1: Group Policy (Domain Wide)


  1. Navigate to: Computer Configuration > Administrative Templates > System > Windows Time Service.

  2. Open Global Configuration Settings.

  3. Set UtilizeSslTimeData to 0 (Disabled).


Option 2: Registry (Local Server)

  1. Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

  2. Value Name: UtilizeSslTimeData

  3. Value Type: REG_DWORD

  4. Value: 0




Command Line Shortcut (sets the value name, type and data listed above; run from an elevated prompt):

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config" /v UtilizeSslTimeData /t REG_DWORD /d 0 /f
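As an added example (not part of the original post): a PowerShell script that audits the current UtilizeSslTimeData value, sets it to 0 if needed, and lists recent system clock changes from the System event log so you can confirm the jumps stop after the reboot. The function names are hypothetical; it assumes an elevated PowerShell session on Windows Server 2016 or later.

```powershell
# Added example, not the original post's code. Audits and disables Secure Time
# Seeding on the local server and lists recent clock changes for comparison.
# Assumes: elevated PowerShell 5.1+ on Windows Server 2016 or later.
# Helper names (Get-StsState, Disable-Sts, Get-RecentTimeJumps) are hypothetical.

$W32TimeConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ValueName     = 'UtilizeSslTimeData'

function Get-StsState {
    # Returns the current UtilizeSslTimeData value, or $null when the value is
    # absent (the OS default then applies).
    $item = Get-ItemProperty -Path $W32TimeConfig -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-Sts {
    # Writes UtilizeSslTimeData = 0 (REG_DWORD). A reboot is still required.
    # Returns $true when a change was made, $false when it was already 0.
    $current = Get-StsState
    if ($current -eq 0) {
        Write-Host "STS already disabled ($ValueName = 0)."
        return $false
    }
    New-ItemProperty -Path $W32TimeConfig -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    $was = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host "Set $ValueName = 0 (was: $was). Reboot required."
    return $true
}

function Get-RecentTimeJumps {
    # Lists system clock changes from the last $Days days. Kernel-General event
    # ID 1 in the System log is written on every change to the system time, so
    # the transient jumps and the later resync both appear here.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: audit first, apply the change, then confirm what the time service reports.
Get-RecentTimeJumps -Days 7 | Format-Table -AutoSize -Wrap
Disable-Sts | Out-Null
w32tm.exe /query /configuration | Select-String -Pattern $ValueName
```

Run Get-RecentTimeJumps again a few days after the reboot; the Kernel-General entries should now show only the expected small NTP corrections.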




We should start by testing this on a small group of servers before implementing it globally. I'm happy to walk you through the GPO enforcement steps if needed. If I see a lot of questions in the comments, I'll dedicate an entire follow-up post to the step-by-step configuration!



Thanks.





