Thursday 28 March 2013

Timekeeping best practices for Windows, including NTP

Taken from http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318


Timekeeping best practices for Windows, including NTP (1318)

Solution

For achieving accurate timekeeping in Windows guest operating systems, there are two main issues to consider: correctly configuring time synchronization and avoiding excessive CPU and memory overcommitment. Time synchronization utilities are necessary to correct time drift introduced by hardware time drift and guest operating system timekeeping imprecision. Excessive overcommitment can cause timekeeping drift at rates that are uncorrectable by time synchronization utilities. This best practices document covers time synchronization recommendations.

Time Synchronization

Use either w32time or NTP as the primary time synchronization utility. w32time is the time synchronization utility that ships with Windows. NTP (the Network Time Protocol daemon) is available for Windows through a variety of 3rd party ports to Windows.
 
Windows Version   Recommended Time Sync Utility
Windows 2008      w32time or NTP
Windows Vista     w32time or NTP
Windows 2003      w32time or NTP
Windows XP        NTP
Windows 2000      NTP

Configuring w32time

When using w32time, there are a number of configuration parameters that can be changed. The table below describes the relevant parameters and gives a recommended value. All of the parameters are stored in the registry. Some of them can also be modified via the w32tm utility instead of directly editing the registry. This best practices guide covers running w32time in NTP mode. w32time can also use the windows domain hierarchy as time servers, which is not covered in this best practices guide.
After changing w32time's settings it is necessary to restart w32time. Either reboot the virtual machine, run net stop w32time && net start w32time from the command line, or stop and start the w32time service. After restarting the w32time service, run the command w32tm /resync to force w32time to resync the time. On Windows Vista/2008 and later, w32tm /query /source shows which server w32time is currently using and w32tm /query /status shows the last successful sync time and the current offset, which confirms that the new settings have taken effect.
 
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
Recommended Value: 900
Type: REG_DWORD
Description: This parameter controls how often w32time will poll the time server to check whether time on the client needs to be corrected. The parameter is specified as the number of seconds to wait between polls. The recommended value of 900 specifies that the time server should be polled once every 15 minutes.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
Recommended Value: 1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 3.pool.ntp.org,0x1
Type: REG_SZ
Description: This parameter specifies the time servers to use. It is specified as a string of space separated servers. Specifying ",0x1" after the server name indicates that the server should be contacted at the frequency specified by the SpecialPollInterval setting.
Note: Modify the recommended value to point to the NTP servers available in your environment.
w32tm Command:
w32tm /config "/manualpeerlist:1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 3.pool.ntp.org,0x1"
Note: Modify the command to use the NTP servers available in your environment. The whole /manualpeerlist argument is quoted because the server list contains spaces.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Recommended Value: NTP
Type: REG_SZ
Description: This parameter specifies the mode that w32time should use. A value of NTP indicates that w32time should use the NTP servers specified in the NtpServer key; a value of NT5DS indicates that w32time should use the Windows domain hierarchy as its time servers instead.
w32tm Command:
w32tm /config /syncfromflags:MANUAL
Note: Appending /update to either w32tm /config command tells the running service to re-read its configuration, so the change takes effect without the service restart described above.

VMware Tools Time Synchronization and Configuration

When using w32time or NTP in the guest, disable VMware Tools periodic time synchronization.
To disable VMware Tools periodic time sync, use one of these options:
  • Set tools.syncTime = "0" in the configuration file ( .vmx file) of the virtual machine.

    OR
  • Deselect Time synchronization between the virtual machine and the host operating system in the VMware Tools toolbox GUI of the guest operating system.

    OR
  • Run the VMwareService.exe -cmd "vmx.set_option synctime 1 0" command in the guest operating system. VMwareService.exe is typically installed in C:\Program Files\VMware\VMware Tools.
These options do not disable one-time synchronizations done by VMware Tools for events such as tools startup, taking a snapshot, resuming from a snapshot, resuming from suspend, or VMotion. These events synchronize time in the guest operating system with time in the host operating system even if VMware Tools periodic time sync is disabled, so it is important to make sure that the host operating system's time is correct. For more information about ESX 4/ESXi 4 or Workstation 7, see Timekeeping in VMware Virtual Machines. For vSphere 5, Workstation 8 or Fusion 4, see http://www.vmware.com/vmtn/resources/238.
To ensure the host operating system’s time is correct for VMware ACE, VMware Fusion, VMware GSX Server, VMware Player, VMware Server, and VMware Workstation run time synchronization software such as NTP or w32time in the host. For VMware ESX, run NTP in the service console. For VMware ESXi, run NTP on the VMkernel.

Necessary Patches

Time runs too fast in a Windows virtual machine when the Multimedia Timer interface is used (1005953) describes a known issue that may cause problems when running Windows in a virtual machine. This issue is addressed in recent VMware products. The table below specifies the actions required to ensure that you are using a product version that contains the fix:
 
Product                    Action
ESX 3.5 and later          No action required
ESX 3.0.3                  Ensure patch ESX303-200910401-BG is applied
ESX 3.0.2                  Ensure patch ESX-1002087 is applied
ESX 3.0.1                  Ensure patch ESX-1002082 is applied
ESX 3.0.0                  Ensure patch ESX-1002081 is applied
ESX 2.5.x and earlier      Upgrade to ESX 3.0.0 or later
Fusion 2.0 and later       No action required
Fusion 1.x                 Upgrade to Fusion 2.0 or later
Player 2.0 and later       No action required
Player 1.x                 Upgrade to Player 2.0 or later
Workstation 6.0 and later  No action required
Workstation 5.x            Upgrade to Workstation 6.0 or later
 
Additional Information

Note:
  • If the virtual machine is joined to a domain but the host machine is not, the virtual machine synchronizes time with the domain controller irrespective of the options selected in VMware Tools. This prevents login issues if the virtual machine's time is significantly different from the domain controller's. To maintain a specific time within the virtual machine you must adjust the time of the domain controller or remove the virtual machine from the domain.
  • If the Windows virtual machine is not on the domain, run this command so that w32time starts whenever the network comes up and the Windows and domain controller time are brought back into sync after a reboot:
    sc triggerinfo w32time start/networkon stop/networkoff
For information regarding setting up an NTP server on an ESX host see Guide to configure NTP on ESX servers (1003063).
 
For more information on configuring an authoritative time server in Windows, see these Microsoft Knowledge Base articles:
  • Windows 2000 – 216734
  • Windows XP – 314054
  • Windows Server – 816042 
    Note: The preceding links were available as of September 10, 2010. If you find the links to be broken, provide feedback on the article and a VMware employee will update the article as necessary.
For information on Linux systems see Timekeeping best practices for Linux guests (1006427). 


Thursday 7 March 2013

Issues connecting a VPN between Juniper SSG and Sonicwall

I was trying to connect a VPN between a Juniper SSG and Sonicwall firewall.

Phase 1 came up ok but I kept getting this message:
Received a notification message for DOI 0 18 INVALID-ID-INFORMATION.

Juniper support says this usually means there is a mismatch in the proxy id or the phase 2 proposal. I confirmed with screenshots that both matched on the other side. I logged a call with Juniper and found we needed to set a further option "Local ID". This was because my Juniper is behind a NAT. It is behind another firewall. We need to fill in the local ID with the public IP address of the Juniper. This was strange because I have other VPNs with other vendors (Cisco/Juniper) and this option is not filled in yet the VPNs work. It may be a specific issue related to Juniper <-> Sonicwall VPNs.

GUI
The setting can be found under VPNs -> AutoKey Advanced -> Gateway
Edit the gateway that is having the issue -> Advanced -> Local ID
Fill in the Public IP address of YOUR firewall

CLI
set ike gateway "GWName-12-34-56-789" address 12.34.56.789 Main local-id "200.100.100.100" outgoing-interface "ethernet0/2" preshare "*********" proposal "pre-g2-3des-sha-86400"


Tuesday 5 March 2013

investigating RAM, CPU or disk space alerts on linux servers

First establish what is alerting (RAM, CPU or disk usage) and connect to the server.


If the alert is for RAM usage
Connect to the server and run the "top" command (type "top" and press enter).
Top is similar to taskmgr on Windows.

Press Shift and M to sort the processes by highest mem usage

The command "free -m" can also be useful for seeing how much memory is used/free. Read the "-/+ buffers/cache" line (or the "available" column on newer versions) rather than the first line: Linux uses otherwise idle memory for the page cache, so the first line's "used" figure overstates what applications are actually consuming.

You can see which process is using up all the memory and which user is running it. You may need to contact the customer, application or DB team to find out if this is expected and what the next step should be.

If the alert is for CPU usage

Connect to the server and run the "top" command (like taskmgr on Windows).
Press Shift and P to sort the processes by highest CPU usage.

You can see which process is using up all the CPU and which user is running it. You may need to contact the customer, application or DB team to find out if this is expected and what the next step should be.



If the alert is for disk space usage
Connect to the server and run the "df -h" command.

This will show you the percent usage on each partition/mount.
To get further information on reads/writes to a partition run "vmstat -p" with the partition device (not the mount point); the device for a mount is in the first column of the df output, for example:
"vmstat -p /dev/sda2"

If we run the "df -h" command and discover that /home is at 95% usage, we can see what is using up all the space with the du command. First "cd /home", then run:
"du -sm * | sort -nr | head -10"
This gives each entry's size in MB, sorts them with the largest at the top and only shows the top 10 results. Two caveats: "*" does not match hidden files and directories (add ".[!.]*" to the pattern to include them), and when the full filesystem is / use "du -xsm" so that du stays on that filesystem instead of descending into separately mounted ones and blaming the wrong filesystem.

You can contact the owners of large files and ask them if they are required. You may find that log files grow to a large size or backup files are building up. Best practice is to set up a script (or logrotate for log files) to remove old files.
Before assigning to N&S you should complete the steps above. With the information provided you should be able to resolve the tag. If not take screen shots of your output and attach them to the tag.
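The three checks above, as an added example that is not part of the original post: non-interactive shell functions that produce the same evidence as top, free and df/du, so the output can be pasted into the tag instead of screenshots. It assumes Linux with procps-ng ps and GNU coreutils; the function names, the 90% threshold and the sample df lines are my own constructions, not from a real host.

```shell
#!/bin/bash
# Added example (not from the original post): non-interactive equivalents of the
# top/free/df/du steps. Assumes Linux with procps-ng ps and GNU coreutils.
set -u

# Top N processes by memory or CPU together with the owning user, which is what
# the RAM and CPU steps ask for. column is a procps sort key: "%mem" or "%cpu".
hogs() {
    local column="$1" n="${2:-10}"
    ps -eo pid,user,%mem,%cpu,rss,etime,comm --sort="-${column}" | head -n "$((n + 1))"
}

# Read `df -P` output on stdin and print "use% mount" for every filesystem at or
# above the threshold (default 90), most-full first. `df -P` (POSIX format) keeps
# each filesystem on one line, so the columns are stable:
# 1=filesystem 2=blocks 3=used 4=available 5=use% 6=mount point.
# Caveat: a mount point containing spaces would be cut at the first space.
full_filesystems() {
    local threshold="${1:-90}"
    awk -v t="$threshold" '
        NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 >= t + 0) print pct, $6 }
    ' | sort -nr
}

# Largest entries directly under a directory, in MB, as in the du step above.
# -x keeps du on the same filesystem so a full / is not blamed on a mounted /home;
# the .[!.]* pattern is added because "*" alone skips hidden entries.
largest_in() {
    local dir="$1" n="${2:-10}"
    du -xsm "$dir"/* "$dir"/.[!.]* 2>/dev/null | sort -nr | head -n "$n"
}

# Constructed sample `df -P` output (not from a real host) for a stand-alone run.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1          8124856  3038096   4652236      40% /
/dev/sda2         41153760 38887924   2265836      95% /home
tmpfs              1024000        0   1024000       0% /dev/shm
/dev/sdb1        103080888 92345244   5493240      92% /var/log'

# Filesystems from the sample that are at or above 90%: /home first, then /var/log.
printf '%s\n' "$SAMPLE_DF" | full_filesystems 90

# On a real host the same check is: df -P | full_filesystems 90
# The process listing only runs where ps is available.
command -v ps >/dev/null 2>&1 && hogs %mem 5
```

On a live server run "df -P | full_filesystems 90" to find the full filesystems, "largest_in /home" to find what fills one, and "hogs %mem" or "hogs %cpu" for the RAM and CPU alerts; all of it is plain text that can be attached to the tag.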

More on using the top command
press Shift and P - sorts processes by highest CPU usage
press Shift and M - sorts processes by highest memory usage
press u, type a username and press enter - shows only processes for that username (press u and enter with no name to bring them all back)
press r and enter the PID to renice a process - sets a process to a higher or lower priority (be careful)
press Shift and R - reverses the current sort order, so the smallest values come first (Shift and R again to change it back)
press c - shows the full command line that was used to launch the process
press k and enter the PID - will kill the selected process (top then asks for the signal; the default is 15, SIGTERM) (be careful)
press q - will quit the top application


Script to list largest directory or files
Just copy the script below onto the server you want to check
It will give you the top 10 directories and then the top files in those directories
You may need to make it executable

#!/bin/bash
# This will give the user back a listing of the largest files/dirs on the system
set -u

# make a private tempfile; a fixed name such as /tmp/mktemp1 could be created
# or symlinked in advance by another user on the box, and we run as root
tmpfile=$(mktemp) || exit 1
trap 'rm -f "$tmpfile"' EXIT

# get overall 10 largest top-level dirs (errors from /proc and unreadable
# paths are discarded; add -x to du to stay on the root filesystem only)
du -sm /* 2>/dev/null | sort -nr | head > "$tmpfile"

echo "Directory size listings for $(hostname -s)"
echo "Run date: $(date)"
echo "All sizes on left are in MB"
echo " "
echo "/ dir size list"
cat "$tmpfile"
echo " "

# for the largest 5 of the above, list the largest entries inside each
# (du prints "size<TAB>path", so the path is the second field)
head -5 "$tmpfile" | awk '{print $2}' | while read -r dir
do
        echo "$dir dir size list"
        du -sm "$dir"/* 2>/dev/null | sort -nr | head
        echo " "
done

exit 0