MEMBER FEEDBACK TO THIS TIP

In general, I do not use time servers on Domino because it can make your logs look inconsistent if the time resets during operation and it is updated by Domino. Personally, I would only resynchronize the time if needed, and then only after shutting Domino down prior to a restart.
In general, I agree. However, there is usually a reason WHY the time drifts on the server. If a server (or other network device) is experiencing a drift of more than one second per 24 hours, there is a bigger issue at hand, such as a faulty timer chip or a failing backup CMOS battery. Typically, in any network environment, a central primary time "standard" should be selected (typically a Windows domain controller) and a secondary slaved to it (similar to a DNS setup); then all other devices that operate (or log data) based on time information can reference these time standards. These devices would be servers, workstations, routers, firewalls, etc.
How often a device should be "synchronized" is largely dependent on the environment. Domino servers do have an issue with time differences (especially single sign-on or SSO), and from a log review and comparison standpoint (for example: cross-referencing firewall logs with Domino logs to determine a possible Web server attack).
I suggest setting your internal primary (and secondary) time standard to sync with an external time standard (at the "Stratum 2" level or greater, such as tick.usno.navy.mil) often enough to keep its daily drift to below 0.5 seconds per 24 hours (as low as every six hours or as much as every 15 minutes). Then sync the internal network to the new internal time standard as often as needed to maintain its time drifts to the same as the primary time standard (<0.5 sec/24 hr).
I could go on and on regarding the whole topic of time and how it affects network devices, but I'll reserve that for another "time."
We've found that an inconsistent log time is more of a problem when you're trying to synchronize events across servers -- so you must use the OS time and keep the OS time synched with a common time source. (It doesn't even have to be one outside your firewall as long as the time is consistent across the enterprise.)
A few years ago we had a virus incident that we were trying to track back to the source. After much examination of logs on several servers we couldn't see how it got into the enterprise. Then we realized a gateway server was 5 minutes out and an e-mail server 3 minutes out the other way -- then everything made sense. Since then, we've been synching each Unix server every hour (so you don't get a sudden time change if you only do it once a week/month). The Windows servers synchronize with the domain controller, and we can now compare firewall events with Domino server logs, HTTP traffic etc. across platforms and across servers. We're now looking at "Incident Managers" that automatically pull all of the real time errors together to evaluate the full scope/impact of a problem -- but without consistent times on all of the servers, the tool's ability to do its job would be limited.
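The cross-server log correlation problem described in the feedback above, as an added example that is not part of the original page: it merges events from three hosts into one timeline, with and without correcting for each host's clock offset. The host names, offsets (including which direction each clock was out) and log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Assumed, constructed values: seconds each host's clock runs ahead of the
# reference time source (negative = behind). They mirror a gateway 5 minutes
# out and a mail server 3 minutes out the other way; directions are assumed.
CLOCK_OFFSET_S = {"firewall": 0, "gateway": 300, "mail": -180}

# Constructed sample log events: (host, local timestamp, message).
RAW_EVENTS = [
    ("firewall", "2004-10-01 10:00:05", "inbound SMTP connection accepted"),
    ("gateway", "2004-10-01 10:05:07", "message relayed to mail server"),
    ("mail", "2004-10-01 09:57:10", "infected attachment delivered"),
]


def build_timeline(events, offsets):
    """Return events sorted by reference time.

    Each entry is (reference_time, host, message, verified). A host with no
    measured offset keeps its local time and is marked verified=False, so an
    analyst knows its position in the sequence cannot be trusted.
    """
    timeline = []
    for host, stamp, message in events:
        local = datetime.strptime(stamp, FMT)
        verified = host in offsets
        corrected = local - timedelta(seconds=offsets.get(host, 0))
        timeline.append((corrected, host, message, verified))
    return sorted(timeline, key=lambda entry: entry[0])


def host_order(timeline):
    """Hosts in the order their events appear on the timeline."""
    return [host for _, host, _, _ in timeline]


def worst_case_skew_s(offsets):
    """Largest disagreement between any two clocks, in seconds."""
    return max(offsets.values()) - min(offsets.values())


if __name__ == "__main__":
    for when, host, message, ok in build_timeline(RAW_EVENTS, CLOCK_OFFSET_S):
        flag = "" if ok else "  [offset unknown]"
        print(f"{when.strftime(FMT)}  {host:<8}  {message}{flag}")
```

Sorted on raw timestamps, the delivery on the mail server appears to precede the connection that carried it; after correction the three events fall within five seconds of each other in causal order.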
This was first published in October 2004