This article describes how to keep the clock of the Passive server synchronized with the Active server in a Neverfail Engine Pair or Trio, using a single script triggered by a Neverfail Periodic Task that runs directly on the Passive node. The script automatically detects which node is currently Active and synchronizes time from it and works for both Pair and Trio topologies. This procedure applies to Neverfail Engine v22 and later, where Periodic Tasks can run on the Passive server.
While a node is Passive, it is intentionally hidden from the domain controller by the Neverfail Packet Filter, so it cannot reach the domain time source and its clock can drift over time. To correct this, the Passive synchronizes its time from the Active server across the Channel connection using the Windows Time service.
So that whichever node is Active can serve time to the Passive over the Channel, enable the Windows Time NTP server on the Primary, Secondary, and (if present) Tertiary. On each server, open an elevated Command Prompt and run:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /v Enabled /t REG_DWORD /d 1 /f
net stop w32time & net start w32time
On the Active server create a file named SyncTimeFromActive.bat with the content below. The script reads the Neverfail registry to determine which node is currently Active, then synchronizes the clock of the Passive node(s) by querying the Active server on its Channel IP:
@echo off
setlocal enabledelayedexpansion
REM Passive node syncs its clock from the Active node over the Channel IP.
set "BASE=HKLM\SOFTWARE\JavaSoft\Prefs\neverfail\current"
REM 1. Local identity: Host = 1 PRIMARY, 2 SECONDARY, 3 TERTIARY
for /f "tokens=3" %%H in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\NFServerR2\Parameters" /v Host 2^>nul ^| find /i "Host"') do set /a HOSTID=%%H
if "%HOSTID%"=="1" set "MYROLE=/P/R/I/M/A/R/Y"
if "%HOSTID%"=="2" set "MYROLE=/S/E/C/O/N/D/A/R/Y"
if "%HOSTID%"=="3" set "MYROLE=/T/E/R/T/I/A/R/Y"
REM 2. Detect Active node
set "ACTIVE="
for /f "tokens=3" %%A in ('reg query "%BASE%\/Controller" /v "/Active/Server" 2^>nul ^| find /i "Active/Server"') do set "ACTIVE=%%A"
if not defined ACTIVE exit /b 1
REM If I am the Active node, nothing to sync
if /i "%ACTIVE%"=="%MYROLE%" exit /b 0
REM 3. Active node's Channel IP as seen from me: /Comms/Mgr/Hosts[MYROLE] -> /Host/List[ACTIVE]
set "ACTIVEIP="
for /f "tokens=3" %%I in ('reg query "%BASE%\/Comms/Mgr\/Hosts[%MYROLE%]" /v "/Host/List[%ACTIVE%]" 2^>nul ^| find /i "Host/List"') do set "ACTIVEIP=%%I"
if not defined ACTIVEIP exit /b 1
REM 4. Sync local clock from the Active node over the Channel
w32tm /config /manualpeerlist:"%ACTIVEIP%,0x8" /syncfromflags:manual /update
w32tm /resync /rediscover
endlocal
Copy the script into the replicated C:\ProgramData\Neverfail-Protected folder. Because this folder is replicated by default, the script is automatically present and identical on all nodes — no per-server editing is required.
In the Neverfail Advanced Management Client, go to Applications > Tasks and create a new Task:
C:\ProgramData\Neverfail-Protected\SyncTimeFromActive.ps1"Because the Task runs only on the Passive node and the script detects the Active node itself, no role-detection editing or per-server values are needed.
After the Task runs (or trigger it manually), confirm that now time on the Passive server matches the Active server.