I'm running a production web server on Windows Server 2008. On this server I have a database which logs certain user actions, but every now and again I inexplicably get database entries which, according to the record ID and the records immediately before and after, have the wrong time logged against them (7 days+ too old). For example, record ID 1001 will be for Dec 7, 11pm, 1002 will be for Dec 7, 11:01pm, then 1003 will be for Nov 28, 1:38am, then the next will be back on track again. The problem seems to occur in random records (or 2-3 records in a row) and crops up once every few days. This is absolutely baffling because there is only one place in the application that assigns this date/time value and it's simply the system UTC date.
I have been synchronizing the system time to time-a.nist.gov (which I read in another article was a bit more reliable than the default time.windows.com) and it seems to occasionally get out of time anyway (3-4 minutes), but I'm speculating that occasionally the time server has a temporary glitch where the date changes to a drastically wrong value for a short space of time, then changes back. Either that, or the motherboard clock battery is screwed and the reason the time momentarily changes is that the motherboard loses the time and then the time synchronization puts it back again.
Could either of my suspicions be right? Should I turn off time synchronization for a production server? Assigning dates to an event log where the dates are up to 2 weeks prior to the actual date is a severe problem I can't have when the next version of my application is released. Any suggestions or advice would be appreciated.
I'm not sure whether time sync IS the cause of your problem, but rather than disabling time sync altogether, there are some great third-party utilities for doing time sync. My personal favourite is Tardis 2000. One of the features is a 'maximum adjustment' which you could set to a few minutes (I usually use 5 minutes) - this limits the amount that the time can change in one go. In practice though, once Tardis 2000 has locked on to a time source, it measures your system clock's variation and keeps it in sync by fine-tuning the clock frequency! It'll even email you if it loses sync. Very thorough little SNTP utility.
Search your System log for events 520 (the "clock was changed" event). This should tell you who/what and when it is changing the clock. That should at least help you narrow it down.