I've seen a lot of different configurations for DC time on ESX server both on this forum and others on the internet. I'm getting somewhat confused and would like to get some opinions before making any bad decisions.
My current setup is 2 Windows 2003 DCs on bare metal. I am looking to leave the PDC emulator on a bare metal system, promote a third DC on a virtual machine in ESX 3.5 and demote the second bare metal machine so that I end up with 2 DCs, one of which is a virtual machine that can be cloned for disaster recovery and/or testing purposes.
My concern is the time drift issue that affects virtual machines. I've seen various opinions but the best that I can figure out after reading http://download3.vmware.com/vmworld/2006/tac9710.pdf is that I should:
1) set the PDC running on bare metal to sync time with tock.usno.navy.mil by configuring the registry entries:
Type = NTP
NtpServer = tock.usno.navy.mil,0x1
AnnounceFlags = 5
Then stop and start the w32time service and force the time update with "w32tm /resync /rediscover"
2) configure the ESX server as an NTP client syncing to the PDC
3) configure the second DC running as a Virtual machine to sync with the host ESX server by setting:
Type = NoSync
Then setting the "time synchronization between virtual machine and ESX server" option in VMware tools
My questions are: Am I missing anything? Does anybody have a similar setup running? Do any of these settings prevent client PCs or member servers from syncing to the domain controllers? The document I linked to above says to set the registry entries in the domain controller group policy but this would put the same settings on all DCs would it not? Can I do it as manual registry configurations as indicated above?
We use the same setup except for step 3. All our VMs use the AD timesync and NO VM Tools sync...
Works just fine for us for the last 2 years...
I'd go along with Lars. We have the PDC emulator running on metal with an external sync. All other DCs and servers are virtual and take the sync from the metal PDC. No server uses the VM Tools to sync time or takes any other source. Setting the option on all the servers and clients, except the PDC, is as simple as making sure each server is using AD time.
net time /setsntp
net time /querysntp > This computer is not currently configured to use a specific timeserver (therefore I'll query DNS for an AD timesource)
Make sure you only have one source and everybody talks to that source. Remember if you have a time drift, so long as everybody is drifting at the same rate - it's not good - but things will still work. You have problems when one half of the network is going one way (ESX time) and one half the other (AD time). Keep an eye on your event logs for W32Time errors. Works for me.
As both the other posters have stated, do not mix time synchronisation.
Configure the 2nd DC and all other servers to use the PDC as the time source.
The only time I would consider the use of ESX time is when I have no physical DCs and my ESX hosts are set to get their time from an NTP source. Even then, I would rather have my PDC set to an NTP source and point all other servers to it; this way, if there is any time drift, all servers would suffer the same drift and, as previously stated, things would still work.
My reasoning for the above is as follows: a misconfiguration of an ESX host (i.e. not pointing it at the same NTP server) or an NTP communication failure could result in time drift between ESX hosts; therefore the possibility of a time jump when DRS or VMotion moves the PDC emulator could give rise to the risk of time drift.
VMware Communities User Moderator
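The rule the replies above converge on (external NTP on the PDC emulator only, every other machine on AD time, no VMware Tools sync anywhere), written as a small audit. This is an added example, not part of the original thread; the host names and the inventory format are hypothetical, and it assumes `NT5DS` (the W32Time `Type` value for domain-hierarchy sync) is what "using AD time" means on each machine.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str           # hypothetical host name
    role: str           # "pdc", "dc" or "member"
    w32time_type: str   # W32Time Parameters\Type: NTP, NT5DS, NoSync, AllSync
    ntp_server: str     # W32Time Parameters\NtpServer ("" if unset)
    tools_sync: bool    # VMware Tools time sync enabled (False on bare metal)

def audit(hosts):
    """Return (host, finding) pairs for every break of the one-source rule."""
    findings = []
    pdcs = [h for h in hosts if h.role == "pdc"]
    if len(pdcs) != 1:
        findings.append(("<domain>", f"expected one PDC emulator, found {len(pdcs)}"))
    for h in hosts:
        sync_type = h.w32time_type.upper()
        if h.role == "pdc":
            # Only the PDC emulator talks to the external source.
            if sync_type != "NTP" or not h.ntp_server:
                findings.append((h.name, "PDC emulator has no external NTP source"))
        elif sync_type != "NT5DS":
            # Everything else must follow the domain hierarchy (AD time).
            findings.append((h.name, f"Type={h.w32time_type}: not using AD time"))
        if h.tools_sync:
            # Host-driven sync is a second, competing time source.
            findings.append((h.name, "VMware Tools sync enabled: second time source"))
    return findings

# Constructed sample inventory: dc2-vm is configured as in step 3 of the question.
INVENTORY = [
    Host("dc1", "pdc", "NTP", "tock.usno.navy.mil,0x1", False),
    Host("dc2-vm", "dc", "NoSync", "", True),
    Host("file1-vm", "member", "NT5DS", "", False),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```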
Thanks for your input
So if I understand what you are saying correctly I should leave all the default settings on the Virtual Machine DC after I promote it and all time issues will be fine. It will sync with the PDC emulator often enough to avoid any time drift problems.
That is correct,
VMware Communities User Moderator
This document was generated from the following thread: Domain Controller time - need input