Domain Controller time Sync In a VM

Version 2

    I've seen a lot of different configurations for DC time on ESX server, both on this forum and others on the internet. I'm getting somewhat confused and would like to get some opinions before making any bad decisions.

    My current setup is 2 Windows 2003 DCs on bare metal. I am looking to leave the PDC emulator on a bare metal system, promote a third DC on a virtual machine in ESX 3.5 and demote the second bare metal machine so that I end up with 2 DCs, one of which is a virtual machine that can be cloned for disaster recovery and/or testing purposes.

    My concern is the time drift issue that affects virtual machines. I've seen various opinions but the best that I can figure out after reading http://download3.vmware.com/vmworld/2006/tac9710.pdf is that I should:

    1) set the PDC running on bare metal to sync time with tock.usno.navy.mil by configuring the registry entries:

    HKLM\System\CurrentControlSet\Services\W32Time\Parameters
    Type = NTP
    NtpServer = tock.usno.navy.mil,0x1

    HKLM\System\CurrentControlSet\Services\W32Time\Config
    AnnounceFlags = 5

    Then stop and start the w32time service and force the time update with "w32tm /resync /rediscover"

    2) configure the ESX server as an NTP client syncing to the PDC

    3) configure the second DC running as a Virtual machine to sync with the host ESX server by setting:

    HKLM\System\CurrentControlSet\Services\W32Time\Parameters
    Type = NoSync

    Then setting the "time synchronization between virtual machine and ESX server" option in VMware tools

    My questions are: Am I missing anything? Does anybody have a similar setup running? Do any of these settings prevent client PCs or member servers from syncing to the domain controllers? The document I linked to above says to set the registry entries in the domain controller group policy, but this would put the same settings on all DCs, would it not? Can I do it as manual registry configurations as indicated above?

    Thanks

     


    Hi

    We use the same setup except for step 3. All our VMs use the AD timesync and NO VM Tools sync...

    Works just fine for us for the last 2 years...

     


    I'd go along with Lars. We have the PDC emulator running on metal with an external sync. All other DCs and servers are virtual and take the sync from the metal PDC. No server uses the VM Tools to sync time or takes any other source. Setting the option on all the servers and clients, except the PDC, is as simple as making sure each server is using AD time.

    net time /setsntp


    net time /querysntp > This computer is not currently configured to use a specific timeserver (therefore I'll query DNS for an AD timesource)


    Make sure you only have one source and everybody talks to that source. Remember, if you have a time drift, so long as everybody is drifting at the same rate - it's not good - but things will still work. You have problems when one half of the network is going one way (ESX time) and one half the other (AD time). Keep an eye on your event logs for W32Time errors. Works for me.

     

     

     


    As both the other posters have stated, do not mix time synchronisation.

    Configure the 2nd DC and all other servers to use the PDC as the time source.


    The only time I would consider the use of ESX time is when I have no physical DCs and my ESX hosts are set to get their time from an NTP source. Even then, I would rather have my PDC set to an NTP source and point all other servers to it; this way, if there is any time drift, all servers would suffer the same drift and, as previously stated, things would still work.


    My reasoning for the above is as follows: a misconfiguration of an ESX host (i.e. not pointing it at the same NTP server) or an NTP communication failure could result in time drift between ESX hosts, therefore the possibility of a time jump when DRS or VMotion moves the PDC emulator could give rise to the risk of time drift.

     

     

     

    Tom Howarth
    VMware Communities User Moderator

     

     

     


    Thanks for your input

    So if I understand what you are saying correctly, I should leave all the default settings on the Virtual Machine DC after I promote it and all time issues will be fine. It will sync with the PDC emulator often enough to avoid any time drift problems.

     


    That is correct,

    Please remember to use the helpful or correct buttons if you found any of the information imparted here useful

     

     

     

    Tom Howarth
    VMware Communities User Moderator
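
A check for the arrangement the replies settle on (PDC emulator on an external NTP source, every other machine on domain time), as an added example that is not part of the thread. The function names and role labels are hypothetical, `NT5DS` is the standard W32Time `Type` value for syncing from the domain hierarchy, and PowerShell 2.0 or later is assumed to be available on the server.

```powershell
# Added example, not from the thread. Expected values follow the thread:
#   PDC emulator      -> Type = NTP, an explicit NtpServer, AnnounceFlags = 5
#   any other machine -> Type = NT5DS (domain hierarchy, the Windows default)
function Test-W32TimeRole {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Settings,  # Type, NtpServer, AnnounceFlags
        [Parameter(Mandatory=$true)][ValidateSet('PdcEmulator','DomainMember')][string]$Role
    )
    $findings = @()
    if ($Role -eq 'PdcEmulator') {
        if ($Settings.Type -ne 'NTP') {
            $findings += "Type is '$($Settings.Type)', expected NTP (external source)"
        }
        if ([string]::IsNullOrEmpty($Settings.NtpServer)) {
            $findings += 'NtpServer is empty, so the PDC emulator has no upstream clock'
        }
        if ($Settings.AnnounceFlags -ne 5) {
            $findings += "AnnounceFlags is $($Settings.AnnounceFlags), expected 5"
        }
    }
    elseif ($Settings.Type -ne 'NT5DS') {
        # NoSync (step 3 of the question) or NTP here means a second time source
        $findings += "Type is '$($Settings.Type)', expected NT5DS (domain time)"
    }
    $findings   # an empty result means the settings match the role
}

# Reads the same two registry keys the question lists.
function Get-W32TimeSettings {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $p = Get-ItemProperty -Path "$base\Parameters"
    $c = Get-ItemProperty -Path "$base\Config"
    @{ Type = $p.Type; NtpServer = $p.NtpServer; AnnounceFlags = $c.AnnounceFlags }
}

# Constructed sample: the virtual DC as configured in step 3 of the question.
$sample = @{ Type = 'NoSync'; NtpServer = ''; AnnounceFlags = 10 }
Test-W32TimeRole -Settings $sample -Role DomainMember

# On a live machine:
# Test-W32TimeRole -Settings (Get-W32TimeSettings) -Role DomainMember
```

The constructed sample yields one finding, because `NoSync` takes the virtual DC out of the domain hierarchy that the replies recommend.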

     

    This document was generated from the following thread: Domain Controller time - need input