VMware Cloud Community
Dready
Contributor

ESXi time sync with windows 2008 pdc role fails

Hello,

I've set up my ESXi hosts to sync their time with my (physical) windows 2008 domain controller.

This DC holds the PDC role for the domain.

Time sync on the host is set up on ip address, but it doesn't work. The host doesn't sync the time.

When a VM boots, it first syncs the time with the host and after a few minutes it re-syncs with the DC.

How do I get the host to sync with my DC?

ThX,

Harry


Accepted Solutions
FranckRookie
Leadership

Hi Harry,

You may need to enable the NTP server feature on your PDC Emulator first (must be disabled by default). You can have a look at the following blog to find how to do it.

Never use NTP within a VM if it is part of a domain. Active Directory has its own time management mechanism.

Hope it helps.

Regards

Franck

5 Replies
bulletprooffool
Champion

To get an ESX host to sync with the DC, select the ESX host in the VC -> Click on the 'Configuration' tab -> Under Software, select 'Time Configuration' -> Select Properties -> Select NTP client options -> NTP Settings -> Specify DC IP address -> restart NTP service on the ESX host

Details for setting up NTP on an R2 host can be found here:

http://bchavez.bitarmory.com/archive/2009/12/21/how-to-setup-a-windows-2008-r2-sntp-ntp-server.aspx

Lastly, configure your VMs to use the NTP host as a source and all should be peachy.

One day I will virtualise myself . . .
bulletprooffool
Champion

Franck - I disagree with your statement about NTP and AD time management.

Working in a banking environment with time-sensitive transactions happening all the time, we have very quickly learnt that AD time management is not accurate enough for critical machines. We don't use NTP either, but third-party tools.

AD time management is simply cleverly disguised NTP anyway, with time sources being automatically selected (DCs).

One day I will virtualise myself . . .
FranckRookie
Leadership

So you need to get round AD time sync. You are right, it should be better than MS solution, but you have to do that on all machines. The problem arises when you have a mixed configuration, usually physical machines with MS time and VMs using NTP, ESX or any other time source. You need to be consistent across your Windows systems.

I have never had such a configuration but it is very interesting to know it works fine for you.

Thanks for the information Alan.

Regards

Franck

Dready
Contributor

Thanks everyone for replying.

Problem was with the DC holding the PDC role.

The time service was set to ntp.pool.org but only one ip was allowed thru the firewall.

When the dns resolving changed the ip address, requests were blocked.

The time service "stopped advertising as a good time source", preventing ESX hosts from syncing their time.

After opening up the firewall (and restarting the VMware agents) all worked fine!
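
An NTP server that has lost its own upstream source, as the DC in this thread had, shows it in the header of every reply it sends. The following Python check is an added example, not code from the thread: it decodes a reply and lists the reasons an NTP client would refuse the server. The function names, the 1.5 s root-distance limit and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

MAX_ROOT_DISTANCE = 1.5  # seconds; assumed client limit, adjust to your client's setting

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the reply fields that tell a client whether the server is usable."""
    if len(packet) < 48:
        raise ValueError("an NTP packet is at least 48 bytes")
    flags, stratum, _poll, _precision, delay, disp = struct.unpack("!BBbbII", packet[:12])
    return {
        "leap": flags >> 6,                  # 3 = server clock not synchronized
        "mode": flags & 7,                   # 4 = server reply
        "stratum": stratum,                  # 0 or >= 16 = unsynchronized
        "root_delay": delay / 65536,         # 16.16 fixed point, seconds
        "root_dispersion": disp / 65536,
    }

def rejection_reasons(packet: bytes, max_distance: float = MAX_ROOT_DISTANCE) -> list:
    """Return the reasons a client would refuse this server (empty list = usable)."""
    h, reasons = parse_ntp_header(packet), []
    if h["mode"] != 4:
        reasons.append("not a server reply")
    if h["leap"] == 3:
        reasons.append("leap indicator 3: server says it is unsynchronized")
    if h["stratum"] == 0 or h["stratum"] >= 16:
        reasons.append(f"stratum {h['stratum']}: no valid upstream source")
    distance = h["root_delay"] / 2 + h["root_dispersion"]
    if distance >= max_distance:
        reasons.append(f"root distance {distance:.2f}s exceeds {max_distance}s")
    return reasons

def query(host: str, timeout: float = 3.0) -> bytes:
    """Send one client request (version 3, mode 3) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x1b" + bytes(47), (host, 123))
        return s.recvfrom(512)[0]

def _reply(leap, stratum, root_delay, root_disp):
    """Build a constructed server reply so the check can be run offline."""
    flags = (leap << 6) | (4 << 3) | 4
    fixed = lambda seconds: int(seconds * 65536)
    return struct.pack("!BBbbII", flags, stratum, 6, -6,
                       fixed(root_delay), fixed(root_disp)) + bytes(36)

HEALTHY = _reply(0, 2, 0.03, 0.05)       # constructed: synced to an upstream source
UNSYNCED = _reply(3, 0, 0.0, 0.0)        # constructed: upstream blocked, clock unsynced
FREE_RUNNING = _reply(0, 1, 0.0, 10.0)   # constructed: local clock, large dispersion
```

To test a real server, pass the DC's address to `query()` and feed the result to `rejection_reasons()`.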
