VMware Cloud Community
littlebox
Contributor

NTP Server options

We are using a test ESXi 5.1 environment that consists of 3 hosts with vCenter running as a VM (Win2008).

Our environment has no internet connectivity and there are no servers on the network other than the esx hosts.

I would like to be able to synchronize my host clocks automatically but am not sure which option is best given my environment.

Option A - Use the vcenter VM as the NTP server. Based on what I have read so far this is not a good idea. I tried it anyway and set the NTP server for all hosts to the vcenter IP and set the group policy permissions for NTP on the Win2008 guest OS. I also enabled the client and started the services. This did not work.

Option B - Use one of the hosts as the NTP server. I tried adding the IP address of host 1 as the NTP server on hosts 2 & 3 but that did not work either.

I am pretty new to ESX so I likely missed settings when I tried both options above.  I have no Linux experience so any how-to advice using the GUI would be really helpful.

Is there a better option other than the two above?

Josh26
Virtuoso

Option A - Use the vcenter VM as the NTP server

Likely this didn't work because when Windows says "Time Server" it doesn't mean NTP. I have the following process documented to make this work:

#Setup an upstream - from command line

w32tm /config /syncfromflags:manual /manualpeerlist:"0.oceania.pool.ntp.org 1.oceania.pool.ntp.org"

w32tm /config /reliable:yes

w32tm /config /update

#Enable NTP - from regedit

HKLM->System->CurrentControlSet->Services->W32Time->TimeProviders->NtpServer->Enabled should be set to 1

Restart the Windows Time service

Option B - Use one of the hosts as the NTP server.

ESXi does not run ntp server. This is not a supported configuration.

I have no Linux experience so any how-to advice using the GUI would be really helpful.

Linux experience shouldn't be relevant. ESXi is not Linux and if you can't do it from the GUI, or PowerCLI (which is firmly Windows-like) you probably are doing it wrong.

littlebox
Contributor

Josh

Thanks for the reply.

I entered the w32tm commands successfully, made the registry change and was able to start the Windows Time Service.

All ESXi hosts' NTP Server setting was set to the Win 2008 Server's IP and the NTP client is running on all.

However, the time on all hosts is still not pulling from the server. I rebooted the Win2008 server and verified that the Windows Time Service was still running. As I mentioned in the original post, I do not have an internet connection so I am not sure if the w32tm commands pointing to the oceania servers are the cause.

Any suggestions?

JarryG
Expert

Just a side-note: You say you do not have internet connection. May I ask how did you set-up ntp-server? Starting ntp-service on windows-host (or ntp-daemon on linux) does *not* mean you have ntp-server running, because the clock on the system is still not synchronised and depends fully only on system-clock (I have seen motherboards of such a "quality" that system-time drifted away a few minutes per day).

ntp-server either:

a) has direct source of exact time (devices like i.e. gps-clock, atomic-clock, radio-receiver, called "stratum 0"), and such a server is then "top-level" ntp-server (called "stratum 1"), or

b) is integrated in the hierarchical system of ntp-servers. Such a ntp-server is then one level lower, than ntp-server where it asks for time (i.e. my ntp-server is "stratum 2", because it synchronises time with a few "stratum 1" servers). But in this case, your server needs to have some kind of connection to higher-level ntp-servers (i.e. internet)...

Technically, you can start ntp-service (or daemon) without having time synchronised (with either time-devices or superior time-servers). But I see two problems:

1. your hosts using such a "lonely ntp-server" for synchronisation will never have correct time, but time of this "ntp-server". They will not have exact time, only equally wrong time.

2. as time goes on, difference to correct time becomes huge. Even with a good motherboard you can expect to have time-deviation ~15min per year. Such a time-stamp in logs is useless. So you will have to correct system-time of your "lonely ntp-server" manually. And that is the worst that can happen to ntp-clients: when they suddenly find their time is completely wrong. Such a deviation can not be corrected by "slewing" (very small time-delta change, i.e. 0.01s per second). Instead, one huge step is used, and this frequently causes problems for other services like mail, ftp, dns, etc. I had such a problem with dovecot (mail-server), which simply stopped serving clients whenever server-time was changed using step higher than 0.1s...

My recommendation is either get some source of exact time for your ntp-server (these are not expensive, simple gps-module or ukw radio-receiver is enough) or establish connection between your ntp-server and at least two superior ntp-servers. Because having a ntp-server with no source of exact time is imho useless. BTW, I do not know windows ntp-service, but it might be that it simply refuses to serve time for clients if it does not have its own time synchronised (no source of exact time)...

_____________________________________________ If you found my answer useful please do *not* mark it as "correct" or "helpful". It is hard to pretend being noob with all those points! :winking_face:
littlebox
Contributor

JarryG

I was hoping to use the vcenter server (which is a VM) as my NTP server. I realize that this is not optimal but my test environment is a closed network and restrictions prevent me from adding any devices or external connections. Right now all 3 hosts have different times so I figure that having them all on the same time, even if it is not that accurate, would be better than what I currently have.

You bring up some interesting points though. In a production environment given the same restrictions, would it be better to not use an NTP server given the potential problems you mention?

JarryG
Expert

Well, it depends on services you are running. We had a lot of problems with out-of-sync time, i.e. when users called it-support and asked "what happened to my email, the one I sent 5 minutes ago?". If timestamp in log-file was half an hour off, we had trouble finding the correct email. Similar problem was with file-servers if users looked for files based on their modification time. A lot of problems arose until we finally invested in one radio-clock receiver and set up our own company's dedicated stratum-1 time-server. imho correct synchronised time in production environment is a must...

Josh26
Virtuoso

Unfortunately the way NTP works - if it cannot communicate with an upstream, it's not considered reliable, and therefore, it's nothing that your clients (esxi hosts) will talk to.

JarryG wrote:

Well, it depends on services you are running. We had a lot of problems with out-of-sync time

Wait until your domain controllers stop talking to each other because kerberos won't authenticate, due to a timeshift of < 1 hour.

Reply
0 Kudos
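The behaviour Josh26 and JarryG describe (a time service that answers but is not synchronised gets ignored by its clients) can be checked from the header of the server's NTP reply. The following is an added example, not part of any post in the thread: it decodes the leap indicator, stratum and root dispersion from a reply and applies a simplified version of the sanity checks an ntpd-style client makes. The 1.5 s root-distance limit, the function names and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

MAX_ROOT_DISTANCE = 1.5  # seconds; assumed limit, modelled on ntpd's default "maxdist"

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the first 16 bytes of an NTP packet (RFC 5905 header layout)."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    flags, stratum, _poll, _prec, delay, disp, ref_id = struct.unpack(
        "!BBbbII4s", packet[:16])
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum,
            "root_delay": delay / 65536.0,       # 16.16 fixed point, seconds
            "root_dispersion": disp / 65536.0,
            "ref_id": ref_id}

def client_verdict(hdr: dict) -> tuple:
    """Simplified client-side sanity checks: (accepted, reason)."""
    if hdr["mode"] != 4:
        return (False, "not a server reply")
    if hdr["leap"] == 3:
        return (False, "leap indicator 3: server clock unsynchronised")
    if hdr["stratum"] == 0 or hdr["stratum"] >= 16:
        return (False, "stratum %d: unsynchronised" % hdr["stratum"])
    distance = hdr["root_delay"] / 2 + hdr["root_dispersion"]
    if distance > MAX_ROOT_DISTANCE:
        return (False, "root distance %.2f s exceeds limit" % distance)
    return (True, "usable time source")

def build_reply(leap, stratum, root_delay, root_disp, ref_id=b"LOCL") -> bytes:
    """Construct a sample server reply (version 4, mode 4) for offline testing."""
    flags = (leap << 6) | (4 << 3) | 4
    head = struct.pack("!BBbbII4s", flags, stratum, 6, -20,
                       int(root_delay * 65536), int(root_disp * 65536), ref_id)
    return head + bytes(32)  # timestamps zeroed; not needed for these checks

def query(host: str, timeout: float = 3.0) -> dict:
    """Send one client request (version 4, mode 3) to UDP 123 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x23" + bytes(47), (host, 123))
        return parse_ntp_header(s.recv(512))

# Constructed sample replies, not captured from a real server.
SAMPLES = {
    "synced to upstream": build_reply(0, 2, 0.02, 0.03, b"\x0a\x00\x00\x01"),
    "service up, clock never synced": build_reply(3, 0, 0.0, 0.0, b"\x00" * 4),
    "local clock, large dispersion": build_reply(0, 1, 0.0, 10.0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", client_verdict(parse_ntp_header(pkt)))
```

Calling `client_verdict(query("<time server IP>"))` from any machine on the closed network shows whether the server is advertising itself as a usable source before the ESXi hosts are pointed at it.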