VMware Cloud Community
KeirL
Contributor

NTP configuration for ESXi hosts

Hi

I'm trying to get some more information on the following knowledge base article

https://kb.vmware.com/s/article/1035833

My ESXi 6.7 U3 configuration has 4 x NTP sources. Two NTP sources are internal and two are external. One of these internal NTP sources is the MS AD domain controller. With this configuration do I still need to follow the recommendations in the above knowledge base article, or is this only required if all NTP sources are internal?

Ardaneh
Enthusiast

Hi

Configuring an internal time server such as MS AD to synchronize with an external time source is not mandatory, but for your scenario it is a SHOULD! As you know, the time server for ESXi and vCenter is crucial, so when you have multiple servers, you must be sure that all servers are synced and good to go, especially your internal servers. When one of your NTP servers goes down, ESXi will try to use another server to sync the time, and when the server chosen by ESXi is an internal server such as AD, and the time on that server is not synced with the correct time (there are tons of reasons, even when you deploy your AD on a VM!), you will face some bad situations.

Hence, when you set a Windows AD as a time server for your ESXi hosts, you should configure a valid external NTP server for your Windows server and follow the best practices if your AD is virtualized, or you can remove this server from your NTP servers list.

KeirL
Contributor

OK - thanks

So, the Internet links for this environment are poor (just down to where the environment is sited) so there is a risk that the external NTP servers may become inaccessible. This is why I need to have some form of NTP internally - otherwise I would have all my NTP sources external.

But my question is specifically around the need to implement the following recommendation (VMware Knowledge Base) when I have both internal and external NTP servers configured, and I'm not sure I'm clear as to whether this is necessary from your reply - perhaps you can clarify that bit for me? I don't want to follow the process in the VMware KB if it will affect the ability of the ESXi hosts to use the external NTP sources.

But you also raise a good point - 90% of the time the Internet links are fine and I would like to ensure that the external sources are the 'preferred' sources - how can I do this please?

kind regards

Keir

Ardaneh
Enthusiast

We can imagine two different scenarios here, one with internal NTP servers and another with external; after that you can find out what you should do with the combination of both.

For the first scenario, when you have only internal NTP servers, those servers must be synced with some external ones in order to be sure that the time is correct; otherwise, you cannot guarantee the time correction. After that, you can add those internal servers as NTP servers for your clients (ESXi, VC, ...). The point is, if your internal ones are virtualized MS AD, besides that configuration, you should follow this article too.

For the second scenario, you don't need any additional configuration like the internal ones, and you can configure external NTP servers for your clients without any problem.

Hint: when you have more than one NTP server configured for your clients, according to the NTP server and client behaviors, generally speaking, your client can be synced with any of those servers that served better. (A man with a watch knows what time it is. A man with two watches is never sure.)

Now, when you have an internal one with the risk of its time being out of sync (if you don't follow those steps of VMware recommendations) and some external NTP servers for your hosts and VC, you may face some time issue problems randomly.

If I were you, I would follow those instructions from VMware.

For your last question, I don't know if there is any configuration for that in ESXi, but for Red Hat, you can make a server a "truechimer" by editing /etc/ntp.conf and putting a "true" in front of your server address (for example: server 127.0.0.1 true).

I hope this could be helpful

cheers

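As an added example (not from this thread, VMware, or ntpd itself), here is a small Python check that reads `ntpq -p` style peer output from an ntpd-based host and flags the situations the thread discusses: no source selected, an internal source winning over the externals, or an internal source (such as a free-running AD DC) that ntpd has already rejected as a falseticker. The sample output, the 203.0.113.x/10.0.0.x addresses and the list of "internal" prefixes are all constructed assumptions for the two-external, two-internal layout described above.

```python
# Constructed sample of `ntpq -p` output: two external stratum-1 servers and
# two internal sources, the second one an AD DC running on its own local clock.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   33   64  377    2.145   -0.221   0.412
+203.0.113.20    .PPS.            1 u   21   64  377    3.012    0.108   0.305
-10.0.0.5        203.0.113.10     2 u   40   64  377    0.821    0.577   1.204
x10.0.0.6        .LOCL.          11 u   12   64  377    0.402  812.334  25.011
"""

# Assumption: the site's internal NTP servers live in these RFC 1918 ranges.
INTERNAL_PREFIXES = ("10.", "192.168.")

# ntpq tally codes: the first character of each peer line.
TALLY = {"*": "sys.peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", " ": "rejected"}


def parse_ntpq(text):
    """Return one dict per peer line with tally, remote, refid, stratum, offset (ms)."""
    peers = []
    for line in text.splitlines()[2:]:  # skip the header and the ===== separator
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        peers.append({"tally": tally, "state": TALLY.get(tally, "unknown"),
                      "remote": fields[0], "refid": fields[1],
                      "stratum": int(fields[2]), "offset_ms": float(fields[8])})
    return peers


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIXES)


def check_time_sources(text):
    """Return human-readable findings about which source the host actually follows."""
    peers = parse_ntpq(text)
    findings = []
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        findings.append("no system peer selected: host is not synchronised")
    elif is_internal(selected[0]["remote"]):
        findings.append(f"system peer {selected[0]['remote']} is internal; externals are not preferred")
    for p in peers:
        if p["tally"] == "x":
            findings.append(f"{p['remote']} rejected as falseticker (offset {p['offset_ms']} ms)")
        if is_internal(p["remote"]) and p["refid"] == ".LOCL.":
            findings.append(f"{p['remote']} is free-running on its own local clock")
    return findings
```

On ntpd-based hosts, adding the `prefer` keyword to a server line (next to the `true` keyword mentioned above) is the usual way to bias selection toward the external sources; this script only verifies what the host ended up choosing.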