VMware Cloud Community
MDIT3
Contributor

Sync time from Domain Controller on isolation network

We have a test lab that runs ESXi 5.5 servers. The network is completely closed, so we set the time on the lab domain controller and want to point the ESXi servers to it so that all systems are based on one system that pushes out time everywhere... The domain controller is Server 2008 R2 SP1, and the ESXi servers are 5.5 U1. No matter what we do, the ESXi servers do not take time.

When we run watch ntpq -p 127.0.0.1 we see that time is coming from the right source with stratum 1, but the offset keeps increasing. We have tried setting the time on the ESXi server, but the time keeps slipping even though the ESXi server is getting time from the domain controller. We have also tried modifying the ntp.conf file to change the time source to version 3 (followed by a service restart of ntp), but none of this seems to change the problem.

Is there something special we need to do to get time to sync with a Windows Domain controller on a private network? We do this just fine with the exact same configuration on our production network. The only difference being that we have an external time source.
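The symptom described above (source shown with stratum 1, offset climbing between polls) usually means ntpd can see the peer but has not selected it, so the local clock free-runs. The `ntpq -p` billboard says this in its first column, the tally code, which is easy to overlook when watching the offset. The following script is an added example, not code from the thread or from VMware: it parses captured `ntpq -p` output, decodes the tally code, and classifies a peer across successive snapshots. The snapshots embedded below are constructed to mirror the question's symptom; the peer address and refid are assumptions.

```python
"""Diagnose an ESXi host's ntpd peer state from captured `ntpq -p` output.

Added example (not from the thread). The tally code in column 1 of the peer
billboard tells whether ntpd actually selected a source; a blank tally with
a growing offset means the source is visible but rejected, so the host clock
is free-running.
"""

# Tally codes printed in column 1 of `ntpq -p` (ntpd peer billboard).
TALLY = {
    " ": "discarded: not valid (unreachable, or root distance too large)",
    "x": "falseticker",
    ".": "excess (beyond survivor limit)",
    "-": "outlier",
    "+": "candidate",
    "#": "selected backup",
    "*": "system peer: the clock is being disciplined by this source",
    "o": "PPS peer",
}

# Constructed snapshots modelled on the symptom in the question: stratum 1,
# fully reachable (reach 377), tally blank, offset climbing between polls.
# 10.10.0.5 stands in for the lab domain controller (assumed address).
SNAPSHOT_T0 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.10.0.5       LOCL.          1 u   34   64  377    0.412  1523.110  12.004
"""
SNAPSHOT_T1 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.10.0.5       LOCL.          1 u   12   64  377    0.398  1611.502  13.371
"""
# Constructed healthy snapshot: same peer, but selected ('*') with a tiny offset.
SNAPSHOT_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.0.5       LOCL.          1 u   20   64  377    0.401   -0.231   0.105
"""


def parse_ntpq(text):
    """Return one dict per peer line of raw `ntpq -p` output.

    The raw output must be passed unmodified: the tally code is the first
    character of each peer line, so stripping leading whitespace loses it.
    """
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("=") or stripped.startswith("remote"):
            continue  # blank line, separator, or column header
        tally = line[0]
        fields = line[1:].split()
        if len(fields) < 10:
            continue  # not a peer line
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields[:10]
        peers.append({
            "tally": tally,
            "status": TALLY.get(tally, "unknown tally code"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),        # reach is an octal shift register
            "delay_ms": float(delay),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def assess_peer(snapshots, remote):
    """Classify one peer across successive snapshots (e.g. taken under `watch`)."""
    rows = [p for snap in snapshots for p in parse_ntpq(snap) if p["remote"] == remote]
    if not rows:
        return "no-such-peer"
    if any(r["tally"] == "*" for r in rows):
        return "synchronized"
    if all(r["reach"] == 0 for r in rows):
        return "unreachable"
    offsets = [abs(r["offset_ms"]) for r in rows]
    growing = len(offsets) >= 2 and all(b > a for a, b in zip(offsets, offsets[1:]))
    if growing:
        # Replies arrive (reach != 0) but ntpd never marks the peer '*':
        # the source is answering yet rejected, and the local clock drifts.
        return "reachable-but-rejected"
    return "not-selected"


if __name__ == "__main__":
    for p in parse_ntpq(SNAPSHOT_T0):
        print(f"{p['remote']:<16} st={p['stratum']} reach={p['reach']:o} "
              f"offset={p['offset_ms']}ms -> {p['status']}")
    print(assess_peer([SNAPSHOT_T0, SNAPSHOT_T1], "10.10.0.5"))
```

On a host, capture a few `ntpq -p` runs a minute apart into files and feed their contents to `assess_peer`; a result of reachable-but-rejected points at the source itself (what the DC advertises) rather than at connectivity, which is where the KB linked in the reply below becomes relevant.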

2 Replies
a_p_
Leadership

Welcome to the Community,

please take a look at VMware KB: Synchronizing ESXi/ESX time with a Microsoft Domain Controller

Also keep in mind that in case the DC is a virtual machine running on the host, this configuration may cause issues with time drifts, i.e. the DC relies on the host's time and the host syncs its time from the DC.

André

dabson
Enthusiast

Further to your comments, we also actively synchronize our production ESXi servers against our Active Directory domain controllers. We haven't experienced drift. You shouldn't have to make changes to the ntp.conf on your hosts for it to work properly.

As a.p. mentions, there are issues if your DC happens to be virtual. VMware and Microsoft's best practice is to not have any domain controllers sync time with the vSphere hosts. Best practice is to have the DC with the Primary Domain Controller role synchronize directly with the appropriate NTP source and have any additional DCs synchronize with the PDC-role DC.

You may want to check the support site of the vendor of your host hardware. Sometimes there are known issues with particular server models and clock drift. Sometimes a firmware update can sort things out. I remember a problem with particular HP blades losing time until a firmware update was released to fix the issue.


---

Dee Abson
https://wiseintro.co/deeabson
https://teebeedee.org
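The hierarchy recommended in the reply above (PDC emulator takes time from an external NTP source, every other DC follows the domain hierarchy) can be applied and checked with w32tm. The script below is an added example, not from the thread or from VMware or Microsoft documentation; it assumes the ActiveDirectory PowerShell module is present on the DC it runs on, and the upstream server name is a placeholder to replace with your real source.

```powershell
# Added example (not from the thread). Run elevated on each domain controller.
# Assumes the ActiveDirectory module; the upstream host below is a placeholder.
$UpstreamNtp = 'ntp.example.com'   # placeholder: replace with your real NTP source

$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $pdc) {
    # PDC emulator: sync from the external source and advertise as a reliable time source.
    w32tm /config /manualpeerlist:"$UpstreamNtp" /syncfromflags:manual /reliable:yes /update
} else {
    # Any other DC: follow the domain hierarchy, which resolves to the PDC emulator.
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time
w32tm /resync /rediscover

# Verification: the source line should name the upstream server on the PDC
# emulator and the PDC emulator on every other DC.
w32tm /query /source
w32tm /query /status
```

Keep the VM-side guest time sync off for virtual DCs, as the reply notes, so the host and the DC do not end up disciplining each other's clocks.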