Using W2K3 Domain Controller as an NTP

Michelle_Laveri · ‎01-16-2007

Anyone uses a windows domain controller as an NTP?

I think the DC is running on physical - and it is rigged to a NTP server on the internet... with ESX set to get its time from the DC...

Any problems. I have a customer who has configured this - and finds its not in synch...

Regards

Mike

Regards
Michelle Laverick
@m_laverick
http://www.michellelaverick.com

bister · ‎01-16-2007

Microsoft DC uses slightly different NTP-implementation and therefore it doesn't work correctly with ESX.

Regards,

Christian

Niranec · ‎01-16-2007

Hi Mike

I have configured a DC as an NTP server fior the service console numerouse times, it has to be the PDC emulator which is responsible for keeping time across the domain.

It is a best parctice to to this if you run DC's on top of your ESX server.

Niran

bister · ‎01-16-2007

Hi all,

I also tried using our DC/PDC as time-service (NNTP), but that didn't work. Then we switched to an NTP-appliance and that works smoothly.

Regards,

Christian

Niranec · ‎01-16-2007

Hi bister

can you please explain what didnt work?

because i had no problem with it

Thank you

thickclouds · ‎01-16-2007

We had problems wit ESX authenticating with our DC's for NTP.

Charlie Gautreaux vExpert http://www.thickclouds.com

bister · ‎01-16-2007

Hi Niranec,

the ESX wasn't in sync. That was the problem. Didn't look for a solution since we have an NTP-appliance anyhow.

Regards,

Christian

emmar · ‎06-07-2007

Does anyone know what it is about w2k3 DCs that stops this from happening? Am i right in thinking that you can use a w2k DC and it works fine?

Thanks

E

Texiwill · ‎06-07-2007

Hello,

I imagine that in order to use the PDC as a time sync, you will need to join the ESX Server to the domain, thereby giving it permission.

Best regards,

Edward

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

sanderso · ‎06-07-2007

There's nothing that stops this from happening. I've got a bunch of ESx 2.5 and 3.0.1 boxes syncing their time from Windows 2003 domain controllers. They don't have to be joined to the domain and I didn't have to do anything special to the ntp.conf file besides point them to the proper servers.

henrydenhengst · ‎06-07-2007

Anyone uses a windows domain controller as an NTP? Yes, of course.

NTP (pool) server Internet

^

\||

Local Internet Router NTP (1) (if possible cluster)

^

\||

ESX servers (all)

^

\||

Windows Server DC (1) (24x7 by HA, DRS and VCB)

^

\||

Windows Servers DCs (other), Windows Server Members and Client Machines in Domain.

If you follow this method of which a pdf is available at VMware.com than it works perfect.

www.vmware.com/pdf/vmware_timekeeping.pdf

emmar · ‎06-07-2007

Thanks All.

My post maybe a bit of a red herring as there were some other issues with the ESX firewall - I gave up using a w2k3 DC and used pool.ntp.org instead.

But even though i'd enabled ntpClient it wouldnt work unless i allowed all incoming and outgoing ports........ but once the ESX server had contacted the timesource once, i could block all incoming and outgoing ports and it would carry on fine. Even after a reboot or restarting ntpd.

Cheers all

E

wunderon · ‎06-07-2007

I've had no issues using W2K3 DC's as NTP sources for ESX 3.0.1

Thorsten_Schnei · ‎09-22-2007

Hi,

from your description I assume that your PDC-emulator is also running on VMware and that it gets the time from the host (with the /nosync option set).

Did you ever had the problem that AD stopped time serving on the PDC as it couldn't verify the time source ? I read about that in a post (https://www.vmware.com/community/thread.jspa?forumID=21&threadID=16115&messageID=186017#186017) and am now a little bit unsure.

I'm wondering why there is no official white paper on how to set time sync in an AD environment up. Yes, I know the white papers but there is nothing about AD and the PDC emulator. Microsoft recommends in their papers to not use time sync with the host when running DCs on Virtual server.

Cheers

virtualdud3 · ‎09-23-2007

I don't know for sure, but my first thought as to why w2k DCs "work" and w2k3 DCs so not is that, by default, w2k3 DCs require SMB packet signing and secure channel signing/encryption.

############### Under no circumstances are you to award me any points. Thanks!!!

Thorsten_Schnei · ‎09-23-2007

out of office message removed

smithg001 · ‎09-24-2007

W2K3 and W2K domain controllers work as NTP time sources for VMware ESX Server version 2.x and 3.x (and 1.5 but I hope no one cares about that anymore). The important steps to take to enable this are:

esxcfg-firewall -e ntpClient # this enables NTP time syncing through the VMware ESX Server 3 host based firewall
Correct configuration of the /etc/ntp.conf file:
server <ip address or dns name of DC> minpoll 10 prefer
restrict <ip address or dns name of DC> mask 255.255.255.255 nomodify notrap noquery
Create /etc/ntp/step-tickers that contains just the ip address or dns name of the DC on the first line
chkconfig --level 3 ntpd on # this sets the ntpd process to start as part of the standard VMware ESX Server boot process
ntpdate -u <ip address or dns name of DC> # this syncs the current systems time to the DC you have selected
hwclock --systohc # this writes the just synced time to the bios clock
service ntpd start # this starts the ntpd service to initiate the periodic syncing betwen the DC and the ESX Host

You must make sure that the service has been enabled in the Firewall config and that the time has been set initially (step 5) before you try and let ntpd sync the time. If you follow these steps you shoud be able to sync any host or linux system for that matter with an Active Directory DC.

-

Gregory Smith

greg@virtualsmith.net

nzsteve · ‎09-26-2007

I've done the same in a few places, so can second that you shouldnt have any probs with it. PDC emulator on a physical server, ESX hosts syncing from it.

steve

smithg001 · ‎09-26-2007

I've done the same in a few places, so can second that you shouldnt have any probs with it. PDC emulator on a physical server, ESX hosts syncing from it.

You don't actually need to point at the PDC emulator. Any DC will respond to an NTP query and allow you to sync time through it.

psharpley · ‎09-26-2007

Yep, always works for me too. I also edit /etc/hosts just in-case. Check local console time before and after by running date to see an update to the local clock. You can also watch -n1 "ntpq -p" to see it happening. Check the hwclock using hwclock --show after the update to see it saved