VMware Cloud Community
aleceiffel
Contributor
Contributor
Jump to solution

Domain Controller time - need input

I've seen a lot of different configurations for DC time on ESX server both on this forum and others on the internet. I'm getting somewhat confused and would like to get some opinions before making any bad decisions.

My current setup is 2 Windows 2003 DCs on bare metal. I am looking to leave the PDC emulator on a bare metal system, promote a third DC on a virtual machine in EXS 3.5 and demote the second bare metal machine so that I end up with 2 DCs, one of which is a virtual machine that can be cloned for disaster recovery and/or testing purposes.

My concern is the time drift issue that affects virtual machines. I've seen various opinions but the best that I can figure out after reading http://download3.vmware.com/vmworld/2006/tac9710.pdf is that I should:

1) set the PDC running on bare metal to sync time with tock.usno.navy.mil by configuring the registry entries:

HKLM\System\CurrentControlSet\Services\W32Time\Parameters

Type = NTP

NtpServer = tock.usno.navy.mil,0x1

HKLM\System\CurrentControlSet\Services\W32Time\Config

AnnounceFlags = 5

Then stop and start the w32time service and force the time update with "w32tm /resync /rediscover"

2) configure the EXS server as an NTP client syncing to the PDC

3) configure the second DC running as a Virtual machine to sync with the host ESX server by setting:

HKLM\System\CurrentControlSet\Services\W32Time\Parameters

Type = NoSync

Then setting the "time synchronization between virtual machine and EXS server" option in VMware tools

My questions are: Am I missing anything? Does anybody have a similar setup running? Do any of these settings prevent client PCs or member servers from syncing to the domain controllers? The document I linked to above says to set the registry entries in the domain controller group policy but this would put the same settings on all DCs would it not? Can I do it as manual registry configurations as indicated above?

Thanks

Reply
0 Kudos
1 Solution

Accepted Solutions
LarsLiljeroth
Expert
Expert
Jump to solution

Hi

We use the same setup except from step 3. All our vm's use the AD timesync and NO

VM Tools sync...

Works just fine for us for the last 2 years...

// Lars Liljeroth -------------- *If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

View solution in original post

Reply
0 Kudos
6 Replies
LarsLiljeroth
Expert
Expert
Jump to solution

Hi

We use the same setup except from step 3. All our vm's use the AD timesync and NO

VM Tools sync...

Works just fine for us for the last 2 years...

// Lars Liljeroth -------------- *If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Reply
0 Kudos
ctfoster
Expert
Expert
Jump to solution

I'd go along with Lars. We have the PDC emulator running on metal with an external sync. All other DC and servers are virtual and take the sync from the metal PDC. No server uses the VM Tools to to sync time or takes any other source. Setting the option on all the servers and clients, except the PDC, is a simple as making sure each server is using AD time.

net time /setsntp

net time /querysntp > This computer is not currently configured to use a specific timeserver (therefore I'll query DNS for a AD timesource)

Make sure you only have one source any everybody talks to that source. Remember if you have a time drift, so long as everybody is drifting at the same rate - it's not good - but things will still work. You have problems when one half of the network is going one way (esx time) and one half the other (AD time). Keep an eye on your event logs for W32Time error. Works for me.

TomHowarth
Leadership
Leadership
Jump to solution

As both the other posters have have stated do not mix time sychronisation.

Configure the 2nd DC and all other servers to use the PDC as the time source.

The only time I would consider the use of ESX time is when I have no Physical DC's and my ESX Hosts are set to get their time from a NTP source. Even, then I would rather have my PDC set to a NTP source and point all other server to it this way if there is any time drift all server would suffer the same drift and as perviously stated things would still work.

My reasoning for the above is as follows, a misconfiguration of a ESX host (ie not pointing it at the same NTP server or an NTP communication failure could result in time drift between ESX hosts, therefore the posibility of a time jump when DRS or VMotion moves the PDC emulator could give rise to the risk of time drift.

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
aleceiffel
Contributor
Contributor
Jump to solution

Thanks for your input

So if I understand what you are saying correctly I should leave all the default settings on the Virtual Machine DC after I promote it and all time issues will be fine. It will sync with the PDC emulator often enough to avoid any time drift problems.

Reply
0 Kudos
TomHowarth
Leadership
Leadership
Jump to solution

That is correct,

Please remember to use the helpful or correct buttons if you found any of the information enparted here useful

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
Reply
0 Kudos
stormlight
Enthusiast
Enthusiast
Jump to solution

Hello, I followed ctfoster directions and did a net time /setsntp on DC2/DC3 and other server so that everyone syncs with the physical DC1

However the other servers are still syncing to DC2 and DC3 that are vms and not DC1 that is still physical.

Am i missing something?

If you find this or any post helpful please award points

If you find this or any post helpful please award points
Reply
0 Kudos