VMware Cloud Community
touimet
Enthusiast

How To: Windows DC Time Sync - The authoritative answer.

Okay, now that I have all you experts, gurus & VMware employees looking at this thread maybe we can lay down in black & white what is the best approach to maintaining time synchronization between Windows DC’s. I’ve searched through community posts such as:

http://communities.vmware.com/message/876960#876960

http://communities.vmware.com/thread/85021?tstart=0&start=0

http://communities.vmware.com/message/891248#891248

http://communities.vmware.com/message/838087#838087

http://communities.vmware.com/message/832525#832525

etc etc etc the list goes on….

I’ve found some recommending using vmtools (NoSync) for time sync and others recommending Windows Time Service. Additionally it appears there are many people having time sync issues using either method.

I’ve read through the TAC9710.pdf which is now almost 2 years old and pre-ESX 3.5. Are there new features or better support in the latest vmtools that shifts the argument towards using the tools for time synchronization???

In our environment (test environments), all DC’s are virtual machines and have little to no interaction with physical machines.

So today, post-ESX 3.5 vmtools, what is the authoritative answer on configuring time synchronization???

Thanks,

Todd

0 Kudos
3 Replies
Dollar
Enthusiast

A good answer to this question would be helpful. If bringing up a PDC as a VM, you have no choice other than to leave Windows Time Service enabled and NOT use the /NoSync option, otherwise the PDC will not advertise itself as a Time Server and maintaining time on all devices in the domain becomes problematic.... not to mention the AD issues that arise.

Thus far, I have gotten by with pointing both the PDC and the ESX Host at the same Navy Atomic clock and running a script every 5 minutes that syncs time to this atomic clock... and leaving the Windows Time Service enabled on the DCs, and NOT using the "Sync Time With Host" feature of VMTools.

I am hoping that by using the same NTP time source for both the Hosts and VMs, and by force syncing this time frequently, I can evade the problems caused by the VM losing time sync with the Host, or by the DCs losing time sync with each other. However, I hate the "hope" concept. "Ensuring" would be a better option.

0 Kudos
touimet
Enthusiast

Dollar, thanks for the reply.

We did something similar. We have a Root DC (PDC) and Child DC (PDC) set up to pull time from an external source, the same external source the ESX server is pulling from. We, however, did not set up the automated script to pull time every 5 minutes. That was something I was thinking of doing and since you're not having issues I'll move forward with that.

This thread has been viewed by 33 people with only one reply. It seems as if no one wants to tackle it. It would be nice to have a detailed documented (official) guide on how to best handle time sync on DC's within different setups.

0 Kudos
Dollar
Enthusiast

From an Active Directory standpoint, only the PDC should point to the external time source. You should allow subsequent child DCs to inherit their time naturally, from the PDC. Having the PDC and the ESX Host pulling time frequently from the same external source has thus far prevented any problems in my environment (about 2 months into hosting these DCs as VMs). But again, there is a large amount of "hope" involved. I know that DCs will start to experience some extreme difficulties if time sync falls off for more than 5 minutes. I have no idea what time spread is allowable between the host and VM (this would seem to be a valuable piece of missing information).

As an additional FYI... I have not noticed any "clock drift" on the VM DCs using this setup. If it's occurring, it's in milliseconds. But then again, my Host servers are very underutilized. The time sync issue may not manifest itself unless (until) the Hosts are under CPU stress.

Finally, I agree. There should be some better information. The original "Authoritative Statement" on the issue suggests running the Windows Time Service with the /NoSync option. My experience is that you cannot do this with a PDC as the PDC will not advertise itself as a Time Server (at least this is what DCDIAG will tell you). In addition to DCDIAG reporting a failure (when run on the PDC) that the DC is not advertising itself as a time server, DCDIAG on each subsequent DC will fail a FSMO Role check because the PDC is not advertising as a time server.

0 Kudos
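
The arrangement described in the last reply (only the PDC syncing from the external source, every other DC following the domain hierarchy, Windows Time Service left enabled), as an added example that is not from the posters or from VMware. It assumes an elevated PowerShell session on a DC with the ActiveDirectory module; `ntp.example.org` is a placeholder for the external source that the ESX hosts also use, and the variable names are illustrative.

```powershell
# Added example: configure w32time by DC role, then check the result.
$ExternalNtp    = 'ntp.example.org'  # placeholder, not a value from the thread
$MaxSkewSeconds = 300                # the 5-minute limit mentioned in the thread

Import-Module ActiveDirectory

# The forest-root PDC emulator is the only DC that uses the external source.
$rootPdc   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$isRootPdc = $rootPdc -like "${env:COMPUTERNAME}.*"

if ($isRootPdc) {
    # 0x8 = query the peer in NTP client mode
    $peers = "/manualpeerlist:$ExternalNtp,0x8"
    w32tm /config $peers /syncfromflags:manual /reliable:yes /update
} else {
    # Child-domain PDCs and all other DCs take time from the domain hierarchy
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
w32tm /resync /rediscover

# Measure the offset against the source this DC is expected to follow.
$reference = if ($isRootPdc) { $ExternalNtp } else { $rootPdc }
$offsets = w32tm /stripchart /computer:$reference /samples:3 /dataonly |
    Select-String -Pattern ',\s*([+-]\d+\.\d+)s' |
    ForEach-Object { [math]::Abs([double]$_.Matches[0].Groups[1].Value) }

if (-not $offsets) {
    throw "No time samples returned by $reference (check UDP 123 and name resolution)."
}

$worst = ($offsets | Measure-Object -Maximum).Maximum
if ($worst -ge $MaxSkewSeconds) {
    Write-Warning ("Offset from {0} is {1:N3}s, at or beyond the {2}s limit." -f $reference, $worst, $MaxSkewSeconds)
} else {
    Write-Output ("Offset from {0} is {1:N3}s." -f $reference, $worst)
}

# On the PDC, confirm it still advertises as a time server (the DCDIAG check from the thread).
if ($isRootPdc) { dcdiag /test:Advertising }
w32tm /query /source
```

Running the measurement half on a schedule records the actual offset rather than relying on a periodic forced resync alone.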