Not long ago there was a discussion about best practices for running your DCs as VMs. Besides making sure that your PDC emulator is set to sync time with a reliable outside time server, as you should do with a physical server, *be sure the VM hosts have their time sync in order because VMs at times will sync to the host even if you don’t have them set to*.
Here’s something that happened to us earlier this week, if you have time to read it:

Background: 5 DCs in a Windows 2012 R2 native mode domain/forest (only one domain/forest). All 5 are VMware VMs on ESXi 5.1. The DCs (and all of our VMs) are NOT set to sync with the host server. We have UNIX NTP servers in our data center, which only the PDC Emulator is set to sync with, and of course the other DCs sync with the PDC and everything else syncs with random DCs.

The other day I found that our monitoring software showed the time was off by 5 minutes on virtually all of our servers and I noticed the same on my workstations. I was already aware of the issue mentioned above, where a VMware VM that is not set to sync with the host will sync with it anyway when it’s migrated to a new host or rebooted (and possibly during one or two other operations). So the first thing I did after confirming that the time was off on the PDC emulator was check to see if it had been migrated to a new host that day, and it had been. In fact it was the first time since it became a DC that it had been migrated.

I used w32tm to see if it was set to sync with the UNIX time servers and it apparently wasn’t. (Someone else did the domain upgrade back in July and he was responsible for taking care of everything, but I could have sworn I checked this after the upgrade was done.) I simply set it to use the UNIX time servers and to resync. The clock on the PDC emulator became “unskewed” pretty quickly and the other DCs followed after a few minutes. Within a few hours the member servers were okay and I suspect the same for our 7000 or so member workstations.

I checked with a VMware Admin and sure enough the host which the PDC emulator had been moved to was off by 5 minutes. She found that the time daemon was not set the way they expected and she found the same on lots of other hosts.

So the silver lining here is that the hosts are now set correctly with their time service and they should always sync properly with the UNIX time servers in the data center. (BTW, there is a workaround for the undesired sync issue which involves editing the .vmx file of each VM, if you can afford to shut down each one and make the change.)

Charlie Sullivan
Sr. Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135
617-552-4318
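The .vmx workaround mentioned above can be audited before and after the change. The following is an added example, not part of the original message: it checks a .vmx file for VMware's documented advanced settings that turn off periodic and one-off guest/host clock syncs. The function names and the sample file content are constructed for illustration.

```python
import re

# Periodic sync plus the one-off sync triggers (migration/resume, snapshot
# restore, disk shrink, Tools startup). Key names are VMware's documented
# advanced settings; they do not come from the original message.
REQUIRED_OFF = (
    "tools.syncTime",
    "time.synchronize.continue",
    "time.synchronize.restore",
    "time.synchronize.resume.disk",
    "time.synchronize.shrink",
    "time.synchronize.tools.startup",
)
OFF_VALUES = {"0", "false"}
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: periodic sync is off, but most one-off syncs are not.
SAMPLE_VMX = '''\
displayName = "dc01"
tools.syncTime = "FALSE"
time.synchronize.continue = "0"
time.synchronize.restore = "1"
'''


def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_time_sync(text):
    """Return {key: problem} for each setting not explicitly disabled."""
    settings = parse_vmx(text)  # keys are compared case-insensitively here
    findings = {}
    for key in REQUIRED_OFF:
        value = settings.get(key.lower())
        if value is None:
            findings[key] = "not set explicitly"
        elif value.strip().lower() not in OFF_VALUES:
            findings[key] = "set to %r" % value
    return findings


if __name__ == "__main__":
    for key, problem in audit_time_sync(SAMPLE_VMX).items():
        print("%s: %s" % (key, problem))
```

A VM whose only time-related line is `tools.syncTime = "FALSE"` matches the situation described in the message: periodic sync is off, yet the migration-time sync is not explicitly disabled, and the audit reports it.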

