So it seems I’ve been doing this wrong. From reading those, it appears the suggestion is to disable time sync in VMWare tools and let DCs query an NTP server directly (and let members query the DC as normal)
I had been using the suggestions in this post for time sync with Hyper-V, but I’m wondering if this is simply outdated: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx specifically, this paragraph seems to conflict with what is on technet: “Question #8 – When should I disable the Hyper-V time synchronization service (either in the virtual machine settings, or inside the guest operating system)? Never.” Matthew Topper From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Wednesday, December 3, 2014 6:05 PM To: [email protected] Subject: RE: [NTSysADM] Time Sync on Virtual DCs Please read my referenced article and the linked documents, including those from both VMware and Microsoft. http://theessentialexchange.com/blogs/michael/archive/2010/01/29/a-brief-history-of-time-ok-ok-let-s-go-with-quot-an-introduction-to-the-windows-time-service-quot.aspx From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Matthew Topper Sent: Wednesday, December 3, 2014 6:00 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Time Sync on Virtual DCs I was under the impression that the ‘correct’ way to do this was to have NTP configured on your VMware or Hyper-V hosts (to sync with whatever external NTP servers you want to pull from) and let them be authoritative in that your virtual DC allows its clock to match the hardware, then operate the rest of your network normally, in that the PDC emulator is the authoritative time source for everything else. Am I misunderstanding this? Matthew Topper From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Wednesday, December 3, 2014 5:42 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Time Sync on Virtual DCs In this article, they only mention syncing with the domain hierarchy in passing. It’s not mentioned as a best practice: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318 So no we aren’t following their guidance and I see no reason to not use AD, since that has always served us well and seems to be more manageable (it’s the default for domain joined machines). The article does mention making sure that the hosts are properly syncing time, and the issue of VMs syncing with hosts during certain operations, even when not actually set to sync with the host. We weren’t properly syncing some of the hosts with a time server and that’s what caused our issue. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Joseph L. Casale Sent: Wednesday, December 3, 2014 4:15 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Time Sync on Virtual DCs Search the vmware kb for Timekeeping, there are specific guidelines to follow. I've not encountered an issue ever using these, how does your env compare to their best practises? jlc ________________________________ From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> on behalf of Charles F Sullivan <[email protected]<mailto:[email protected]>> Sent: Wednesday, December 3, 2014 1:27 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] Time Sync on Virtual DCs Not long ago there was a discussion about best practices for running your DCs as VMs. Besides making sure that your PDC emulator is set to sync time with a reliable outside time server, as you should do with a physical server, be sure the VM hosts have their time sync in order because VMs at times will sync to the host even if you don’t have them set to. Here’s something that happened to us earlier this week, if you have time to read it: Background: 5 DCs in a Windows 2012 R2 native mode domain/forest (only one domain/forest). All 5 are VMware VMs on ESXi 5.1. The DCs (and all of our VMs) are NOT set to sync with the host server. We have UNIX NTP servers in our data center, which only the PDC Emulator is set to sync with and of course the other DCs sync with the PDC and everything else syncs with random DCs. The other day I found that our monitoring software showed the time was off by 5 minutes on virtually all of our servers and I noticed the same on my workstations. I was already aware of the issue mentioned above, where a VMware VM that is not set to sync with the host will sync with it anyway when it’s migrated to a new host or rebooted (and possibly during one or two other operations). So the first thing I did after confirming that the time was off on the PDC emulator, was check to see if it had been migrated to a new host that day and it had been. In fact it was the first time since it became a DC that it had been migrated. I used w32tm to see if it was set to sync with the UNIX time servers and it apparently wasn’t. (Someone else did the domain upgrade back in July and he was responsible for taking care of everything, but I could have sworn I checked this after the upgrade was done.) I simply set it use the UNIX time servers and to resync. The clock on the PDC emulator became “unskewed” pretty quickly and the other DCs followed after a few minutes. Within a few hours the member servers were okay and I suspect the same for our 7000 or so member workstations. I checked with a VMware Admin and sure enough the host which the PDC emulator had been moved to was off by 5 minutes. She found that the time daemon was not set the way they expected and she found the same on lots of other hosts. So the silver lining here is that the hosts are now set correctly with their time service and they should always sync properly with the UNIX time servers in the data center. (BTW, there is workaround for the undesired sync issue which involves editing the .vmx file of each VM, if you can afford to shut down each one and make the change.) Charlie Sullivan Sr. Windows Systems Administrator Boston College 197 Foster St. Room 367 Brighton, MA 02135 617-552-4318
