Time synchronization with virtual Domain Controllers

Posted on Friday, April 9th, 2010 at 1:44 am

Accurate time is crucial for a smoothly working IT environment. Kerberos authentication fails as soon as the clock skew between client and KDC exceeds the allowed tolerance (5 minutes by default in Active Directory), and you cannot correlate log files from different systems to track down a problem or an intrusion if their clocks disagree. There are some points you have to think about when running AD DCs in a virtual environment: which system is your organization-wide time source, what to do with the time sync features your virtualization product offers, and how the time is actually distributed.

First some basics. Time synchronization in a network is done with NTP (Network Time Protocol), which runs over UDP port 123. As time source for your network you can use a public NTP server or attach a radio clock to one of your own servers. NTP is easier to implement because you only need internet access and no additional hardware or software, but you have to live with the network delay and you should choose an NTP source you can really trust: plain NTP carries no authentication, so anyone who can spoof or intercept that traffic can shift your clocks (inside the domain, Windows members use Kerberos-signed NTP against their DC, but the hop from your PDC to the internet is unprotected). A dedicated radio clock attached to a host is the best and "safest" solution you can get, but you need the special hardware. In our example we'll use external NTP servers, first because it's easier and second because I've never used a directly attached radio clock 😉 You'll find NTP servers near your location at http://support.ntp.org/bin/view/Servers/WebHome It's important that the time source is close to you so the network delay is as small as possible.

Stratum levels: NTP describes how far a time source is from a reference clock with stratum levels (0 to 15; 16 means unsynchronized). The first four are the ones you'll meet in practice:

  • Stratum 0: An atomic or radio clock directly attached to a host
  • Stratum 1: A host that synchronizes directly with a Stratum 0 source (some public NTP servers, or your own host if you're using a radio clock)
  • Stratum 2: The second level of the sync hierarchy. Stratum 2 servers get their time from Stratum 1 servers
  • Stratum 3: Not too hard to guess I think 😉 Stratum 3 servers get their time from Stratum 2 sources.

NTP in an Active Directory environment: Every domain controller in your AD is also an NTP server. By default every DC gets its time from the PDC emulator of its domain (in a multi-domain forest the PDC emulators of the child domains in turn sync from the PDC emulator of the forest root), and member computers sync from the DC that authenticates them. So the PDC emulator of the forest root is the one machine whose time source you really have to get right. If you don't know which DC is your PDC emulator you should study your AD more 😉 Or alternatively you can execute "netdom query fsmo" at a command prompt.

In the output of that command (screenshot in the original post) we see that W2K8SRV1.bluesky.local is my PDC emulator (and also holds the other FSMO roles, which is normal in an AD with just one DC 😉 ). So, now get familiar with w32tm.exe, your main configuration tool for NTP in Windows. First of all let's check what your current time source is by running "w32tm /monitor".

What does this information mean?

  • Line 1 tells us that the time source for this host is W2K8SRV1, that this host is the PDC of the domain, and its IP address (an IPv6 address in my lab).
  • Line 2: The network delay to this host, measured with ICMP. We currently have no delay because our time source is the local host.
  • Line 3: The time offset between the local host and the NTP server.
  • Line 4: Here the source of our time server is displayed (the NTP reference ID). Because we haven't configured an NTP server yet the source is LOCL, the local CMOS clock, i.e. the DC is free-running and synchronized to nothing at all.

If you're unsure what a former admin has configured, or simply want to start from scratch, you can reset your time settings to the default values by executing:

    sc stop w32time & w32tm /unregister & w32tm /register & sc start w32time

    This command stops the Windows Time Service (w32time), unregisters it (which removes the service and all of its registry settings), registers it again with the default settings and then starts it again.

Now you can configure your external NTP sources with the w32tm /config command shown in the screenshot of the original post:

Explanation of the parameters:

  • /config => we are configuring something
  • /update => notifies the time service about the change so that it takes effect without restarting the service
  • /manualpeerlist => we provide a manual list of NTP servers to sync from (space-separated; add ",0x8" after a server name to poll it in plain client mode)
  • /syncfromflags:manual => we explicitly want to sync from the manual peer list only, not from the domain hierarchy
  • /reliable:yes => this is a "good", reliable time source for our domain controllers. Other DCs will prefer it as their time source. Set this only on the PDC emulator (or on the one DC you deliberately made the authoritative source); every DC you mark as reliable becomes a candidate source for all the others.

Now you can check if the external servers are used correctly by executing w32tm /query /peers

As shown in the output (screenshot in the original post) I've specified two peers: one Stratum 1 server (the first one) and a Stratum 2 server. As the following screenshot showed, Windows will prefer the source it judges most accurate (lower stratum, smaller root dispersion), in our case the NTP server with the .net TLD.

To check that your configuration works across the domain you can execute "w32tm /monitor". This command will show the time offset of all your domain controllers relative to the PDC emulator.
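The whole procedure from above (find the PDC emulator, inspect the current source, reset, configure the external peers, verify) as one PowerShell script. This is an added example and not a command listing from the original post; it assumes an elevated PowerShell on the DC holding the PDC emulator role with the ActiveDirectory module (RSAT) available, and the two pool.ntp.org names are placeholders you should replace with servers near you that you trust.

```powershell
# Added example (not from the original post): make the PDC emulator the domain's
# authoritative time source and verify it. Run elevated on the PDC emulator.
# The two peers are placeholders; ",0x8" polls each one in plain client mode.
$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

# 1. Confirm this host really holds the PDC emulator role (PowerShell equivalent
#    of "netdom query fsmo"). Marking a random DC as reliable makes things worse.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc.Split('.')[0] -ne $env:COMPUTERNAME) {
    throw "Run this on the PDC emulator ($pdc), not on $env:COMPUTERNAME"
}

# 2. Show the source before changing anything. "Local CMOS Clock" (RefID LOCL) means
#    free-running; "VM IC Time Synchronization Provider" means the hypervisor feeds the clock.
w32tm /query /source

# 3. Reset to defaults, the same as the post's sc/w32tm one-liner.
Stop-Service w32time
w32tm /unregister | Out-Null
w32tm /register   | Out-Null
Start-Service w32time

# 4. Point the PDC at the external peers and mark it as reliable for the domain.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# 5. Verify: configured peers, the chosen source and stratum, and the measured
#    offset against every peer (a few samples are enough to spot a bad peer).
w32tm /query /peers
w32tm /query /status
w32tm /query /source
foreach ($entry in ($Peers -split ' ')) {
    $peerHost = $entry.Split(',')[0]
    w32tm /stripchart /computer:$peerHost /samples:3 /dataonly
}

# 6. Offset of every DC relative to the PDC. Anything beyond a few seconds needs
#    attention long before the 5-minute Kerberos tolerance is reached.
w32tm /monitor
```

Step 4 is the command the post's screenshot shows; everything else is the surrounding check. If step 5 still reports LOCL as the source after a minute or two, UDP 123 outbound is usually blocked at the firewall.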

OK, but what is the difference between a physical and a virtual domain controller?

From the normal operation perspective => nothing 😉 But there is one huge difference when it comes to time sync.

In every virtualization product I know (VMware, Hyper-V, Citrix XenServer, XenSource, KVM, OpenVZ, Virtuozzo) the guests get their time from the host by default, as soon as the guest tools or integration services are installed.

So if the time on the host isn't accurate, all the guests are running with a wrong time. Furthermore, the time sync from the virtualization environment normally takes precedence over an NTP daemon that may be configured inside the guest: on Hyper-V the integration service even registers itself as a w32time provider inside the guest, so w32tm /query /source shows "VM IC Time Synchronization Provider" instead of your NTP peer.

So what happens when you run your PDC emulator as a VM guest and sync all your VM hosts with one of your domain controllers?

You've created a loop and you'll never get the right time: the host takes its time from the DC, the DC takes its time from the host, and nobody is connected to a real reference clock. Even when you configure an external time source inside the guest, the VM host will overwrite every correction with its own time. One solution is to run a physical domain controller as well (which would be a good decision anyway) and move the PDC emulator FSMO role to it. If you have no possibility to run a physical DC (damn IT budgets 🙁 ) you still have another option.

Simply disable the time sync between the Guest and the Host!

On Hyper-V just edit the settings of the desired VM and, under "Integration Services", disable "Time synchronization".


With VMware Infrastructure (vSphere) you also have to edit the properties of the guest: on the "Options" tab select "VMware Tools" and uncheck "Synchronize guest time with host". Be aware that this checkbox only stops the periodic sync; VMware Tools still pushes the host time into the guest once after a snapshot restore, resume, vMotion or disk shrink unless the time.synchronize.* options are also set to 0 in the VM's .vmx file.

After these changes the NTP daemon inside the guest (w32time on a Windows DC) is responsible for the time sync again. If everything is configured correctly you should have an accurate time on all AD computers.
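The guest-side counterpart of the Hyper-V checkbox, as an added example that is not from the original post: it detects whether the hypervisor is feeding the clock, disables the VM IC provider inside the guest, and refuses to finish until w32time reports an NTP peer as its source. It assumes a Hyper-V guest running Windows Server and an elevated PowerShell; the registry path of the VMICTimeProvider and the cmdlets used are real, the VM name 'W2K8SRV1' in the host-side comment is the lab name from the post.

```powershell
# Added example (not from the original post): stop the hypervisor from overriding
# w32time inside a virtual DC, then prove that NTP is really in charge.

# Hyper-V's "Time synchronization" integration service shows up inside the guest
# as a w32time provider under this key. Disabling it here works independently of
# the checkbox on the host and survives a host admin re-enabling the service.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Get-W32TimeSource {
    # Returns the current source as one string, e.g. "Local CMOS Clock",
    # "VM IC Time Synchronization Provider" or "0.pool.ntp.org,0x8".
    (w32tm /query /source) -join ''
}

$before = Get-W32TimeSource
Write-Host "Time source before: $before"

if (Test-Path $vmic) {
    # Enabled = 0 tells w32time to ignore the hypervisor clock as an input.
    Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord
}

# Host side (Hyper-V PowerShell module, Windows Server 2012 and later; run on the
# host, not in the guest) - the scripted form of the "Integration Services" checkbox:
#   Get-VMIntegrationService -VMName 'W2K8SRV1' -Name 'Time Synchronization' |
#       Disable-VMIntegrationService

Restart-Service w32time
w32tm /resync /rediscover | Out-Null
Start-Sleep -Seconds 15

# Now the source must be an NTP peer: the external servers on the PDC emulator,
# or the PDC emulator itself on any other virtual DC. Neither LOCL nor VM IC is acceptable.
$after = Get-W32TimeSource
if ($after -match 'VM IC|Local CMOS') {
    throw "Clock is still not NTP-driven (source: $after); check the peer list and UDP 123"
}
Write-Host "Time source after: $after"
w32tm /query /status
```

On VMware the equivalent is done in the .vmx rather than in the guest: tools.syncTime = "FALSE" for the periodic sync, plus time.synchronize.continue, time.synchronize.restore, time.synchronize.resume.disk, time.synchronize.shrink and time.synchronize.tools.startup set to "0" so the one-off syncs after resume, restore and vMotion are suppressed as well. Run the check part of the script afterwards on every virtual DC, not only on the PDC emulator.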

Hope this post was a little helpful. Please let me know if anything is missing or not clearly described.

Cheers
_Hans


11 Comments


  1. sperrgebiet's world: Time synchronization with virtual Domain … | Blog ccna - April 9, 2010 at 2:20 am

    […] the original: sperrgebiet's world: Time synchronization with virtual Domain … If you enjoyed this article please consider sharing […]

  2. Tweets that mention sperrgebiet's world: Time synchronization with virtual Domain Controllers -- Topsy.com - April 10, 2010 at 12:35 pm

    […] This post was mentioned on Twitter by VM Digest. VM Digest said: sperrgebiet's world: Time synchronization with virtual Domain … http://bit.ly/cTSRew […]

  3. emt training - April 11, 2010 at 8:24 am

    Great information! I've been looking for something like this for a while now. Thanks!

  4. Server 2003 Microsoft Question? | islandpeoplesearch.com - April 11, 2010 at 7:53 pm

    […] sperrgebiet's world: Time synchronization with virtual Domain Controllers […]

  5. How to cross authenticate 2 win 2003 domains with one logon? | Host Rage - April 20, 2010 at 11:12 am

    […] sperrgebiet's world: Time synchronization with virtual Domain Controllers […]

  6. Motorola Droid Complete Charging & Synching Solution | Droid Reviews - April 24, 2010 at 4:56 am

    […] sperrgebiet's world: Time synchronization with virtual Domain Controllers […]

  7. Motorola Droid Car & USB charger power pack | Droid Reviews - April 25, 2010 at 5:04 am

    […] sperrgebiet's world: Time synchronization with virtual Domain Controllers […]

  8. Google Nexus A Car and USB Charger | Cell Phone Choice - May 4, 2010 at 3:10 am

    […] sperrgebiet's world: Time synchronization with virtual Domain Controllers […]

  9. Bruce - May 21, 2010 at 12:37 pm

    […] sperrgebiet’s world: Time synchronization with virtual Domain Controllers […]

  10. Time Synchronization in Virtual Environment Explained « Eureka! Moments - November 21, 2011 at 9:02 pm

    […] Time synchronization with virtual Domain Controllers […]

  11. Dominique - September 26, 2012 at 11:00 pm

    Awesome article! You saved my day!
