SamTrexler
 asked on

Time drift with Hyper-V on previous NTP server

We have recently virtualized seven Windows 2000 servers onto two Hyper-V hosts running Windows 2008 R2 64-bit.  We now have clock drift on one of these VMs that does not correct itself and is now 40 seconds ahead of the PDC, drifting about 1 second per hour. The other six are continually correcting and staying within one second of each other and the PDC.

All seven servers are web servers behind a firewall, in the DMZ of our domain.  The PDC is behind a second firewall, in the Trusted Zone.  Prior to virtualization web server AASD02 was set up to get time from internet NTP servers (tick, tock, time-a, etc.) and the PDC got its time from AASD02.  All other servers in the DMZ and Trusted Zone got their time from the domain.

After virtualizing the seven web servers, we noticed clock drift and decided to make the virtual host CTVHOST2 get the time from the internet NTP servers and the PDC get its time from this virtual host.  This worked well, and six of the seven web servers and all physical servers are maintaining time nicely now.  The only exception is AASD02, which used to get the time from the internet.  It is drifting badly, about 1 second per hour, and no corrections are being applied by Windows Time or Hyper-V time synchronization.

I have verified the W32Time settings in the registry of AASD02 now match the other servers, and the VM has been restarted multiple times.  Two other VMs on the same host have the same settings and are staying in sync, but this one doesn't.  If I correct the time to be behind the PDC by 10 or 15 seconds, it still doesn't get corrected and drifts right past zero to be ahead of the domain time.

How can I get this server to stop drifting? Since it was previously the "reliable time source", is there something buried in Windows 2000 or the BIOS that keeps it from applying Windows Time and Hyper-V Time Synchronization?  Everything I find on TechNet, etc. applies to Windows 2003/XP and above, and w32tm is quite a bit different on Windows 2000.

Thanks.

Sam Trexler
Internet Protocols, Windows 2000, Microsoft Virtual Server

Last Comment
Philip Elder

8/22/2022 - Mon
Svet Paperov

You need to do one of the following:
•  Disable w32time service in the guest machine, or
•  Disable Time synchronization in the Integration services

Microsoft suggests using Time synchronization from the host server with Integration services.

http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/d4d65433-8da6-4e67-8811-541a9ad22848/
 
SamTrexler

ASKER
I have turned off Time Synchronization in Integration services, but left Windows Time running as a service in the guest machine, and restarted the VM.  This has reset the time of the AASD02 guest to that of CTVHOST2 - which is different from AASD01 and other virtual and physical servers in the domain.  That's not the intended result, but closer.

It has uncovered errors in CTVHOST2 obtaining its time, which I am working on now.

But the end result I need is this: VMs on both CTVHOST1 and CTVHOST2, as well as all physical servers in the Trusted Zone, use the same time source.  It is not enough to have the VMs on CTVHOST2 use the time on CTVHOST2, the VMs on CTVHOST1 use the time on CTVHOST1 and the physical servers in the TZ use the domain time - obtained from where?  

We must limit internet access for time to one "server" (virtual or host) in the DMZ and somehow use that time as authoritative for all servers, virtual and physical in the domain.  How do I accomplish that?

Thanks,

Sam

ASKER CERTIFIED SOLUTION
Svet Paperov

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
SamTrexler

ASKER
Excellent, thorough doc.  Should be very helpful.  Thanks for the quick response, I'll give it a try tomorrow.
Philip Elder

Are any of your DCs on physical boxes? If they are then set them up to pull time from pool.ntp.org. Then set up your hosts and guests to pull from that DC. Allow firewall exceptions for NTP inbound on that DC.

If all DCs are VMs then set up one of the physical hosts to poll pool.ntp.org for time and then set the VMs to poll the host. Again set the firewall accordingly.

http://blog.mpecsinc.ca/2011/01/hyper-v-preparing-high-load-vm-for-time.html

We have had a lot of pain over the time skew situation for VMs.

The above methods work for us. In some cases we drop in an HP MicroServer with Win2K8 R2 running as a DC and set it up to poll pool.ntp.org and then have all VMs poll it for time.

The problem has to do with the polling frequency needed as indicated in the blog post. Do that to ntp.org's servers and they will pass along the Kiss-Of-Death packets basically killing the ability to poll their servers for time.
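
The single-source hierarchy described in this answer, written out as commands (an added example, not part of the original posts). CTVHOST2 and pool.ntp.org are the names used in the thread; the client subnet is a constructed placeholder, and the PDC and domain-member lines assume Windows 2003 or later.

```batch
rem Added example, not from the thread. TIME_CLIENTS is a constructed
rem placeholder (TEST-NET-1); replace it with the DMZ / Trusted Zone subnets.
set TIME_CLIENTS=192.0.2.0/24

rem --- On the one machine allowed to reach the internet for time ---
rem --- (CTVHOST2 in this thread, Windows 2008 R2) ---
rem 0x8 = client mode: w32time chooses its own poll interval rather than
rem a fixed short one, which avoids hammering the public pool servers.
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

rem Accept inbound NTP only from the servers that should use this source.
netsh advfirewall firewall add rule name="NTP inbound" dir=in action=allow protocol=UDP localport=123 remoteip=%TIME_CLIENTS%

rem --- On the PDC (assumed Windows 2003 or later) ---
rem Point it at the internal source; it never talks to the internet itself.
w32tm /config /manualpeerlist:"CTVHOST2,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

rem --- On domain members running Windows 2003 or later ---
rem Follow the domain hierarchy, which ends at the PDC configured above.
w32tm /config /syncfromflags:domhier /update
w32tm /resync

rem --- On a Windows 2000 guest pointed directly at the internal source ---
rem The thread notes that w32tm differs on Windows 2000; net time sets
rem the SNTP source there.
net time /setsntp:CTVHOST2
net stop w32time
net start w32time
net time /querysntp

rem --- Verify from a 2003+ machine: offset against the internal source ---
w32tm /stripchart /computer:CTVHOST2 /samples:5 /dataonly
w32tm /monitor
```

A guest whose offset in the stripchart output keeps growing between runs is not applying corrections from either Windows Time or the Hyper-V integration service.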