Time drift with Hyper-V on previous NTP server

SamTrexler
We have recently virtualized seven Windows 2000 servers onto two Hyper-V hosts running Windows 2008 R2 64-bit.  We now have clock drift on one of these VMs that does not correct itself and is now 40 seconds ahead of the PDC, drifting about 1 second per hour. The other six are continually correcting and staying within one second of each other and the PDC.

All seven servers are web servers behind a firewall, in the DMZ of our domain.  The PDC is behind a second firewall, in the Trusted Zone.  Prior to virtualization, web server AASD02 was set up to get time from internet NTP servers (tick, tock, time-a, etc.) and the PDC got its time from AASD02.  All other servers in the DMZ and Trusted Zone got their time from the domain.

After virtualizing the seven web servers, we noticed clock drift and decided to make the virtual host CTVHOST2 get the time from the internet NTP servers and the PDC get its time from this virtual host.  This worked well, and six of the seven web servers and all physical servers are maintaining time nicely now.  The only exception is AASD02, which used to get the time from the internet.  It is drifting badly, about 1 second per hour, and no corrections are being applied by Windows Time or Hyper-V time synchronization.

I have verified the W32Time settings in the registry of AASD02 now match the other servers, and the VM has been restarted multiple times.  Two other VMs on the same host have the same settings and are staying in sync, but this one doesn't.  If I correct the time to be behind the PDC by 10 or 15 seconds, it still doesn't get corrected and drifts right past zero to be ahead of the domain time.

How can I get this server to stop drifting? Since it was previously the "reliable time source", is there something buried in Windows 2000 or the BIOS that keeps it from applying Windows Time and Hyper-V Time Synchronization?  Everything I find on TechNet, etc. applies to Windows 2003/XP and above, and w32tm is quite a bit different on Windows 2000.

Thanks.

Sam Trexler
Svet Paperov, IT Manager

Commented:
You need to do one of the following:
•  Disable w32time service in the guest machine, or
•  Disable Time synchronization in the Integration services

Microsoft suggests using Time synchronization from the host server with Integration services.

http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/d4d65433-8da6-4e67-8811-541a9ad22848/

Author

Commented:
I have turned off Time Synchronization in Integration services, but left Windows Time running as a service in the guest machine, and restarted the VM.  This has reset the time of the AASD02 guest to that of CTVHOST2 - which is different from AASD01 and other virtual and physical servers in the domain.  That's not the intended result, but closer.

It has uncovered errors in CTVHOST2 obtaining its time, which I am working on now.

But the end result I need is this: VMs on both CTVHOST1 and CTVHOST2, as well as all physical servers in the Trusted Zone, use the same time source.  It is not enough to have the VMs on CTVHOST2 use the time on CTVHOST2, the VMs on CTVHOST1 use the time on CTVHOST1 and the physical servers in the TZ use the domain time - obtained from where?  

We must limit internet access for time to one "server" (virtual or host) in the DMZ and somehow use that time as authoritative for all servers, virtual and physical in the domain.  How do I accomplish that?

Thanks,

Sam

IT Manager
Commented:
This is the best thing you could do – set a single source of time for the network.
Here is what I did in my network:
- I have a Linux server in the DMZ and it receives time from the Internet
- I set the domain controller holding the PDC Emulator FSMO role to receive its time from that server in the DMZ
- I have configured the other domain controllers to receive their time from the PDC emulator
- I've used Group Policy to enable NTP clients on member servers and workstations

Here is my setup:
1. Check that HVSDC1 (IP address: 192.168.10.21) is the PDC Emulator in the domain.
2. Configure HVSDC1 to synchronize with external sources and set it as an Authoritative Time Server:
  a. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change Type value from NT5DS to NTP
  b. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change NtpServer value to mylocal.server.com,0x1 (mylocal.server.com is the DNS name of the Linux server in DMZ)
  c. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config change AnnounceFlags decimal value from 10 to 5
  d. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer make sure that Enable has value 1
  e. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient change the value of SpecialPollInterval to 900 decimal (15 min.)
  f. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config change the values of MaxPosPhaseCorrection and MaxNegPhaseCorrection to 3600.
3. Restart Windows Time service:  net stop w32time && net start w32time
4. Force the server to resynchronize with the new source: w32tm /resync /rediscover
5. For all Domain Controllers and all other stand-alone hosts:
  a. In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change NtpServer value to 192.168.10.21.
  b. Restart Windows Time service:  net stop w32time && net start w32time and force the server to resynchronize: w32tm /resync /rediscover
6. Verify the settings of Default Domain Policy GPO: the state of Enable Windows NTP Client in Computer Configuration | Administrative Templates | System | Windows Time Service | Time Providers must be enabled to allow Windows NTP Client on all domain members to synchronize with the NTP server.

For step-by-step instructions of how to set up Windows Time Service see the official blog of Windows Time Service http://blogs.msdn.com/w32time/default.aspx and the following TechNet link http://technet.microsoft.com/en-us/library/cc773263%28WS.10%29.aspx.

I hope this helps
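Steps 2a through 4 above, written as one PowerShell script so the registry state can be reviewed before it is changed. This is an added example, not code from the thread, from Svet or from Microsoft. It assumes it is run elevated on the Server 2008 R2 PDC emulator; mylocal.server.com is the thread's placeholder for the DMZ time server, and the -Apply switch, the $desired table and the Get-CurrentValue helper are this example's own conventions. The w32tm /query verification at the end exists on 2008 R2 but not in the Windows 2000 w32tm that Sam mentions.

```powershell
# Added example (not from the thread): apply the "authoritative time server" registry settings
# from steps 2a-2f with PowerShell instead of regedit, then do steps 3 and 4.
param(
    [string]$UpstreamSource = 'mylocal.server.com',   # placeholder: DNS name of the DMZ host allowed to reach internet NTP
    [switch]$Apply                                     # without -Apply the script only reports current vs desired
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Desired state. Value names are the real W32Time registry names; the thread's "Enable" under
# TimeProviders\NtpServer is spelled "Enabled" in the registry.
$desired = @(
    @{ Path = "$base\Parameters";              Name = 'Type';                  Value = 'NTP';                 Kind = 'String' },
    @{ Path = "$base\Parameters";              Name = 'NtpServer';             Value = "$UpstreamSource,0x1"; Kind = 'String' },
    @{ Path = "$base\Config";                  Name = 'AnnounceFlags';         Value = 5;                     Kind = 'DWord'  },
    @{ Path = "$base\TimeProviders\NtpServer"; Name = 'Enabled';               Value = 1;                     Kind = 'DWord'  },
    @{ Path = "$base\TimeProviders\NtpClient"; Name = 'SpecialPollInterval';   Value = 900;                   Kind = 'DWord'  },
    @{ Path = "$base\Config";                  Name = 'MaxPosPhaseCorrection'; Value = 3600;                  Kind = 'DWord'  },
    @{ Path = "$base\Config";                  Name = 'MaxNegPhaseCorrection'; Value = 3600;                  Kind = 'DWord'  }
)

function Get-CurrentValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist yet.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Report what differs before touching anything.
$report = foreach ($d in $desired) {
    $current = Get-CurrentValue -Path $d.Path -Name $d.Name
    [pscustomobject]@{
        Key     = $d.Path.Substring($base.Length + 1)
        Name    = $d.Name
        Current = $current
        Desired = $d.Value
        Match   = ("$current" -eq "$($d.Value)")
    }
}
$report | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Dry run. Re-run with -Apply to write the values marked Match=False and restart w32time.'
    return
}

foreach ($d in $desired) {
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type $d.Kind
}

# Steps 3 and 4: restart the service and force it to rediscover and sync from the new source.
Restart-Service -Name w32time -Force
w32tm /resync /rediscover

# Verification: the reported source should now be the upstream host, not "Local CMOS Clock".
w32tm /query /source
w32tm /query /status
```

Run it once without -Apply to see which of the seven values differ, then with -Apply. The same Type, NtpServer and AnnounceFlags settings can also be written with w32tm /config /manualpeerlist:"mylocal.server.com,0x1" /syncfromflags:manual /reliable:yes /update; the poll interval and phase-correction limits in steps 2e and 2f still have to be set in the registry.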

Author

Commented:
Excellent, thorough doc.  Should be very helpful.  Thanks for the quick response, I'll give it a try tomorrow.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Are any of your DCs on physical boxes? If they are then set them up to pull time from pool.ntp.org. Then set up your hosts and guests to pull from that DC. Allow firewall exceptions for NTP inbound on that DC.

If all DCs are VMs then set up one of the physical hosts to poll pool.ntp.org for time and then set the VMs to poll the host. Again set the firewall accordingly.

http://blog.mpecsinc.ca/2011/01/hyper-v-preparing-high-load-vm-for-time.html

We have had a lot of pain over the time skew situation for VMs.

The above methods work for us. In some cases we drop in an HP MicroServer with Win2K8 R2 running as a DC and set it up to poll pool.ntp.org and then have all VMs poll it for time.

The problem has to do with the polling frequency needed as indicated in the blog post. Do that to ntp.org's servers and they will pass along the Kiss-Of-Death packets basically killing the ability to poll their servers for time.
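Whichever box ends up as the single source in the layout Philip describes, the skew he mentions is easiest to catch by measuring it from that box. This added script (not code from the thread or from Philip) runs on the designated time source and reports how far each listed server's clock is from the local one, using w32tm /stripchart, which exists on Server 2008 R2 but not in the Windows 2000 w32tm. The host names, the one-second threshold and the Get-NtpOffsetSeconds helper are this example's own assumptions.

```powershell
# Added example (not from the thread): measure each server's clock offset relative to the
# machine this runs on, so a drifting VM (like AASD02 in the question) shows up before it
# is 40 seconds out. Requires UDP 123 to the targets, which the firewall rules must allow.
param(
    [string[]]$Targets = @('pdc.example.com', 'ctvhost1.example.com', 'aasd02.example.com'),  # placeholders
    [int]$Samples = 5,
    [double]$WarnSeconds = 1.0   # the thread treats "within one second" as healthy
)

function Get-NtpOffsetSeconds {
    param([string]$Computer, [int]$Samples)
    # /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample, or "HH:mm:ss, error: 0x..."
    # when the target does not answer; keep only the signed offsets and average them.
    $lines = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

$results = foreach ($t in $Targets) {
    $offset = Get-NtpOffsetSeconds -Computer $t -Samples $Samples
    if ($null -eq $offset) {
        $status = 'NO RESPONSE (UDP 123 blocked or NTP server disabled?)'
    } elseif ([math]::Abs($offset) -gt $WarnSeconds) {
        $status = 'DRIFTING'
    } else {
        $status = 'ok'
    }
    [pscustomobject]@{
        Target        = $t
        OffsetSeconds = if ($null -eq $offset) { $null } else { [math]::Round($offset, 3) }
        Status        = $status
    }
}
$results | Format-Table -AutoSize

# Non-zero exit when anything is off, so a scheduled task can alert on it.
if ($results | Where-Object { $_.Status -ne 'ok' }) { exit 1 }
```

A target that answers but keeps growing its offset between runs is one whose own w32time is not applying corrections, which is exactly the symptom in the question; a target with no response usually means the firewall between the zones is not passing NTP, which the thread also points out has to be opened.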
