
Domain Time Synchronization problem with a domain controller in a virtual machine

Last Modified: 2012-06-27
My primary domain controller (Windows 2008) is in site A.
In site B I have a second DC (Windows 2008) which is running in a Hyper-V virtual machine.
This is the only DC in site B.
In the VM's properties -> Integration Services -> Time synchronization is enabled.

I think there is a conflict in time sync here. Should the guest (DC) sync time with the host or with the primary DC in site A? And then should the host sync with the DC in this site or with the primary DC in site A?
When a restart of the host occurs, its services start first. Is it set to automatically search for the primary DC in site A?

Do I have to disable time sync in integration services and try to synchronize time for both servers (host and guest) with the primary DC in site A?

I am a little confused here. I would appreciate it if someone could explain.

Chris, Lead Infrastructure Architect
CERTIFIED EXPERT

Commented:
If you have a single domain then the PDC emulator should be set to sync from an external time source.
You can then let the rest of the domain pick its time up from Windows Time from the PDC emulator. If you have that set up then the Hyper-V host would pick its time up from that DC and then the integration services will pass that time on. Just make sure your host is not under too much load as this will affect the guests.

Author

Commented:
Yes, it's a single domain.
I have configured my primary DC (PDC emulator) with the command

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

I am thinking of running these commands on the host

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

...and leave everything else as it is.
Do you agree?
Chris, Lead Infrastructure Architect
CERTIFIED EXPERT

Commented:
Good article about the hierarchy:

http://blogs.msdn.com/b/w32time/archive/2007/09/04/keeping-the-domain-on-time.aspx

I have configured the PDC via group policy and left the rest to pick it up from domain time. I have set the advanced settings to make sure the sync flags are fully set. But your way will work also.
Leon Fester, Senior Solutions Architect

Commented:
Recommendations from Microsoft and VMware for VMware hosts are never to sync via the sync tools but rather to set up AD time sync with a known NTP server on the network.

I would imagine the same would apply to Hyper-V.
Run the same command as above, but adjust the manualpeerlist to include the IP or name of the preferred NTP server, in your case the PDCe.
CERTIFIED EXPERT
Commented:
If you have the PDC synced from an external source (NTP server), for the second DC that is on a VM you have 2 options:

1. Disable "Time synchronization" in the "integration services", which will let your second DC synchronize with the PDC.
2. Leave "Time synchronization" enabled but also sync your host OS with the PDC so the "real machine" will be "in sync" with the same time source as your VM.
Chris, Lead Infrastructure Architect
CERTIFIED EXPERT

Commented:
The same guidance doesn't apply to Hyper-V.
Recommendations are to use integration services in all but one instance.
As stated above, if the PDC emulator is a VM, disable the integration services and sync from an external time source. If not, make sure the host is in sync with the PDC emulator and let the integration services sort the VMs out (there are some contradictions in details on the internet, but this has come from an MS Consultancy Health Check).

Commented:
If your Hyper-V host and guest are members of your AD domain they should automatically be synchronising time with your PDC FSMO holder. It won't matter whether the guest is configured to synchronise with the Hyper-V host or the PDC, it should be receiving the same time synchronisation.

Have you followed MS KB 816042 on how to set up an external time source on the DC holding the PDC FSMO? You need to scroll about halfway down to "Configuring the Windows Time service to use an external time source".

This KB would only apply to your PDC. All other DCs and clients in your domain will automatically synchronise with the PDC unless configured otherwise (which is not recommended).

Commented:
To reset your Hyper-V host and guest to synchronise with the PDC the commands to run on each server are:

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

kevinhsieh, Network Engineer
CERTIFIED EXPERT
Commented:
Disable the Hyper-V time synchronization for ALL domain controller VMs. I have multiple DCs in my site and most of them are virtual. I had an issue with time drifting for some machines and I couldn't figure out why. It turns out that for one virtual DC it was syncing time with the host. The host was in turn syncing time to the VM, and everyone was drifting. As soon as I disabled the Hyper-V time sync the DC was able to get time from the PDC emulator, and then the host got correct time from the virtual DC, and then all the other VMs got correct time from the host. I haven't had any problems since.
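
A read-only check for the loop described in the reply above, added here as an example and not written by any poster in this thread. The function name `Get-TimeSyncFinding` and the finding texts are hypothetical; it assumes DomainRole 5 marks the PDC emulator holder and reads only the local W32Time service key, not settings delivered by group policy.

```powershell
# Added example, not from the thread. Read-only: nothing here changes configuration.
function Get-TimeSyncFinding {
    param(
        [string]$Source,      # text returned by: w32tm /query /source
        [string]$Type,        # W32Time\Parameters\Type: NT5DS = domain hierarchy, NTP = manual peers
        [int]$DomainRole,     # Win32_ComputerSystem.DomainRole: 1/3 = member, 4 = DC, 5 = PDC emulator
        [bool]$IsHyperVGuest, # Model reported as 'Virtual Machine'
        [bool]$VmicEnabled    # VMICTimeProvider\Enabled is 1
    )
    $fromHost = $Source -like 'VM IC Time Synchronization Provider*'
    $isDc     = $DomainRole -ge 4
    $isPdc    = $DomainRole -eq 5
    $out      = @()
    if ($isDc -and $fromHost) {
        $out += 'LOOP RISK: this DC takes time from its Hyper-V host. If the host syncs from this DC, neither has an authoritative source.'
    } elseif ($isDc -and $IsHyperVGuest -and $VmicEnabled) {
        $out += 'WARN: the Hyper-V time provider is still enabled on a virtual DC.'
    }
    if ($isPdc -and ($Type -ne 'NTP')) {
        $out += 'WARN: PDC emulator is not using manual NTP peers (/syncfromflags:manual).'
    }
    if (((1, 3, 4) -contains $DomainRole) -and ($Type -ne 'NT5DS') -and (-not $fromHost)) {
        $out += 'WARN: domain member is not following the domain hierarchy (/syncfromflags:domhier).'
    }
    if ($Source -match 'Local CMOS Clock|Free-running System Clock') {
        $out += 'WARN: no upstream time source; the clock is free-running.'
    }
    if ($out.Count -eq 0) { $out += 'OK' }
    $out
}

# Constructed input: a virtual DC that follows its host, as in the reply above.
Get-TimeSyncFinding -Source 'VM IC Time Synchronization Provider' -Type 'NT5DS' `
    -DomainRole 4 -IsHyperVGuest $true -VmicEnabled $true

# Live values from the local machine (run elevated; assumes PowerShell 3.0 or later).
$w32  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$vmic = Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
$live = @{
    Source        = ((w32tm /query /source) -join ' ').Trim()
    Type          = (Get-ItemProperty "$w32\Parameters").Type
    DomainRole    = [int]$cs.DomainRole
    IsHyperVGuest = ($cs.Model -eq 'Virtual Machine')
    VmicEnabled   = ($vmic.Enabled -eq 1)
}
Get-TimeSyncFinding @live
```

Run it on the virtual DC and on its Hyper-V host; the loop exists when the DC reports the VM IC provider as its source while the host reports that DC.
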
Chris, Lead Infrastructure Architect
CERTIFIED EXPERT
Commented:
If you had time drifting from a non-PDC DC then there were issues with the host itself - high loading causes the virtual tick to drift.

Use group policy to set the PDC emulator to sync to an external time source.
Use group policy to force all other DCs and member servers to sync from the domain.
If you have this set up properly, with the correction settings in line, then you should get no issues.