Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Vmware ESXi 5.1 NTP and Windows Domain Time synchronization

Posted on 2013-11-22
5
Medium Priority
?
7,616 Views
Last Modified: 2013-11-27
We have a Windows Domain , all servers are virtualized running on VMware ESXi 5.1 .

Each Virtual Guest is configured to receive time from the host configured through edit settings VMware Tools "Syncronize guest time with host"
I understand now that this could be bad for a domain controller, what is my best way to synchronize time ?

Also each of my ESXi host computers are configured to receive time from NTP servers (192.43.244.18 and 69.36.240.252). In Vsphere Client NTP client is running yet my 6 host machines do not have the same time some are off by more than a minute.  How do I properly configure NTP and make sure it is working ?

I have Windows guests Server 2003 / 2008 and 2012 .  Where should they be getting time ? from the DC's ? how do I force this to work ?


Thanks for your input.
0
Comment
Question by:Ekuskowski
  • 2
  • 2
5 Comments
 
LVL 125

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 668 total points
ID: 39670294
How we setup our clients is as follows:-

1. ESXi/ESX Hosts are set to an external time source. (internet or your own time server)

2. DC, PDC emulator is set to the same external time source as in 1.

3. VMware Tools Sync time with host is disabled on ALL Windows VMs. They will get time from Domain.

4. Linux/Unix VMs are synced with external time source as in 1.

I also refer you to:-

VMware KB: Timekeeping best practices for Windows, including NTP

VMware KB: Troubleshooting NTP on ESX and ESXi 4.x / 5.x

Timekeeping In VirtualMachines Whitepaper
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1332 total points
ID: 39670853
You should configure authorative time server role on PDC and point the time sync to external windows time and disable the time sync from host server to VM.

Virtualizing Domain Controllers and the Windows Time Service(Virtualized DC Best Practices:
http://msmvps.com/blogs/acefekay/archive/2011/08/23/virtualizing-domain-controllers-and-the-windows-time-service.aspx

Configure authorative time server on the PDC role holder server below is the KB article for the same.http://support.microsoft.com/kb/816042

Please also make sure that udp port 123 which as direction the chosen NTP server is not blocked.

For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184
0
 

Author Comment

by:Ekuskowski
ID: 39675922
I'm still not sure Why my VMware hosts are not keeping the correct time, I'm just going to call VMware to resolve that part of my issue

I have four domain controllers in my organization that each now gets its time from an external source (time.windows.com 0x9) .  Which I believe is just a Microsoft Default time source.

I have two Domain controllers at my main site and then at two remote sites I have one domain controller in each.

Should any of my domain controllers be getting time from another domain controller or is it ok to have them all access the same external time source ?
should I change the time source from the default (time.windows.com ? If I should change is there a particular NTP server I should be pointing at ?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1332 total points
ID: 39676554
Refer below link to disable host to VM server.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
You just need to configure NTP on PDC role holder server and other DC should be set to NT5DS.

Just execute below commands on DC.

PDC server.

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp:
net stop w32time & net start w32time
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time & net start w32time

NON PDC server

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp:
Net stop w32time & net start w32time
w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover
net stop w32time & net start w32time
0
 

Author Closing Comment

by:Ekuskowski
ID: 39681852
As of now all my servers time is in sync, I mainly followed Sandeshdubey especially the straight forward commands that were posted. I still need to take care of my VMware host servers but for now I am ok.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

August and September have been big months for VMware—from VMworld last month to our new Course of the Month in VMware Professional - Data Center Virtualization. We reached out to Andrew Hancock, resident VMware vExpert, to have a more in-depth discu…
Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question