howmad2
asked on
Hyper-V: Time Configuration
What is the best practice for configuring time source in a multi server domain? (Have a mix of 2003 STD and 2012 STD and HyperV - VMs)
This is what I was thinking.......Have the DC/FSMO get external time, Have the other DCs and member servers point to the DC/FSMO. I believe workstations will by default point to the DC/Fsmo???
Should the other DCs and member servers point to the DC/FSMO and have a 2nd time source that's external?
ASKER
Should Member Servers and DCs sync against the PDC emulator (domain) with a 2nd entry to an external source?
Do I have to do anything special for a Hyper-V VM that is a DC ?
or a Hyper-V VM that is a Member Server?
Or a Hyper-V host (2012 R2 Standard)?
Here is my go to file for Windows NTP Setup:
You need to turn off time services for guests in Hyper V so they will get their time from your domain hierarchy
Here are the instructions for NTP GPO:
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
Net Stop W32Time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
W32tm /config /reliable:yes
Net Start W32Time
W32tm /config /update
W32tm /resync
- to configure a domain computer for automatic domain time synchronization, run:
w32tm /config /syncfromflags:domhier /update
After that you have to run:
net stop w32time
net start w32time
--------------------------
- to reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run:
w32tm /config /syncfromflags:domhier /reliable:no /update
After that you have to run:
net stop w32time
net start w32time
If you have problems with the time service configuration because too many changes were done in the registry, or you would like to start fresh on a computer, then you can reset the time service to a default state the following way. Make sure to use an elevated command prompt, to have full administrative permissions. Then type in the following commands:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
I would not do second source as an external.
There are different ways to set up the time synchronization in a virtualized environment. However, there are a couple of things to consider:
- If the DCs are running on domain member Hyper-V servers, you should disable the time synch from Integration Services
- All member servers and workstations in a domain will synch the time with the PDC FSMO-holder's DC
Your approach sounds correct. Another approach that you could consider is to synch the DC with an internal source which is synched with an external one. In such a way, you improve the security by reducing the cases where the DC communicates with Internet hosts and you have a single time source for the whole organization. This other source could be a Linux server or a router/firewall.
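The checks this thread describes (PDC emulator on a manual peer list and marked reliable, every other domain machine on the domain hierarchy, Hyper-V guest time provider off), as an added PowerShell example that is not part of the original thread. The registry paths are the standard W32Time keys; the function names and the sample state are hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example; function names are hypothetical. Needs Windows PowerShell 3.0 or later.
$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-TimeConfigState {
    # Read the local values that the w32tm commands in this thread change.
    $cs = Get-CimInstance Win32_ComputerSystem
    $p  = Get-ItemProperty "$W32\Parameters"
    $vm = Get-ItemProperty "$W32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainRole    = [int]$cs.DomainRole   # 5 = PDC emulator, 4 = other DC, 3 / 1 = member
        IsHyperVGuest = ($cs.Manufacturer -eq 'Microsoft Corporation' -and $cs.Model -eq 'Virtual Machine')
        Type          = $p.Type               # NTP = manual peer list, NT5DS = domain hierarchy
        NtpServer     = $p.NtpServer
        AnnounceFlags = [int](Get-ItemProperty "$W32\Config").AnnounceFlags
        VmicEnabled   = [int]$vm.Enabled      # 1 = guest-side Hyper-V time provider is on
    }
}

function Test-TimeConfigState {
    param([Parameter(Mandatory = $true)] $State)
    $f = @()
    $reliable = ($State.AnnounceFlags -band 0x4) -ne 0   # "always reliable" bit, set by /reliable:yes
    if ($State.DomainRole -eq 5) {
        if ($State.Type -ne 'NTP') { $f += "PDC emulator: Type is '$($State.Type)', expected NTP (/syncfromflags:manual)" }
        if (-not $State.NtpServer) { $f += 'PDC emulator: manual peer list is empty' }
        if (-not $reliable)        { $f += 'PDC emulator: not announced as reliable (/reliable:yes)' }
    } elseif ((1, 3, 4) -contains $State.DomainRole) {
        if ($State.Type -ne 'NT5DS') { $f += "Type is '$($State.Type)', expected NT5DS (/syncfromflags:domhier)" }
        if ($reliable)               { $f += 'Announces itself as reliable but is not the PDC emulator (/reliable:no)' }
    } else {
        $f += 'Not domain joined: the domain hierarchy does not apply'
    }
    if ($State.IsHyperVGuest -and $State.VmicEnabled -eq 1) {
        $f += 'Hyper-V guest: VMICTimeProvider is enabled in the guest registry'
    }
    $f
}

# Constructed sample: a virtualized DC that used to hold the PDC emulator role and was never reconfigured.
$sample = [pscustomobject]@{
    DomainRole = 4; IsHyperVGuest = $true; Type = 'NTP'
    NtpServer = '0.pool.ntp.org,0x8'; AnnounceFlags = 5; VmicEnabled = 1
}
Test-TimeConfigState $sample
# On a live machine: Test-TimeConfigState (Get-TimeConfigState)
```

The guest-side registry value does not show whether the host has already switched off the Time Synchronization integration service for that VM, so confirm a Hyper-V finding on the host before changing anything.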