Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Best method to setup time sync on a Hyper-V environment  Active Directory 2008 Server Guest?

Posted on 2015-02-17
8
Medium Priority
?
189 Views
Last Modified: 2015-02-20
I have several sites that have a single physical Hyper-V (full) 2012 R2 Server.  The Hyper-V host server is not in the domain.  One of guests in an Active Directory Windows Server 2008 VM.  The other couple of guests are Windows Server 2008 member servers that belong to the domain.

Integration Services is implemented for all the guests, including the active directory server.

I believe the active directory server is the authorative time server for the domain.

I suspect the domain server time sync is implemented but that the Integration Services time sync is also implemented and worry this could lead to odd time sync issues.

What's the best practice in regards to how this type of configuration should be setup?  Integration Time Sync turned off on one or more of the VMs?  Domain style time sync turned off somehow?  Custom registry mods?  Nothing?
0
Comment
Question by:AnthonyMCSE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 40614593
Take a look at the following link which outlines the best practices for running a domain controller in a Hyper-V environment.
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx
Will.
0
 
LVL 34

Accepted Solution

by:
it_saige earned 1600 total points
ID: 40614597
You want to disable the Integration Services Time Sync on any VM DC's.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614677
The article Will posted appears to be applicable for Windows Server 2008 R2 and it also says to disable Time Sync under Integration Services.  I have a couple sites where the Hyper-V host is Windows Server 2012 R2.  Is this good advice for these sites as well?

I have several other guest VM's on the same Hyper-V host as well, these are Windows Server 2008 R2 guests that also belong to the domain.  Should they have Integration Services Time Sync turned off as well and in turn rely on the domain controller for correct time?  

It appears that there is competing time source, as this log shows, currently on one of my Windows Server 2008 VMs between the domain controller and integrated services time sync.  The query results below were taken from the same machine in succession:

C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1249542s
Root Dispersion: 1.7611385s
ReferenceId: 0xC0A800CA (source IP:  192.168.0.202)
Last Successful Sync Time: 2/16/2015 5:43:12 PM
Source: dfp-server.dfp.local
Poll Interval: 10 (1024s)


C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: 2/16/2015 5:58:03 PM
Source: VM IC Time Synchronization Provider
Poll Interval: 10 (1024s)
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 34

Expert Comment

by:it_saige
ID: 40614695
With regard to time services, I can confirm that it is still very applicable.  I had a domain where the time was off by 5 minutes because of the Time Sync from the Integration Services.  After disabling the Time Sync in the Integration Services, the time was accurate.  Again, this only applies to Guest OS's that are DC's, member servers and computers are not affected.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614769
Saige,

So what do you think about the log above, where the member server VM that is in the same domain appears to be syncing with two different sources?  Just don't worry about it?
0
 

Author Comment

by:AnthonyMCSE
ID: 40614810
Also, after turning off the virtual DC's integrated services time sync, I'd need to set it up to sync to an external source, right?  So far, it is the only DC...
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40614820
These are the results I would expect:

Windows Server 2012 R2 VM DC (PDCe FSMO Holder) -Time synchronized from external time source.Windows Server 2012 R2 VM DC -IP of PDCe FSMO Holder is 192.168.1.20.Windows Server 2008 VM Member Server -Capture.JPG
On these VMs, the Time Sync Integration Service is disabled on the DC's but not on the member server -DC01 (PDCe FSMO Holder) Time synchronization is disabledDC02 Time synchronization is diabledMember server - Time synchronization is enabled.
If you are seeing inconsistent results, ensure that your member servers and non-PDCe DC's are using DOMHIER in their time configuration:
w32tm /config /syncfromflags:domhier /update

Open in new window


http://blogs.technet.com/b/industry_insiders/archive/2006/08/29/w32-tm-service.aspx

-saige-
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40614825
Correct.  Here is a previous EE PAQ discussing Windows Time Services, I also discuss using a GPO policy and WMI filter so that you don't have to futz with registry settings or command lines on the PDCe.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28597899.html

-saige-
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question