Solved

Best method to setup time sync on a Hyper-V environment  Active Directory 2008 Server Guest?

Posted on 2015-02-17
8
175 Views
Last Modified: 2015-02-20
I have several sites that have a single physical Hyper-V (full) 2012 R2 Server.  The Hyper-V host server is not in the domain.  One of guests in an Active Directory Windows Server 2008 VM.  The other couple of guests are Windows Server 2008 member servers that belong to the domain.

Integration Services is implemented for all the guests, including the active directory server.

I believe the active directory server is the authorative time server for the domain.

I suspect the domain server time sync is implemented but that the Integration Services time sync is also implemented and worry this could lead to odd time sync issues.

What's the best practice in regards to how this type of configuration should be setup?  Integration Time Sync turned off on one or more of the VMs?  Domain style time sync turned off somehow?  Custom registry mods?  Nothing?
0
Comment
Question by:AnthonyMCSE
  • 4
  • 3
8 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 40614593
Take a look at the following link which outlines the best practices for running a domain controller in a Hyper-V environment.
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx
Will.
0
 
LVL 33

Accepted Solution

by:
it_saige earned 400 total points
ID: 40614597
You want to disable the Integration Services Time Sync on any VM DC's.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614677
The article Will posted appears to be applicable for Windows Server 2008 R2 and it also says to disable Time Sync under Integration Services.  I have a couple sites where the Hyper-V host is Windows Server 2012 R2.  Is this good advice for these sites as well?

I have several other guest VM's on the same Hyper-V host as well, these are Windows Server 2008 R2 guests that also belong to the domain.  Should they have Integration Services Time Sync turned off as well and in turn rely on the domain controller for correct time?  

It appears that there is competing time source, as this log shows, currently on one of my Windows Server 2008 VMs between the domain controller and integrated services time sync.  The query results below were taken from the same machine in succession:

C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1249542s
Root Dispersion: 1.7611385s
ReferenceId: 0xC0A800CA (source IP:  192.168.0.202)
Last Successful Sync Time: 2/16/2015 5:43:12 PM
Source: dfp-server.dfp.local
Poll Interval: 10 (1024s)


C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: 2/16/2015 5:58:03 PM
Source: VM IC Time Synchronization Provider
Poll Interval: 10 (1024s)
0
 
LVL 33

Expert Comment

by:it_saige
ID: 40614695
With regard to time services, I can confirm that it is still very applicable.  I had a domain where the time was off by 5 minutes because of the Time Sync from the Integration Services.  After disabling the Time Sync in the Integration Services, the time was accurate.  Again, this only applies to Guest OS's that are DC's, member servers and computers are not affected.

-saige-
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:AnthonyMCSE
ID: 40614769
Saige,

So what do you think about the log above, where the member server VM that is in the same domain appears to be syncing with two different sources?  Just don't worry about it?
0
 

Author Comment

by:AnthonyMCSE
ID: 40614810
Also, after turning off the virtual DC's integrated services time sync, I'd need to set it up to sync to an external source, right?  So far, it is the only DC...
0
 
LVL 33

Expert Comment

by:it_saige
ID: 40614820
These are the results I would expect:

Windows Server 2012 R2 VM DC (PDCe FSMO Holder) -Time synchronized from external time source.Windows Server 2012 R2 VM DC -IP of PDCe FSMO Holder is 192.168.1.20.Windows Server 2008 VM Member Server -Capture.JPG
On these VMs, the Time Sync Integration Service is disabled on the DC's but not on the member server -DC01 (PDCe FSMO Holder) Time synchronization is disabledDC02 Time synchronization is diabledMember server - Time synchronization is enabled.
If you are seeing inconsistent results, ensure that your member servers and non-PDCe DC's are using DOMHIER in their time configuration:
w32tm /config /syncfromflags:domhier /update

Open in new window


http://blogs.technet.com/b/industry_insiders/archive/2006/08/29/w32-tm-service.aspx

-saige-
0
 
LVL 33

Expert Comment

by:it_saige
ID: 40614825
Correct.  Here is a previous EE PAQ discussing Windows Time Services, I also discuss using a GPO policy and WMI filter so that you don't have to futz with registry settings or command lines on the PDCe.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28597899.html

-saige-
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now