Best method to setup time sync on a Hyper-V environment  Active Directory 2008 Server Guest?

Posted on 2015-02-17
Last Modified: 2015-02-20
I have several sites that have a single physical Hyper-V (full) 2012 R2 Server.  The Hyper-V host server is not in the domain.  One of guests in an Active Directory Windows Server 2008 VM.  The other couple of guests are Windows Server 2008 member servers that belong to the domain.

Integration Services is implemented for all the guests, including the active directory server.

I believe the active directory server is the authorative time server for the domain.

I suspect the domain server time sync is implemented but that the Integration Services time sync is also implemented and worry this could lead to odd time sync issues.

What's the best practice in regards to how this type of configuration should be setup?  Integration Time Sync turned off on one or more of the VMs?  Domain style time sync turned off somehow?  Custom registry mods?  Nothing?
Question by:AnthonyMCSE
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 40614593
Take a look at the following link which outlines the best practices for running a domain controller in a Hyper-V environment.
LVL 34

Accepted Solution

it_saige earned 400 total points
ID: 40614597
You want to disable the Integration Services Time Sync on any VM DC's.


Author Comment

ID: 40614677
The article Will posted appears to be applicable for Windows Server 2008 R2 and it also says to disable Time Sync under Integration Services.  I have a couple sites where the Hyper-V host is Windows Server 2012 R2.  Is this good advice for these sites as well?

I have several other guest VM's on the same Hyper-V host as well, these are Windows Server 2008 R2 guests that also belong to the domain.  Should they have Integration Services Time Sync turned off as well and in turn rely on the domain controller for correct time?  

It appears that there is competing time source, as this log shows, currently on one of my Windows Server 2008 VMs between the domain controller and integrated services time sync.  The query results below were taken from the same machine in succession:

C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1249542s
Root Dispersion: 1.7611385s
ReferenceId: 0xC0A800CA (source IP:
Last Successful Sync Time: 2/16/2015 5:43:12 PM
Source: dfp-server.dfp.local
Poll Interval: 10 (1024s)

C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: 2/16/2015 5:58:03 PM
Source: VM IC Time Synchronization Provider
Poll Interval: 10 (1024s)
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

LVL 34

Expert Comment

ID: 40614695
With regard to time services, I can confirm that it is still very applicable.  I had a domain where the time was off by 5 minutes because of the Time Sync from the Integration Services.  After disabling the Time Sync in the Integration Services, the time was accurate.  Again, this only applies to Guest OS's that are DC's, member servers and computers are not affected.


Author Comment

ID: 40614769

So what do you think about the log above, where the member server VM that is in the same domain appears to be syncing with two different sources?  Just don't worry about it?

Author Comment

ID: 40614810
Also, after turning off the virtual DC's integrated services time sync, I'd need to set it up to sync to an external source, right?  So far, it is the only DC...
LVL 34

Expert Comment

ID: 40614820
These are the results I would expect:

Windows Server 2012 R2 VM DC (PDCe FSMO Holder) -Time synchronized from external time source.Windows Server 2012 R2 VM DC -IP of PDCe FSMO Holder is Server 2008 VM Member Server -Capture.JPG
On these VMs, the Time Sync Integration Service is disabled on the DC's but not on the member server -DC01 (PDCe FSMO Holder) Time synchronization is disabledDC02 Time synchronization is diabledMember server - Time synchronization is enabled.
If you are seeing inconsistent results, ensure that your member servers and non-PDCe DC's are using DOMHIER in their time configuration:
w32tm /config /syncfromflags:domhier /update

Open in new window

LVL 34

Expert Comment

ID: 40614825
Correct.  Here is a previous EE PAQ discussing Windows Time Services, I also discuss using a GPO policy and WMI filter so that you don't have to futz with registry settings or command lines on the PDCe.


Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question