Solved

Best method to setup time sync on a Hyper-V environment  Active Directory 2008 Server Guest?

Posted on 2015-02-17
8
182 Views
Last Modified: 2015-02-20
I have several sites that have a single physical Hyper-V (full) 2012 R2 Server.  The Hyper-V host server is not in the domain.  One of guests in an Active Directory Windows Server 2008 VM.  The other couple of guests are Windows Server 2008 member servers that belong to the domain.

Integration Services is implemented for all the guests, including the active directory server.

I believe the active directory server is the authorative time server for the domain.

I suspect the domain server time sync is implemented but that the Integration Services time sync is also implemented and worry this could lead to odd time sync issues.

What's the best practice in regards to how this type of configuration should be setup?  Integration Time Sync turned off on one or more of the VMs?  Domain style time sync turned off somehow?  Custom registry mods?  Nothing?
0
Comment
Question by:AnthonyMCSE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 40614593
Take a look at the following link which outlines the best practices for running a domain controller in a Hyper-V environment.
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx
Will.
0
 
LVL 34

Accepted Solution

by:
it_saige earned 400 total points
ID: 40614597
You want to disable the Integration Services Time Sync on any VM DC's.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614677
The article Will posted appears to be applicable for Windows Server 2008 R2 and it also says to disable Time Sync under Integration Services.  I have a couple sites where the Hyper-V host is Windows Server 2012 R2.  Is this good advice for these sites as well?

I have several other guest VM's on the same Hyper-V host as well, these are Windows Server 2008 R2 guests that also belong to the domain.  Should they have Integration Services Time Sync turned off as well and in turn rely on the domain controller for correct time?  

It appears that there is competing time source, as this log shows, currently on one of my Windows Server 2008 VMs between the domain controller and integrated services time sync.  The query results below were taken from the same machine in succession:

C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1249542s
Root Dispersion: 1.7611385s
ReferenceId: 0xC0A800CA (source IP:  192.168.0.202)
Last Successful Sync Time: 2/16/2015 5:43:12 PM
Source: dfp-server.dfp.local
Poll Interval: 10 (1024s)


C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: 2/16/2015 5:58:03 PM
Source: VM IC Time Synchronization Provider
Poll Interval: 10 (1024s)
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 34

Expert Comment

by:it_saige
ID: 40614695
With regard to time services, I can confirm that it is still very applicable.  I had a domain where the time was off by 5 minutes because of the Time Sync from the Integration Services.  After disabling the Time Sync in the Integration Services, the time was accurate.  Again, this only applies to Guest OS's that are DC's, member servers and computers are not affected.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614769
Saige,

So what do you think about the log above, where the member server VM that is in the same domain appears to be syncing with two different sources?  Just don't worry about it?
0
 

Author Comment

by:AnthonyMCSE
ID: 40614810
Also, after turning off the virtual DC's integrated services time sync, I'd need to set it up to sync to an external source, right?  So far, it is the only DC...
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40614820
These are the results I would expect:

Windows Server 2012 R2 VM DC (PDCe FSMO Holder) -Time synchronized from external time source.Windows Server 2012 R2 VM DC -IP of PDCe FSMO Holder is 192.168.1.20.Windows Server 2008 VM Member Server -Capture.JPG
On these VMs, the Time Sync Integration Service is disabled on the DC's but not on the member server -DC01 (PDCe FSMO Holder) Time synchronization is disabledDC02 Time synchronization is diabledMember server - Time synchronization is enabled.
If you are seeing inconsistent results, ensure that your member servers and non-PDCe DC's are using DOMHIER in their time configuration:
w32tm /config /syncfromflags:domhier /update

Open in new window


http://blogs.technet.com/b/industry_insiders/archive/2006/08/29/w32-tm-service.aspx

-saige-
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40614825
Correct.  Here is a previous EE PAQ discussing Windows Time Services, I also discuss using a GPO policy and WMI filter so that you don't have to futz with registry settings or command lines on the PDCe.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28597899.html

-saige-
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question