Solved

Best method to setup time sync on a Hyper-V environment  Active Directory 2008 Server Guest?

Posted on 2015-02-17
8
171 Views
Last Modified: 2015-02-20
I have several sites that have a single physical Hyper-V (full) 2012 R2 Server.  The Hyper-V host server is not in the domain.  One of guests in an Active Directory Windows Server 2008 VM.  The other couple of guests are Windows Server 2008 member servers that belong to the domain.

Integration Services is implemented for all the guests, including the active directory server.

I believe the active directory server is the authorative time server for the domain.

I suspect the domain server time sync is implemented but that the Integration Services time sync is also implemented and worry this could lead to odd time sync issues.

What's the best practice in regards to how this type of configuration should be setup?  Integration Time Sync turned off on one or more of the VMs?  Domain style time sync turned off somehow?  Custom registry mods?  Nothing?
0
Comment
Question by:AnthonyMCSE
  • 4
  • 3
8 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 100 total points
ID: 40614593
Take a look at the following link which outlines the best practices for running a domain controller in a Hyper-V environment.
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx
Will.
0
 
LVL 32

Accepted Solution

by:
it_saige earned 400 total points
ID: 40614597
You want to disable the Integration Services Time Sync on any VM DC's.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614677
The article Will posted appears to be applicable for Windows Server 2008 R2 and it also says to disable Time Sync under Integration Services.  I have a couple sites where the Hyper-V host is Windows Server 2012 R2.  Is this good advice for these sites as well?

I have several other guest VM's on the same Hyper-V host as well, these are Windows Server 2008 R2 guests that also belong to the domain.  Should they have Integration Services Time Sync turned off as well and in turn rely on the domain controller for correct time?  

It appears that there is competing time source, as this log shows, currently on one of my Windows Server 2008 VMs between the domain controller and integrated services time sync.  The query results below were taken from the same machine in succession:

C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1249542s
Root Dispersion: 1.7611385s
ReferenceId: 0xC0A800CA (source IP:  192.168.0.202)
Last Successful Sync Time: 2/16/2015 5:43:12 PM
Source: dfp-server.dfp.local
Poll Interval: 10 (1024s)


C:\Users\administrator.DFP>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: 2/16/2015 5:58:03 PM
Source: VM IC Time Synchronization Provider
Poll Interval: 10 (1024s)
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40614695
With regard to time services, I can confirm that it is still very applicable.  I had a domain where the time was off by 5 minutes because of the Time Sync from the Integration Services.  After disabling the Time Sync in the Integration Services, the time was accurate.  Again, this only applies to Guest OS's that are DC's, member servers and computers are not affected.

-saige-
0
 

Author Comment

by:AnthonyMCSE
ID: 40614769
Saige,

So what do you think about the log above, where the member server VM that is in the same domain appears to be syncing with two different sources?  Just don't worry about it?
0
 

Author Comment

by:AnthonyMCSE
ID: 40614810
Also, after turning off the virtual DC's integrated services time sync, I'd need to set it up to sync to an external source, right?  So far, it is the only DC...
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40614820
These are the results I would expect:

Windows Server 2012 R2 VM DC (PDCe FSMO Holder) -Time synchronized from external time source.Windows Server 2012 R2 VM DC -IP of PDCe FSMO Holder is 192.168.1.20.Windows Server 2008 VM Member Server -Capture.JPG
On these VMs, the Time Sync Integration Service is disabled on the DC's but not on the member server -DC01 (PDCe FSMO Holder) Time synchronization is disabledDC02 Time synchronization is diabledMember server - Time synchronization is enabled.
If you are seeing inconsistent results, ensure that your member servers and non-PDCe DC's are using DOMHIER in their time configuration:
w32tm /config /syncfromflags:domhier /update

Open in new window


http://blogs.technet.com/b/industry_insiders/archive/2006/08/29/w32-tm-service.aspx

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40614825
Correct.  Here is a previous EE PAQ discussing Windows Time Services, I also discuss using a GPO policy and WMI filter so that you don't have to futz with registry settings or command lines on the PDCe.

http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28597899.html

-saige-
0

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now