Setting domain time on a Hyper-V 2012R2 environment

I'm trying to see what I'm missing here, but every time I try to get domain time synchronized with an internet clock, something seems to screw it up. So I need to know the steps of what to check to ensure that in this environment, a DC is the authoritative time server and that everything listens to it.

3 Hyper-V 2012 R2 hosts
2 Server 2012R2 domain controllers, one on host 1, the other on host 2

I need to make sure that DC1 is set up as the authoritative time server using an internet source (I don't care what it is, as long as it's reliable, so please recommend one), that it's not listening to host time, that nothing else is listening to host time, and that every domain joined system on the network listens to time from DC1. DC1 and DC2 both have Time services disabled. If it matters, their domain is currently 8 minutes behind.

Thanks!
Asked by: Casey Weaver (Managed Services Windows Engineer III)

Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
Run the following command on your root DC:

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"time-a.nist.gov time-b.nist.gov time-c.nist.gov"
w32tm /config /reliable:yes
net start w32time

If the root DC is a VM, be sure to configure your virtualization environment so that it does not synchronize time with the host server.
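
A way to check the result of the approach in the answer above, as an added example that is not part of the original answer: one function turns off Hyper-V time synchronization for the DC's VM, another confirms on the DC which source w32time actually uses. The VM name `DC1` and the function names are placeholders chosen here.

```powershell
# Added example; 'DC1' is a placeholder VM name, the peers are those from the answer.
$Peers = 'time-a.nist.gov', 'time-b.nist.gov', 'time-c.nist.gov'

function Disable-GuestHostTimeSync {
    # Run elevated on the Hyper-V host that owns the VM.
    param([string]$VMName = 'DC1')
    Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
    Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization' |
        Select-Object VMName, Name, Enabled
}

function Get-TimeSourceVerdict {
    # Classify the text printed by "w32tm /query /source".
    param([string]$Source, [string[]]$ExpectedPeers)
    $s = $Source.Trim()
    # Time is coming from the Hyper-V integration service, i.e. the host.
    if ($s -match 'VM IC Time Synchronization Provider') { return 'HOST' }
    # The service is running but has no usable source.
    if ($s -match 'Local CMOS Clock|Free-running System Clock') { return 'UNSYNCED' }
    foreach ($p in $ExpectedPeers) {
        if ($s -like "$p*") { return 'OK' }   # w32tm may append flags such as ",0x8"
    }
    return 'UNEXPECTED'
}

function Test-DcTimeSource {
    # Run elevated on the DC after the w32tm /config commands.
    param([string[]]$ExpectedPeers = $Peers)
    Set-Service -Name w32time -StartupType Automatic   # the question says the service was disabled
    Start-Service -Name w32time
    w32tm /resync /rediscover | Out-Null
    $source = (w32tm /query /source | Out-String).Trim()
    [pscustomobject]@{
        Source  = $source
        Verdict = Get-TimeSourceVerdict -Source $source -ExpectedPeers $ExpectedPeers
    }
}

# Constructed sample strings, so the classifier can be exercised offline.
'time-a.nist.gov,0x8', 'VM IC Time Synchronization Provider', 'Local CMOS Clock' |
    ForEach-Object { '{0,-40} {1}' -f $_, (Get-TimeSourceVerdict $_ $Peers) }
```

On DC2 or a member server, pass DC1's FQDN as `-ExpectedPeers` to confirm it follows the domain hierarchy rather than the host.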
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
We have a How-To here: Set Up PDCe Time.

Will Szymkowski (Senior Solution Architect) Commented:
I suggest that you follow the Microsoft TechNet to ensure all sets are correct. You also need to make sure that your firewall is allowing port 123 to your DC from the outside time source. If this is not set up on your firewall it will not get the time, even if the server is configured correctly.

https://support.microsoft.com/en-us/kb/816042

Will.
Cliff Galiher Commented:
Guest VMs skew. It has been my experience that no matter what you try, if your PDCe is a VM, it'll drift faster than it checks in with an external source. So here is what I recommend:

Turn *on* the time sync service for the PDCe and do not set an authoritative time source. That way the PDCe will get its time from the host and other machines will get their time, per usual, from the PDCe.

Then on the host, override the default to use domain hierarchy and have *it* get a time from a good source.

The host won't skew from getting a bad time from a VM. And the PDCe will always be accurate because of integration services. Presto, skew problem solved. I've deployed this solution effectively in dozens of environments and, unlike many other solutions, it does not drift nor require special workarounds. It all uses bona-fide services as MS intended.
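
The host-as-time-source layout described in the comment above, sketched as an added example that is not part of the original comment: the host polls an external source, the PDCe VM takes time from the host, and a parser over `w32tm /stripchart` output reports the measured skew. The VM name `DC1`, the peer list, the function names and the 60-second threshold are assumptions made here.

```powershell
# Added example; 'DC1', the peers and the threshold are placeholders/assumptions.
function Set-HostExternalTime {
    # Run elevated on each Hyper-V host: stop following the domain
    # hierarchy and poll an external NTP source instead.
    param([string]$PeerList = 'time-a.nist.gov time-b.nist.gov')
    w32tm /config /syncfromflags:manual /manualpeerlist:"$PeerList" /update
    w32tm /resync /rediscover
}

function Enable-GuestHostTimeSync {
    # Run elevated on the host that owns the PDCe VM.
    param([string]$VMName = 'DC1')
    Enable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
}

function Get-ClockOffsetSeconds {
    # Parse "w32tm /stripchart ... /dataonly" sample lines and return the
    # largest absolute offset in seconds, or $null if no sample parsed.
    param([string[]]$Lines)
    $offsets = foreach ($l in $Lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s\s*$') { [math]::Abs([double]$Matches[1]) }
    }
    if ($offsets) { ($offsets | Measure-Object -Maximum).Maximum } else { $null }
}

function Test-Skew {
    # Threshold is kept well under the 5-minute default Kerberos clock-skew tolerance.
    param([string]$Computer, [double]$MaxSeconds = 60)
    $lines = w32tm /stripchart /computer:$Computer /samples:3 /dataonly
    $worst = Get-ClockOffsetSeconds -Lines $lines
    [pscustomobject]@{
        Computer       = $Computer
        WorstOffsetSec = $worst
        Ok             = ($null -ne $worst -and $worst -le $MaxSeconds)
    }
}

# Constructed stripchart lines: an 8-minute lag like the one in the question,
# one failed sample, and one small offset.
$sample = '10:00:00, -480.1234567s', '10:00:02, error: 0x800705B4', '10:00:04, +00.0312345s'
Get-ClockOffsetSeconds -Lines $sample
```

Run `Test-Skew` from the host against DC1, and from DC1 against the external peer, a day after the change to see whether drift has returned.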
Casey Weaver (Managed Services Windows Engineer III) Author Commented:
I've followed some advice here and it looks like it's working properly for now. I'll wait a day and make sure after the servers have all their monthly maintenance updates tonight, and then assign points.

Thanks guys!
Philip Elder (Technical Architect - HA/Compute/Storage) Commented:
We have a blog for skew too: Preparing a VM for high time skew.

In a single-server setting we use the Hyper-V host as a time source so we don't see KoD packets from NTP.org. In a cluster setting we always deploy a physical DC to act as PDCe and time source for the domain.
Casey Weaver (Managed Services Windows Engineer III) Author Commented:
I have accepted two comments because the two together made the best solution. The blog post was what I was looking for, a well laid out step by step process to achieve the goal. The comment on using the Hyper-V host and overriding the domain hierarchy was the second vital piece. We had a 6 minute skew within 24 hours with the VM. Using one of the hosts was the solution. Using a physical DC wasn't an option, we banished all other servers from our virtual environment a few years ago.

Thank you all!