time synchronization

Time Configuration for a Virtualized Domain Controllers


Today we will talk about some of the features of time configuration on a virtualized domain controllers. Typically, the time synchronization scheme in the Active Directory domain is as follows:

  • The PDC emulator is the main time source on the domain and must be configured to synchronize time with the external time source;
  • All other domain controllers are synchronized with the controller that owns the PDC emulator role;
  • All member servers and workstations synchronize their time with the nearest domain controller.

Tip. For more information about configuring NTP time in a domain, see the article Configure NTP Time Sync using Group Policy.

For example, this is how the time settings look on our virtual domain controller. As you can see, it uses group policies to configure time setting and synchronize time with the external source pool.ntp.org.

ntp server policy

However, if you check the current time source (w32tm /query /source), you can find it unexpectedly, because you can see a strange time source named VM IC Time Synchronization Provider.

vm time synchronization provider

The fact is that Hyper-V virtual machines synchronize their time with the host by default, and regardless of the settings of the time service inside the machine. As a result, it can turn out to be a rather strange situation when the Hyper-V host is a member of the domain and synchronizes time with the domain controller, which in turn is a virtual machine and synchronized with the host (Recursion?).

READ ALSO  How to Mount Windows Folder into VMware ESXi

In order to avoid this, you must disable time synchronization with the host for virtual domain controllers. There are two ways to do this.

The first way is to disable time synchronization in VM properties. To do this, open the properties of the virtual machine in the Hyper-V Manager snap-in, go to the Integration Services section and check off Time synchronization.

dc settings time synchronization

The same can be done using the PowerShell console on the Hyper-V server. For example, with this command, get the service status for the VM:

Get-VMIntegrationService -VMName dc1 -Name ‘Time synchronization’

The following command will disable time synchronization:

Get-VMIntegrationService -VMName dc1 -Name ‘Time synchronization’ | Disable-VMIntegrationService

get vm integration service time sync

If you are using VMWare ESXi as the virtualization host, you can disable the time synchronization with the host in the virtual machine settings.

VM->Edit Settings -> VM Options tab -> Check off Synchronize guest time with host.

vm options synchronize time

The second way is to edit the registry inside the guest virtual machine with ADDS role. To disable synchronization, run Regedit.exe, go to branch HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider and change the value for the Enabled parameter to 0.

VMICTimeProvider

The same setting can be made from the Command Prompt by running the command:

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

VMICTimeProvider reg add

In addition, it is desirable to make the following settings:

  1. Change the NTP server polling period:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient  /v SpecialPollInterval /t reg_dword /d 900
  1. Configure the correct response of the time service to a non-standard time change of more than 52 hours
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword   0xFFFFFFFF
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t reg_dword /d  0xFFFFFFFF

After disabling synchronization by any of the described methods, it is necessary to restart the time service, this will reset it to a new source. On a domain controller with the PDC-emulator role, you must restart the w32time service and run the synchronization:

net stop w32time
net start w32time
w32tm /resync /force

net stop w32 time

On all other AD domain controllers, you need to additionally execute the command:

w32tm/config /syncfromflags:DOMHIER /update

This will cause the Time Service to select the PDC emulator as the source according to the domain hierarchy. In this way, we will configure the correct time synchronization scheme in the domain.

READ ALSO  Run PowerShell Script from Task Scheduler

You may also like:

VMware ESXi: Shared Disk Between VMs In some cases (as a rule in clustering scenarios) it may be necessary to share the same disk between 2 (or more) virtual machines (VMs). The most opti...
How to copy files with BITS using PowerShell If you use local (and global) networks, you might know that files between systems are transferring by using SMB, FTP or HTTP protocols. The problem wi...
Configure Autostart of VM on VMware ESXi By default, virtual machines located on VMWare ESXi or VMware Hypervisor is not starting automatically at the host boot. This means that after the ESX...
Grant Full Access to All Mailboxes in Exchange 200... This is a short tutorial on how to add full access to all mailboxes in Exchange 2007 and 2010 for a an additional user. This can come in handy when sa...
Add Calendar Permissions in Office 365 via Powersh... This is a tutorial on adding calendar permissions in Office 365 for your users via Powershell. You can add permissions onto a specific mailbox, or you...