Today we will talk about some of the features of time configuration on virtualized domain controllers. Typically, the time synchronization scheme in the Active Directory domain is as follows:
- The PDC emulator is the main time source on the domain and must be configured to synchronize time with the external time source;
- All other domain controllers are synchronized with the controller that owns the PDC emulator role;
- All member servers and workstations synchronize their time with the nearest domain controller.
Tip. For more information about configuring NTP time in a domain, see the article Configure NTP Time Sync using Group Policy.
Understanding the Role of Domain Controllers
Active Directory Domain controllers are the servers that hold the Active Directory Domain Services (AD DS). The active directory domain services allow for user authentication, security enforcement, and other critical network functionalities.
In a virtualized domain, these controllers are replicated in the form of virtual domain controllers, which have the same responsibilities as physical controllers but exist within a virtual machine. There are more layers of abstraction and possibilities with synchronizing time with a virtual domain controller vs physical domain controllers.
The Importance of Correct Time Configuration
In an Active Directory environment with production domain controllers, time synchronization is crucial. All domain controllers, including virtualized domain controllers, need to have their clocks set correctly to maintain system integrity and to synchronize data accurately. The system currentcontrolset services w32time, in both physical and virtual environments, is tasked with ensuring accurate time synchronization across the network.
Challenges with Time Synchronization in Virtualized Domain Controllers
A virtualized domain controller introduce unique challenges when it comes to time synchronization vs a physical domain controller. Since they’re hosted on a virtual machine, they’re subject to the host computer’s time settings. This becomes a problem if there is a discrepancy between the host Windows operating system and the guest operating system running on the virtual machine. Therefore, it becomes necessary to disable time synchronization between the host and the guest virtual machine to prevent potential inconsistencies.
Time Configuration and The PDC Emulator Role
In every Active Directory domain, one domain controller holds the Primary Domain Controller (PDC) emulator role. This domain controller becomes the authoritative time server for the entire domain, including all other domain controllers and member servers. It’s crucial to ensure that the domain controller holding the PDC emulator role has the correct time. If this domain controller’s time drifts, the entire active directory database could experience issues.
Configuring Time Synchronization in a Virtualized Environment
The key to proper time configuration in a virtualized domain lies in the configuration of the domain controller virtual machine. To prevent the guest domain controller from syncing its time with the host operating system, disable time synchronization via integration services. Modifying the registry key under system current control set services w32time time providers can further refine the time synchronization parameters.
Windows Server and Time Synchronization
The relationship between Windows Server and its domain controllers, whether physical or virtual, is intrinsic. Windows Server includes built-in mechanisms for time synchronization among domain controllers. However, with virtual domain controllers, one must consider the additional layer of the host operating system and the virtual machine itself. Understanding and managing these layers is key to maintaining correct time configuration.
Viewing time configuration for a virtualized domain controllers
For example, this is how the time settings look on our virtual domain controller. As you can see, it uses group policies to configure time settings and synchronize time with the external source pool.ntp.org.
However, if you check the current time source (w32tm /query /source), you can find it unexpectedly, because you can see a strange time source named VM IC Time Synchronization Provider.
The fact is that Hyper-V virtual machines synchronize their time with the host by default, and regardless of the settings of the time service inside the machine. As a result, it can turn out to be a rather strange situation when the Hyper-V host is a member of the domain and synchronizes time with the domain controller, which in turn is a virtual machine and synchronized with the host (Recursion?).
In order to avoid this, you must disable time synchronization with the host for virtual domain controllers. There are two ways to do this.
Note. Check our tutorial on how to use the Ansible ping module.
The first way is to disable time synchronization in VM properties. To do this, open the properties of the virtual machine in the Hyper-V Manager snap-in, go to the Integration Services section and check off Time synchronization.
The same can be done using the PowerShell console on the Hyper-V server. For example, with this command, get the service status for the VM:
Get-VMIntegrationService -VMName dc1 -Name ‘Time synchronization’
The following command will disable time synchronization:
Get-VMIntegrationService -VMName dc1 -Name ‘Time synchronization’ | Disable-VMIntegrationService
If you are using VMWare ESXi as the virtualization host, you can disable the time synchronization with the host in the virtual machine settings.
VM> Edit Settings > VM Options tab > Check off Synchronize guest time with host.
The second way is to edit the registry inside the guest virtual machine with ADDS role. To disable synchronization, run Regedit.exe, go to branch HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider and change the value for the Enabled parameter to 0.
The same setting can be made from the Command Prompt by running the command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
In addition, it is desirable to make the following settings:
- Change the NTP server polling period:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t reg_dword /d 900
- Configure the correct response of the time service to a non-standard time change of more than 52 hours:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword 0xFFFFFFFF reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t reg_dword /d 0xFFFFFFFF
After disabling synchronization by any of the described methods, it is necessary to restart the time service, this will reset it to a new source. On a domain controller with the PDC-emulator role, you must restart the w32time service and run the synchronization:
net stop w32time
net start w32time
w32tm /resync /force
On all other AD domain controllers, you need to additionally execute the command:
w32tm/config /syncfromflags:DOMHIER /update
This will cause the Time Service to select the PDC emulator as the source according to the domain hierarchy. In this way, we will configure the correct time synchronization scheme in the domain.
Frequently Asked Questions
1. What is a Virtualized Domain Controller?
A virtualized domain controller is a domain controller that runs on a virtual machine, instead of a physical server. It is a replica of a physical domain controller and has the same responsibilities, such as user authentication and security enforcement.
2. Why is Time Configuration Important for Virtualized Domain Controllers?
Time configuration is crucial for virtualized domain controllers because they play a pivotal role in maintaining system integrity and synchronizing data accurately. A discrepancy in time can lead to inconsistencies in data and potential security risks.
3. How Can I Disable Time Synchronization Between the Host and the Virtual Domain Controller?
Time synchronization between the host and the virtual domain controller can be disabled via integration services. Furthermore, you can modify the registry key under system currentcontrolset services w32time timeproviders to refine time synchronization parameters.
4. What is the Role of the PDC Emulator in Time Synchronization?
The domain controller holding the Primary Domain Controller (PDC) emulator role becomes the authoritative time server for the entire domain. It’s crucial to ensure that this domain controller has the correct time to maintain system integrity and prevent potential issues in the active directory database.
5. What is the Relationship Between Windows Server and Domain Controllers?
Windows Server includes built-in mechanisms for time synchronization among domain controllers. However, with virtual domain controllers, you need to consider the additional layer of the host operating system and the virtual machine, which can impact time configuration.
6. How Can I Maintain Correct Time Configuration Across My Active Directory Domain?
By understanding the unique challenges presented by virtual domain controllers and employing strategic configuration techniques, you can maintain accurate time across your active directory domain. This includes disabling time synchronization between the host and guest virtual machine and ensuring the domain controller holding the PDC emulator role has the correct time.
7. Is It Beneficial to Deploy Additional Domain Controllers?
Yes, deploying additional domain controllers can enhance system redundancy, which is crucial in the event of a virtual machine failure. It’s beneficial to deploy these controllers on separate virtual disks to protect the active directory database.
Mastering time configuration in virtualized domain controllers is no small feat, but with the right understanding and approach, it can greatly enhance the integrity and efficiency of your Active Directory domain. Given the critical role that domain controllers play in system operations and security, getting this right is not a luxury, but a necessity.
Remember that the principles guiding time configuration in physical servers hold true in a virtualized environment, but they also come with an additional layer of complexity. By gaining control over the relationship between your virtual machine, guest domain controller, and host operating system, you can navigate this complexity and maintain consistent, accurate time across your domain.