Today we will talk about some features of time configuration on virtualized domain controllers. The typical time synchronization scheme in an Active Directory domain is as follows:
- The PDC emulator is the main time source in the domain and must be configured to synchronize its time with an external time source;
- All other domain controllers are synchronized with the controller that owns the PDC emulator role;
- All member servers and workstations synchronize their time with the nearest domain controller.
Tip. For more information about configuring NTP time in a domain, see the article Configure NTP Time Sync using Group Policy.
For example, this is how the time settings look on our virtual domain controller. As you can see, group policy is used to configure the time settings, and the controller is supposed to synchronize its time with the external source pool.ntp.org.
However, if you check the current time source (w32tm /query /source), the result is unexpected: the source is not pool.ntp.org but a provider named VM IC Time Synchronization Provider.
The reason is that Hyper-V virtual machines synchronize their time with the host by default, regardless of the Windows Time service settings inside the guest. This can produce a circular dependency: the Hyper-V host is a domain member and synchronizes its time with the domain controller, while the domain controller is a virtual machine on that host and synchronizes its time with the host. Neither side is anchored to the external source, so the clocks of the whole domain can drift without limit.
To avoid this, disable time synchronization with the host for virtual domain controllers. There are two ways to do this.
The first way is to disable time synchronization in the VM properties. To do this, open the properties of the virtual machine in the Hyper-V Manager snap-in, go to the Integration Services section and clear the Time synchronization checkbox.
The same can be done from the PowerShell console on the Hyper-V host. For example, this command shows the status of the service for the VM:
Get-VMIntegrationService -VMName dc1 -Name 'Time Synchronization'
The following command will disable time synchronization:
Get-VMIntegrationService -VMName dc1 -Name 'Time Synchronization' | Disable-VMIntegrationService
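The host-side procedure above, as an added example that is not part of the original article: it warns when the host itself is a domain member (the loop described earlier), disables the integration service for a list of DC virtual machines, and then audits every VM on the host. The VM names dc1 and dc2 are assumptions; the script needs the Hyper-V PowerShell module and an elevated session on the host.

```powershell
# Added example (not from the original article). Run on the Hyper-V host as an
# administrator with the Hyper-V PowerShell module installed.
# The VM names below are assumptions; replace them with your virtual DCs.
$DomainControllerVMs = @('dc1', 'dc2')

# If the host is a domain member, it will take its time from a DC; when that DC is a
# VM on this host that syncs with the host, nobody is anchored to the external source.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $hostSource = (w32tm /query /source) -join ''
    Write-Warning ("Host {0} is a member of {1}; its time source is: {2}" -f `
        $cs.Name, $cs.Domain, $hostSource)
}

# Disable the Time Synchronization integration service for each virtual DC
# (this is the first method from the article: the host-side switch).
foreach ($name in $DomainControllerVMs) {
    $svc = Get-VMIntegrationService -VMName $name -Name 'Time Synchronization'
    if ($svc.Enabled) {
        Disable-VMIntegrationService -VMName $name -Name 'Time Synchronization'
        Write-Output "Disabled time synchronization with the host for $name"
    } else {
        Write-Output "Time synchronization with the host was already disabled for $name"
    }
}

# Audit: list every VM on this host that still synchronizes its clock with the host.
Get-VM |
    Get-VMIntegrationService -Name 'Time Synchronization' |
    Where-Object Enabled |
    Select-Object VMName, Name, Enabled, PrimaryStatusDescription |
    Format-Table -AutoSize
```

The audit at the end is the useful part in day-to-day operation: a DC restored from backup or re-created from a template comes back with the integration service enabled again, and the audit catches it.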
If you are using VMware ESXi as the virtualization host, disable time synchronization with the host in the virtual machine settings:
VM -> Edit Settings -> VM Options tab -> VMware Tools -> clear Synchronize guest time with host.
Note that VMware Tools still performs one-off clock corrections after a snapshot revert, a resume, a vMotion and a Tools start-up even when this option is cleared; those corrections are controlled by separate time.synchronize.* advanced settings of the VM.
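The same change done with VMware PowerCLI, as an added example that is not part of the original article or of VMware's documentation: it clears the option from the VM Options tab and also turns off the one-off corrections that VMware Tools would otherwise apply after a snapshot revert, resume or vMotion. It assumes an existing Connect-VIServer session and a VM named dc1 (an assumption).

```powershell
# Added example (not from the original article). Requires VMware PowerCLI and an
# active Connect-VIServer session. The VM name 'dc1' is an assumption.
$vm = Get-VM -Name 'dc1'

# Clear "Synchronize guest time with host" (VM Options -> VMware Tools).
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Tools = New-Object VMware.Vim.ToolsConfigInfo
$spec.Tools.SyncTimeWithHost = $false
$vm.ExtensionData.ReconfigVM($spec)

# Even with that option off, VMware Tools still steps the guest clock once after a
# snapshot revert, resume, vMotion, disk shrink and Tools start-up. These advanced
# settings (documented in VMware KB 1189) disable those one-off corrections too.
$oneOffSync = @(
    'time.synchronize.continue',
    'time.synchronize.restore',
    'time.synchronize.resume.disk',
    'time.synchronize.resume.host',
    'time.synchronize.shrink',
    'time.synchronize.tools.startup',
    'time.synchronize.tools.enable'
)
foreach ($key in $oneOffSync) {
    New-AdvancedSetting -Entity $vm -Name $key -Value 0 -Confirm:$false -Force | Out-Null
}

# Verify both the checkbox and the advanced settings.
(Get-VM -Name 'dc1').ExtensionData.Config.Tools.SyncTimeWithHost
Get-AdvancedSetting -Entity $vm -Name 'time.synchronize.*' | Select-Object Name, Value
```

The advanced settings are stored in the VM's .vmx file, so they survive vMotion but not a rebuild of the VM from a template; include them in the template if your DCs are deployed that way.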
The second way is to edit the registry inside the guest virtual machine that holds the AD DS role. To disable synchronization, run Regedit.exe, go to the branch HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider and set the Enabled value to 0. Microsoft's guidance for current Windows Server versions is this combination: leave the Time synchronization integration service enabled on the host, so that the guest still gets a sane clock right after boot or after resuming from a saved state, and disable only the provider inside the guest, so that it does not compete with the domain hierarchy while the DC is running.
The same setting can be made from the Command Prompt by running the command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
In addition, the following settings are recommended:
- Change the NTP server polling interval (in seconds; this value is honored only for peers marked with the 0x1 SpecialInterval flag in the NtpServer value):
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t reg_dword /d 900
- Set how large a clock correction the time service accepts. The default on domain-joined machines is 48 hours (172800 seconds); an offset larger than the limit is rejected and the clock is left uncorrected. The values below remove the limit entirely (0xFFFFFFFF means any correction is accepted):
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword /d 0xFFFFFFFF
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t reg_dword /d 0xFFFFFFFF
Removing the limit lets a DC recover on its own after its VM has been paused or restored with a badly wrong clock, but it also means that a compromised or misconfigured upstream time source can move the DC's clock by any amount, and everything that depends on time (Kerberos ticket validity, certificate validity, log timestamps) moves with it. On a production DC prefer an explicit bound such as 172800 to 0xFFFFFFFF, and treat a rejected correction as an alert to investigate rather than a setting to loosen.
After disabling synchronization by either method, restart the time service so that it selects a new source. On the domain controller holding the PDC emulator role, restart the w32time service and force a synchronization:
net stop w32time
net start w32time
w32tm /resync /force
On all other domain controllers, additionally run:
w32tm /config /syncfromflags:DOMHIER /update
This makes the Time Service select the PDC emulator as its source according to the domain hierarchy. Finally, check with w32tm /query /source that the source is now a domain controller (or the external NTP server on the PDC emulator) and no longer VM IC Time Synchronization Provider. With that, the correct time synchronization scheme in the domain is in place.
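The whole guest-side procedure (registry settings, role-dependent w32tm configuration, service restart and the final source check), as one added example that is not part of the original article. It runs inside a virtual DC in an elevated PowerShell session and assumes the ActiveDirectory module (present on every DC) and that the external NTP source on the PDC emulator is already set by group policy, as in the article. It deliberately uses a bounded phase correction of 48 hours instead of 0xFFFFFFFF.

```powershell
# Added example (not from the original article). Run inside the virtual DC as an
# administrator. Assumes the ActiveDirectory module and that the PDC emulator's
# external NTP source is already configured by group policy.
$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. Disable the Hyper-V time provider inside the guest. The host-side integration
#    service may stay enabled (the partial-disable approach).
Set-ItemProperty -Path "$W32Time\TimeProviders\VMICTimeProvider" -Name Enabled -Value 0 -Type DWord

# 2. Poll the configured peers every 15 minutes (applies to peers flagged 0x1).
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 900 -Type DWord

# 3. Bound the largest correction the service will accept to 48 hours (172800 s).
#    Set explicitly instead of 0xFFFFFFFF so that a bad upstream source cannot move
#    the clock arbitrarily. (Writing 0xFFFFFFFF with -Type DWord fails because the
#    literal does not fit an Int32; -1 would be the equivalent if you really want it.)
Set-ItemProperty -Path "$W32Time\Config" -Name MaxPosPhaseCorrection -Value 172800 -Type DWord
Set-ItemProperty -Path "$W32Time\Config" -Name MaxNegPhaseCorrection -Value 172800 -Type DWord

# 4. Determine whether this DC holds the PDC emulator role.
$pdc   = (Get-ADDomain).PDCEmulator
$self  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isPdc = ($pdc -ieq $self)

if (-not $isPdc) {
    # Every other DC follows the domain hierarchy, i.e. the PDC emulator.
    w32tm /config /syncfromflags:DOMHIER /update | Out-Null
}

# 5. Restart the service so it re-selects its source, then force a resync.
Restart-Service -Name w32time
w32tm /resync /force | Out-Null

# 6. Verify: the source must no longer be the hypervisor provider.
$source = (w32tm /query /source) -join ''
if ($source -match 'VM IC Time Synchronization Provider') {
    throw "Time source is still the hypervisor provider: $source"
}
$role = if ($isPdc) { 'PDC emulator' } else { 'DC' }
"{0}: role={1}, source={2}" -f $self, $role, $source
```

Running the script on every DC after a restore from backup or a migration between hosts is a cheap way to confirm that the hierarchy is still PDC emulator -> external source and DC -> PDC emulator, rather than DC -> hypervisor.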