Time Configuration for Virtualized Domain Controllers

Today we will talk about some peculiarities of time configuration on virtualized domain controllers. Typically, the time synchronization scheme in an Active Directory domain is as follows:

  • The PDC emulator is the main time source in the domain and must be configured to synchronize time with an external time source;
  • All other domain controllers are synchronized with the controller that owns the PDC emulator role;
  • All member servers and workstations synchronize their time with the nearest domain controller.

Tip. For more information about configuring NTP time in a domain, see the article Configure NTP Time Sync using Group Policy.

For example, this is how the time settings look on our virtual domain controller. As you can see, it uses Group Policy to configure the time settings and synchronizes time with the external source pool.ntp.org.


However, if you check the current time source (w32tm /query /source), you may be surprised: instead of the NTP server you see a strange time source named VM IC Time Synchronization Provider.


The fact is that Hyper-V virtual machines synchronize their time with the host by default, regardless of the settings of the time service inside the guest. As a result, a rather strange situation can arise: the Hyper-V host is a member of the domain and synchronizes its time with the domain controller, which in turn is a virtual machine that synchronizes its time with the host (Recursion?).
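Before changing anything, it is useful to know which role the DC holds and where the Windows Time service is really taking time from. The script below is an added example (not code from the original article): a read-only audit run inside the virtualized DC as an administrator. It combines the article's w32tm /query /source check with the VMICTimeProvider registry switch and a PDC emulator lookup, and it assumes the ActiveDirectory PowerShell module is available (it is on any DC). The function name Get-DcTimeSourceReport is my own.

```powershell
# Added example, not from the original article: read-only audit of a
# virtualized DC's time source. Run inside the guest as an administrator.
# Assumes the ActiveDirectory module is present (it is on a DC).

function Get-DcTimeSourceReport {
    [CmdletBinding()]
    param()

    # The article's check: w32tm prints the name of the current source, e.g.
    # "VM IC Time Synchronization Provider", "Local CMOS Clock" or "dc1.corp.local,0x9".
    $source = (& w32tm.exe /query /source | Out-String).Trim()

    # Guest-side switch for the Hyper-V time integration provider.
    $vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    $vmicEnabled = (Get-ItemProperty -Path $vmicKey -ErrorAction SilentlyContinue).Enabled

    # Which DC holds the PDC emulator role, compared with this machine's DNS name.
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdcFqdn  = (Get-ADDomain).PDCEmulator
    $thisFqdn = (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName

    [pscustomobject]@{
        Computer            = $thisFqdn
        IsPdcEmulator       = ($pdcFqdn -ieq $thisFqdn)
        CurrentSource       = $source
        VmicProviderEnabled = ($vmicEnabled -eq 1)
        # Either of these on a DC means time is not coming from NTP or the domain hierarchy.
        SyncsFromHypervisor = ($source -like 'VM IC Time Synchronization Provider*')
        UsesLocalClock      = ($source -like 'Local CMOS Clock*')
    }
}

$report = Get-DcTimeSourceReport
$report | Format-List
if ($report.SyncsFromHypervisor -or $report.UsesLocalClock) {
    Write-Warning "$($report.Computer) is not taking time from an NTP server or the domain hierarchy."
}
```

Run it on every DC: the PDC emulator should report an external NTP server as CurrentSource, and every other DC should report another DC; a VM IC or Local CMOS Clock source means the fix described next has not taken effect.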

In order to avoid this, you must disable time synchronization with the host for virtual domain controllers. There are two ways to do this.

The first way is to disable time synchronization in the VM properties. To do this, open the properties of the virtual machine in the Hyper-V Manager snap-in, go to the Integration Services section and uncheck Time synchronization.


The same can be done from the PowerShell console on the Hyper-V server. For example, this command gets the status of the service for the VM:

Get-VMIntegrationService -VMName dc1 -Name 'Time synchronization'

The following command will disable time synchronization:

Get-VMIntegrationService -VMName dc1 -Name 'Time synchronization' | Disable-VMIntegrationService
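On a host with several DC guests it is easier to audit and fix them in one pass. The following is an added example, not the article's own code: it wraps the two cmdlets above in a status function and a disable function that supports -WhatIf, so the change can be previewed first. The VM names in $DcNames are a constructed sample, and the function names are my own.

```powershell
# Added example, not from the original article: audit and disable the
# 'Time synchronization' integration service for the DC VMs on a Hyper-V host.
# Run on the Hyper-V host as a Hyper-V administrator.

function Get-DcVmTimeSyncStatus {
    param([string[]]$DcNames)
    foreach ($name in $DcNames) {
        $svc = Get-VMIntegrationService -VMName $name -Name 'Time synchronization' -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "VM '$name' not found on this host"; continue }
        [pscustomobject]@{
            VM              = $name
            State           = (Get-VM -Name $name).State
            TimeSyncEnabled = $svc.Enabled   # $true means the guest follows the host clock
        }
    }
}

function Disable-DcVmTimeSync {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DcNames)
    foreach ($name in $DcNames) {
        $svc = Get-VMIntegrationService -VMName $name -Name 'Time synchronization' -ErrorAction SilentlyContinue
        if ($svc -and $svc.Enabled -and $PSCmdlet.ShouldProcess($name, 'Disable Time synchronization')) {
            $svc | Disable-VMIntegrationService
        }
    }
}

$DcNames = 'dc1', 'dc2'   # constructed sample; replace with your DC VM names

Get-DcVmTimeSyncStatus -DcNames $DcNames | Format-Table -AutoSize
Disable-DcVmTimeSync -DcNames $DcNames -WhatIf   # drop -WhatIf to apply the change
Get-DcVmTimeSyncStatus -DcNames $DcNames | Format-Table -AutoSize
```

The change takes effect on the host side immediately; the guest's Windows Time service still has to be restarted (see below) before it re-selects a source.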


If you are using VMware ESXi as the virtualization host, you can disable time synchronization with the host in the virtual machine settings:

VM -> Edit Settings -> VM Options tab -> uncheck Synchronize guest time with host.


The second way is to edit the registry inside the guest virtual machine with the AD DS role. To disable synchronization, run Regedit.exe, go to the key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider and change the value of the Enabled parameter to 0.


The same setting can be made from the Command Prompt by running the command:

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0


In addition, it is desirable to make the following settings:

  1. Change the NTP client polling interval (SpecialPollInterval, in seconds):
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t reg_dword /d 900
  2. Configure the correct response of the time service to a non-standard time change of more than 52 hours:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword /d 0xFFFFFFFF

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t reg_dword /d 0xFFFFFFFF

After disabling synchronization by any of the described methods, you need to restart the Windows Time service so that it re-selects its time source. On the domain controller with the PDC emulator role, restart the w32time service and run the synchronization:

net stop w32time
net start w32time
w32tm /resync /force


On all other AD domain controllers, you additionally need to run the command:

w32tm /config /syncfromflags:DOMHIER /update

This makes the Windows Time service select its source according to the domain hierarchy, i.e. the PDC emulator. In this way, we get the correct time synchronization scheme in the domain.
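The guest-side steps above (registry values, service restart, resync, and the domain-hierarchy setting for non-PDC DCs) can be applied as one script. The block below is an added example, not the article's own code; it uses the registry paths and values the article gives, writes them with reg.exe exactly as the article does (so REG_DWORD 0xFFFFFFFF is accepted as-is), and decides the role with a PDC emulator lookup that assumes the ActiveDirectory module is available. Function names are my own. It is meant to be run inside the DC as an administrator.

```powershell
# Added example, not from the original article: apply the guest-side settings
# from the article on a virtualized DC and make w32time re-select its source.
# Run inside the DC as an administrator; assumes the ActiveDirectory module.

$W32TimeKey = 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time'

function Set-DcGuestTimeSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # The four values from the article: disable the Hyper-V provider, poll every
    # 900 s, and allow any phase correction so a large offset is not refused.
    $settings = @(
        @{ Key = "$W32TimeKey\TimeProviders\VMICTimeProvider"; Name = 'Enabled';               Data = '0' }
        @{ Key = "$W32TimeKey\TimeProviders\NtpClient";        Name = 'SpecialPollInterval';   Data = '900' }
        @{ Key = "$W32TimeKey\Config";                         Name = 'MaxNegPhaseCorrection'; Data = '0xFFFFFFFF' }
        @{ Key = "$W32TimeKey\Config";                         Name = 'MaxPosPhaseCorrection'; Data = '0xFFFFFFFF' }
    )
    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", "set REG_DWORD to $($s.Data)")) {
            # /f overwrites without prompting; reg.exe returns non-zero on failure
            & reg.exe add $s.Key /v $s.Name /t REG_DWORD /d $s.Data /f | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg add failed for $($s.Key)\$($s.Name)" }
        }
    }
}

function Reset-DcTimeSource {
    param([switch]$IsPdcEmulator)
    # Restart the service so it drops the VM IC provider and picks a source afresh
    # (equivalent to the article's net stop / net start).
    Restart-Service -Name w32time -Force
    if (-not $IsPdcEmulator) {
        # Non-PDC DCs follow the domain hierarchy; the PDC keeps its external NTP peers.
        & w32tm.exe /config /syncfromflags:DOMHIER /update | Out-Null
    }
    # /rediscover makes the service re-detect its sources before resyncing.
    & w32tm.exe /resync /rediscover | Out-Null
    # Return the source w32time ended up with, for verification.
    (& w32tm.exe /query /source | Out-String).Trim()
}

Import-Module ActiveDirectory -ErrorAction Stop
$isPdc = (Get-ADDomain).PDCEmulator -ieq (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName

Set-DcGuestTimeSettings          # add -WhatIf to preview the registry writes first
$source = Reset-DcTimeSource -IsPdcEmulator:$isPdc
"Role: $(if ($isPdc) { 'PDC emulator' } else { 'other DC' }); current source: $source"
```

After it runs, the PDC emulator should report the NTP server configured by Group Policy as its source and every other DC should report a domain controller; if a DC still reports VM IC Time Synchronization Provider, the host-side integration service is still enabled, and if it reports Local CMOS Clock, the service could not reach any configured source.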

3 comments

  1. So no matter what I do, including using the GPO guideline above, my w32tm /query /source always says Local CMOS Clock; I spend my day chasing the system time. My domain clients do show DC1 or DC2 as the time source, and the non-PDC shows that it gets its time from the PDC.
    Indeed I'm running on VMware and have the setting disabled. I did however notice that if you follow that GPO guide in this blog, it seems it's the unregister / register that alters the regedit values... it seemed to change all of them back to default, Enabled = 1, including the polling interval time to 3600 and max pos/neg phase correction, so be careful if you follow the GPO guide and do that...
    Seems silly to be chasing this so hard for so long, yet everyone knows that time is very critical.
    For now it had my time off by almost exactly an hour behind, so I checked my timezone, it's all good and DST is checked... so I bumped it an hour, right... then later, after re-running everything and verifying all registry settings are per above, I rebooted; now the time was off by an hour ahead...
    Yet it still says Local System Clock for the source. For now, until I get the energy and time to go at it again, I've just manually adjusted it back and will leave it alone unless someone else has an answer... so very confused about why this is so difficult...

    I do know that VMware has additional VM options for this that they say are best practice, but to be honest, unless I can get this PDC to say something other than Local CMOS Clock it's pointless, right?

    This is my configuration; any help would be greatly appreciated as it's driving me crazy chasing time offsets all day...

    C:\Windows\system32>w32tm /query /configuration
    [Configuration]

    EventLogFlags: 2 (Local)
    AnnounceFlags: 10 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 4294967295 (Local)
    MaxPosPhaseCorrection: 4294967295 (Local)
    MaxAllowedPhaseOffset: 300 (Local)

    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)

    [TimeProviders]

    NtpClient (Local)
    DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 900 (Policy)
    Type: NTP (Policy)
    NtpServer: us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1, 2.us.pool.ntp.org.0x1, 3.us.pool.ntp.org.0x1; (Policy)

    NtpServer (Local)
    DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)

    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 0 (Local)
    InputProvider: 1 (Local)

  2. Just a heads up: the REG ADD statement in step 2 is missing the /d flag.

    reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword 0xFFFFFFFF

    should be

    reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword /d 0xFFFFFFFF
