External NTP with Virtual Domain Controllers

Client workstations and member servers synchronize time from domain controllers, so it is very important to have at least one system in the domain synchronizing with an external NTP source.

By default,

  • The FSMO role owner (PDC Emulator) syncs with the Hyper-V host when it is virtual; a physical FSMO role owner syncs with its local clock
  • Additional domain controllers sync with the FSMO role owner
  • Client workstations and member servers sync with any domain controller

As a best practice, set up the FSMO role owner to sync with an external NTP source; that resolves a lot of issues caused by time differences.

In Hyper-V, open the virtual machine's Integration Services settings and disable the "Time synchronization" integration service. By default all of these services are enabled, including time synchronization.

A guest domain controller (virtual DC) gets its time from the clock of the physical Hyper-V host at start-up. When these clocks drift out of sync with the other DCs and virtual hosts (after a power outage, accidental reboot, migration, etc.), odd issues appear, for example Kerberos authentication failures, because Kerberos rejects tickets when clocks differ by more than the domain's maximum tolerance (five minutes by default). As the time skew spreads across your network, users suddenly report authentication failures, mapped drives that are unavailable, and similar problems.

To see what your server is using as its time authority, use:

w32tm /query /source 

w32tm /query /status   (For more detailed output)

If integration services are enabled on your virtual machines, this returns a value like: VM IC Time Synchronization Provider. Disabling the time synchronization integration service at least for virtual DCs is a good idea, and arguably you should do this for all VMs if you want the DCs to be in charge of network time without involving the underlying host systems. The other option is to synchronize your Hyper-V hosts' hardware clocks to the NTP authority.

Disable time synchronization for VMs using PowerShell or the GUI

Use PowerShell as Administrator from the Hyper-V host servers:

Get-VMIntegrationService -VMName "DC2"

Disable-VMIntegrationService -VMName "DC2" -Name "Time Synchronization"

In the GUI: Hyper-V Manager > Virtual Machine > Settings > Integration Services, then clear the "Time synchronization" checkbox.
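The same host-side change for several virtual DCs at once, with a verification step, as an added example that is not part of the original post. The VM names in the list are assumptions; replace them with your own DC VM names and run the script as Administrator on the Hyper-V host:

```powershell
# Added example (not from the original post): disable the "Time Synchronization"
# integration service for every virtual domain controller on this Hyper-V host
# and report the state the host actually applied. Run as Administrator on the host.
# The VM names below are assumptions; replace them with your own DC VM names.
$dcVMs = @("DC1", "DC2")

foreach ($vm in $dcVMs) {
    # Skip names that do not exist on this host instead of aborting the whole run
    if (-not (Get-VM -Name $vm -ErrorAction SilentlyContinue)) {
        Write-Warning "VM '$vm' not found on $env:COMPUTERNAME, skipping"
        continue
    }

    $svc = Get-VMIntegrationService -VMName $vm -Name "Time Synchronization"
    if ($svc.Enabled) {
        Disable-VMIntegrationService -VMName $vm -Name "Time Synchronization"
    }

    # Re-read the service so the report reflects the real state, not the intent
    $after = Get-VMIntegrationService -VMName $vm -Name "Time Synchronization"
    [pscustomobject]@{
        VM      = $vm
        Service = $after.Name
        Enabled = $after.Enabled
        Status  = $after.PrimaryStatusDescription
    }
}
```

Any row that still shows Enabled = True after the run means the host did not accept the change (for example because the VM is in a saved state); fix that VM before configuring external NTP inside it, or the guest will keep following the host clock.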

Set external time sync on the FSMO role owner domain controller

w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org" /reliable:yes /update

Restart the Windows Time service and force a sync

net stop w32time
net start w32time
w32tm /resync /force

Verify the status on the domain controller using w32tm /query /status

Then restart the "Windows Time Service" on client workstations and member servers so they pick up the new time hierarchy.

To disable the VMICTimeProvider after Windows starts, set its Enabled value to 0:

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
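The DC-side steps above (configure peers, restart the service, resync, verify, disable the VMICTimeProvider) as one script, added here as an example and not taken from the original post. It uses the post's peer list; the check on the reported source is an assumption about which values indicate that external sync has not taken effect. Run it in an elevated PowerShell session on the FSMO role owner:

```powershell
# Added example (not from the original post): point the FSMO role owner DC at an
# external NTP source, restart the Windows Time service, force a sync and verify
# that w32time really switched away from the host or local clock.
# Run in an elevated PowerShell session on the domain controller.
$peers = "0.us.pool.ntp.org 1.us.pool.ntp.org"   # peer list from the post

# Manual peers, advertise as a reliable time source, apply immediately.
# Quoting the whole argument keeps the space-separated peer list as one value.
w32tm /config /syncfromflags:manual "/manualpeerlist:$peers" /reliable:yes /update

# Prevent the VMICTimeProvider from taking over after start-up
# (same registry value the post sets with reg add)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider" `
    -Name Enabled -Value 0 -Type DWord

# Reload the configuration and force a sync now
Restart-Service -Name w32time
w32tm /resync /force

# Verify which source w32time is actually using. These source strings mean the
# external peers are NOT in use yet (assumed set of "bad" values).
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match "VM IC Time Synchronization Provider|Local CMOS Clock|Free-running System Clock") {
    Write-Warning "Still using '$source': check the integration service on the host and outbound UDP 123"
} else {
    "Time source: $source"
}

# Configured peers and their reachability, then detailed stratum/offset status
w32tm /query /peers
w32tm /query /status

# Measure the offset against the first peer directly; a DC that is seconds off
# still needs attention even when the commands above succeeded
$firstPeer = $peers.Split(" ")[0]
w32tm /stripchart /computer:$firstPeer /samples:3 /dataonly
```

Only the FSMO role owner should point at external peers; the other DCs keep the default domain hierarchy described at the top of the post, so run this on one DC and let the rest follow it.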
