Best Practice for Time Sync for Active Directory Domain Controllers
-
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
-
@Dashrender said:
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Microsoft recommends that you turn off time synchronization for Domain Controllers. Not sure about generic servers.
-
@coliver said:
@Dashrender said:
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Microsoft recommends that you turn off time synchronization for Domain Controllers. Not sure about generic servers.
Generic ones get it from the DCs, in those cases.
-
@Dashrender said:
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Where is ESXi getting it from?
-
@scottalanmiller said:
@coliver said:
@Dashrender said:
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Microsoft recommends that you turn off time synchronization for Domain Controllers. Not sure about generic servers.
Generic ones get it from the DCs, in those cases.
So would the hypervisors? If that is the case just turning it off for DCs should be enough.
-
@scottalanmiller said:
@Dashrender said:
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Where is ESXi getting it from?
Let's assume the cloud.
-
@coliver said:
@scottalanmiller said:
@coliver said:
@Dashrender said:
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Microsoft recommends that you turn off time synchronization for Domain Controllers. Not sure about generic servers.
Generic ones get it from the DCs, in those cases.
So would the hypervisors? If that is the case just turning it off for DCs should be enough.
Only if it is HyperV. Windows doesn't talk NTP.
-
@scottalanmiller said:
@coliver said:
@Dashrender said:
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Microsoft recommends that you turn off time synchronization for Domain Controllers. Not sure about generic servers.
Generic ones get it from the DCs, in those cases.
Exactly, the rest of the domain will get it's time from the PDC emulator.
Question, is it OK to shorten PDC emulator to PDCe?
-
@scottalanmiller said:
@coliver said:
@scottalanmiller said:
@coliver said:
@Dashrender said:
Soooo what is the BP for setting time in a virtualized environment? Should the VM's get their time from the host OS, or should they pull it direct from an online time source?
I know with Windows it's a bit more complex.
Should the PDC emulator pull time from the host server (in my case ESXi - for now) or should it pull from the internet?
Microsoft recommends that you turn off time synchronization for Domain Controllers. Not sure about generic servers.
Generic ones get it from the DCs, in those cases.
So would the hypervisors? If that is the case just turning it off for DCs should be enough.
Only if it is HyperV. Windows doesn't talk NTP.
That makes sense in the Microsoft kind of way...
-
I recall when I setup a VM ages ago that VMWare could be the time source for the VMs. I though it was set to work like the BIOS clock.
-
My current PDC emulator is set to pull time from the BIOS clock
C:\Windows\system32>w32tm /query /source Local CMOS ClockThis hasn't been an issue for years, yet someone called this morning and reported that the phones and the computers didn't match timewise, so I'm looking into it.
-
I'm going to turn this into its own topic.
-
-
I looked at the settings in ESXi, it was not set to pull time from an external source. I have corrected that, and enabled NTP.
ESXi is now correct on it's time, now to force the PDC emulator to sync.. and eventually all windows clients will sync as well.
-
OK tried a
w32tm /resyncand got back
The computer did not resync because no time data was available. -
@Dashrender said:
OK tried a
w32tm /resyncand got back
The computer did not resync because no time data was available.If I remember correctly it actually uses VMWare tools to do the syncing between the computers and the hypervisor.
-
@coliver said:
@Dashrender said:
OK tried a
w32tm /resyncand got back
The computer did not resync because no time data was available.If I remember correctly it actually uses VMWare tools to do the syncing between the computers and the hypervisor.
It you are on VMware ESXi, then the VMware tools are the only possible mechanism for that.
-
OK, I have VM Tools running - do I just wait and see?
-
@Dashrender said:
OK tried a
w32tm /resyncand got back
The computer did not resync because no time data was available.What time source do you have set? w32tm requires an SNTP source to sync to, what SNTP server do you have it talking to?
-
@scottalanmiller said:
@Dashrender said:
OK tried a
w32tm /resyncand got back
The computer did not resync because no time data was available.What time source do you have set? w32tm requires an SNTP source to sync to, what SNTP server do you have it talking to?
I don't, it's currently pulling from
Local CMOS Clock
