Best Practice for Time Sync for Active Directory Domain Controllers
-
-
VMware definitely recommends that you use an external time source to control drift, not using the ESXi virtualized clock.
-
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
-
You set your PDC Emulator to pull from a reliable NTP server then the rest will sync from that ex:
w32tm.exe /config /manualpeerlist:”0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org” /syncfromflags:manual /reliable:YES /update -
I just heard to the tune of "Free your mind, and the rest will follow..." in my head:
Sync your time, and the rest will follow...
-
Alright - I read through the document that Scott provided about VMWare and time syncing.
The reason VMWare wasn't changing my PDC emulator's clock was that time syncing between ESXi and the VM was disabled (default behavior).
Edit the VM session, Click on the Options tab, click on VMware Tools and you'll see these two check boxes at the bottom on the right.
Make your desired choices, save and you're good.
-
@scottalanmiller said:
VMware definitely recommends that you use an external time source to control drift, not using the ESXi virtualized clock.
I wouldn't ever rely solely on their virtual clock, I'd definitely like ESXi itself to be syncing to something.
-
@dafyre said:
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
With concerns about Windows and Time, the only server that you should have syncing with an outside source is the PDC emulator. All other domain devices will sync from that machine.
-
@Dashrender said:
@scottalanmiller said:
VMware definitely recommends that you use an external time source to control drift, not using the ESXi virtualized clock.
I wouldn't ever rely solely on their virtual clock, I'd definitely like ESXi itself to be syncing to something.
Of course, no clock anywhere just relies on itself!
-
@Dashrender said:
@dafyre said:
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
With concerns about Windows and Time, the only server that you should have syncing with an outside source is the PDC emulator. All other domain devices will sync from that machine.
Only if the PDC emulator is using NTP. If it is using the local clock then the hypervisor has to fulfill that role.
-
@scottalanmiller said:
@Dashrender said:
@dafyre said:
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
With concerns about Windows and Time, the only server that you should have syncing with an outside source is the PDC emulator. All other domain devices will sync from that machine.
Only if the PDC emulator is using NTP. If it is using the local clock then the hypervisor has to fulfill that role.
I did say Windows and Time. If the PDC emulator is using the local clock, that local clock would be Windows outside source, but if that's all you're doing, then definitely you should be syncing the local clock (ESXI, Hyper-V XenServer, etc) with an atomic source if possible.
-
I see.
