Best Practice for Time Sync for Active Directory Domain Controllers
-
I guess my desire here was to have the ESXi host be the main source for time inside my network. It of course would pull time from the internet.
It sounds like this isn't going to work. So instead I have to have my PDC emulator pull its own time from the internet, and the VM Hosts will have to be managed separately.
-
Here's the command to set your PDC emulator to sync with a time source
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
Replace peers with your FQDN or IP of the desired time servers.
-
@Dashrender said:
Shouldn't this be in IT discussions? It's technical in nature.
Hmmm... I didn't choose the category, it just did it.
-
@Dashrender said:
I guess my desire here was to have the ESXi host be the main source for time inside my network. It of course would pull time from the internet.
It sounds like this isn't going to work. So instead I have to have my PDC emulator pull its own time from the internet, and the VM Hosts will have to be managed separately.
ESXi can pull time from the Internet. If it is correct and the DC is getting its time from the ESXi clock then the ESXi is setting the DC which, in turn, uses SNTP to talk to the rest of the network.
-
Here is VMware's older paper on how they recommend that this be set up:
http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf
-
VMware definitely recommends that you use an external time source to control drift, not using the ESXi virtualized clock.
-
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
-
You set your PDC Emulator to pull from a reliable NTP server then the rest will sync from that ex:
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
-
I just heard to the tune of "Free your mind, and the rest will follow..." in my head:
Sync your time, and the rest will follow...
-
Alright - I read through the document that Scott provided about VMware and time syncing.
The reason VMware wasn't changing my PDC emulator's clock was that time syncing between ESXi and the VM was disabled (default behavior).
Edit the VM session, click on the Options tab, click on VMware Tools and you'll see these two check boxes at the bottom on the right.
Make your desired choices, save and you're good.
-
@scottalanmiller said:
VMware definitely recommends that you use an external time source to control drift, not using the ESXi virtualized clock.
I wouldn't ever rely solely on their virtual clock, I'd definitely like ESXi itself to be syncing to something.
-
@dafyre said:
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
With concerns about Windows and Time, the only server that you should have syncing with an outside source is the PDC emulator. All other domain devices will sync from that machine.
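The w32tm commands quoted above and the rule that only the PDC emulator should sync externally can be combined into one script run on each DC. This is an added example, not code from the thread: it asks Active Directory which DC holds the PDC emulator role and applies the external-peer configuration only there, pointing every other DC at the domain hierarchy. The function names and the default peer list (the pool servers quoted earlier) are assumptions; replace the peers with your approved time sources.

```powershell
# Added example: configure Windows Time on a domain controller by FSMO role.
# Only the PDC emulator syncs with external NTP; every other DC follows the
# domain hierarchy. Needs the ActiveDirectory module and local admin rights.
Import-Module ActiveDirectory

# Assumed default peer list (the public pool servers quoted in the thread).
$DefaultPeers = '0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org'

function Test-IsPdcEmulator {
    # Compare this DC's DNS name with the PDC emulator recorded in the domain.
    $pdc   = (Get-ADDomain).PDCEmulator
    $local = (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName
    return $pdc -ieq $local
}

function Set-DcTimeSource {
    param([string]$Peers = $DefaultPeers)

    if (Test-IsPdcEmulator) {
        # PDC emulator: manual external peers, advertised as a reliable source.
        Write-Host "PDC emulator: syncing from external peers '$Peers'"
        w32tm.exe /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Any other DC: follow the domain hierarchy, which ends at the PDC emulator.
        Write-Host "Not the PDC emulator: syncing from the domain hierarchy"
        w32tm.exe /config /syncfromflags:domhier /reliable:no /update
    }
    Restart-Service w32time
    w32tm.exe /resync /nowait
}

function Show-TimeSourceStatus {
    # Type should read NTP on the PDC emulator and NT5DS elsewhere. A source of
    # 'Local CMOS Clock' means the DC is running on its own (or hypervisor-set)
    # clock rather than the configured peers, which is the drift scenario
    # discussed in this thread.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    Write-Host "W32Time Type : $($params.Type)"
    w32tm.exe /query /source
    w32tm.exe /query /status
}

Set-DcTimeSource
Show-TimeSourceStatus
```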
-
@Dashrender said:
@scottalanmiller said:
VMware definitely recommends that you use an external time source to control drift, not using the ESXi virtualized clock.
I wouldn't ever rely solely on their virtual clock, I'd definitely like ESXi itself to be syncing to something.
Of course, no clock anywhere just relies on itself!
-
@Dashrender said:
@dafyre said:
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
With concerns about Windows and Time, the only server that you should have syncing with an outside source is the PDC emulator. All other domain devices will sync from that machine.
Only if the PDC emulator is using NTP. If it is using the local clock then the hypervisor has to fulfill that role.
-
@scottalanmiller said:
@Dashrender said:
@dafyre said:
I would set ESXi host to use $external_NTP... and then point the DCs to $external_NTP and then all of the clients will magically sync with DCs.
With concerns about Windows and Time, the only server that you should have syncing with an outside source is the PDC emulator. All other domain devices will sync from that machine.
Only if the PDC emulator is using NTP. If it is using the local clock then the hypervisor has to fulfill that role.
I did say Windows and Time. If the PDC emulator is using the local clock, that local clock would be Windows' outside source, but if that's all you're doing, then definitely you should be syncing the local clock (ESXi, Hyper-V, XenServer, etc.) with an atomic source if possible.
-
I see.