Domain time

Discussion in 'Virtualized Computing' started by StefanPeeters, Jun 5, 2018.

  1. StefanPeeters

    StefanPeeters [H]Lite

    Messages:
    97
    Joined:
    Oct 7, 2013
    Hi everyone,
    I have a problem I don't seem to find a solution to. I have an active directory network with 600 windows 10 clients. Before we virtualized the domain controllers (windows server 2016) we didn't had any problem with the time in our domain. Now every client has a different time (even up to 2 houres). I tried already a couple of thins but the problem seems not get resolved.
    I virtualized our domain controllers on Citrix.
    I already searched the internet but no solution worked. Does someone know what I can do to sync the correct time to all clients?
    Help will be very apericiatied!
    Thanks
     
  2. JavaLava

    JavaLava n00bie

    Messages:
    35
    Joined:
    Apr 3, 2018
    Make sure the HyperVisor isn't syncing time via its client to the domain controllers....especially the domain controller that has the PDC FSMO role (responsible for time to the joined workstations). In VMware at least, the time sync via VMware Tools is disabled by default.....don't know how it is on Citrix.
     
  3. Grimlaking

    Grimlaking [H]ard|Gawd

    Messages:
    2,029
    Joined:
    May 9, 2006
    Yea it sounds to me that your new vm is syncing with citrix that is syncing with your new vm.
     
  4. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,880
    Joined:
    Nov 16, 2009
    ^ Correct. Always disable time sync from the host on DC VMs. If you have time sync enabled on the rest of the VMs, you better make sure the VM hosts are also pulling their time from the domain controllers. Otherwise if the VM host time offsets more than 5 minutes from the DC, you will have severe authentication issues/failures.
     
  5. SGalbincea

    SGalbincea [H]Lite

    Messages:
    96
    Joined:
    Aug 14, 2008
    With VMware you also need to keep in mind that just un-checking the synchronization box in the GUI config will not completely disable all chances of a host time sync occurring. For instance, a time sync can still happen under the following circumstances:
    • Resume a virtual machine from a suspended state
    • Take or restore a snapshot
    • vMotion a virtual machine
    • Shrink a virtual machine‚Äôs disk
    • Reboot a virtual machine
    • Restart the VMware Tools service on a virtual machine
    To disable time synchronization completely, follow this VMware KB - https://kb.vmware.com/s/article/1189

    As a best practice, you should ensure that all of your hosts are synchronized properly to an authoritative time source that is in sync with your domain and network equipment. We typically host this on a physical domain controller, a practice that I prefer to use, but there are other ways as well.
     
  6. Grimlaking

    Grimlaking [H]ard|Gawd

    Messages:
    2,029
    Joined:
    May 9, 2006
    We actually use a GPS updated time appliance and sync our network devices off of that.
     
    Spartacus09 and SGalbincea like this.
  7. Spartacus09

    Spartacus09 [H]Lite

    Messages:
    113
    Joined:
    Apr 21, 2018
    Well aren't we just Mr. Fancy pants while us time pool pleebs update the normal way :p.
     
  8. Grimlaking

    Grimlaking [H]ard|Gawd

    Messages:
    2,029
    Joined:
    May 9, 2006
    I work for an alarm monitoring company. We keep VERY TIGHT reigns on our time sync settings and thresholds. It's kind of a pain in the ass but it's worth while for the end results.
     
  9. Spartacus09

    Spartacus09 [H]Lite

    Messages:
    113
    Joined:
    Apr 21, 2018
    I'm familiar our hosting team does the same thing, we're an infrastructure monitoring company.