StefanPeeters

Hi everyone,
I have a problem I can't seem to find a solution to. I have an Active Directory network with 600 Windows 10 clients. Before we virtualized the domain controllers (Windows Server 2016) we didn't have any problems with the time in our domain. Now every client has a different time (even up to 2 hours). I have already tried a couple of things, but the problem does not seem to get resolved.
I virtualized our domain controllers on Citrix.
I already searched the internet but no solution worked. Does someone know what I can do to sync the correct time to all clients?
Help will be very appreciated!
Thanks
 
Make sure the hypervisor isn't syncing time via its client to the domain controllers... especially the domain controller that has the PDC FSMO role (responsible for time to the joined workstations). In VMware at least, the time sync via VMware Tools is disabled by default... don't know how it is on Citrix.
 
Yeah, it sounds to me like your new VM is syncing with Citrix, which is syncing with your new VM.
 
^ Correct. Always disable time sync from the host on DC VMs. If you have time sync enabled on the rest of the VMs, you better make sure the VM hosts are also pulling their time from the domain controllers. Otherwise if the VM host time offsets more than 5 minutes from the DC, you will have severe authentication issues/failures.
 
With VMware you also need to keep in mind that just un-checking the synchronization box in the GUI config will not completely disable all chances of a host time sync occurring. For instance, a time sync can still happen under the following circumstances:
  • Resume a virtual machine from a suspended state
  • Take or restore a snapshot
  • vMotion a virtual machine
  • Shrink a virtual machine’s disk
  • Reboot a virtual machine
  • Restart the VMware Tools service on a virtual machine
To disable time synchronization completely, follow this VMware KB - https://kb.vmware.com/s/article/1189

As a best practice, you should ensure that all of your hosts are synchronized properly to an authoritative time source that is in sync with your domain and network equipment. We typically host this on a physical domain controller, a practice that I prefer to use, but there are other ways as well.
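
One way to check the points raised in this thread (the PDC emulator's time source and the 5-minute tolerance) across all domain controllers. This is an added example, not part of any poster's message; it assumes the RSAT ActiveDirectory module, a domain-joined machine to run it from, and permission to query the Windows Time service remotely.

```powershell
# Added example: audit every DC's time source and its offset from the PDC emulator.
# Assumes the RSAT ActiveDirectory module and permission to query w32time remotely.
Import-Module ActiveDirectory

$pdc        = (Get-ADDomain).PDCEmulator
$maxSkewSec = 300   # the 5-minute limit mentioned in the thread
# Sources that mean "no real upstream": local clock, or Hyper-V's host time provider.
$badSources = 'Local CMOS Clock', 'Free-running System Clock',
              'VM IC Time Synchronization Provider'

function Get-OffsetSeconds([string]$Computer) {
    # One sample of (target clock - local clock); $null if the target did not answer.
    $out = & w32tm /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1 | Out-String
    if ($out -match ',\s*([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    return $null
}

$pdcOffset = Get-OffsetSeconds $pdc
if ($null -eq $pdcOffset) { throw "PDC emulator $pdc did not answer NTP queries." }

Get-ADDomainController -Filter * | ForEach-Object {
    $name   = $_.HostName
    $source = (& w32tm /query "/computer:$name" /source 2>&1 | Out-String).Trim()
    $offset = Get-OffsetSeconds $name

    # Subtracting the PDC's sample removes the local machine's own clock error.
    $finding = if ($null -eq $offset) {
        'no NTP response'
    } elseif ([math]::Abs($offset - $pdcOffset) -ge $maxSkewSec) {
        'beyond 5-minute limit'
    } elseif ($badSources | Where-Object { $source -like "$_*" }) {
        'no reliable upstream source'
    } else {
        'ok'
    }

    [pscustomobject]@{
        DomainController = $name
        IsPdcEmulator    = ($name -eq $pdc)
        TimeSource       = $source
        OffsetFromPdcSec = if ($null -ne $offset) { [math]::Round($offset - $pdcOffset, 3) }
        Finding          = $finding
    }
} | Format-Table -AutoSize
```

A PDC emulator that reports one of the flagged sources has no authoritative upstream, so every DC and client below it inherits whatever its virtual hardware clock says.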
 
Well, aren't we just Mr. Fancy Pants while us time pool plebs update the normal way :p.

I work for an alarm monitoring company. We keep VERY TIGHT reins on our time sync settings and thresholds. It's kind of a pain in the ass but it's worthwhile for the end results.
 
I'm familiar; our hosting team does the same thing. We're an infrastructure monitoring company.
 