Windows Server, Workstation and Time

marley1

I have a setup that is running Server 2008 R2 with the Hyper-V role and 2 guest OSes (DC and Exchange). I was under the impression that if the time is right on the host, the guests will have the same time and any workstations joined to the DC will have those times.

This setup is in two locations and tied in with VPN. The times on some machines match; others do not.

I want to set up a GPO to set the workstation and server times to a trusted time source.

What is the best way to go about this? I remember having to do a Registry tweak a long time ago but I assume GPO is the better way to do this.
 
I cobbled this together when I designed our local hybrid virtualized domain. You might find it useful...


How to modify the VM DC’s clock to correctly synchronize to the domain

Contrary to this document and references below, you still may need to disable the time integration service, via the integration tools, if you continue to see Power Kernel Time messages every minute in the event log AND the PDC Emulate FSMO role resides on a VM.

Log into the virtual machine, open an administrative command prompt and run the following commands:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
This command stops W32Time from using the Hyper-V time synchronization integration service for moment-to-moment synchronization. Remember from earlier in this post that we do not go through the Windows time synchronization infrastructure to correct the time in the event of virtual machine boot / restore from saved state or snapshot. So those operations are unaffected.
w32tm /config /syncfromflags:DOMHIER /update (That's : DOMHIER without the extra space)
This command tells Windows to go and look for the best time source in the domain hierarchy. If you want to use an external time server instead you can use the commands found here: http://technet.microsoft.com/en-us/library/cc784553(WS.10).aspx
net stop w32time & net start w32time
w32tm /resync /force
These two commands just “kick the Windows time service” to make sure the settings changes take effect immediately.
w32tm /query /source
This final command should confirm that everything is working as expected.


When you run these commands you should see something like this:



References:

http://technet.microsoft.com/en-us/..._controller_virtualization_hyperv(WS.10).aspx
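
A check of the result of the steps in the post above, added here as an example and not part of the original post. The function names are hypothetical; the `Parameters\Type` value and the source strings it matches are standard W32Time values that the thread itself does not quote.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-DcTimeState {
    # Collect the values the procedure above changes or reports.
    $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    New-Object psobject -Property @{
        Source      = (& w32tm /query /source | Out-String).Trim()
        VmicEnabled = (Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider").Enabled
        SyncType    = (Get-ItemProperty "$w32\Parameters").Type
    }
}

function Test-DcTimeState {
    param(
        [Parameter(Mandatory = $true)] $State,
        [string] $ExpectedType = 'NT5DS'   # value written by /syncfromflags:DOMHIER
    )
    $findings = @()
    if ($State.VmicEnabled -ne 0) {
        $findings += 'VMICTimeProvider is enabled: W32Time can still take time from the Hyper-V host.'
    }
    if ($State.Source -match 'VM IC Time Synchronization Provider') {
        $findings += 'Active source is the Hyper-V integration service, not the domain hierarchy.'
    }
    if ($State.Source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += 'No upstream source: this machine is running on its own clock.'
    }
    if ($State.SyncType -ne $ExpectedType) {
        $findings += "Parameters\Type is '$($State.SyncType)', expected '$ExpectedType'."
    }
    if ($findings.Count -eq 0) { $findings += 'No findings.' }
    $findings
}

# Constructed sample: a guest DC where the registry change was never applied.
$sample = New-Object psobject -Property @{
    Source      = 'VM IC Time Synchronization Provider'
    VmicEnabled = 1
    SyncType    = 'NT5DS'
}
Test-DcTimeState -State $sample

# On the DC itself, from an elevated prompt:
# Test-DcTimeState -State (Get-DcTimeState)
```

For a DC pointed at an external time server instead of the domain hierarchy, pass `-ExpectedType NTP`.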
 
The point is if your PDC is on a VM, IT WILL DRIFT.

If you have this scenario, you will need to force all the other machines to listen to the PDC emulate machine for their domain clock.

Now since you only have (1) DC you can do this a myriad of ways, but since you are synchronizing over a VPN, you're going to have to test and verify until you have this functionally correct.

I would start simple.

Make sure your DC has the integration services correctly installed and configured. If that configuration does not work, follow my guide above.
 
What I am not getting is this below. Server has correct time. Workstation or a few are doing similar as this. I don't mind having the DC set its time for the NTP and update to the workstations, or even do a GPO for them to just sync

net time \\speonk-server1 /set /yes
Current time at \\speonk-server1 is 10/9/2012 12:59 PM

Local time (GMT-04:00) at \\speonk-server1 is 10/9/2012 1:59 PM

The command completed successfully.
 
Why not set the workstations ( and DCs for that matter ) to pull their time from an ntp server?

Policies -> Administrative Templates -> System -> Windows Time Service -> Time providers

Configure Windows NTP Client
NTP Server: 0.pool.ntp.org,0x8
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackupTime: 7
SpecialPollInterval: 3600
EventLogFlags: 0

( note, these settings were taken from my home environment...and I don't recall why I did some of them, and am not in a position to research it at the moment. I advise you to fully understand each setting before you implement )
 
That may work....and may not. If the DC drifts more than a minute or two between updates to the NTP, the domain clients will get time/sync errors. And even before that occurs the event log will fill up with sync warnings. If you are going to do something like what you are recommending, hard code the NTP for the domain controller and allow the DC to automatically control time for the DC. If you check the log you'll see the clients updating their time almost every 2 minutes, and correcting a second or two. Again I've only seen this occur when you have a DC as a VM and you have multiple DCs that have different physical hosts or have one DC on metal hardware and another on a VM.
 
Ah, I missed the vm part of it ( or rather, I read it and ignored it ).

I have many many DCs in a vm, and once I get the vmtools installed, I never have a problem with clock drift. In the old days, this was indicative of a kernel that didn't understand the VM environment, but it's been years since I've seen this in an OS.
 
Rather it's a question of VM PDC times that can't drift due to VM Tool sync and Clients that can and do drift.
 
What is the difference between local time and current time? That's what I am not following.

Host, Guest1, Guest2 are all correct time.

DC - Speonk-Server1 has correct time
Exchange - Speonk-Exchange has correct time and pulls from the DC
Host has the correct time as well.

I want the clients to sync from the DC but for some reason a few workstations are 1 hour behind and saying that odd GMT -4
 
So it seems like I need to go on each machine and check Adjust Time based on Day Light Savings and it is all working.

Not that many computers just doing it manually =)
 
yeah that would have done it. my google foo was a little slow this afternoon, was quicker for me to just hit the few machines.

thanks!
 
Googlefoo had nothing to do with that; I've had to solve that problem before, that was in my shortcuts :p

I mainly posted it here for future searchers.
 
I could swear I remember reading that a DC is supposed to have the time sync disabled on the VM host, and the DC should be set up to pull the time directly from an NTP. The servers in the domain will automatically sync the clocks to the PDC, which gets the time from the NTP.
 
This is mostly correct. I have a strange environment: one DC on bare metal, two DCs in a VMware cluster, and another locally running in a Hyper-V environment.

The one in the VMcluster is the PDC.

I no longer have errors on any of my DCs or workstations across the enterprise. Approx 40 servers and 550 workstations. But I generated a document I posted above, which must be followed for my DC in my Hyper-V environment. Otherwise the event logs go nuts with yellow and my local developers start having SQL authentication issues.
 
Why would you not have the PDC on the physical hardware? All our DCs are virtualized, but if we had 1 physical box it would be set up as the PDC and still set to pull time from the NTP. If you were getting errors, then there was an issue with the domain servers pulling time from the PDC. You can check if there is a GPO set up that is screwing up the settings, or create your own to enforce the settings you want.
 
Because only the VMware DCs are located in the data center.

The physical box is sitting at a remote location connected to the data center via an SSL tunnel over a DS3, and the Hyper-V DC is sitting in my building which is connected to the data center by a 100Mbit fiber ring.
 