14

We have 2 physical Hyper-V servers running 8 VMs between them; each physical server has a domain controller on it running in a VM, and all servers are 2008 R2.

The VM PDC is set to NTP and to sync with time.microsoft.com, and the rest, including the physical servers, are NT5DS. This main VM PDC definitely holds the FSMO and UDP 123 is active.

When I run w32tm /query /status

I'm getting VM IC Time Synchronization Provider on both VM DCs; I know this means syncing with the host.

When I run w32tm /resync /rediscover

I got "did not resync because no time data was available" and an event ID 134 in the logs. Any ideas on that?

I also looked through the logs and have got event 144 & 12.

I have followed the MS KB details on setting up an external time source and made all registry changes, but I think the DNS is getting me?

But when I change the time on one of the physical machines this is where the time is being set from. Maybe if I unregister them all and register and update and sync, but I'm afraid I'll create a bigger problem!

I am trying to leave time sync between the VM and Hyper-V host enabled, as I believe this to be best practice from what I have read.

Thanks for your help


Karl
  • Hi, answers go in the Answer section, not as edits to the Question. – Michael Hampton Mar 22 '13 at 15:44
  • This does not completely work in the newer Hyper-V 2012R2 with latest integration updates, as the time immediately snaps back to the underlying host after being set by the NTP server. Even after sitting for a while, it was stuck on the wrong time. I found that by also modifying the registry key TimeProviders/VMICTimeProvider/InputProvider=0, the server stopped snapping back so readily to the underlying host. – Brain2000 Dec 11 '15 at 22:58
  • I formatted your [answer](http://serverfault.com/a/490619/153084) below for better readability. Might want to remove the answer from your question and only reference your answer. – Tilo Jul 05 '16 at 17:38

4 Answers

12

@PSaul is mostly correct. You do not want to use time.microsoft.com or time.windows.com as your time source for the Domain Controller that is holding the PDC Emulator FSMO Role. As the default they are heavily used, often slow due to lack of locality and sometimes unavailable. Pick an NTP pool that is closer to you.

However, do not disable Hyper-V Time Synchronization integration. It is required for certain functions like resetting the time after a reboot or when the virtual machine comes back from a saved state. What you want to do is to tell your virtualized Domain Controllers to ignore their Hyper-V host as a time source.

This can be done as follows:

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

This command removes Hyper-V time source as a possible source for W32Time.

w32tm /config /syncfromflags:DOMHIER /update

Now tell W32Time to go search for the best possible time source in the domain hierarchy. If you want to use an external source for both Domain Controllers you can configure it to do so using the commands @PSaul posted or from here. Generally speaking, the Domain Controller holding the PDC Emulator role should sync from the external source and your other Domain Controllers should sync from it.

net stop w32time & net start w32time
w32tm /resync /force

Restart the time service and force a resynchronization.

w32tm /query /source

Finally you should confirm that your Domain Controllers have the correct time source.

See Ben Armstrong's excellent blog post for more details.

  • Thanks for the info, I had read Ben Armstrong's blog and wanted to stick to best practices. On the VM which is the PDC today I ran: w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes w32tm /config /update w32tm /resync w32tm /resync /rediscover – Karl Mar 15 '13 at 07:24
  • In the registry 0.pool.ntp.org,0x1 is now the value for NTP Server. I can ping 0.pool.ntp.org from the PDC but still can't ping time.windows.com, which I thought was strange! The time is being set by one of the hosts, I am sure of that, but it is set to NT5DS and its /query /status is telling me it's using the PDC. Do I need to run some commands on the host to get it to resync to the VM PDC? I have seen the reg add command and I assume this needs to be done on all DCs? I am wondering, does the w32tm /config /syncfromflags:DOMHIER /update also need to be run on the PDC or just all other DCs? – Karl Mar 15 '13 at 07:39
  • I think the end of the first comment is missing: after I ran the below commands on the PDC, all said successful, but when I ran w32tm /query /status I still had a source of "vm ic time synchronization provider". w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes w32tm /config /update w32tm /resync w32tm /resync /rediscover and start and stop – Karl Mar 15 '13 at 07:42
  • Thanks for all the advice I think I finally have it but I will leave for a few days to confirm and then I will update what I done to fix – Karl Mar 16 '13 at 01:02
  • http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx – Jonathon Anderson Jan 27 '16 at 22:06
  • In HyperV 2012R2, i also had to disable Time Synchronization under Integration Services for the PDC VM. – Matt Keller Dec 05 '16 at 21:39
5

I have finally got it working! The goal of this is to help people out who are starting at the beginning of setting a Domain's time.

In this example all Servers, Primary Domain Controller (PDC), other Domain Controllers (DC) and other servers are running Windows 2008 R2 and are virtualized with Hyper-V.

First things first: you will read to disable the 'Time Synchronization Integration Service' on any virtual machine within Hyper-V, but instead you should manipulate the Windows Time Service (w32tm service) from within the virtual DC. You should not disable the integration service, because when a VM restarts this will cause problems; it should be done with w32tm. MSDN info: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

You will need to find out which server is the PDC and running the FSMO roles. Run this: netdom query fsmo. The result should be your PDC, and this is where you make most of your changes.

Make sure in the firewall there is an "Outbound" rule on UDP 123 and the program is %SystemRoot%\System32\w32tm.exe (just browse to the Windows directory and find the exe for time).

This is where the registry changes go down!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time

Make sure the PDC under Config in the above registry address is set to NTP for "Type" and all other servers are NT5DS; this means NTP is the daddy! Best practice here is to have the PDC look externally for time and everything sync to it.

Run this on all domain controllers (including the PDC); it will partially disable Windows Time so it does not look at the host machine for time, important because we are virtual.

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

You can go to the ntp.org site (http://support.ntp.org/bin/view/Servers/WebHome) to find a server closest to you to sync your external time. I recommend not using Microsoft as they are heavily used and can slip out because of this.

The command below will set the PDC to look externally, but also check the registry settings as defined here to sync externally (you need to do both): MS KB 816042, http://support.microsoft.com/kb/816042

Run this on the PDC:

w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes
w32tm /config /update
w32tm /resync
w32tm /resync /rediscover

Run these 2 commands at any time on any server to see their source and when they last updated; these will be used throughout this exercise to make sure your PDC and other servers are getting time from the right place:

w32tm /query /status
w32tm /query /source

Then run this on all DCs except the PDC; it will make them look at the PDC for time and resync to it:

w32tm /config /syncfromflags:DOMHIER /update
net stop w32time
net start w32time
w32tm /resync /force

Issues: When you run the Status or Source query, give them a minute or 2 after changes. You should not be looking at the Local CMOS Clock, and you should not be using VM IC Time Synchronization Provider as source either.

If successful the PDC should read the external site you have set, and the other servers should show the PDC as source.

Hope this helps people, good luck!

cyberop5
Karl
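The steps in this answer and in cyberop5's answer above pulled into one script, as an added example that is not part of either answer: it uses the PDC Emulator role to decide whether the local virtualised DC gets the external peers or DOMHIER, disables only the VMIC provider (not the Integration Service), and then checks the reported source against the two values both answers say you should not see. It assumes the ActiveDirectory PowerShell module is available on the DC and that the peer list (a constructed value, using the 0x8 client-mode flag LeeM's comment below recommends) is replaced with pool servers near you.

```powershell
# Added example: combine the PDC / other-DC steps from the answers above into one
# script for a virtualised DC, then verify the resulting time source.
# Assumes: run elevated on the DC, ActiveDirectory module available.
# $ExternalPeers is a constructed value; choose pool servers near you.
param(
    [string]$ExternalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
)

Import-Module ActiveDirectory

# Same check as "netdom query fsmo": is this machine the PDC Emulator?
$pdc   = (Get-ADDomain).PDCEmulator            # FQDN of the role holder
$isPdc = $pdc.Split('.')[0] -ieq $env:COMPUTERNAME

# All virtualised DCs: stop W32Time using the Hyper-V host as a source, but leave the
# Integration Service itself enabled so the clock is corrected after a saved-state restore.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
Set-ItemProperty -Path $vmic -Name Enabled -Type DWord -Value 0

if ($isPdc) {
    # PDC only: external peers, advertised as reliable. 0x8 = client mode (LeeM's comment).
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:MANUAL /reliable:yes /update
} else {
    # Every other DC: follow the domain hierarchy, which ends at the PDC.
    w32tm /config /syncfromflags:DOMHIER /update
}

Restart-Service w32time
w32tm /resync /force | Out-Null

# Verify. Give the service a minute to pick a peer, as the answer says.
Start-Sleep -Seconds 60
$source     = ((w32tm /query /source) -join '').Trim()
$badSources = @('VM IC Time Synchronization Provider', 'Local CMOS Clock')
# Host names of the configured peers, without the ",0x8" flag suffix
$peerHosts  = ($ExternalPeers -split ' ') | ForEach-Object { ($_ -split ',')[0] }

if ($badSources -contains $source) {
    Write-Warning "Source is still '$source': check the UDP 123 outbound rule and DNS for the peers."
} elseif ($isPdc -and -not ($peerHosts | Where-Object { $source -like "$_*" })) {
    Write-Warning "PDC source is '$source', expected one of the external peers."
} elseif (-not $isPdc -and $source -notmatch [regex]::Escape($pdc)) {
    Write-Warning "Source is '$source', expected the PDC $pdc."
} else {
    Write-Host "OK: $env:COMPUTERNAME is syncing from $source"
}
```

Run it once on each DC; the warnings map back to the firewall rule, DNS and PDC/NT5DS checks the answers walk through.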
  • Two more things: Use a GPO to configure NTP time on the PDCE - this means it will be configured automatically if the PDCE role moves: www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo. – LeeM Mar 07 '19 at 23:11
  • For setting the flags on the NTP service, consider using 0x8 - this means it's a reliable timesource that is synching with a hardware clock somewhere. Also consider *not* using the 0x1 for "special time interval". Unless you need to sync your clock at specified intervals, it's kind of unnecessary these days. If the DC doesn't get its time straight after boot (e.g network not ready), it waits that entire interval. Or if you use 0x1/0x9, set another source with 0xa - fallback source, gets queried immediately if the primary source(s) don't respond. – LeeM Mar 07 '19 at 23:19
1

I would suggest:

  • NOT enabling time sync between the Hyper-V host and the guest VMs -- especially for DCs. The PDC role holder should update via NTP from several good time sources. The host's clock can update via NTP as well, but you want the PDC to be the "master" for other DCs and member servers. (At least with VMware; I assume the same with Hyper-V.)
  • Ensure you have UDP port 123 open for outbound traffic.
  • That you can resolve the FQDN of the NTP servers (can you PING them?)
  • All other DCs and member machines should update automatically.

Don't use ONLY time.windows.com or time.microsoft.com, use one of the *.pool.ntp.org servers. I use north-america.pool.ntp.org or ca.north-america.pool.ntp.org -- the closer the better. You can check: http://www.pool.ntp.org/ to find servers close to you.

Then run something like:

w32tm /config /manualpeerlist:"north-america.pool.ntp.org 0.pool.ntp.org" /syncfromflags:MANUAL /update /reliable:YES

(Add in whatever NTP servers you want. In Canada I use time.nrc.ca as well)

Followed by:

net stop w32time
net start w32time

You can check the Peers with:

w32tm /query /peers

Check the System Log to see if it is updating. You should be able to set the clock ahead 1 min, restart the w32time service and it will update within 30 seconds. [Less than 5 min time skew is acceptable within an AD domain.]

PSaul
0

As recommended by others, definitely do not have hardware time sync from the host to guest. You should also sync with external NTP servers only from the domain controller that holds the forest root PDC emulator role. If your forest root PDC emulator role domain controller is not synchronizing, the DCs that rely on it are going to have problems.

You may also want to try the following hotfix:

Time synchronization is not performed even though the W32Time service is successfully started in Windows Server 2008 or in Windows Server 2008 R2

http://support.microsoft.com/kb/2493006

You may find it more helpful if you use the /verbose flag for w32tm:

w32tm /query /status /verbose /computer:dcname

Additional information:

https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28WS.10%29.aspx

"For virtual machines that are configured as domain controllers, it is recommended that you disable time synchronization between the host system and guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time from the domain hierarchy."

"To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time synchronization check box under Integration Services."

Greg Askew