(2013-11-17) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations (AGAIN)

The default time synchronization hierarchy within any AD forest is shown in the picture below.

Figure 1: Default Time Synchronization Hierarchy Within Any AD Forest

–

As displayed in figure 1, DCs have their own time synchronization mechanism. When virtualizing DCs the time synchronization mechanism between the virtual DC (the VM guest) and the VM host must be disabled and it must be ensured the time synchronization mechanism natively used by the DCs is NOT disturbed. Reasoning for this is the high dependency that other processes (e.g. replication, authentication, etc.) have with accurate time.

–

OLD RECOMMENDATIONS:

• Disable “Time Synchronization” within the Hyper-V Integration Services for each virtual DC VM (VM must be OFFLINE for this!)

Figure 2: Hyper-V Time Synchronization Services In DISABLED State

–

• Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
  • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
  • Name: Enabled
  • Type: REG_DWORD
  • Data: 0x00000000

–

PREVIOUS RECOMMENDATIONS:

• Leave “Time Synchronization” within the Hyper-V Integration Services ENABLED (DO NOT DISABLE!) for each virtual DC VM (VM must be OFFLINE for this!)
  REMARK: Microsoft documentation or other blogs may still advise in disabling time sync with the host. That information is incorrect! Leave it enabled!
• Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
  • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
  • Name: Enabled
  • Type: REG_DWORD
  • Data: 0x00000000

–

NEW RECOMMENDATIONS:

• Disable “Time Synchronization” within the Hyper-V Integration Services for each virtual DC VM (VM must be OFFLINE for this!)

Figure 3: Hyper-V Time Synchronization Services In DISABLED State

–

UPDATE (2013-12-14): make sure to have the following hotfix (KB2902014) if the Hyper-V host is running WIN8 or W2K12

–

Additional information about configuring Time Sync for DCs can be found through the following links:

• (2010-09-26) Configuring And Managing The Windows Time Service (Part 1)
• (2010-09-26) Configuring And Managing The Windows Time Service (Part 2)
• (2010-09-26) Configuring And Managing The Windows Time Service (Part 3)
• (2010-09-26) Configuring And Managing The Windows Time Service (Part 4)
• How the Windows Time Service Works
• Windows Time Service Technical Reference
• Running Domain Controllers in Hyper-V

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————