Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

«
»

(2011-09-14) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations

Posted by Jorge on 2011-09-14


UPDATED: (2013-11-17) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations (AGAIN)

The time synchronization hierarchy within any AD forest is shown in the picture below.

image

Figure 1: Default Time Synchronization Hierarchy Within Any AD Forest

As displayed in figure 1, DCs have their own time synchronization mechanism. When virtualizing DCs the time synchronization mechanism between the virtual DC (the VM guest) and the VM host must be disabled and it must be ensured the time synchronization mechanism natively used by the DCs is NOT disturbed. Reasoning for this is the high dependency that other processes (e.g. replication, authentication, etc.) have with accurate time.

PREVIOUS RECOMMENDATIONS:

  • Disable “Time Synchronization” within the Hyper-V Integration Services for each virtual DC VM (VM must be OFFLINE for this!)

image

Figure 2: Hyper-V Time Synchronization Services In DISABLED State

  • Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
    • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    • Name: Enabled
    • Type: REG_DWORD
    • Data: 0x00000000

NEW RECOMMENDATIONS:

  • Leave “Time Synchronization” within the Hyper-V Integration Services ENABLED (DO NOT DISABLE!) for each virtual DC VM (VM must be OFFLINE for this!)
    REMARK: Microsoft documentation or other blogs may still advise in disabling time sync with the host. That information is incorrect! Leave it enabled!
  • Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
    • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    • Name: Enabled
    • Type: REG_DWORD
    • Data: 0x00000000

Additional information about configuring Time Sync for DCs can be found through the following links:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Advertisement

This entry was posted on 2011-09-14 at 14:37 and is filed under Active Directory Domain Services (ADDS), NTP, Virtualization. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses to “(2011-09-14) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations”

  1. thvuyVuylsteke said

    2011-09-19 at 20:32

    Jorge,

    Just wondering, why this switch in recommendations? Besides that, if it’s a real recommendation, it would be nice to have the AD PG write some official KB article and support your opinion.

    Regards,
    Thomas

    Like

    Reply

    • Jorge said

      2011-09-20 at 11:19

      Hey Thomas,

      This recommendation IS supported by MSFT!

      For example:
      The info on “http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx” shows

      Time service
      For virtual machines that are configured as domain controllers, it is recommended that you partially disable time synchronization between the host system and guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time for the domain hierarchy, but protects it from having a time skew if it is restored from a Saved state.
      To partially disable the Hyper-V time synchronization provider, leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
      –> reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
      This command stops Windows Time service (W32Time) from using Hyper-V time synchronization integration when the guest domain controller’s operating system is started. With this setting disabled, the Hyper-V time synchronization provider is only used if the guest domain controller is rebooted or restored from a Saved state.

      The info on “http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx” shows:
      The answer of question#6 and question#8

      Regards,
      Jorge

      Like

      Reply

  2. NTP in Active directory Environment « infrastarter said

    2011-12-30 at 16:41

    […] https://jorgequestforknowledge.wordpress.com/2011/09/14/time-sync-recommendations-for-virtual-dcs-on-… Share this:TwitterFacebookLike this:LikeBe the first to like this post. […]

    Like

    Reply

  3. NTP in Active directory Environment – IT_AdminKom said

    2019-06-17 at 04:01

    […] https://jorgequestforknowledge.wordpress.com/2011/09/14/time-sync-recommendations-for-virtual-dcs-on-… […]

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»
 
%d bloggers like this: