Proper AD PDC Time confirguration in Hyper-V?
-
So I am configuring my first fully virtualized Active Directory using Hyper-V ith 2 VMs dedicated to AD using Windows 2016.
Everything is fine except that I am not sure about what is the proper configuration for Time synchronization.There are lots of conflicted information on Internet, in the end I tried to use
https://www.veeam.com/blog/time-synchronization-all-virtual-environment-guide.html and
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-serverbut w32tm /query /source doesn't return my external source. It returns "local CMOS Clock"
Is there a reliable guide out there for this? -
Microsoft have made this a real pita for an AD server. They want you to use a GPS device as a time source. Ptah, get'erdone.
net stop w32time w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org" w32tm /config /reliable:yes net start w32time -
@travisdh1
Thank you. I did that initially and it doesn't work.
I am trying to update the GPO for the PDC emulator -
@dave_c said in Proper AD PDC Time confirguration in Hyper-V?:
@travisdh1
Thank you. I did that initially and it doesn't work.
I am trying to update the GPO for the PDC emulatorAh, that one I don't know. Good luck, and let us know if you figure it out!
-
I tried to force the external TIme source by GPO following http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo
Same result, PDC is still using Local CMOS Clock. I will try again tomorrow and report back. -
You should disable time sync in the Hyper-V integration services on all your DC VMs but make sure your Hyper-V host is syncronising its time with the same external source. When your VMs are restarting they can only fall back to the hypervisor's time since there is no real CMOS for obvious reasons.
Check if UDP port 123 is not blocked by the VM's Windows firewall, on your network or by your ISP.
-
@taurex
Thank you, I will try and report back.
I tried with Hyper-V time sync enabled (per Veeam instructions linked in OP) and disabled (as everyone else recommends); none worked. Actually, Veeam's recommendation kind of makes sense.I never considered that the host should be synchronized with the same external source. That is because the host is AD joined and the general recommendation is to have all AD joined computers/server to sync with PDC emulator.
-
@taurex
It didn't work. This is a new client we are taking over, and it might be a problem with a current GPO. I will do lab tests before trying again on the client's servers.@all
Thanks, I will report back in case I find anything useful -
@dave_c said in Proper AD PDC Time confirguration in Hyper-V?:
@taurex
Thank you, I will try and report back.
I tried with Hyper-V time sync enabled (per Veeam instructions linked in OP) and disabled (as everyone else recommends); none worked. Actually, Veeam's recommendation kind of makes sense.I never considered that the host should be synchronized with the same external source. That is because the host is AD joined and the general recommendation is to have all AD joined computers/server to sync with PDC emulator.
The problem with this is that you can end up in a loop where time can drift uncontrollably. Since the PDCe is syncing to the host and the host is syncing to the PDCe you have nothing authoritative handling time externally and keeping it consistent. That is why most recommend disabling host synchronization for your DCs.
-
@Kelly
That makes sense.
Veeam recomends enabling it and using the registry to disable it once the system has booted. -
Keep in mind that anything you read regarding 2012 Server or older is not relevant for 2016 (or newer).
Windows has historically been worthless at keeping accurate time and the win32 time service was just designed to keep time accurate time within a few minutes. With 2016 Microsoft made an effort to correct this.
Here is the basic info for Windows 2016 Server.
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-timeThere are several ways to set things up depending on what you need.
-
@Pete-S
I will read that carefully, but what I see indicates that the PDC VM has to synchronize with the host and the host needs to use the external clock.
Thank you for the info. -
@dave_c said in Proper AD PDC Time confirguration in Hyper-V?:
@Pete-S
I will read that carefully, but what I see indicates that the PDC VM has to synchronize with the host and the host needs to use the external clock.
Thank you for the info.No probs. Don't forget to check out the video as well for an executive summary. It's time well spent.
https://channel9.msdn.com/Blogs/windowsserver/Time-Improvements-in-Windows-Server-2016/player
Also external clock, as in hardware clocks like GPS or local stratum-1 ntp server, is only needed for accurate time services. Most people don't need that kind of accuracy. So in order of reliability and accuracy:
- local hardware or local ntp time servers (stratum-1)
- known reliable ntp servers with few hops (stratum-1)
- ntp pool servers (stratum-1 to 3)
I would look at option number two if a local time server is not needed. Find locally placed stratum-1 ntp servers, for instance from NIST (if you're in the US) and sync your Hyper-V hosts or firewall /router against those.
NTP pool are basically random servers of unknown accuracy on the net running ntpd. A lot of them aren't monitored in any way and network availability can be anything from great to spotty.
-
@Pete-S Good to know. Thanks for the link.
