
Best Practices for Configuring Time in a Virtualized Environment

Friday, October 3, 2014
I frequently work with customers who are having trouble with time synchronization in their virtualized environment (whether they know it or not). Accurate time is immensely important in a Windows domain since the primary authentication protocol is Kerberos. Kerberos uses time-based ticketing and if the time is off 5 minutes or more between computers, random authentication errors and other problems occur.

Time synchronization normally occurs automatically in a Windows domain, but things can get pretty screwed up in a virtualized environment when the VMs are configured to sync from a host with inaccurate time.

The following are my best practices for configuring and managing time in a virtualized environment:
  • Configure the Domain Controller holding the PDC Emulator FSMO role to synchronize time from an accurate time source. Run the following two commands from an elevated CMD prompt:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update

net stop w32time && net start w32time
  • Use pool.ntp.org as your external time source, as shown above. This is a load-balanced set of time servers located around the world and will return the best server for your geographic location. You may instead want to get time from an internal source. In this case, change the w32tm command as required. You can specify multiple peers by enclosing them in quotes separated by spaces (for example, /manualpeerlist:"source1 source2"). Your PDC Emulator needs User Datagram Protocol (UDP) port 123 access to get time from the target, so configure your firewall accordingly.
  • Disable time synchronization for all domain-joined VMs. How you do this depends on your virtualization platform. In VMware ESX it depends on the version you're running. In Hyper-V you do this by disabling Time Synchronization in Hyper-V Integration Services of the VM, as shown below.
    Note that while I have always advised doing this, Microsoft has recently updated their guidance to match (at least for domain controllers). See TechNet article, Running Domain Controllers in Hyper-V. I recommend doing this for all VMs.
  • Ensure your VM host is configured to get accurate time. If you run VMware vSphere or ESX you must configure the host to get time from an external time source. VMware has a nasty habit of syncing time to VMs even though you've told it not to. See my article, Fixing Time Errors on VMware vSphere and ESX Hosts. If you're running Hyper-V you should also configure the host to get accurate time. If the host is a member of the domain it should sync with the domain hierarchy, so you're set. If the host is in a workgroup, configure it to get Internet Time from pool.ntp.org, as shown below. Note that domain-joined computers do not have the Internet Time tab.
  • Restart the Windows Time service on all domain computers to synchronize time with the domain hierarchy. The Windows Time service is responsible for syncing time in the network. The computer's time should automatically update to match the Domain Controller time a few seconds after restarting the service. Use the following command to reset the service:
net stop w32time && net start w32time
    If the time difference is more than 5 minutes, you may find that the computer will not update its time. You may need to reset the time manually, then restart the Windows Time service to get it into sync.
Please refer to the excellent TechNet article, How the Windows Time Service Works, for more detail about how time synchronization works in a computer network.
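
An added example (not from the original post): after restarting the Windows Time service, one way to confirm the result is to run `w32tm /stripchart /computer:dc01.companyabc.com /samples:3 /dataonly` on each machine and compare the reported offsets with the 5-minute Kerberos tolerance. The Python below parses that output and flags machines that are out of tolerance or returned no samples; the 60-second warning threshold, the host names and the captured output are assumptions constructed for illustration.

```python
import re
from statistics import median

KERBEROS_MAX_SKEW = 300.0  # seconds: the 5-minute tolerance described above
WARN_SKEW = 60.0           # assumed early-warning threshold, not from the post

# With /dataonly, a good sample reads "10:15:01, +00.0012345s" and a failed
# one reads "10:15:03, error: 0x800705B4".
SAMPLE = re.compile(r"^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s$")
ERROR = re.compile(r"^\d{1,2}:\d{2}:\d{2},\s*error:\s*(0x[0-9A-Fa-f]+)$")

def parse_stripchart(text):
    """Return (offsets in seconds, error codes) from stripchart output."""
    offsets, errors = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := SAMPLE.match(line):
            offsets.append(float(m.group(1)))
        elif e := ERROR.match(line):
            errors.append(e.group(1))
    return offsets, errors

def classify(text):
    """Return (status, median skew) for one machine's stripchart output."""
    offsets, _ = parse_stripchart(text)
    if not offsets:
        return "NO_DATA", None      # e.g. UDP 123 blocked or service stopped
    skew = median(offsets)          # median damps a single outlier sample
    if abs(skew) >= KERBEROS_MAX_SKEW:
        return "KERBEROS_FAIL", skew
    if abs(skew) >= WARN_SKEW:
        return "WARN", skew
    return "OK", skew

HEADER = "Tracking dc01.companyabc.com [192.0.2.10:123].\nCollecting 3 samples.\n"
# Constructed output; host names and values are made up for illustration.
CAPTURED = {
    "app01": HEADER + "10:15:01, +00.0012345s\n10:15:03, +00.0012401s\n10:15:05, -00.0011000s\n",
    "file01": HEADER + "10:15:01, -75.2040118s\n10:15:03, -75.2038870s\n10:15:05, -75.2041902s\n",
    "sql02": HEADER + "10:15:01, +412.1190211s\n10:15:03, error: 0x800705B4\n10:15:05, +412.1201003s\n",
    "web03": HEADER + "10:15:01, error: 0x800705B4\n10:15:03, error: 0x800705B4\n",
}

def sweep(captured):
    """Map each host name to its (status, skew) pair."""
    return {host: classify(text) for host, text in captured.items()}

if __name__ == "__main__":
    for host, (status, skew) in sweep(CAPTURED).items():
        shown = "" if skew is None else f"{skew:+.3f}s"
        print(f"{host:8} {status:14} {shown}")
```

A NO_DATA result deserves the same attention as a failure: a machine that cannot reach its time source on UDP 123 will keep drifting until it crosses the tolerance.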


Fixing Time Errors on VMware vSphere and ESX Hosts

Tuesday, July 19, 2011
Time synchronization across a Windows domain is very important.  If a member server's clock varies more than 5 minutes from other domain servers, Kerberos tickets will fail.  This causes random authentication errors for users and/or applications which are sometimes difficult to troubleshoot.

Normally, time is synchronized in a Windows domain using the domain hierarchy.  The domain controller holding the PDC Emulator FSMO role is normally configured to get time from an authoritative NTP time source, and syncs time with all the other DCs in the domain.  The domain clients in each site sync time from the DCs in their local site, maintaining a relatively close synchronization of time across the domain.

Virtual machines are no different than physical computers and normally sync time using the same domain hierarchy.  Lately, however, I've seen VMs running on VMware vSphere boot up with random time differences from the domain.  I've seen this problem with three different clients lately, so I figured this might be a pervasive enough issue to blog about.

The trouble happens when the VMware vSphere, ESX or ESXi host does not have an accurate source of time, or time "drifts" due to an inaccurate system clock module.  vSphere and ESX hosts run a proprietary operating system and are not domain member servers, therefore they do not participate in domain hierarchy time synchronization. 

Most companies that use VMware hosts use vCenter to manage these hosts and their VMs.  Often, the servers that run vCenter are domain member computers and administrators think that since the vCenter syncs time with the domain, the hosts and VMs do, too.  Not true.  You need to configure the vSphere or ESX hosts to sync time from an accurate time source, otherwise the VM guests may start up with the wrong time - this can happen even if time synchronization between the virtual machine and the ESX server in VMware Tools is not enabled.


Here's how to configure your vSphere or ESX hosts to get time from an authoritative source.
  • Log on to vCenter and select your vSphere or ESX host.
  • Click the Configuration tab and then Time Configuration under the Software heading.  Notice that the time on the vSphere host does not match the domain time shown on the Windows client running vCenter.

  • Click Properties in the top left of the Configuration tab.  This opens the Time Configuration window.

  • Click the Options button and add a new NTP server that is the accurate source of time.  I recommend using the PDC emulator, since it should already be configured as an authoritative time source. 

  • Select the checkbox to Restart NTP service to apply changes and click OK twice to close the Time Configuration window.  You will see that the vSphere/ESX host now has the correct time and is configured to use dc01.companyabc.com as its time server.

You may need to restart the VM guests running on that VMware host to have them sync time with the domain.  The Windows Time service will not correct the time on the VMs if it varies too much from domain time.  All domain computers sync time when they start up on the domain, regardless of how far out of sync they were.

I have not seen this type of behavior with Hyper-V, only vSphere, ESX and ESXi hosts.

Handy UTC/GMT Time Converter Website

Wednesday, February 27, 2008
Don't you love it when you come across a nifty little tool that makes your life easier?

WorldTimeServer.com is a free website that offers lots of cool little tools that help you work with time around the world. Important to me is the Time Zone Calculator, which lets you enter a UTC time and converts it to your local time (or any other time zone, for that matter). This is extremely useful when troubleshooting SMTP headers, especially with all the changes in DST lately.

Upcoming Webcast for daylight saving time changes in 2007

Thursday, September 13, 2007


Of note to Systems Administrators (especially Exchange SAs)

Available on Friday, September 14th at 9am PT:

Preparing for Daylight Saving Time: This Webcast will provide an overview of information on Microsoft products and resources available to help businesses prepare for change to Daylight Saving Time.

https://www.livemeeting.com/cc/lmevents/join?id=msft091407sa&role=attend&pw=AGT732

To see future Webcasts related to this subject please keep checking our "Webcasts for daylight saving time changes in 2007" page which you can find here.

