Problem with partially disabling host time synchronization on virtual DC


  • Problem with partially disabling host time synchronization on virtual DC

    Hoping you guys can help me out with a problem that's been bugging us and I can't seem to figure out.

    We decided to move ahead with virtualizing all our domain controllers on Hyper-V and we've run into some problems. All Hyper-V hosts are 2008 R2 SP1, and all virtual DC's are 2008 R2 SP1 Core.

    Per MS's recommendation, we partially disabled the host time synchronization with the guest DC's by disabling the VMIC time provider in the w32time settings (reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0), but leaving the checkbox for "time synchronization" checked under integration services in the VM settings.

    We also configured each virtual DC to sync with the same external time source via NTP, so they are not following the domain hierarchy but are each reliable time sources.

    If I run the command w32tm /query /source, it shows the external NTP server as the source as it should.

    However, we believe the guest DC's are still syncing their time with the Hyper-V hosts and we can't figure out why. I tested this by advancing the time on a host that has one virtual DC on it, and the guest DC immediately updated its time to match the host time. If I reverse the change on the host, the guest DC's time slowly ticks down to match the host time again. We're worried that this could lead to time skew on our virtual DC's.

    Is this expected behavior based on our setup, or is there something I'm missing?

    Steve
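
An added example, not part of the original post: a PowerShell check to run on the guest DC that lists the w32time provider states, shows the reported source, and measures the guest clock directly against the NTP server. The peer name `ntp.example.net` and the 1-second warning threshold are placeholders, and the script assumes w32time names the Hyper-V provider "VM IC Time Synchronization Provider" in its source output.

```powershell
# Added example, not from the thread. Run elevated on the guest DC.
param(
    [string]$NtpPeer     = 'ntp.example.net',  # placeholder for your external NTP server
    [double]$WarnSeconds = 1.0                 # assumed alert threshold, adjust as needed
)
$kerberosSkew = 300   # default Kerberos clock-skew tolerance: 5 minutes
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'

# 1. Enabled state of each w32time provider, VMICTimeProvider included.
$providers = Get-ChildItem $key | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{ Provider = $_.PSChildName; Enabled = [bool]$p.Enabled }
}
$providers | Format-Table Provider, Enabled -AutoSize
if ($providers | Where-Object { $_.Provider -eq 'VMICTimeProvider' -and $_.Enabled }) {
    Write-Warning 'VMICTimeProvider is still enabled inside w32time.'
}

# 2. The source w32time itself reports.
$source = (w32tm /query /source | Out-String).Trim()
"w32time source: $source"
if ($source -like '*VM IC Time Synchronization Provider*') {
    Write-Warning 'w32time is taking its time from the Hyper-V host.'
}

# 3. Measure the guest clock against the NTP peer, independent of what w32time reports.
#    Data lines look like "hh:mm:ss, +00.0012345s"; error lines do not match and are skipped.
$offsets = @(w32tm /stripchart "/computer:$NtpPeer" /samples:5 /dataonly |
    ForEach-Object {
        if ($_ -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    })
if ($offsets.Count -eq 0) {
    Write-Warning "No samples returned from $NtpPeer (name resolution or UDP/123 blocked?)."
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    "Worst offset vs ${NtpPeer}: $worst s over $($offsets.Count) samples"
    if ($worst -ge $kerberosSkew) {
        Write-Warning 'Offset is beyond the default Kerberos clock-skew tolerance.'
    } elseif ($worst -ge $WarnSeconds) {
        Write-Warning 'Offset is above the warning threshold; the guest is not tracking the NTP peer.'
    }
}
```

Running it before and after a host clock change shows whether the guest offset follows the host even though step 2 still reports the NTP server.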

  • #2
    Re: Problem with partially disabling host time synchronization on virtual DC

    I tend to leave virtual DCs Time sync as it is, so in effect, they will use the PDC role holder for the time sync and should you want to, get the PDC role holder to sync with an external time source.

    As the Hyper-V Hosts are also members of the AD domain, they will also sync with the PDC role holder.

    With regards to your setup, you mention that you have left the Time synchronisation box checked under integration services. Usually, I'd uncheck that one and let AD do the time synchronisation.

    Have you tested with unchecking that box?



    • #3
      Re: Problem with partially disabling host time synchronization on virtual DC

      Not yet. I'm hesitant to do so because MS recommends leaving it checked. It is my understanding that the time synchronization integration service is responsible for setting the time on the guest OS when a virtual machine resumes from a saved state or when it is powered on.

      Are there any potential risks if I disable the time synchronization integration service on the virtual DC? What happens if the virtual DC is resumed from a saved state and the time is off? Will the w32time service be able to correct the time if it's outside the limitations set in the registry? Is there any chance the guest DC will start rejecting authentication requests because of the time difference?



      • #4
        Re: Problem with partially disabling host time synchronization on virtual DC

        I can't give a reference, but I have always disabled Hyper-V timesync on virtual DCs and let them pick up the time from the PDC emulator. I'm sure this was a Microsoft recommendation at some point.

        Powering on shouldn't be an issue, and how often do you save your virtual DCs for long periods?

        Having said that, I found this blog which gives some food for thought: http://kevingreeneitblog.blogspot.co...n-windows.html
        Is it the one you have followed?

        Also note, reading the original post above, normally you only sync the PDC emulator with the external time source, and all other DCs should sync from the PDC emulator.

        (not sure if any of this is helpful around your issue, though)
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **
