Today, we’ll look at some specifics of time configuration on virtualized domain controllers. In an Active Directory domain, the time synchronization scheme typically looks as follows:
- All other domain controllers are synchronized with the controller that owns the PDC emulator role;
- All member servers and workstations synchronize their time with the nearest domain controller;
- The PDC emulator is the domain’s main time source and must be configured to synchronize time with an external time source.
Tip: See the article Configure NTP Time Sync using Group Policy for additional details on configuring NTP time in a domain.
However, if you check the current time source (w32tm /query /source), you may unexpectedly find an odd time source named VM IC Time Synchronization Provider.
In fact, regardless of the time service settings inside the machine, Hyper-V virtual machines synchronize their time with the host by default. This can create an odd situation: the Hyper-V host is a domain member and synchronizes time with a domain controller, which is itself a virtual machine and is synchronized with the host (recursion?).
You must disable time synchronization with the host for virtual domain controllers to avoid this. There are two options for accomplishing this.
The first option is to turn off time synchronization in the virtual machine’s properties. To do so, open the virtual machine’s properties in the Hyper-V Manager snap-in, navigate to the Integration Services section, and uncheck Time synchronization.
On the Hyper-V server, you can do the same from the PowerShell console. For example, this command shows the status of the VM’s integration service:
Get-VMIntegrationService -VMName dc1 -Name 'Time synchronization'
The following command will disable time synchronization:
Get-VMIntegrationService -VMName dc1 -Name 'Time synchronization' | Disable-VMIntegrationService
If you are using VMware ESXi as the virtualization host, you can disable time synchronization with the host in the virtual machine settings:
VM > Edit Settings > VM Options tab > uncheck Synchronize guest time with host.
The second option is to edit the registry inside the guest virtual machine that runs the ADDS role. Run Regedit.exe, navigate to the branch HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider, and set the Enabled parameter to 0 to stop synchronization.
The same setting can be made from the Command Prompt by running the command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
In addition, it is desirable to make the following settings:
- Change the NTP server polling period:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t reg_dword /d 900
- Configure the time service to respond correctly to a non-standard time shift of more than 52 hours:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword /d 0xFFFFFFFF
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t reg_dword /d 0xFFFFFFFF
After disabling synchronization by any of the methods outlined above, you must restart the time service so that it switches to the new source. On the domain controller with the PDC emulator role, restart the w32time service and perform the synchronization:
You must also run the following command on all other AD domain controllers:
w32tm /config /syncfromflags:DOMHIER /update
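To confirm the result inside a virtual domain controller once the time service has been restarted, the registry values and the active time source can be checked together. The script below is an added example, not part of the original article; it is read-only and assumes an elevated PowerShell session on the guest, and the names $base, $expected and $report are its own.

```powershell
# Added example: read-only audit of the W32Time settings this article changes.
# Run in an elevated PowerShell session inside the virtual domain controller.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Values the article sets, written as 8-digit hex so that signed and unsigned
# DWORD representations compare equal (0xFFFFFFFF may be read back as -1).
$expected = @(
    @{ Key = 'TimeProviders\VMICTimeProvider'; Name = 'Enabled';               Want = '0x00000000' }
    @{ Key = 'TimeProviders\NtpClient';        Name = 'SpecialPollInterval';   Want = '0x00000384' } # 900
    @{ Key = 'Config';                         Name = 'MaxNegPhaseCorrection'; Want = '0xFFFFFFFF' }
    @{ Key = 'Config';                         Name = 'MaxPosPhaseCorrection'; Want = '0xFFFFFFFF' }
)

$report = foreach ($e in $expected) {
    $path = Join-Path $base $e.Key
    # A missing value yields $null instead of an error.
    $item = Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { '0x{0:X8}' -f $item.($e.Name) } else { '(not set)' }
    [pscustomobject]@{
        Setting  = "$($e.Key)\$($e.Name)"
        Expected = $e.Want
        Actual   = $actual
        OK       = ($actual -eq $e.Want)
    }
}

# The hypervisor provider should no longer be reported as the active source.
$source = (w32tm /query /source | Out-String).Trim()
$report += [pscustomobject]@{
    Setting  = 'w32tm /query /source'
    Expected = 'not VM IC Time Synchronization Provider'
    Actual   = $source
    OK       = ($source -notmatch 'VM IC Time Synchronization Provider')
}

$report | Format-Table -AutoSize -Wrap
```

Any row with OK set to False points to a setting that was not applied, or to a time service that has not yet been restarted.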