I was talking with someone about this subject recently and realized I should write some of it down. To make sure that all of your Windows machines – virtual or otherwise – have the same time the process below will help. Remember that AD will tolerate only about a five minute difference – meaning if a person or computer tries to authenticate and the local time is more then five minutes different from the DC they will not be successful in logging in. Windows is not alone in this, vRealize Automation, SSO, are several other examples that are impacted in similar ways. So it is quite important to have consistent, and correct, time.
When you install Windows machines in a Windows Active Ddirectory domain Windows takes care of the time. It will make sure all of the machines have the same time (more or less – it is not perfectly accurate nor does it need to be). This is done by the first installed Domain Controller (called the PDC emulator) which is responsible for time. It is because of this that we configure that PDC emulator to use an external clock so that it always has the correct time, which means the rest of the domain will have the right time.
BTW, the commands below are done at the command line but be sure to start the command line as Admin.
I used the command below to configure my DC (PDC Emulator) with three external NTP servers.
w32tm /config “manualpeerlist:1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org” /syncfromflags:manual /reliable:yes /update
And to be safe I stop and start the w32tm service.
This all looks like below. As always click on the image to see a bigger version of it.
How do we check that it is set?
Notice part way down we see the Type: NTP which is good, and below it we see the NTP hosts too. So our config looks good. BTW, the command we used for this is below.
w32tm /query /configuration
Test – PDC to time source (NTP)
We should see what the time difference between our DC and the NTP server is. It may take some time for that to look good.
So this looks mighty fine. Is that .009 of a second? Note bad at all. The command we used for this is below.
w32tm /stripchart /computer:1.us.pool.ntp.org
Test – VM to time source (PDC)
This is likely not going to be as good as above as Windows takes longer to sync up time. But here is what it looks like.
So that is just under 10 seconds difference. Not bad but we will keep an eye on it. We use the same command here as above but pointing at our PDC emulator.
w32tm /stripchart /computer:bosad01.pml.com
Test – is my VM getting time from the Windows Domain?
You will need to check the time configuration on one of your Windows machines. This does not need to be done on all machines. When a Windows machine is joined to a domain this is automatically done. Use the following command to check.
w32tm /query /configuration
You need to look for the Type: NT5DS field to confirm the Windows machine is getting time from the AD domain. See below for an example.
Something to remember:
- When a physical machine, or a virtual machine starts the OS gets an update of the time during the start-up process. For physical machines that time comes from the BIOS real time clock. For virtual machines it comes from ESXi. This is why we like to have our ESXi hosts pointed at the same time server(s) as the PDC emulator.
- How do you find the PDC emulator? If you use Active Directory Users and Computers, Right-click the domain, and select Operations Master, you will see a PDC tab and you can find the PDC name on that tab.
- I believe it is best to use Windows to keep your Windows machines time current and NOT VMware Tools.
- I believe it is best to have Windows and ESXi hosts point at the same source. Can be an edge router configured to talk to three external sources or it can be three external sources.
- Timekeeping in Virtual Machines
- Timekeeping best practices for Linux Guests – KB 1006427
- ESX and ESXi host Timekeeping best practices – KB 2004453
This has shown you how to configure your Windows domain to have consistent time as well as correct since it is connected to external time sources.
Questions or comments welcome!
=== END ===