Where’s my time
Simple things are sometimes the most tricky.
Once in a while a recurring question comes up: how should you set up time in your domain if all DCs are virtualized? The undying answer is
"have one physical box that acts as the primary DC".
My "virtualize everything" nature opposes this. You can have all DCs virtualized in your environment; you just have to do it right.
How it works
I highly recommend these links if you’re interested in this subject:
- How the Windows Time Works
- Windows Time Configuration - It’s simple
- Windows Server 2016 Accurate Time
Just a quick recap. When an OS boots up it queries a 'source' for the current time. On a physical box that source is the hardware (CMOS/RTC) clock. A virtual machine instead asks the hypervisor for the current time; on Hyper-V this happens through the Time Synchronization integration service.
Then, once the VM is completely up, a machine in an Active Directory environment uses the domain hierarchy (unless configured differently) to synchronize its clock at regular intervals.
What is the issue then? Imagine all your DCs are down, or under heavy load, or your Hyper-V host is under heavy load; any of these can cause the host clock to drift a little. Then a VM with the DC role starts and synchronizes its time with the Hyper-V host, inheriting the inaccurate time. Suddenly every machine in your domain has the wrong time and bad things happen: Kerberos rejects tickets once the skew exceeds its default 5-minute tolerance, so logins fail; internet services complain about your time; and so on.
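To see how close you are to that failure before users do, here is an added check script (mine, not the post's) that measures every DC's clock offset relative to the PDC Emulator with `w32tm /stripchart` and flags anything past the Kerberos default tolerance of 5 minutes. It assumes the ActiveDirectory module is installed on the box you run it from and that UDP/123 is reachable on every DC from there.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: report each DC's skew against the PDC Emulator.

function Get-NtpOffsetSeconds {
    param([string]$Computer)
    # w32tm /stripchart prints sample lines like "12:00:01, +00.0123456s" (target minus local).
    # An unreachable peer prints "12:00:01, error: 0x800705B4" instead, which yields $null here.
    $lines = w32tm /stripchart /computer:$Computer /samples:1 /dataonly 2>&1
    $m = $lines | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    if ($m) { [double]$m.Matches[0].Groups[1].Value } else { $null }
}

$maxSkewSeconds = 5 * 60            # Kerberos default MaxClockSkew
$pdc = (Get-ADDomain).PDCEmulator
$pdcOffset = Get-NtpOffsetSeconds -Computer $pdc
if ($null -eq $pdcOffset) { throw "Cannot read time from PDC Emulator $pdc" }

Get-ADDomainController -Filter * | ForEach-Object {
    $dc  = $_.HostName
    $off = Get-NtpOffsetSeconds -Computer $dc
    # Both offsets are measured from this machine; subtracting the PDC's gives DC-vs-PDC skew.
    $skew = if ($null -ne $off) { $off - $pdcOffset } else { $null }
    $status = if ($null -eq $skew) { 'UNREACHABLE' }
              elseif ([math]::Abs($skew) -gt $maxSkewSeconds) { 'KERBEROS WILL FAIL' }
              else { 'OK' }
    [pscustomobject]@{ DC = $dc; SkewSeconds = $skew; Status = $status }
} | Format-Table -AutoSize
```

Run it from any domain member; the PDC row should always read OK with a skew of 0, since it is the reference point.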
To resolve this, some advise disabling the Time Synchronization integration component of Hyper-V on the DC VMs, but that's not the best idea.
Why? Because a VM has no battery-backed clock to keep time while it is powered off, so when it starts or resumes from a saved state its time is wrong until something corrects it. It is desirable for a VM to get its initial time from the Hyper-V host. Some people go the other way and configure the Hyper-V hosts as the authoritative time source for the whole domain, which violates Active Directory best practice: domain time should flow from the PDC Emulator down the domain hierarchy, not from the virtualization layer.
How should it be done then?
- All Domain Controllers should be allowed to use the Hyper-V integration components during startup,
- and only during startup!
- The Domain Controller holding the PDC Emulator FSMO role should synchronize time with an external source,
- All other Domain Controllers should synchronize from the PDC Emulator,
- All other machines should synchronize from any Domain Controller.
I've got no time, show me some code
- First, let's make sure our DCs have the Time Synchronization integration service enabled:
If not, we can easily fix that:
- Then add a registry entry on all DCs that stops the VM, once booted, from using the VM Integration Component time provider:
- Configure the PDC Emulator to use an external source:
- Configure all other DCs to use the domain hierarchy:
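The original screenshots are not reproduced here, so below is an added script of my own (not the post's) that carries out all four steps end to end and verifies the result. It assumes it is run from a management box with the Hyper-V and ActiveDirectory modules, WinRM access to every DC, and that each DC VM is named after the DC's short hostname. The host names HV01/HV02 and the pool.ntp.org peers are placeholders; the registry value is the one W32Time actually reads for the Hyper-V provider.

```powershell
#Requires -Modules Hyper-V, ActiveDirectory
# Added example, not the post's own code. Assumed placeholders: HV01/HV02, the NTP peers,
# and the convention that VM name == DC short hostname.
param(
    [string[]]$HyperVHosts = @('HV01', 'HV02'),
    [string[]]$ExternalNtp = @('0.pool.ntp.org', '1.pool.ntp.org')
)

$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$pdc     = (Get-ADDomain).PDCEmulator
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$others  = $dcs | Where-Object { $_ -ne $pdc }

# Step 1: Time Synchronization integration service stays ON for every DC VM, so a cold boot
# or a resume from saved state picks up the host clock before anything else runs.
foreach ($dc in $dcs) {
    $vmName = ($dc -split '\.')[0]
    foreach ($hv in $HyperVHosts) {
        $svc = Get-VMIntegrationService -ComputerName $hv -VMName $vmName `
                   -Name 'Time Synchronization' -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }             # VM is not on this host
        if (-not $svc.Enabled) {
            Write-Host "Enabling Time Synchronization for $vmName on $hv"
            Enable-VMIntegrationService -ComputerName $hv -VMName $vmName -Name 'Time Synchronization'
        }
    }
}

# Step 2: inside every DC, take the Hyper-V provider (VMICTimeProvider) out of W32Time's
# provider list. Enabled=0 means W32Time stops pulling samples from the host after boot;
# the integration service itself still seeds the clock at boot/resume, which is what we want.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($key)
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
} -ArgumentList $vmicKey

# Step 3: the PDC Emulator syncs from the external peers. 0x8 = client mode (no symmetric
# peering); /reliable:yes advertises it as the domain's reliable time source.
$peerList = ($ExternalNtp | ForEach-Object { "$_,0x8" }) -join ' '
Invoke-Command -ComputerName $pdc -ScriptBlock {
    param($peers)
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service W32Time
    w32tm /resync /nowait
} -ArgumentList $peerList

# Step 4: every other DC follows the domain hierarchy, which leads to the PDC Emulator.
Invoke-Command -ComputerName $others -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    Restart-Service W32Time
    w32tm /resync /nowait
}

# Step 5: verify. The PDC should name an external peer, the others the PDC; any DC still
# reporting 'Local CMOS Clock' or 'VM IC Time Synchronization Provider' is not fixed yet.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($key)
    [pscustomobject]@{
        DC     = $env:COMPUTERNAME
        Source = (w32tm /query /source)
        VmicOn = (Get-ItemProperty -Path $key).Enabled   # expect 0 everywhere
    }
} -ArgumentList $vmicKey | Sort-Object DC | Format-Table DC, Source, VmicOn -AutoSize
```

Two things worth knowing before running it: the registry change only takes effect after W32Time restarts (steps 3 and 4 do that for you), and if you ever move the PDC Emulator role to another DC, rerun steps 3 and 4 so the external peer list follows the role.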
Once done, your PDC Emulator will report that it is synchronizing with the external source:
And your other DCs will report that they synchronize with the PDC Emulator:
And we're back on the right time track!
P.S. Did anyone notice this little error message?
"VM Integration Services status reports protocol version mismatch on pre-Windows 10 Version 1607 or Windows Server 2016 VM guests" (link)
It just means that my VM is not Windows Server 2016 running on a Windows Server 2016 Hyper-V host.