hyper-v server time sync source - PDC / external NTP?
The environment:
- 10 Hyper-V hosts, all AD joined
- a lot of VMs AD joined and some not
- some AD DCs including PDC as Guests
What do you think is the best approach to time-sync a Hyper-V farm with AD controllers as guests? I've got 2 plans :)
What would be the best time source for the Hyper-V servers?
Plan 1
- setup AD PDC VM to time sync to external NTP as primary source,
- All the Hyper-V servers will sync to the PDC because they're domain joined,
- All other guests will sync to the Hyper-V time service.
Plan 2 (I am thinking about implementing this one because the hypervisor layer will be independent from the guest PDC)
- force all Hyper-V hosts to sync time from external NTP.
- Sync time on all the guests to the Hyper-V time service, including the PDC.
Maybe someone has a good option number 3?
Solution 1:
On one hand, this is a neat question, but on the other hand, it may be primarily opinion-based. There really is no one single way to do this. You have options, and many of them are equally valid.
From reading blog posts like this one, you get the impression that even Microsoft employees are torn about it:
Our original recommendation was to disable the time synchronization and leave it up to the DC’s own functionality to synchronize time with other DC’s.
For a time, I followed that advice with no ill effects, because I was so comfortable with the way NTP and time sync in an AD domain work that I felt the Hyper-V time sync was just getting in the way. It worked fine for me.
But Ben Armstrong, Hyper-V Program Manager, says this:
Question #8 – When should I disable the Hyper-V time synchronization service (either in the virtual machine settings, or inside the guest operating system)?
Never.
There are definitely times when you will want to augment the functionality of the Hyper-V time integration services with a remote time source (be it a domain source or an external time server) but the only way to get the best experience around virtual machine boot / restore operations is to leave the Hyper-V time integration services enabled.
When I run the following commands on a Win8.1 virtualized guest (joined to an AD domain whose DCs are also virtualized, with time sync integration services enabled on all) on Hyper-V 2012 R2, I see this:
C:\>w32tm /query /source
VM IC Time Synchronization Provider
C:\>w32tm /query /peers
#Peers: 1
Peer: DC01.labs.myotherpcisacloud.com
State: Active
Time Remaining: 254.6744551s
Mode: 3 (Client)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)
The output seems contradictory.
And this guy talks about partially disabling the time sync on your domain guests via a registry tweak on all your domain members. But I personally shun that approach. It bugs me when I go into someone else's environment (to fix their time sync issues no doubt) and I see that they've manually reconfigured every single domain member's Windows Time service. Leave it alone, is my motto.
Here's my own personal check list:
Leave time sync integration service enabled everywhere.
Assuming all DCs are VMs, configure your forest root PDCE domain controller to sync with an external time source, such as *.pool.ntp.org. Your forest root PDCE should be the only computer in your AD forest configured to look to an external time source. All other domain members and domain controllers will organically locate a DC via traditional Windows Time mechanisms.
Configure your Hyper-V hosts to point to the same external time source(s) as the virtualized forest root PDCE. Regardless of whether your Hyper-V hosts are joined to the same domain or not, you want them to be able to reach a reliable time source if the virtualized DCs that run inside them are down.
This works fine... it isn't the only way to skin the cat, but it works fine.
Solution 2:
I would use Plan 1. DCs and domain members should sync with the domain hierarchy (except for the forest root PDC Emulator, which should use an external time source).
Here are the priorities, in order of importance:
- The DCs and domain members are in sync with each other
- The DCs and domain members have the correct time
If you run w32tm /query /status /verbose, 'Source:' should never display "Local CMOS Clock" or "Free-Running System Clock".
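An added example, not code from either answer, that scripts both answers' recommendations with w32tm and the Hyper-V cmdlets: the forest-root PDCE and every Hyper-V host get the same external sources (the pool.ntp.org names are placeholders taken from Solution 1), every other domain member follows the domain hierarchy, and the final check flags the two 'Source:' values Solution 2 says you should never see. Run it elevated on the machine you are configuring.

```powershell
# Added example, not from the answers. Pool server names are placeholders.
param(
    [string[]]$ExternalPeers = @('0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org')
)

# 0x8 = poll in client mode; w32tm wants a space-separated, comma-flagged list.
$peerList = ($ExternalPeers | ForEach-Object { "$_,0x8" }) -join ' '

function Set-ExternalTimeSource {
    # Solution 1, items 2 and 3: same external sources on the forest-root PDCE
    # (use -Reliable there) and on every Hyper-V host, whether domain joined or not.
    param([switch]$Reliable)
    $flag = if ($Reliable) { 'yes' } else { 'no' }
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:$flag /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

function Set-DomainHierarchyTimeSource {
    # Every other DC and domain member: follow the AD hierarchy, no manual peers.
    w32tm /config /syncfromflags:domhier /reliable:no /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

function Test-TimeSource {
    # Solution 2's check: a box that only trusts its own clock is a failure.
    $bad = 'Local CMOS Clock', 'Free-Running System Clock'
    $source = ((w32tm /query /source) -join '').Trim()
    foreach ($b in $bad) {
        if ($source -like "*$b*") {
            Write-Warning "$env:COMPUTERNAME is using '$source'"
            return $false
        }
    }
    Write-Host "$env:COMPUTERNAME is using '$source'"
    return $true
}

function Assert-VmTimeSyncEnabled {
    # Solution 1, item 1: the time-sync integration service stays on for every guest.
    Get-VM | Get-VMIntegrationService -Name 'Time Synchronization' |
        Where-Object { -not $_.Enabled } |
        ForEach-Object {
            Write-Warning "Re-enabling time sync on $($_.VMName)"
            Enable-VMIntegrationService -VMName $_.VMName -Name 'Time Synchronization'
        }
}
```

Call Set-ExternalTimeSource -Reliable on the PDCE, Set-ExternalTimeSource followed by Assert-VmTimeSyncEnabled on each host, Set-DomainHierarchyTimeSource everywhere else, and Test-TimeSource on all of them afterwards.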