Time Server Configuration in Active Directory – Physical and Virtual Machines
Time server configuration is crucial for any Active Directory environment. Clocks that are out of sync can lead to logon failures, incorrect correlation of log files, and even Active Directory failures.
Time configuration on physical servers is easy, but on virtual machines it needs extra care; I will explain why later in this article.
Time Server config on Microsoft Active Directory
The PDC Emulator, one of the Flexible Single Master Operations (FSMO) roles, is responsible for time sync across the enterprise. All other domain controllers sync their time with the PDC Emulator, child-domain PDC emulators sync with the forest-root PDC Emulator, and all member servers and workstations sync with their respective domain controllers.
Execute the commands below on the PDC Emulator to sync time with an external time source.
1. Set the time server to sync to. Replace <time-server> with your desired time server. It can be an external time server or any network device in your enterprise that serves time. The time service uses UDP port 123 to sync.
W32tm /config /manualpeerlist:<time-server> /syncfromflags:manual /reliable:yes /update
2. Restart the Time service
net stop w32time
net start w32time
3. Perform resync
Time Sync on additional domain controllers and Child domains
The commands above configure the time service on the PDC Emulator of the root domain. On the additional domain controllers and on the child-domain PDC emulators, execute the command below to configure the time service to follow the domain hierarchy:
W32tm /config /syncfromflags:domhier /update
Time Sync on Domain Controllers running as Virtual Machines
While the above works well for domain controllers deployed on physical hardware, there is an added complication when they run as virtual machines. The typical structure is shown below –
Physical Server –> Host OS –> Hypervisor –> Virtual Machine –> Domain Controller
Although the domain controllers are configured to sync time with an external time source or with the PDC Emulator, the physical hosts are also joined to the domain and may themselves hold the wrong time, which the hypervisor then pushes into the guest. This creates a time-sync loop and a major time-sync problem across the enterprise.
To overcome this, disable the virtual machine's time-sync integration service so that the VM no longer takes its time from the hypervisor it runs on.
To do this, go to the properties of the virtual machine (Hyper-V or VMM) (I don’t have a VMM environment running at the moment and can’t write the exact steps here, but I will try to add them as soon as I can).
Navigate to Integration Services and uncheck Time Synchronization. This disables time sync between the VM and the underlying hypervisor, so the guest OS now syncs only with the time source it is configured to use.
Ensure that the Time Synchronization integration service is disabled on all VMs that act as domain controllers in the environment.
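As an added example (not part of the original post), the procedure above expressed as two PowerShell functions: one run on a domain controller, which picks the manual-peer or domain-hierarchy configuration depending on whether that DC holds the forest-root PDC Emulator role and then verifies the reported time source; and one run on the Hyper-V host, which disables the Time Synchronization integration service for the named DC guests. It assumes the ActiveDirectory and Hyper-V PowerShell modules are installed; <time-server> and the VM names are placeholders you supply.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and Hyper-V
# modules; <time-server> and the DC VM names are placeholders.

# Run on a domain controller: configure W32Time according to the DC's role.
function Set-DcTimeSource {
    param(
        [Parameter(Mandatory)] [string] $TimeServer   # external NTP peer; UDP 123 must be reachable
    )
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $isForestRootPdc = ($domain.DNSRoot -eq $forest.RootDomain) -and
                       ($domain.PDCEmulator -eq "$env:COMPUTERNAME.$($domain.DNSRoot)")

    if ($isForestRootPdc) {
        # Forest-root PDC Emulator: the only DC that should peer with an external source.
        w32tm /config /manualpeerlist:$TimeServer /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC (including child-domain PDC emulators): follow the domain hierarchy.
        w32tm /config /syncfromflags:domhier /update
    }

    Restart-Service w32time          # the service name is w32time, not w32tm
    w32tm /resync

    # Verify: the source should be the configured peer (root PDC) or a DC (all others),
    # never "Local CMOS Clock" or "VM IC Time Synchronization Provider".
    $source = (w32tm /query /source) -join ''
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; RootPdc = $isForestRootPdc; Source = $source }
}

# Run on the Hyper-V host: turn off the Time Synchronization integration service
# for every VM that is a domain controller, then report the resulting state.
function Disable-DcVmTimeSync {
    param([Parameter(Mandatory)] [string[]] $DcVmName)   # names of the DC guests
    foreach ($vm in $DcVmName) {
        Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization' |
            Where-Object Enabled | Disable-VMIntegrationService
        Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization' |
            Select-Object VMName, Name, Enabled
    }
}

# Usage (placeholders):
# Set-DcTimeSource -TimeServer '<time-server>'
# Disable-DcVmTimeSync -DcVmName 'DC01','DC02'
```

Run the first function on each DC after the role check has been confirmed, and the second on every Hyper-V host that carries a DC guest; a source of "VM IC Time Synchronization Provider" in the output means the integration service is still enabled for that VM.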