Time synchronization in an all virtual environment guide

I have been asked a lot about how to configure time in your domain when all the Domain Controllers (DCs) are virtual and running on Microsoft Hyper-V. People will say just stick to a physical DC. However, sometimes this is not an option. In this article, I am going to walk you through the best way to set up time synchronization.

Why is time synchronization important?

When the OS boots up, it looks for a source to find the current time. This is fine when you have a physical box, as it will use the system clock. Virtual machines do not have a system clock. Instead, they will ask the Hyper-V for the current time. When a VM has fully booted up, it will then use the domain hierarchy (if set up) to synchronize its clock at regular intervals.

Let us imagine that all our DCs are down, or having issues and not responding in a timely manner. This is when time can start to shift. This will cause the virtual DCs to synchronize with the time on the Hyper-V host causing the time to be inaccurate. This will start a knock-on effect resulting in all machines in the domain to have the wrong time. This will then cause issues with Kerberos, logins, some websites and more.

How to set up time synchronization correctly

First, we need to check that all virtual DCs are allowed to use the time synchronization Hyper-V integration component during startup and only during startup. This can be done via Hyper-V settings on each host.

We then need to add a registry entry on all DCs to make sure they will not use the Hyper-V integration services for time synchronization once booted. In an elevated PowerShell window, type:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider -Name Enabled -Value 0 –Force

Now that has been set up, we need to make sure that the DC that holds the PDC Emulator FSMO role is synchronizing with an external time source. To find out what DC is the PDC in an elevated PowerShell window, type:

Get-ADDomain | Select-Object DistinguishedName, PDCEmulator

Now we know what the PDC server is, we can set up time synchronization to use an external time source. Log on to your DC hosting the PDC, open an elevated PowerShell window and type:


w32tm /config /manualpeerlist:"uk.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
w32tm /config /update
Stop-Service w32time
sleep(5)
Start-Service w32time
w32tm /resync /rediscover
w32tm /query /source

You should change the above code to a time server in your region. Go here: http://www.pool.ntp.org/en/ to find one.

Now we can configure all the other DCs to use the PDC as their time source. This can be done via an elevated PowerShell window on each DC by using the following:


w32tm /config /syncfromflags:domhier /reliable:no
w32tm /config /update
Stop-Service w32time
sleep(5)
Start-Service w32time
w32tm /resync /rediscover
w32tm /query /source

And that’s it. The best way to configure time synchronization in an all-virtual environment.

If you have any questions or thoughts, drop a message below.

Exit mobile version