Sunday, October 6, 2013

Notes on how to configure an external NTP time source for a VMware ESXi 5.1 Active Directory PDC emulator domain controller

I’ve been asked several times over the past year how to properly configure the Active Directory domain controller that holds the PDC Emulator FSMO role to sync with an external time source rather than relying on the synchronization between the virtual machine’s VMware Tools and the ESXi host.  As most AD administrators know, time is extremely important because of how Kerberos authentication works. I won’t go into the details of Kerberos and the TGT process, but for those who are interested, see the following TechNet article:

Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx

The bottom line when looking at the importance of time in Active Directory is that a domain controller will, by default, only tolerate 5 minutes of clock skew between itself and the client that is authenticating (the Kerberos policy setting “Maximum tolerance for computer clock synchronization”); if the client’s clock is off by more than that, authentication fails.  I’ve come across many virtual environments where authentication problems occur because time is not configured properly, so I thought I’d just dump all of my notes in a blog post, as I don’t always remember them myself.

VMware outlines time management in the following KB:

Timekeeping best practices for Windows, including NTP (1318)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318

In the context of PDC emulators, there are essentially 2 methods:

  1. Synchronize it with the ESXi host’s clock via VMware Tools
  2. Synchronize your PDC emulator with an external time source on the internet

Both of these methods have their advantages and drawbacks, but whichever you pick, only one of them should be steering the guest clock; having VMware Tools and the Windows Time service both correcting the same clock is a common cause of the drift you are trying to avoid.  For this blog post I will put down my notes on option #2, which is to synchronize the PDC emulator with an external time source.

Begin by determining which domain controller holds the PDC emulator role with the netdom query fsmo command, then log onto that server and run:

w32tm /query /configuration

You should see an output similar to the following:

C:\>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

C:\>


Notice the Type under the NtpClient provider is listed as: Type: NT5DS (Local).  NT5DS means the machine takes its time from the domain hierarchy; the PDC emulator sits at the top of that hierarchy and has nothing above it to sync from, which is exactly why it needs an explicit external source.  The VMICTimeProvider entry is the Hyper-V integration services provider and does nothing on an ESXi host.

To change the provider to an external time source such as the pooled NTP servers available from the project below (note that plain NTP from the pool is unauthenticated UDP on port 123, so scope the outbound firewall rule to the PDC emulator’s address rather than opening UDP 123 for the whole server subnet; the other domain controllers and members keep taking time from the domain hierarchy):

NTP Pool Project
http://www.pool.ntp.org

… execute the following:

w32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org /syncfromflags:manual /reliable:yes /update
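The same change as a PowerShell script, added here as an example rather than taken from the original post. Two things it does differently from the one-liner above: it refuses to run on anything other than the PDC emulator (a box marked /reliable:yes that is not the PDC emulator will advertise itself as a good time source to the domain), and it passes the peer list in the space-delimited, quoted form that Microsoft’s w32tm documentation describes, with the ,0x8 suffix that forces client mode against each peer. It assumes an elevated session on the PDC emulator and that netdom.exe is present; the pool host names are the ones used in the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the domain controller you believe holds the PDC emulator role.

# Peer list in the documented space-delimited form; ",0x8" = client mode only.
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8'

# Guard: only the PDC emulator should be marked /reliable:yes.
$pdcLine = (netdom query fsmo) -match '^PDC\s'
$pdc     = ($pdcLine -split '\s+')[1]
if (-not $pdc -or $pdc -notlike "$env:COMPUTERNAME.*") {
    throw "PDC emulator is '$pdc', not this host ($env:COMPUTERNAME); run this on the PDC emulator only."
}

# Point W32Time at the external peers, mark this DC as a reliable source
# for the rest of the domain, and commit the change to the registry.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update

# The service re-reads its peer list on restart; then force an immediate
# resync that rediscovers the peers instead of waiting for the next poll.
Restart-Service w32time
w32tm /resync /rediscover

# Each pool host should show up as its own peer here. If the whole string
# appears as a single peer, the list separator was wrong.
w32tm /query /peers
w32tm /query /source
```

If the PDC emulator role is ever transferred, repeat this on the new holder and put the old one back on the domain hierarchy with w32tm /config /syncfromflags:domhier /reliable:no /update followed by a service restart.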


Now when you execute:

w32tm /query /configuration

… you should see the following:

C:\>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

C:\>


With the NTP settings configured on the PDC emulator, the next step is to disable time synchronization between VMware Tools and the ESXi host for the PDC emulator virtual machine.  The following KB outlines the procedure:

Disabling Time Synchronization (1189)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

What you basically need to do is as follows:

Shut down the virtual machine, edit its settings, and navigate to Options –> General –> Configuration Parameters:


Then add the following:

tools.syncTime = 0

time.synchronize.continue = 0

time.synchronize.restore = 0

time.synchronize.resume.disk = 0

time.synchronize.shrink = 0

time.synchronize.tools.startup = 0

time.synchronize.tools.enable = 0

time.synchronize.resume.host = 0


Note that when you add the row tools.syncTime = 0, it disappears from the list.  As the VMware KB states, if you open the VMX file you should see the parameter stored as tools.syncTime = "FALSE".
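The same eight parameters applied with PowerCLI instead of the vSphere Client, as an added example that is not part of the original post or of VMware’s KB. It assumes PowerCLI is installed, Connect-VIServer has already been run against the vCenter or ESXi host, and that the VM name DC01 is a placeholder. It refuses to touch a powered-on VM, because the post’s procedure (and the KB) applies the change to a powered-off VM so the .vmx is picked up at the next power-on, and it reads every value back so a silently skipped key shows up as a warning.

```powershell
# Added example, not from the original post. Requires VMware PowerCLI and
# an existing Connect-VIServer session. $vmName is a placeholder.
$vmName = 'DC01'

$vm = Get-VM -Name $vmName
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName is $($vm.PowerState); shut it down first so the .vmx change applies at next power-on."
}

# Same keys and values as KB 1189. tools.syncTime is stored as "FALSE";
# the time.synchronize.* keys are stored as "0".
$settings = @{
    'tools.syncTime'                 = 'FALSE'
    'time.synchronize.continue'      = '0'
    'time.synchronize.restore'       = '0'
    'time.synchronize.resume.disk'   = '0'
    'time.synchronize.shrink'        = '0'
    'time.synchronize.tools.startup' = '0'
    'time.synchronize.tools.enable'  = '0'
    'time.synchronize.resume.host'   = '0'
}

foreach ($name in $settings.Keys) {
    # -Force overwrites an existing value of the same name; -Confirm:$false
    # suppresses the per-setting prompt.
    New-AdvancedSetting -Entity $vm -Name $name -Value $settings[$name] -Force -Confirm:$false | Out-Null
}

# Read everything back; a mismatch here means the step did not take.
foreach ($name in $settings.Keys) {
    $actual = (Get-AdvancedSetting -Entity $vm -Name $name).Value
    if ("$actual" -ne $settings[$name]) {
        Write-Warning "$name is '$actual', expected '$($settings[$name])'"
    } else {
        "$name = $actual"
    }
}
```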

With these configurations completed, ensure that the time is correct and do a simple test: change the clock to an incorrect value, wait a few minutes, and make sure that it reverts to the correct time.  Also check that the other domain controllers now report the PDC emulator as their time source rather than their own local clock.
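A repeatable version of that check, added here as an example and not part of the original post. Run it in an elevated PowerShell session on the PDC emulator after both the w32tm and VMware Tools changes. It confirms the PDC emulator is actually following an NTP peer rather than its own CMOS clock or a hypervisor provider, measures the offset against each peer with w32tm /stripchart, and finishes with w32tm /monitor so every other DC’s offset and reference can be eyeballed in one table. The peer names and the one-second threshold are the example’s own choices.

```powershell
# Added example, not from the original post. Elevated session on the PDC
# emulator. Peer names and $MaxOffsetSeconds are this example's assumptions.

function Test-PdcTimeSync {
    param(
        [string[]] $Peers = @('0.pool.ntp.org', '1.pool.ntp.org'),
        [double]   $MaxOffsetSeconds = 1.0
    )
    $ok = $true

    # 1. The PDC emulator must be following an NTP peer, not itself.
    $source = (w32tm /query /source | Out-String).Trim()
    "Current source: $source"
    if ($source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider') {
        Write-Warning 'PDC emulator is not using an NTP peer; check w32tm /query /peers and UDP/123 egress.'
        $ok = $false
    }

    # 2. Offset against each peer. /dataonly prints one line per sample in
    #    the form "HH:MM:SS, +00.0123456s"; take the worst absolute value.
    foreach ($peer in $Peers) {
        $lines   = w32tm /stripchart /computer:$peer /samples:3 /dataonly 2>&1
        $offsets = foreach ($l in $lines) {
            if ("$l" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
        }
        if (-not $offsets) {
            Write-Warning "No NTP response from $peer (DNS, UDP/123 egress, or the peer is down)."
            $ok = $false
            continue
        }
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        '{0}: worst offset {1:N3}s over {2} samples' -f $peer, $worst, $offsets.Count
        if ($worst -gt $MaxOffsetSeconds) {
            Write-Warning "$peer offset exceeds $MaxOffsetSeconds s; the clock has not converged yet."
            $ok = $false
        }
    }

    # 3. Domain-wide view: every other DC should list this host as RefID
    #    with a small offset; a DC showing its own name is not following us.
    w32tm /monitor

    return $ok
}

Test-PdcTimeSync
```

If step 2 times out while step 1 looks healthy, the PDC is most likely still coasting on its last good sample; use the PortQry tools listed below (portqry -n 0.pool.ntp.org -e 123 -p udp) to confirm the UDP path out before touching the W32Time configuration again.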

The following are a few other sites that I find useful for configuring time:

The w32tm command’s switches:

Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx

A tool that tests an NTP server:

NTP Server Tool
http://www.ntp-time-server.com/ntp-server-tool.html

Microsoft’s tools for testing ports (handy for confirming that outbound UDP 123 is open and the DC can reach the internet time servers):

PortQry Command Line Port Scanner Version 2.0
http://www.microsoft.com/en-us/download/details.aspx?id=17148

PortQryUI - User Interface for the PortQry Command Line Port Scanner
http://www.microsoft.com/en-us/download/details.aspx?id=24009

2 comments:

Anonymous said...

Been trying to get this right for a month...... doh! Thanks Terence!

Cindy Dy said...

Thank you for putting in the effort to publish this article. You've done a great job! God bless!

Caren
www.gofastek.com