I’ve been asked several times over the past year about how to properly configure an Active Directory domain controller holding the PDC Emulator FSMO role to sync with an external time source, rather than relying on the synchronization between the virtual machine’s VMware Tools and the ESXi host. As most AD administrators know, time is extremely important because of how Kerberos authentication works. I won’t get into the details of Kerberos and the TGT process, but for people who are interested, see the following TechNet article:
Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx
The bottom line when looking at the importance of time in Active Directory is that domain controllers will only tolerate a window of 5 minutes of clock skew for an authenticating client; if the clock of the client is off by more than that, authentication will fail. I’ve come across many virtual environments where authentication problems occur because time is not configured properly, and I thought I’d just dump all of my notes in a blog post as I don’t always remember them myself.
VMware outlines time management in the following KB:
Timekeeping best practices for Windows, including NTP (1318)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318
In the context of PDC emulators, there are essentially 2 methods:
- Synchronize it with the ESXi host’s clock via VMware Tools
- Synchronize your PDC emulator with an external time source on the internet
Both of these methods obviously have their advantages and drawbacks but for this blog post, I will put down my notes on how to perform option #2 which is to synchronize the PDC emulator with an external time source.
Begin by determining which domain controller holds the PDC emulator role by using the netdom query fsmo command, then log onto that server and run:
w32tm /query /configuration
You should see an output similar to the following:
C:\>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
C:\>
Notice the Type under TimeProviders is listed as: Type: NT5DS (Local)
To change the provider to an external time source such as the pooled NTP servers available from:
NTP Pool Project
http://www.pool.ntp.org
… execute the following:
w32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org /syncfromflags:manual /reliable:yes /update
Now when you execute:
w32tm /query /configuration
… you should now see the following:
C:\>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org (Local)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
C:\>
With the NTP settings configured on the PDC emulator, the next step is to disable time synchronization with VMware Tools for the PDC emulator virtual machine. The following KB outlines the procedure:
Disabling Time Synchronization (1189)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
What you basically need to do is as follows:
Shut down the virtual machine, edit its settings, and navigate to Options –> General –> Configuration Parameters:
Then add the following:
tools.syncTime = 0
time.synchronize.continue = 0
time.synchronize.restore = 0
time.synchronize.resume.disk = 0
time.synchronize.shrink = 0
time.synchronize.tools.startup = 0
time.synchronize.tools.enable = 0
time.synchronize.resume.host = 0
Note that when you add the row tools.syncTime = 0, it disappears from the list. As the VMware KB states, if you open the VMX file you should see the parameter inserted as tools.syncTime = "FALSE".
With these configurations completed, ensure that the time is correct and do a simple test: change the time to an incorrect value, wait a few minutes, and make sure that it reverts to the correct time.
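As an added example that is not part of the original post, the following PowerShell script checks the end state the steps above should produce on the PDC emulator: the NtpClient type and peer list, the reliable-source AnnounceFlags value, the VMware Tools time sync state, and the actual clock offset against each pool server. It assumes an elevated prompt on the PDC emulator, VMware Tools installed in its default path, and the four pool.ntp.org peers from the w32tm command above; note that Microsoft documents /manualpeerlist as a space-delimited, quoted list, so the script accepts either separator.

```powershell
# Added audit script (not part of the original post): checks that a PDC emulator
# ended up in the state described above after the w32tm and VMX changes.
# Assumptions: run from an elevated PowerShell on the PDC emulator; VMware Tools is
# installed in its default path; $ExpectedPeers matches the configured peer list.
$ExpectedPeers    = '0.pool.ntp.org','1.pool.ntp.org','2.pool.ntp.org','3.pool.ntp.org'
$MaxOffsetSeconds = 300   # the 5-minute Kerberos tolerance mentioned above
$findings = @()

# 1. Windows Time configuration: NtpClient Type must be NTP (not NT5DS) with the
#    expected peers, and AnnounceFlags 5 marks the DC as a reliable time source.
$cfg = (w32tm /query /configuration) -join "`n"
$type = [regex]::Match($cfg, 'Type:\s*(\S+)').Groups[1].Value
if ($type -ne 'NTP') { $findings += "NtpClient Type is '$type', expected NTP" }
$announce = [regex]::Match($cfg, 'AnnounceFlags:\s*(\d+)').Groups[1].Value
if ($announce -ne '5') { $findings += "AnnounceFlags is $announce, expected 5 (/reliable:yes)" }
# Microsoft documents /manualpeerlist as space-delimited (quoted); commas as used
# in the post are accepted here as well, and ",0x<flags>" suffixes are dropped.
$peerList = [regex]::Match($cfg, 'NtpServer:\s*(.+?)\s*\(Local\)').Groups[1].Value
$peers = @($peerList -split '[ ,]+' | Where-Object { $_ -and $_ -notmatch '^0x' })
foreach ($p in $ExpectedPeers) {
    if ($peers -notcontains $p) { $findings += "Peer $p missing from NtpServer list" }
}

# 2. VMware Tools time sync must report Disabled (tools.syncTime = 0 in the VMX).
$toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) {
    $sync = (& $toolbox timesync status | Out-String).Trim()
    if ($sync -ne 'Disabled') { $findings += "VMware Tools timesync is '$sync', expected Disabled" }
} else { $findings += 'VMwareToolboxCmd.exe not found; check tools.syncTime in the VMX manually' }

# 3. Reachability and offset: w32tm /stripchart queries each peer over UDP 123 and
#    prints one "<time>, <offset>s" line per sample; an error line means no reply.
foreach ($p in $ExpectedPeers) {
    $lines = w32tm /stripchart /computer:$p /samples:3 /dataonly 2>&1
    $offsets = @($lines | ForEach-Object { if ("$_" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } })
    if ($offsets.Count -eq 0) { $findings += "No NTP reply from $p (outbound UDP 123 blocked?)"; continue }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxOffsetSeconds) { $findings += ('Offset vs {0} is {1:N3}s, beyond Kerberos tolerance' -f $p, $worst) }
}

if ($findings.Count -eq 0) { 'PDC emulator time configuration looks correct.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any FINDING line points at a step above that did not take effect; a "No NTP reply" finding is the case the PortQry tools listed below help diagnose.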
The following are a few other sites that I find useful for configuring time:
The w32tm command’s switches:
Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx
A tool that tests an NTP server:
NTP Server Tool
http://www.ntp-time-server.com/ntp-server-tool.html
Microsoft’s tools to test ports (handy for testing the outbound NTP port and ensuring that the DC can get out to the internet):
PortQry Command Line Port Scanner Version 2.0
http://www.microsoft.com/en-us/download/details.aspx?id=17148
PortQryUI - User Interface for the PortQry Command Line Port Scanner
http://www.microsoft.com/en-us/download/details.aspx?id=24009
2 comments:
Been trying to get this right for a month...... doh! Thanks Terence!
Thank you for putting in the effort to publish this article. You've done a great job! Good bless!
Caren
www.gofastek.com