Sunday, November 4, 2007

Virtualized Domain Controller's time synchronization issues

At home, I use the excellent VMware Server to run my own little network with domain controller and SoftGrid server, like most of us do. Due to circumstances, I regularly reinstall the entire network, and a single problem keeps on recurring: the times on all my computers go nuts after about a week of running properly synchronized. Quite annoying if some of your client PCs have a TV card with a tight recording schedule ;).

The problem is the bleeding obvious: the time on the domain controller (which holds the PDC role as it is the only domain controller in my miniature network) is not correctly synchronized anymore after a while. I noticed that it starts with small deviations at first, but very soon, this accumulates to very large deviations. The skew between the "real time" and the DC's time seems to increase in a nonlinear fashion. Also, the DC uses bridged networking so external time sources such as "time.windows.com" are reachable at all times.

I still have to figure out if this is due to the fact that this is a virtualized domain controller on VMware Server; I cannot remember seeing this problem elsewhere (not on a VMware ESX or on physical installations of a domain controller). Anyway, here is the solution to the problem; you might find it useful at a given point in time:
  • First of all, inside the virtual machine, ensure that the option "Time synchronization between the virtual machine and the host operating system" is disabled. In my setup, this could potentially lead to a loopback since the host OS is in fact a member of the domain of which it is hosting the domain controller (and PDC emulator) in a virtual machine.
  • Secondly, I had not configured the domain controller to use an external time source. The procedure is detailed at Microsoft's Knowledgebase article 816042, but in essence, it comes down to setting the following registry values under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\:
    • Parameters\Type = "NTP"
    • Parameters\NtpServer = "time.windows.com,0x1"
    • Config\AnnounceFlags = "5"
    • TimeProviders\NtpServer\Enabled = "1"
    • TimeProviders\NtpClient\SpecialPollInterval = "60"
  • Finally, you need to restart the W32Time service at the domain controller using net stop W32Time followed by net start W32Time.

On your clients, use w32tm /resync to reset the time according to your domain controller (you can also use this command at the domain controller to immediately poll the NTP server you specified).
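
The registry changes and service restart from the steps above, written as an added PowerShell example (not part of the original post or of KB 816042): it reports which values differ from the ones listed and only writes them when run with -Apply. The -Apply switch and the parameter names are assumptions of this example; the registry paths and values are the ones given in the post.

```powershell
# Added example: audit and (with -Apply) set the W32Time values listed in the post.
# Run from an elevated PowerShell session on the domain controller.
param(
    [switch]$Apply,                                  # hypothetical switch: report only unless set
    [string]$NtpServer = 'time.windows.com,0x1',     # from the post; 0x1 = poll at SpecialPollInterval
    [int]$PollSeconds = 60                           # from the post; the unit is seconds
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$desired = @(
    @{ Key = 'Parameters';              Name = 'Type';                Value = 'NTP';        Kind = 'String' },
    @{ Key = 'Parameters';              Name = 'NtpServer';           Value = $NtpServer;   Kind = 'String' },
    @{ Key = 'Config';                  Name = 'AnnounceFlags';       Value = 5;            Kind = 'DWord'  },
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';             Value = 1;            Kind = 'DWord'  },
    @{ Key = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval'; Value = $PollSeconds; Kind = 'DWord'  }
)

$written = 0
foreach ($d in $desired) {
    $path    = Join-Path $base $d.Key
    $item    = Get-ItemProperty -Path $path -Name $d.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($d.Name) } else { $null }

    if ($null -ne $current -and $current -eq $d.Value) {
        Write-Host ("OK    {0}\{1} = {2}" -f $d.Key, $d.Name, $current)
        continue
    }
    Write-Host ("DIFF  {0}\{1}: current '{2}', wanted '{3}'" -f $d.Key, $d.Name, $current, $d.Value)
    if ($Apply) {
        # -Force overwrites an existing value and sets its type (REG_SZ / REG_DWORD)
        New-ItemProperty -Path $path -Name $d.Name -Value $d.Value -PropertyType $d.Kind -Force | Out-Null
        $written++
    }
}

if ($written -gt 0) {
    # Same effect as "net stop W32Time" followed by "net start W32Time"
    Restart-Service -Name W32Time
    # Poll the configured NTP server now instead of waiting for the next interval
    w32tm /resync
} elseif (-not $Apply) {
    Write-Host 'Report only; run again with -Apply to write the values and restart W32Time.'
}
```

Running it without -Apply after a reinstall shows at a glance whether the domain controller has fallen back to its default time configuration.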

2 comments:

Anonymous said...

For those of you using Virtual Server 2005, there’s a “Host time synchronization” checkbox under the Virtual Machine Additions section of each virtual machine. You may need to uncheck this to solve your problem.

Anonymous said...

You realize the SpecialPollInterval is in seconds, right?

Unless your time drifts extremely fast, 60 seconds seems a little excessive. Why not try 900 (15 min)?