The problem is the bleeding obvious: the time on the domain controller (which holds the PDC role as it is the only domain controller in my miniature network) is not correctly synchronized anymore after a while. I noticed that it starts with small deviations at first, but very soon, this accumulates to very large deviations. The skew between the "real time" and the DC's time seems to increase in a nonlinear fashion. Also, the DC uses bridged networking, so external time sources such as "time.windows.com" are reachable at all times.
I still have to figure out if this is due to the fact that this is a virtualized domain controller on VMware Server; I cannot remember seeing this problem elsewhere (not on a VMware ESX or on physical installations of a domain controller). Anyway, here is the solution to the problem; you might find it useful at a given point in time:
- First of all, inside the virtual machine, ensure that the option "Time synchronization between the virtual machine and the host operating system" is disabled. In my setup, this could potentially lead to a loopback since the host OS is in fact a member of the domain of which it is hosting the domain controller (and PDC emulator) in a virtual machine.
- Secondly, I had not configured the domain controller to use an external time source. The procedure is detailed in Microsoft's Knowledge Base article 816042, but in essence, it comes down to setting the following registry values under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\:
  - Parameters\Type = "NTP"
  - Parameters\NtpServer = "time.windows.com,0x1"
  - Config\AnnounceFlags = "5"
  - TimeProviders\NtpServer\Enabled = "1"
  - TimeProviders\NtpClient\SpecialPollInterval = "60"
- Finally, you need to restart the W32Time service at the domain controller using net stop W32Time followed by net start W32Time.
On your clients, use w32tm /resync to reset the time according to your domain controller (you can also use this command at the domain controller to immediately poll the NTP server you specified).
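
The steps above as a script that first audits the W32Time values and only writes them when asked to. This is an added example, not part of the original post. The -Apply switch and the output labels are made up for this example, the DWORD types for the numeric values are taken from KB 816042, and the script assumes an elevated PowerShell session on the domain controller.

```powershell
# Added example: audit (and with -Apply, set) the W32Time values listed above.
# Without -Apply the script only reports drift and measures the clock offset.
param([switch]$Apply)   # hypothetical switch name, chosen for this example

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Desired state from the list above; value types follow KB 816042.
$desired = @(
    @{ Key = 'Parameters';              Name = 'Type';                Value = 'NTP';                  Kind = 'String' }
    @{ Key = 'Parameters';              Name = 'NtpServer';           Value = 'time.windows.com,0x1'; Kind = 'String' }
    @{ Key = 'Config';                  Name = 'AnnounceFlags';       Value = 5;                      Kind = 'DWord' }
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';             Value = 1;                      Kind = 'DWord' }
    @{ Key = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval'; Value = 60;                     Kind = 'DWord' }
)

$changed = $false
foreach ($d in $desired) {
    $path    = Join-Path $base $d.Key
    $props   = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $current = $props.($d.Name)          # $null when the value does not exist

    if ("$current" -eq "$($d.Value)") {
        Write-Host "OK     $($d.Key)\$($d.Name) = $current"
        continue
    }
    Write-Host "DRIFT  $($d.Key)\$($d.Name): found '$current', expected '$($d.Value)'"
    if ($Apply) {
        # -Force overwrites an existing value and also fixes a wrong value type.
        New-ItemProperty -Path $path -Name $d.Name -Value $d.Value `
            -PropertyType $d.Kind -Force | Out-Null
        $changed = $true
    }
}

if ($changed) {
    # Same restart and resync as in the procedure above.
    net stop W32Time
    net start W32Time
    w32tm /resync
}

# Three offset samples against the configured source; offsets that keep
# growing between runs mean the drift described above is still present.
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly
```

Running it again some hours after applying the settings shows whether the offset against time.windows.com stays small or starts to grow again.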