
Server Time Sync

Options
  • 09-03-2013 1:20am
    #1
    Registered Users Posts: 387 ✭✭


    Ok, so this has been bothering me all week!

    We have 2 physical Hyper-V servers running 8 VMs between them. Each physical server has a domain controller on it running in a VM, and all servers are 2008 R2.

    The VM PDC is set to NTP and to sync with time.microsoft.com, and the rest, including the physical servers, are NT5DS.

    When I run w32tm /query /status

    I'm getting VM IC Time Synchronization Provider on both VM DCs. What is that?
    When I look at the events I'm getting an error 12-something or 13-something (I can't remember right now) complaining about DNS, so it looks like my PDC is not getting out?

    I have followed MS details on setting up an external time source and made all registry changes, but I think the DNS is getting me....

    Any thoughts?

    What does VM IC Time Synchronization Provider mean?
    I'm also assuming if I run w32tm /query /status on the PDC it should say the external time source as source?

    Cheers


Comments

  • Registered Users Posts: 387 ✭✭karl bracken


    Thanks for the info.

    I have had a read through them and gave it a go, and when I tried

    w32tm /resync /rediscover

    I got "did not resync because no time data was available" and an event ID 134 in the logs. Any ideas on that?


  • Registered Users Posts: 193 ✭✭kaisersoze


    Have you checked the firewall to see if traffic is flowing?
    It's unlikely a proxy will allow port 123 traffic, which is required for NTP.
    So you need to make sure there are correct routes and NAT to get out to the NTP server you have configured.

    The other thing you could consider is having a time server on the network, syncing to it, and having it update every x minutes.


  • Registered Users Posts: 387 ✭✭karl bracken


    On further inspection I can see an inbound rule for UDP 123,

    Active Directory Domain Controller - W32Time (NTP-UDP-In) calling %systemroot%\System32\svchost.exe

    But no outbound rule. I'm assuming I need both set up, which I will do in work tomorrow.

    For the outbound, should it not be calling %systemroot%\System32\w32tm.exe?

    In the specified profiles (Domain, Private, Public), should I leave Public unticked?
    You also mentioned NTP; do I need to set another rule for that as well?

    Cheers.


  • Registered Users Posts: 193 ✭✭kaisersoze


    I don't know what firewall you have.

    In general, I wouldn't concern yourself about the inbound rules. The request for time is initiated outbound from the server.

    If I were you, I would temporarily allow all traffic to the time source and filter the logs to see what's going on.

    I suspect your problem is a NAT issue.

    Do a trace route or ping to the time source and see how it's getting there.

    It's likely your server is trying to go out via the default route.

    By allowing all traffic from the DC, you should be able to follow the traffic and see what rules you need to allow outbound. But don't modify your inbound rules. There should be no need.

    The rule will look something like this:

    dc to ntp server permit port 123

    As your DC is using a private internet address you will probably need a NAT, which will look something like this:

    if dc tries to access ntpserver.com mas behind public address

    Hope it makes sense.


  • Registered Users Posts: 387 ✭✭karl bracken


    Hey Kaiser,

    Thanks for the info. Unfortunately some of the info is a little over my head, and I have been training all week so did not get as much time as I would have liked to look into your suggestions. I did get a chance to run a few commands and test some things; maybe this may help in solving my issue! We use a Windows firewall, prob should have mentioned that.

    On the VM PDC I checked the Windows firewall and there was no outbound UDP 123, so I set one up to call System32\w32tm.exe. Is this correct?

    On the VM which is the PDC today I ran:

    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes
    w32tm /config /update
    w32tm /resync
    w32tm /resync /rediscover and start and stop

    All said successful, but when I ran w32tm /query /status I still had a source of "vm ic time synchronization provider".
    In the registry 0.pool.ntp.org,0x1 is now the value for NTP Server. I can ping 0.pool.ntp.org from the PDC but still can't ping time.windows.com, which I thought was strange!

    The time is being set by one of the hosts, I am sure of that, but it is set to NT5DS and /query /status is telling me it's using the PDC. Do I need to run some commands on the host to get it to resync to the VM PDC?

    I have seen the reg add command

    reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

    and I assume this needs to be done on all DCs including the PDC?
    I am wondering, does the w32tm /config /syncfromflags:DOMHIER /update also need to be run on the PDC or just all other DCs?

    Thanks for your time, pardon the pun!


  • Registered Users Posts: 193 ✭✭kaisersoze


    It's possible the VM tools is syncing the time with the physical host?

    Try syncing with time.tcd.ie

    I would suggest using the VM IP address in firewall rules and allowing DCs and VMs to sync locally from the physical hosts.


  • Registered Users Posts: 387 ✭✭karl bracken


    Thanks for all the advice. I think I finally have it, but I will leave it for a few days to confirm and then I will update with what I did to fix it.


  • Registered Users Posts: 387 ✭✭karl bracken


    I have finally got it working!
    The goal of this is to help people out who are starting at the beginning of setting a domain's time.

    In this example all servers, the Primary Domain Controller (PDC), other Domain Controllers (DCs) and other servers, are running Windows 2008 R2 and are virtualised with Hyper-V.

    First things first: you will read to disable the 'Time Synchronization Integration Service' on any virtual machine within Hyper-V, but instead you should manipulate the Windows Time Service (w32tm service) from within the virtual DC. You should not disable this, because when a VM restarts this will cause problems; it should be done with w32tm.
    http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

    You will need to find out which server is the PDC and running the FSMO roles. Run this:
    netdom query fsmo
    The result should be your PDC, and this is where you make most of your changes.

    Make sure in the firewall there is an "Outbound" rule on UDP 123 and the program is %SystemRoot%\System32\w32tm.exe; just browse to the Windows directory and find the exe for time.

    This is where the registry changes go down!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time

    Make sure the PDC, under Config in the above registry address, is set to NTP for "Type" and all other servers are NT5DS; this means NTP is the daddy!
    Best practice here is to have the PDC look externally for time and everything sync to it.

    Run this on all domain controllers (including the PDC). It will partially disable Windows time so it does not look at the host machine for time, important because we are virtualised.
    reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

    You can go to the ntp.org site http://support.ntp.org/bin/view/Servers/WebHome
    to find a server closest to you to sync your external time. I recommend not using Microsoft as they are heavily used and can slip out because of this.

    The command below will set the PDC to look externally, but also check the registry settings as defined here to sync externally (you need to do both):
    http://support.microsoft.com/kb/816042

    Run this on the PDC:
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes
    w32tm /config /update
    w32tm /resync
    w32tm /resync /rediscover

    Run these 2 commands at any time on any server to see their source and when they last updated. These will be used throughout this exercise to make sure your PDC and other servers are getting time from the right place:
    w32tm /query /status
    w32tm /query /source

    Then run this on all DCs except the PDC. It will make them look at the PDC for time and resync to it:
    w32tm /config /syncfromflags:DOMHIER /update
    net stop w32time
    net start w32time
    w32tm /resync /force

    Issues:
    When you run the status or source query, give them a minute or 2 after changes. You should not be looking at the Local CMOS Clock, and you should not be using vm ic time synchronization provider as source either.

    If successful, the PDC should read the external site you have set and the other servers should say the PDC as source.

    Hope this helps people. Good luck!
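As an added example, not code from the thread or from its author, the following PowerShell script is a read-only check of the end state the post above describes: the Type value (NTP on the PDC, NT5DS elsewhere), the NtpServer peer list, VMICTimeProvider\Enabled set to 0, the live source from w32tm /query /source (neither "Local CMOS Clock" nor "VM IC Time Synchronization Provider"), and an enabled outbound UDP 123 rule on the PDC. It assumes Windows Server 2008 R2 or later with PowerShell 2.0+, run from an elevated prompt on the server being checked; the -IsPdc switch and the script itself are my additions. One detail the post states loosely: Type and NtpServer are values under the Parameters subkey of the W32Time key it names, and that is where the script reads them. The firewall rule is parsed from netsh output rather than the NetSecurity cmdlets because those cmdlets do not exist on 2008 R2.

```powershell
# Added example (not from the thread): read-only check of the domain time hierarchy.
# Assumes Server 2008 R2+ and an elevated prompt on the server being checked. Changes nothing.
# Usage: .\Check-DomainTime.ps1            (on an ordinary DC or member server)
#        .\Check-DomainTime.ps1 -IsPdc     (on the PDC emulator reported by "netdom query fsmo")
param(
    [switch]$IsPdc
)

$w32time  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$problems = @()

# 1. Sync type lives under W32Time\Parameters: NTP on the PDC, NT5DS (domain hierarchy) everywhere else.
$params       = Get-ItemProperty "$w32time\Parameters"
$expectedType = if ($IsPdc) { 'NTP' } else { 'NT5DS' }
if ($params.Type -ne $expectedType) {
    $problems += "Parameters\Type is '$($params.Type)', expected '$expectedType'"
}

# 2. The PDC needs an external peer list, e.g. the 0.pool.ntp.org,0x1 value the post uses.
if ($IsPdc -and [string]::IsNullOrEmpty($params.NtpServer)) {
    $problems += 'Parameters\NtpServer is empty; the PDC has no external time source configured'
}

# 3. Hyper-V integration provider must be disabled so the guest does not take time from the host.
$vmic = Get-ItemProperty "$w32time\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
if ($vmic -eq $null -or $vmic.Enabled -ne 0) {
    $problems += 'TimeProviders\VMICTimeProvider\Enabled is not 0'
}

# 4. Live source as the service reports it. The post says neither of these two is acceptable.
$source = ((& w32tm /query /source) -join ' ').Trim()
if ($source -match 'Local CMOS Clock|VM IC Time Synchronization Provider') {
    $problems += "w32tm /query /source reports '$source'"
}

# 5. On a non-PDC machine the source should be the PDC itself; read its name from netdom.
if (-not $IsPdc) {
    $pdcLine = (& netdom query fsmo 2>$null) | Where-Object { $_ -match '^PDC\s+\S+' } | Select-Object -First 1
    if ($pdcLine) {
        $pdcHost = (($pdcLine -split '\s+')[1] -split '\.')[0]   # short host name from the FQDN
        if ($source -notmatch [regex]::Escape($pdcHost)) {
            $problems += "source '$source' is not the PDC ($pdcHost)"
        }
    }
}

# 6. On the PDC, look for an enabled outbound UDP rule allowing port 123 (or any port).
#    Each rule in "netsh advfirewall firewall show rule" output starts with "Rule Name:".
if ($IsPdc) {
    $blocks = ((& netsh advfirewall firewall show rule name=all verbose) -join "`n") -split 'Rule Name:'
    $ntpRules = $blocks | Where-Object {
        $_ -match 'Enabled:\s+Yes'      -and
        $_ -match 'Direction:\s+Out'    -and
        $_ -match 'Protocol:\s+UDP'     -and
        $_ -match 'RemotePort:\s+(123|Any)' -and
        $_ -match 'Action:\s+Allow'
    }
    if (-not $ntpRules) {
        $problems += 'no enabled outbound UDP 123 allow rule found in Windows Firewall'
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: Type=$($params.Type), source='$source'"
    exit 0
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" }
exit 1
```

Run it on the PDC with -IsPdc after the w32tm commands from the post, then without the switch on each other DC once they have had the minute or two the post mentions to pick up the new source; a non-zero exit code means at least one of the post's checks failed.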

