Jan 22 2009
Virtualizing the DC: Windows Time Sync & Hyper-V Powered Domain Controller dilemma
So, why would somebody want to run a Hyper-V virtual server with the Domain Controller role in production? There are lots of reasons, but the main one is simple: it’s a cool thing.
Domain Controllers and Global Catalog servers are not resource-hungry machines in a small to medium organization. The Global Catalog data store is not huge if you have only a few OUs and a couple of hundred objects (groups, users, computers, GPOs and other Active Directory objects). If we are talking about a geographically spread organization with multiple domains and Global Catalog replication across the forest, it is wiser to stay on physical machines, but for the sake of this article we will assume that you either administer the infrastructure of a small to medium sized business, want a secondary DC in your network (a great candidate for a virtual Domain Controller) or just want to be cool (like I am 8-)).
It is kind of strange to think that all computers on your network (both servers and clients) are members of a domain which is controlled from a virtual server, not to mention that even the Hyper-V host machine is a member of the same domain… Really freaks you out, doesn’t it? Well, putting the fears aside, this scenario is actually doable, and not only that, it even works.
So, there we have our freshly installed Hyper-V guest with your flavor of choice of server OS that can be promoted to a Domain Controller (Windows Server 200X Standard will do the job). After dcpromo and the installation of the other Active Directory services you need (DNS, DHCP, etc.), join the clients to the newly created domain (yes, including the Hyper-V host). You may now start securing your network resources and shares via AD security groups, play with GPOs to restrict Solitaire for “Mister Big Boss NO Salary Increases All People Are Resources”’s secretary, disable right-clicking and context menus for the accounting department and, of course, replace the default Windows start-up sound with your “favorite” track. If you lack inspiration, check here for a TOP20 built by Rolling Stone Magazine (personal favorites from the menu would be number 7, James Blunt – sorry ladies – and number 11, Aqua). James Blunt, however, will create a very depressive atmosphere in the office each morning when everybody starts up their PCs.
Everything is just perfect, and time quickly passes by, until one day “Mister Tight Ass Beer Sucks Outlook Freak”, who happens to be your sorry excuse of a manager, tells you that “Mister Big Boss NO Salary Increases All People Are Resources” missed a very important meeting with some potential customers because the time on his laptop is 24 minutes behind. “Mister Tight Ass Beer Sucks Outlook Freak” checked, and the time is indeed 24 minutes behind. You are assigned to solve this mystery.
As the skillful IT PRO that you are, you have absolutely no fucking idea what is going on, so you ask your mentor, your friend, the one who’s been by your side in the toughest situations and never let you down, the Oracle, the holder of all humanity’s knowledge, “The Program”. The Google. If you are lucky you find this post and things are solved; however, chances are that you don’t. You learn first that each machine that is a member of a domain regularly synchronizes its time with the domain controller. Which is true, and it has to: Kerberos rejects tickets when a client’s clock is more than five minutes off the DC’s (the default tolerance), so a 24-minute skew breaks logons and share access, not just the calendar. You can tell from the huge number of results Google is displaying stating the same. Good.
Firing up the remote console and changing the time on the virtual DC will not fix it. As soon as you click Apply, the clock will revert to the old time within a second or two (if you’re lucky, but you’re not, because otherwise you would have found this post). Trying again is like sending another job to a powered-off printer queue. Try it 20 more times and the barrier between you and the stupid accountant who wore an “I hack stuff” T-shirt last casual Friday will be barely distinguishable.
The problem comes from the Hyper-V host. The Hyper-V host can offer several services to its guests, available after the installation of Hyper-V Integration Services on the guest machine. One of those services is “Time Synchronization”. What is happening is simple: the Hyper-V guest with the DC role is syncing its time with the host machine every few seconds. At the same time, the host (a member of the domain) is syncing its time with the virtual DC every X minutes (X depends on whether the last sync was successful). Neither side has an authoritative source, so the two clocks simply confirm each other’s drift, and anything you set by hand on the DC is overwritten by the next push from the host.
To break this loop you must tell the DC not to sync its time with the Hyper-V host. To do this, on the Hyper-V host open Server Manager, go to Roles ==> Hyper-V ==> Hyper-V Manager, select your virtual DC and click Settings from the context menu (yes, if you didn’t filter the “No right click for n00bs” GPO to the Accounting group and instead linked it to the parent domain OU for all Authenticated Users, ask The Google; maybe it will get you to this post, but that’s another story)… Where were we? Ah! In the settings of your Hyper-V virtual DC. In the left menu pane (near the bottom) find Integration Services, deselect Time Synchronization and click OK. A virtual machine restart is not required.
At this point you can change the time on your DC and it will stay changed… Ha! Worked like a charm. Shortly after, all the clients will get the correct time from the DC. This is fine, but you will want some automation for updating the time on the virtual DC, because right now the only source your DC has for the correct time, and for passing it on to its clients, is you.
Therefore, the following registry entries will redirect your DC to sync its time from an external network time protocol (NTP) server. If you have internet access from your LAN, modify the following registry values on your Domain Controller (on the one holding the PDC emulator role if you have more than one, since that is the DC the other DCs follow):
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type”: change the value to “NTP”
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags”: change the value to “5” (advertise this DC as a reliable time source)
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled”: change the value to “1” (the value to edit is the “Enabled” DWORD under the NtpServer key; this turns on serving time to the domain members)
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer”: change the value to “time.windows.com,0x1” (the “,0x1” flag means “poll at SpecialPollInterval”; pick an NTP server you trust, because every Kerberos clock in the domain will follow it)
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval”: change the value to “3600” decimal (poll once an hour)
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection”: change the value to “3600” decimal
- “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection”: change the value to “3600” decimal (together with the previous value: refuse to apply any correction larger than one hour in either direction, so a wildly wrong sample from a broken or hostile time source is ignored instead of applied; the 24 minutes from our story are comfortably inside the limit)
- quit regedit and, from cmd, run: “net stop w32time && net start w32time”
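The same procedure as a script, with the check a practitioner would run afterwards. This is an added example and not part of the original post. It assumes the guest runs Windows Server 2008 or later (w32tm /query is not available on Server 2003), that the NTP peer time.windows.com is just a placeholder for a server you trust, and that the host-side cmdlets at the end exist only with the Hyper-V PowerShell module on Windows Server 2012 or later (on 2008 use the Settings ==> Integration Services checkbox described above). The VM name DC01 is a placeholder.

```powershell
# Run as administrator on the virtual DC (guest side).
$Peer = 'time.windows.com,0x1'   # placeholder; use an NTP server you trust
$W32  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. Point w32time at an external peer and advertise the DC as reliable.
#    Equivalent to Parameters\Type=NTP, Parameters\NtpServer=$Peer, Config\AnnounceFlags=5.
w32tm.exe /config /manualpeerlist:$Peer /syncfromflags:manual /reliable:yes /update | Out-Null

# 2. Serve time to the domain members, poll hourly, reject jumps larger than one hour.
Set-ItemProperty -Path "$W32\TimeProviders\NtpServer" -Name Enabled             -Value 1    -Type DWord
Set-ItemProperty -Path "$W32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 3600 -Type DWord
Set-ItemProperty -Path "$W32\Config" -Name MaxPosPhaseCorrection -Value 3600 -Type DWord
Set-ItemProperty -Path "$W32\Config" -Name MaxNegPhaseCorrection -Value 3600 -Type DWord

# 3. Belt and braces: the Hyper-V time provider inside the guest. This key is
#    created by Integration Services (it is the "third folder" the comments below
#    talk about); disabling it here is an assumption-labelled extra on top of the
#    host-side checkbox and is harmless if the key does not exist.
$Vmic = "$W32\TimeProviders\VMICTimeProvider"
if (Test-Path $Vmic) {
    Set-ItemProperty -Path $Vmic -Name Enabled -Value 0 -Type DWord
}

# 4. Restart the service and force a sync, instead of waiting an hour.
Restart-Service w32time
w32tm.exe /resync /nowait | Out-Null
Start-Sleep -Seconds 5

# 5. Verify. The source must be the NTP peer; "Local CMOS Clock" means the DC is
#    free-running, and a VM IC provider string means the host is still feeding it.
$Source = (w32tm.exe /query /source) -join ''
w32tm.exe /query /status
if ($Source -notmatch 'time\.windows\.com') {
    Write-Warning "Time source is '$Source'; the DC is still not following the NTP peer."
}

# --- Host side (Hyper-V PowerShell module, Windows Server 2012 or later) ---
# Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
# Get-VMIntegrationService     -VMName 'DC01' -Name 'Time Synchronization'   # Enabled should read False
```

The check in step 5 is the part worth keeping around: a DC that reports “Local CMOS Clock” as its source will happily hand out wrong time to every domain member, and nothing in the event log screams about it until Kerberos starts failing.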
There you go… Now “Mister Big Boss NO Salary Increases All People Are Resources” will never miss an appointment again. And you are once again the IT hero… but still, no salary increase.
Woot, I loved the style of this article ^^
well done! that was funny but solved my problem.
Style is amusing to read, content clears up an essential part of the “chicken and egg” paradox of a W2K8 core server parent and its subsequently starting virtual W2K8 child trying to be a good DC. It helped! Thanks a lot.
Outstanding article. I found it after 2 hours of research and was exactly what I needed to send me in the right direction.
A very similar solution exists for Virtual Server 2005 users (like me). There’s a “Host time synchronization” checkbox under the Virtual Machine Additions section of each virtual machine.
Fred – thanks for the tip. That setting is hidden away and took some finding. MS were telling me I needed to edit each .vmc file.
PERFECT !!!! Best written article I’ve read in a long time
The problem we’ve found is that after the DC reboots, Hyper-V puts in a half-ass entry for the NTP source, crashing the w32time service.
On the client, in HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders
delete the 3rd folder (not NtpClient or NtpServer). Then start the time service and it’s fine, until the next reboot.
Definitely have the time sync with host option turned off, and it stays off.
Thanks, the MS site was no help. I would never have thought of checking for time sync between the guest and host OS.
Thanks again for the information.
I wanna be cool!
I’ve created a VM DC on my Hyper-V host; it works and can get to the web. Created a 2nd VM and joined it to the domain. But when I try joining the host to the domain, I get a “cannot find the path” error.
??? Thoughts?
DNS errors…DNS ERRORS!! Arrr…got it working, so you can disregard my last post.
Now I’m cool, too!
In step 3. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer” change value to “1“
What value are we changing?