Aperture

So, why will somebody want to run a Hyper-V Virtual Server with Domain Controller role in production? There are lots of reasons, but the main one is simple: It’s a cool think.

Domain Controllers & Global Catalog Servers are not resource hungry machines in case of small-medium organization. Global Catalog data store is not huge if you have only a few OUs & couple of hundreds objects (groups, users, computers, GPOs and other Active Directory objects).  If you talk about geographically spread organization with multiple domains and Global Catalog replications within the forest, it’s wiser to switch to physical machines, but for the sake of this article we will assume that you either administer the infrastructure of a small-medium sized business, want a secondary DC in your network (great candidate for a Virtual Domain Controller) or you just want to be cool (like I am 8-)).

It is kind of strange to think that all computers on your network (both servers & clients) are member of a domain which is controlled from Virtual Server, not to mention that even the Hyper-V host machine is member of the same domain… Really freaks you out, doesn’t it? Well, putting all the fears aside, this scenario is actually doable, and not only that, it’s even working.

So, there we have our freshly installed Hyper-V Guest with your flavor of choice Server OS that can be promoted to a Domain Controller (Windows Server 200X Standard will do the job). After dcpromo and other needed Active Directory services installation (DNS, DHCP, etc), join clients to newly created domain (yes, including the Hyper-V host). You may start now securing your network resources and shares via AD Security Groups, play with GPOs to restrict Solitaire for “Mister Big Boss NO Salary Increases All People Are Resources”‘s Secretary, disable Right-clicking and contextual menus for the accounting department and of course replace default Windows start-up sound with your “favorite” track. If lack the inspiration, check here for a TOP20 build by Rolling Stone Magazine (personal favorites from the menu will be number 7, James Blunt – sorry ladies – and number 11, Aqua). James Blunt, however will create a very depressive atmosphere in the office each morning when everybody starts up their PCs.

Everything is just perfect, and time quickly passes by, until one day, “Mister Tight Ass Beer Sucks Outlook Freak” who happens to be you sorry excuse of a manager tells you that “Mister Big Boss NO Salary Increases All People Are Resources” lost a very important meeting with some potential customers because the time on his laptop is 24 minutes behind. “Mister Tight Ass Beer Sucks Outlook Freak” checked, and the time is indeed 24 minutes behind. You are assigned to solve this mystery.

As a skillful IT PRO that you are, you have absolutely no fucking idea what is going on so you ask you mentor, your friend, the one who’s been by your side in the toughest situations and never let you down, the Oracle, the holder of all humanity’s knowledge, “The Program”. The Google. If lucky you find this post and things are solved, however, chances are that you don’t. You learn first that each machine member of a domain is synchronizing regularly it’s time with the domain controller. Which is true. You can tell from the huge number of results Google is displaying stating the same. Good.

Firing of the remote console and changing time on the virtual DC will not fix it. As soon as you click Apply for the new time, the clock will revert back to old time within 1 or maybe 2 seconds (if you’re lucky, but you’re not, cause otherwise you would have found this post). If you’ll try again is like sending another job to a powered off printer queue. Try it 20 more times and the barrier between you and the stupid accountant who wore an “I hack stuff” T-shirt on last casual Friday will be barely distinguishable.

The problem comes from the Hyper-V host. Hyper-V host can offer several services to It’s guests, available after the installation of Hyper-V Integration Services on the guest machine. One of those services offered is “Time Synchronization”. What is happening is simple: Hyper-V Guest with DC role is syncing it’s time with the host machine every few seconds. In the same time, the host (member of the domain) is syncing time with the Virtual DC every X number of minutes (X depends whether last sync was successful).

To get rid of this loop you must tell the DC not to sync it’s time with the Hyper-V host. To to this, on the Hyper-V host, open Server Manager, go to Roles ==> Hyper-V select your Virtual DC and click Settings from the contextual menu (yes, if you didn’t filter the “No right click for n00bs” GPO to Accounting group and link-it to parent domain OU for all Authenticated Users, ask The Google maybe will get you to this post, but that’s not about that)… Where were we? Ah! In the setting of your Hyper-V virtual DC. In the left menu pane (down the bottom) find Integration Services, deselect Time Synchronization and click OK. Virtual machine restart is not required.

In this moment you can change the time on your DC and the time will remain changed… Ha! worked like a charm. Shortly after all the clients will get the correct time from the DC. This is fine, but you will want a sort of automation for updating time on the virtual DC, because in this moment the solely source for your DC to get the correct time and pass that to his clients is you.

Therefore, the following registry entries will redirect your DC to sync time. If you have internet access from your LAN you’ll want your DC to sync time from an external network time protocol server (NTP server) for this setup, modify the following registry keys on your Domain Controller:

1. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type” change value to “NTP“
2. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags” change value to “5“
3. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer” change value to “1“
4. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer” change value to “time.windows.com,0×1“
5. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval” change value to “3600” decimal
6. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection” change value to “3600” decimal
7. “HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection” change value to “3600” decimal
8. quit regedit and cmd for: “net stop w32time && net start w32time“

There you go… Now “Mister Big Boss NO Salary Increases All People Are Resources” will never miss an appointment again. And you are once again the IT hero… but still, no salary increase.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.