Time Sync on virtualized DCs: My experience

Here are the notes I came up with after researching and building VM DCs infrastructure for a customer.

1. Disable VM Host Time Provider on all DCs via the following registry fix:

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

2. Create GPO that only applies to the PDC emulator with the settings to sync time externally:

WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5

(it will prompt with error on 2012R2 but will still work)

Open the GPO for edit and go to: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, then Configure Windows NTP Client policy plus Enable Windows NTP Client policy. Set NTP Sync Time to:

0.pool.ntp.org,0x1 1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 time.nist.gov,0xa

(NtpServer contains a space-delimited line of time source servers with the format: Name-or-IP,server-flag)

3. Disable external NTP provider on Hiper-V Hosts. Set “Windows Time” service To Auto (was set to Manual on Hosts for some reason)

4. Join Hyper-V Hosts to the Domain.

5. Don’t disable VM Host Time provider on other VM Servers (Domain members)

6. Don’t disable VM Host Time Provider on 2012R2 template image.

7. Now the Time resolution flow is:

Non-DC: VM Guest Server => Host Server=>DC=>PDC=>External NTP Provider

DC: VM Guest Server => PDC=>External NTP Provider

WS or other Non-VM Domain Members: DC=>PDC=>External NTP Provider

8. Use these commands for testing:

w32tm /query /status

w32tm /query /source

w32tm /query /configuration

w32tm /monitor

Question: “I thought there was a way to have your cake and eat it, too – you could “partially” disable the VM Host Time Provider after the OS started up (a registry change) but still have the VM Host Time Provider available for initial boot of the VM.”

That’s exactly it – look under my step #1 – it’s a registry change on all DCs…. So Guest=>Host time sync is only disabled on OS level, while still enabled inside the integration services and take care of any reboot situations.



Leave a Reply