Synchronizing Time on a Forest Root PDC housed within an Entra VM

by info.odysseyx@gmail.com, August 12, 2024

Hi everyone! This is Allan Sandoval from the Directory Services team. We have all experienced many changes since the advent of cloud computing and virtualization, and time synchronization technology (Windows Time) is no exception. Today I want to talk about VMICTimeProvider and its impact on virtual machines (VMs) within an Active Directory Domain Services (AD DS) environment. If your domain members and/or domain controllers (DCs) are virtualized, this article will be helpful.

Typically, on-premises deployments use a Forest Root Primary Domain Controller (PDC) as the time source for all domain client machines and other DCs. This PDC synchronizes time with a configured external time source, and this setup works well for many customers. But what happens when the DCs are virtualized?

VMICTimeProvider allows VMs to synchronize time with the host. This may be useful for some organizations, but you may prefer to synchronize computers from the same time source and maintain your existing AD DS time hierarchy. (What does Microsoft recommend?) If this traditional hierarchy resonates with you, your clients should sync their time with the nearest DC, which in turn should sync its time with the PDC. Azure Virtual Desktops (AVD) syncs with the host by default.

You can query the current configured time provider on any Windows computer using one of the following two commands:

    w32tm /query /source
    w32tm /query /status

Both commands will get you the currently configured time source providers, and if the output says “VM IC Time Synchronization Provider” then your machine is using VMICTimeProvider. If this applies to you and you want to keep the existing AD DS time hierarchy, you will need to disable VMICTimeProvider on the desired VMs.
To do this, you can modify the following registry value, which will effectively disable VMICTimeProvider as a time source on these VMs.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\
    DWORD: Enabled
    Value: 0

The default value of this DWORD is 1. To apply this change to your computer, you must restart the W32Time service. You can do this by using the following commands from an elevated command prompt:

    net stop w32time
    net start w32time

After this, you will need to use the AD DS Windows Time settings you previously configured.

But it doesn’t end there. Nowadays, it’s not uncommon for DCs to be virtualized. In this case, you need to disable VMICTimeProvider on those DCs so that they get their time from the Forest Root PDC. The Forest Root PDC should also be configured this way, so that it gets its time externally from the configured time source instead of syncing with its own host. You can make this change by modifying the same registry key specified above on the DC.

What about physical machines?

For additional benefit, you can also deploy this registry key on bare metal machines. This will prevent the Time-Service periodic informational event ID 158 from being logged in the system event log.

I recommended this method to a customer who was facing an issue where the Windows VM time was jumping around in an on-prem domain. This was happening despite having configured the time settings via a well-configured Group Policy Object (GPO). The virtualized machine did not follow the GPO settings and instead took the time from the host. This is expected behavior and is referenced here:

“w32time prefers time providers in the following priority order: stratum level, root delay, root dispersion, time offset.
In most cases, w32time on an Azure VM prefers host time due to the evaluation it must perform to compare the two time sources.”
(Time synchronization for Windows VMs in Azure – Azure Virtual Machines | Microsoft Learn)

If you want to leverage the existing on-premises AD DS time hierarchy, we recommend disabling VMICTimeProvider. This will cause the machines to not sync time with the host and instead follow the designed time hierarchy, which will ensure that the time across the domain is stable and accurate.

References:

Timing Mechanism for Active Directory Windows Virtual Machines in Azure – Azure Virtual Machines | Mic…

Time synchronization for Windows VMs in Azure – Azure Virtual Machines | Microsoft Learn

Configure an authoritative time server with Group Policy using WMI filtering – Microsoft Community…
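
The check and the registry change described in the article can be scripted together. The following PowerShell is an added example, not code from the original post; the function names Get-VmicTimeState and Disable-VmicTimeProvider are hypothetical, and it assumes an elevated PowerShell session on the VM or DC being changed.

```powershell
# Added example: audit and optionally disable VMICTimeProvider as described above.
# Function names are hypothetical. Run from an elevated PowerShell session.
$VmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Get-VmicTimeState {
    # Current time source, using the query command from the article.
    $source = (& w32tm.exe /query /source | Out-String).Trim()
    # Enabled defaults to 1; a missing value is reported as $null.
    $enabled = (Get-ItemProperty -Path $VmicKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Source        = $source
        VmicEnabled   = $enabled
        SyncsWithHost = $source -like '*VM IC Time Synchronization Provider*'
    }
}

function Disable-VmicTimeProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-VmicTimeState
    if ($before.VmicEnabled -eq 0) {
        Write-Verbose 'VMICTimeProvider is already disabled.'
        return $before
    }
    if ($PSCmdlet.ShouldProcess($VmicKey, 'Set Enabled = 0 and restart W32Time')) {
        Set-ItemProperty -Path $VmicKey -Name Enabled -Value 0 -Type DWord
        # Same effect as "net stop w32time" followed by "net start w32time".
        Restart-Service -Name W32Time
    }
    # Return the state after the change so it can be logged or compared.
    Get-VmicTimeState
}

# Report the current state without changing anything.
Get-VmicTimeState | Format-List

# Preview the change first, then apply it by removing -WhatIf.
Disable-VmicTimeProvider -WhatIf
```

Run Get-VmicTimeState again once the service has synchronized to confirm that the reported source is the DC or external time source from your AD DS hierarchy rather than the host.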