
Synchronizing Time on a Forest Root PDC housed within an Entra VM

by info.odysseyx@gmail.com


Hi everyone! This is Alan Sandoval from the Directory Services team.

We have all experienced many changes since the advent of cloud computing and virtualization, and time synchronization technology (Windows Time) is no exception.

Today I want to talk about VMICTimeProvider and its impact on virtual machines (VMs) within an Active Directory Domain Services (AD DS) environment. If your domain members and/or domain controllers (DCs) are virtualized, this article will be helpful.

Typically, on-premises deployments use a Forest Root Primary Domain Controller (PDC) as the time source for all domain client machines and other DCs. This PDC synchronizes time with a configured external time source, and this setup works well for many customers. But what happens when the DCs are virtualized?

VMICTimeProvider allows VMs to synchronize time with the host. This may be useful for some organizations, but you may prefer to synchronize all computers from the same time source and maintain your existing AD DS time hierarchy (this is also Microsoft's recommendation). If this traditional hierarchy is what you want, your clients should sync their time with the nearest DC, which in turn should sync its time with the PDC.

Azure Virtual Desktop (AVD) syncs with the host by default. You can query the currently configured time provider on any Windows computer using either of the following two commands:

w32tm /query /source


w32tm /query /status 


Both commands show the currently configured time source; if the output says “VM IC Time Synchronization Provider”, then your machine is using VMICTimeProvider.

If this applies to you and you want to keep the existing AD DS time hierarchy, you will need to disable VMICTimeProvider on the affected VMs. To do this, modify the following registry value, which disables VMICTimeProvider as a time source on those VMs.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\

DWORD: Enabled

Value: 0

The default value of this DWORD is 1.

To apply this change to your computer, you must restart the W32Time service. You can do this by using the following command from an elevated command prompt:

net stop w32time 
net start w32time 


After this, the machine will use the AD DS Windows Time settings you previously configured.

But it doesn’t end there. Nowadays, it’s not uncommon for DCs to be virtualized. In this case, you need to disable VMICTimeProvider on those DCs so that they get their time from the Forest Root PDC. The Forest Root PDC should also be configured this way, so that it gets its time externally from the configured time source instead of syncing with its own host. You can make this change by modifying the same registry key specified above on the DC.
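The check-and-change procedure above, as an added PowerShell example (not from the original post), usable on a virtualized domain member or DC: it reports the current source and the VMICTimeProvider Enabled value, and with -Apply sets Enabled to 0, restarts W32Time and re-checks the source. The script assumes an elevated session; the registry path and the "VM IC Time Synchronization Provider" string are the ones given in the post.

```powershell
# Added example: audit, and optionally disable, VMICTimeProvider so the VM
# follows the AD DS time hierarchy instead of the Hyper-V host.
# Run from an elevated PowerShell session; without -Apply it only reports.
param([switch]$Apply)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$HostProvider = 'VM IC Time Synchronization Provider'

# 1. What is w32time currently using as its source?
$source = (w32tm /query /source) -join ''
Write-Host "Current time source: $source"
$usingHost = $source -match $HostProvider

# 2. Current registry state (the default for Enabled is 1).
$enabled = (Get-ItemProperty -Path $KeyPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $enabled) { $enabled = '<not set, treated as 1>' }
Write-Host "VMICTimeProvider Enabled = $enabled"

# 3. Has the Time-Service informational event 158 been logged recently?
$evt = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-Time-Service'; Id=158 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) { Write-Host "Last Time-Service event 158: $($evt.TimeCreated)" }

if (-not $Apply) {
    if ($usingHost) {
        Write-Warning 'This VM takes its time from the host. Re-run with -Apply to disable VMICTimeProvider.'
    }
    return
}

# 4. Disable the provider (Enabled = 0) and restart W32Time so it takes effect.
Set-ItemProperty -Path $KeyPath -Name Enabled -Value 0 -Type DWord
Restart-Service -Name w32time -Force

# 5. Force a resync and confirm the source changed. A member should now point at
#    a DC, a DC at the PDC, and the forest root PDC at its external NTP source.
w32tm /resync /nowait | Out-Null
Start-Sleep -Seconds 5
$after = (w32tm /query /source) -join ''
Write-Host "Time source after change: $after"
if ($after -match $HostProvider) {
    Write-Warning 'Still using the host provider; check the NtpServer/Type settings delivered by your GPO.'
}
```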

What about physical machines?

For additional benefit, you can also deploy this registry key on bare metal machines. This will prevent the Time-Service periodic informational event ID 158 from being logged in the system event log.

I recommended this method to a customer who was facing an issue where the Windows VM time was jumping around in an on-prem domain. This was happening despite having configured the time settings via a well-configured Group Policy Object (GPO). The virtualized machine did not follow the GPO settings and instead took the time from the host. This is expected behavior and is referenced here.

w32time prefers time providers in the following priority order: stratum level, root delay, root dispersion, time offset. In most cases, w32time on an Azure VM prefers host time due to the evaluation it must perform to compare the two time sources.

Time synchronization for Windows VMs in Azure – Azure Virtual Machines | Microsoft Learn

If you want to leverage the existing on-premises ADDS time hierarchy, we recommend disabling VMICTimeProvider. This will cause the machines to not sync time with the host and instead follow the designed time hierarchy, which will ensure that the time across the domain is stable and accurate.

References:

Timing Mechanism for Active Directory Windows Virtual Machines in Azure – Azure Virtual Machines | Mic…

Time synchronization for Windows VMs in Azure – Azure Virtual Machines | Microsoft Learn

Configure an authoritative time server with Group Policy using WMI filtering – Microsoft Community…
