Synchronizing Time on a Forest Root PDC housed within an Entra VM

by info.odysseyx@gmail.com, August 12, 2024

Hi everyone! This is Allan Sandoval from the Directory Services team. We have all experienced many changes since the advent of cloud computing and virtualization, and time synchronization technology (Windows Time) is no exception. Today I want to talk about VMICTimeProvider and its impact on virtual machines (VMs) within an Active Directory Domain Services (AD DS) environment. If your domain members and/or domain controllers (DCs) are virtualized, this article will be helpful.

Typically, on-premises deployments use a Forest Root Primary Domain Controller (PDC) as the time source for all domain client machines and other DCs. This PDC synchronizes time with a configured external time source, and this setup works well for many customers. But what happens when the DCs are virtualized?

VMICTimeProvider allows VMs to synchronize time with the host. This may be useful for some organizations, but you may prefer to synchronize all computers from the same time source and maintain your existing AD DS time hierarchy. (What does Microsoft recommend?) If this traditional hierarchy resonates with you, your clients should sync their time with the nearest DC, which in turn should sync its time with the PDC. Azure Virtual Desktops (AVD) syncs with the host by default.

You can query the currently configured time provider on any Windows computer using one of the following two commands:

    w32tm /query /source
    w32tm /query /status

Both commands show the currently configured time source. If the output says “VM IC Time Synchronization Provider”, your machine is using VMICTimeProvider. If this applies to you and you want to keep the existing AD DS time hierarchy, you will need to disable VMICTimeProvider on the desired VMs.
To do this, you can modify the following registry value, which will effectively disable VMICTimeProvider as a time source on these VMs.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    DWORD: Enabled
    Value: 0

The default value of this DWORD is 1. To apply this change to your computer, you must restart the W32Time service. You can do this by using the following commands from an elevated command prompt:

    net stop w32time
    net start w32time

After this, the machine will use the AD DS Windows Time settings you previously configured.

But it doesn’t end there. Nowadays, it’s not uncommon for DCs to be virtualized. In this case, you need to disable VMICTimeProvider on those DCs so that they get their time from the Forest Root PDC. The Forest Root PDC should also be configured this way, so that it gets its time externally from the configured time source instead of syncing with its own host. You can make this change by modifying the same registry key specified above on the DC.

What about physical machines?

For additional benefit, you can also deploy this registry key on bare metal machines. This will prevent the Time-Service periodic informational event ID 158 from being logged in the system event log.

I recommended this method to a customer who was facing an issue where the Windows VM time was jumping around in an on-prem domain. This was happening despite the time settings having been configured through a well-configured Group Policy Object (GPO). The virtualized machine did not follow the GPO settings and instead took the time from the host. This is expected behavior and is referenced here.

“w32time prefers time providers in the following priority order: stratum level, root delay, root dispersion, time offset.
In most cases, w32time on an Azure VM prefers host time due to the evaluation it must perform to compare the two time sources.”
Time synchronization for Windows VMs in Azure – Azure Virtual Machines | Microsoft Learn

If you want to leverage the existing on-premises AD DS time hierarchy, we recommend disabling VMICTimeProvider. This will cause the machines to not sync time with the host and instead follow the designed time hierarchy, which will ensure that the time across the domain is stable and accurate.

References:

Timing Mechanism for Active Directory Windows Virtual Machines in Azure – Azure Virtual Machines | Mic…
Time synchronization for Windows VMs in Azure – Azure Virtual Machines | Microsoft Learn
Configure an authoritative time server with Group Policy using WMI filtering – Microsoft Community…
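
The procedure described in the article (check the time source, set Enabled to 0, restart W32Time, confirm the new source), as an added PowerShell example that is not part of the original article. The variable and function names and the 5 x 5 second settling wait are assumptions; the registry path, value and w32tm commands are the ones given above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): disable VMICTimeProvider on this
# machine and confirm that W32Time stops using the host as its time source.

$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$vmicLabel = 'VM IC Time Synchronization Provider'   # string quoted in the article

function Get-TimeSource {
    # 'w32tm /query /source' prints the current source as one line of text.
    (& w32tm.exe /query /source | Out-String).Trim()
}

if (-not (Test-Path $key)) {
    throw "VMICTimeProvider key not found: $key"
}

$before  = Get-TimeSource
$enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host "Before: source='$before', VMICTimeProvider Enabled=$enabled"

if ($enabled -ne 0) {
    # Enabled = 0 removes the host as a candidate time source (default is 1).
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
    # Same effect as 'net stop w32time' followed by 'net start w32time'.
    Restart-Service -Name W32Time
}

# Ask the service to rediscover its sources, then poll until the host is no
# longer reported (assumed settling window: 5 attempts, 5 seconds apart).
& w32tm.exe /resync /rediscover | Out-Null
$after = $before
for ($i = 0; $i -lt 5; $i++) {
    Start-Sleep -Seconds 5
    $after = Get-TimeSource
    if ($after -notlike "*$vmicLabel*") { break }
}

Write-Host "After:  source='$after'"
if ($after -like "*$vmicLabel*") {
    Write-Warning 'Still syncing from the host; check the Enabled value and the W32Time service.'
}
```

On a domain member or non-PDC DC the reported source should become a DC; on the Forest Root PDC it should become the configured external time source.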