Hyper-V Time Drift
#1
So what’s the difference between an “out-of-the-box” installation of Hyper-V Host that is NOT a Domain Member versus one that IS a Domain Member?
Irrespective of whether it is a Server or a PC, when you join a Computer to a Domain the computer is set to sync its time with the Domain Controller. This is a no-brainer – if the time difference between a Domain Controller and a Member Computer is out by more than 4-minutes it prevents the Member Computer/Server from logging on (authenticating) with AD (I am sure there must be a Microsoft-logical reason for this but I couldn’t be bothered to find out why).

Our worst enemy: “Time Drift”

This is the default behaviour...

Hyper-V Host NOT a Domain Member (default installation – and using Hyper-V’s “Time synchronisation” between Host and VM)
1) Hyper-V Host gets (or should get) its time from an External Time Source.
2) DC Virtual Machine – gets its time from the Hyper-V Host (using the default “Time synchronisation” checkbox enabled on the VM’s properties).
3) Domain Member Virtual Machine – get their time from the DC Virtual Machine.
The problem here is that if you use the “default installation using the default properties of VM” the Domain Member is forced to sync its time with the Hyper-V Host and, because it is a Domain Member, conflicts with syncing its time with the DC – result? “Time drift”
The “Time synchronisation” checkbox must be unchecked on all Virtual Member Computers/Servers.

Hyper-V Host as a Domain Member
1) Hyper-V Host gets its time from the DC Virtual Machine
2) DC Virtual Machine – gets its time from the Hyper-V Host (you see the problem here?)
The problem is that the DC is syncing its time with the Host and the Host is syncing its time with the DC. This leads to a looping effect and the cause of “time drift”.
3) Domain Member Virtual Machine – get their time from the DC Virtual Machine

Many (or most all) of our Customers’ Hyper-V Host (Physical) Servers are joined to the Domain (necessary because much of the actual data is stored on the Physical Server and NTFS permissions are required to manage access).
So, how do we fix this?
This is pretty straightforward unless previous attempts at modifying the registry to change time source have been made (then must be re-set to defaults in registry and the use of the W32TM command to force the source of time).

So, the result is pretty straightforward:

Hyper-V Host as a Domain Member:
1) Hyper-V Host gets its time from the DC Virtual Machine
2) DC Virtual Machine – gets its time from an External Time Source (pool.ntp.org).
3) Domain Member Virtual Machine – get their time from the DC Virtual Machine

Anyone care to argue this?
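
The layout the first post arrives at, as an added PowerShell example that is not part of the thread: run it with `-Role Host` on the Hyper-V host, `-Role DC` inside the DC guest and `-Role Member` inside the other domain guests. The VM names are hypothetical, and it assumes a single DC VM acting as the domain's time authority.

```powershell
# Added example: apply the time-source layout described in post #1.
param(
    [Parameter(Mandatory)][ValidateSet('Host','DC','Member')][string]$Role,
    [string[]]$DomainVMs = @('DC01','APP01'),  # hypothetical guest names, used by the Host role only
    [switch]$ResetW32Time                      # use when the time-source registry values were hand-edited
)

if ($ResetW32Time) {
    # Put the Windows Time service registry configuration back to defaults.
    Stop-Service w32time
    w32tm /unregister
    w32tm /register
    Start-Service w32time
}

switch ($Role) {
    'Host' {
        # Untick "Time synchronisation" for every domain-joined guest so the
        # host no longer pushes its clock into VMs that follow the DC.
        foreach ($vm in $DomainVMs) {
            Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization' |
                Where-Object Enabled | Disable-VMIntegrationService
        }
        # The host itself follows the domain hierarchy (the DC VM).
        w32tm /config /syncfromflags:domhier /update
    }
    'DC' {
        # The DC VM is the only machine that talks to the external source.
        w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:yes /update
    }
    'Member' {
        w32tm /config /syncfromflags:domhier /update
    }
}

Restart-Service w32time
w32tm /resync /rediscover

# Confirm where this machine now gets its time.
$source = (w32tm /query /source | Out-String).Trim()
"Time source for ${Role}: $source"
if ($source -match 'VM IC Time Synchronization Provider') {
    Write-Warning 'Still syncing from the Hyper-V host: the integration service is enabled for this VM.'
}
```

On a guest, a reported source of `VM IC Time Synchronization Provider` means the host is still driving the clock, which is the Host/DC loop the post describes.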
#2
Absolutely no arguments here...
Your article is spot-on!

I had been battling for months at various customers over this problem.
After reading this thread I realised that I had missed the most obvious settings of time-sync in a Domain environment.
I feel so stupid - after "undoing" all that I had "done" no more time drift!