Virtualizing Domain Controllers and the Windows Time Service



Ace Fekay, MVP, MCT, MCTIP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
Microsoft Certified Trainer
Microsoft MVP: Directory Services


Compiled 8/23/2011
Updated 2/15/2012


 


There are many articles addressing this subject. Some are confusing, and some bury the important details among other material. This page pulls the facts together in one place so you can reach your design goals without hunting for them.


 


.
Virtualized DC Best Practices:


Regarding DC virtualization, please adhere to the following best practices:


1) Do not use imaging software to take an image of the DC.
2) Do not take or apply snapshots of the DC. Applying a snapshot rolls the DC back in time: its USN counter goes backwards while its replication partners have already seen higher USNs under the same invocation ID, so later changes are never replicated (USN rollback).
3) Do not shut the virtual machine down and simply copy the virtual disk as a backup.
4) If your platform offers a “discard changes” (undo disk) setting, as Virtual Server 2005 R2 does, do not enable it on a DC virtual machine.
5) Take system state backups with NTBACKUP.EXE, WBADMIN.EXE, or third-party software that is certified to be AD-aware.
6) Restore a DC only from such a system state backup or a full backup; never from a disk image or snapshot.
7) Make at least one DC, the PDC Emulator, a physical machine. The PDC Emulator is the default authoritative time source at the top of the domain time hierarchy and should not be virtualized.


DC’s and VM’s – Avoiding the Do-Over
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx
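As an added example (not from the original post), the following PowerShell audits the host-side half of the list above: for each Hyper-V guest that is a domain controller it reports any checkpoints (snapshots) and the state of the Time Synchronization integration service. It assumes it runs as administrator on the Hyper-V host with the Hyper-V PowerShell module (Windows Server 2012 or later); the DC names in $DcNames are placeholders.

```powershell
# Added example, not from the original post: audit Hyper-V guests that run as
# domain controllers for checkpoints (snapshots) and report the state of the
# Time Synchronization integration service.
# Assumptions: run as administrator on the Hyper-V host with the Hyper-V
# PowerShell module (Windows Server 2012 or later); the DC guest names in
# $DcNames are placeholders for this example.
$DcNames = @('DC01', 'DC02')

foreach ($vm in Get-VM) {
    if ($DcNames -notcontains $vm.Name) { continue }

    # Best practice 2: a DC must not have checkpoints. Applying one rolls the
    # directory back in time and causes USN rollback (see KB 888794 below).
    $checkpoints = @(Get-VMSnapshot -VMName $vm.Name -ErrorAction SilentlyContinue)
    if ($checkpoints.Count -gt 0) {
        $names = ($checkpoints | ForEach-Object { $_.Name }) -join ', '
        Write-Warning ("{0}: {1} checkpoint(s) present ({2}); delete them and never apply one to a DC." -f $vm.Name, $checkpoints.Count, $names)
    } else {
        Write-Output ("{0}: no checkpoints" -f $vm.Name)
    }

    # Host-side time sync stays enabled for a DC guest; the 'partial disable'
    # described in the Hyper-V time sync section of this post is applied
    # inside the guest, not here.
    $ts = Get-VMIntegrationService -VMName $vm.Name -Name 'Time Synchronization'
    Write-Output ("{0}: Time Synchronization integration service enabled = {1}" -f $vm.Name, $ts.Enabled)
}
```

The script only reports. The remedy for a flagged checkpoint is to delete it (Remove-VMSnapshot), never to apply it.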


.


Additional considerations if deciding to host a DC in a VM.


Note: This elegant list was originally posted by Florian Frommherz [MVP] in a Microsoft AD newsgroup post on 4/9/2009: http://www.winvistatips.com/dc-vm-t710301.html


  • Backup/Restore (it is a DC, man – so backup and restore it as you would with physical machines!)
  • VM-Security (although it’s VM, it doesn’t mean it’s less worth protecting than others — it holds the keys to your castle!)
  • Use a _supported_ method/read Microsoft Best Practices.
  • Don’t mess with the hardware
  • Although it’s a VM, you might want to take a look at performance.
  • Depending on what your environment looks like and how keen you are on performance/search performance/read+write, you’d have to look into putting the virtual HD on a separate physical HD.
  • Memory is also a performance killer
  • Make sure the size of your DIT could fit well into the VM’s RAM

.


Things to consider when a Windows Server 2003-based domain controller or a Windows 2000-based domain controller runs in a virtual hosting environment (Virtual PC, Hyper-V or VMware); the guidance also applies to Windows Server 2008 and 2008 R2:
http://support.microsoft.com/?id=888794


Restoring a DC from a snapshot is not recommended and is not officially supported, but there is a procedure for recovering a DC from an image, usable only while the tombstone lifetime has not expired. It was presented at a Microsoft deep dive and written up by Paul Bergson, MVP Directory Services:
http://blogs.dirteam.com/blogs/paulbergson/archive/2011/01/14/restoring-a-dc-from-a-snapshot.aspx


Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/dd363553.aspx


Backup and restore of Active Directory
http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx


Running Domain Controllers in Virtual Server 2005
http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en


Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx


Deployment Considerations for Virtualized Domain Controllers
http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx


Things to consider when you host Active Directory domain controllers in virtual hosting environments
http://support.microsoft.com/kb/888794


Restore Domain Controllers (be wary of images)
http://technet.microsoft.com/en-us/library/cc526503.aspx


Active Directory virtualization best practices
http://www.techrepublic.com/blog/networking/active-directory-virtualization-best-practices/2433


.


==========
Virtualized DCs and PDC Physical Availability


It is recommended that at least the PDC Emulator be a physical machine.


For virtualization (VMware or Hyper-V), it is recommended that at least the DC holding the PDC Emulator role be a physical DC; beyond that, install as many virtualized DCs as you want, within the performance limits of your host hardware. Many small installations do not follow this because of budget, but be aware of the facts below before deciding.


There are several best-practice reasons for this recommendation, some of them plain common sense:


  • The PDC Emulator is the time source for its domain.
  • The PDC Emulator in the forest root domain is the time source for its own domain and, through the PDC Emulators of the child domains, for the rest of the forest.
  • The VM host is a single point of failure: if the host is domain-joined and every DC runs on it, there is nothing to authenticate against while the host is being recovered.
  • Ideally, place DCs in different regions so that no single location, platform, or data center loss becomes a single point of failure.
  • If you have multiple domains (child domains, additional trees, etc.), it is recommended that the PDC Emulator of each domain be a physical machine.

In summary, you can have as many virtual replica DCs for a domain as you like, but it is recommended that the PDC Emulator be a physical machine. The only other scenario where this is not strictly necessary is an infrastructure dispersed across multiple regions, where no single host or site can take down every DC at once.


Basically, the whole idea behind this is to have a DC somewhere to fall back on.


A good link to read, which touches on the above:


Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe%28v=ws.10%29


.


==========
HyperV, Virtual DCs, and Time Sync


.


Time Service on a VM Host


The time service is the other important issue. The host’s time synchronization can interfere with the PDC Emulator’s time role, because the PDC Emulator is the default time server at the top of the forest time hierarchy.


This matters because the Windows Time service is essential to Kerberos version 5 authentication and therefore to AD DS authentication. If the clock skew between two machines (including any connected VPN client) exceeds the Kerberos policy “Maximum tolerance for computer clock synchronization”, 5 minutes by default, authentication and logon fail. The check is a security feature: a ticket or authenticator with an old timestamp is rejected, which thwarts replay of captured authentication exchanges. Every Kerberos-aware application, including most security services, relies on the computers participating in an authentication request having synchronized clocks.


Host time synchronization makes it possible for guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, host time synchronization must be handled differently in a virtualized environment. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.


You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box. Hang in there, this is explained below.


.


HyperV’s feature to Partially Disable the HyperV Time Service



If any DCs are virtualized, Microsoft recommends not disabling time synchronization completely in the Hyper-V Integration Services, but rather “partially disabling” it inside the guest. This is described in the following TechNet article:



Running Domain Controllers in Hyper-V
Updated: April 11, 2011, Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Virtualization:
Partially disable HyperV Time Synch
“For virtual machines that are configured as domain controllers, it is recommended that you partially disable time synchronization between the host system and guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time for the domain hierarchy, but protects it from having a time skew if it is restored from a Saved state.”


To partially disable the Hyper-V time synchronization provider, leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx
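The same change in PowerShell, with the verification step that the TechNet article leaves out, as an added example that is not part of the original post or the article. It assumes an elevated PowerShell session on the guest DC, with the Time Synchronization integration service still enabled on the host; the string “VM IC Time Synchronization Provider” is what w32tm reports as the source while the Hyper-V provider is still in charge.

```powershell
# Added example, not from the TechNet article quoted above: apply the
# 'partial disable' of the Hyper-V time synchronization provider on a guest DC
# and verify that w32time now follows the domain hierarchy instead of the host.
# Assumption: run from an elevated PowerShell session on the guest DC; the
# Time Synchronization integration service stays enabled on the host.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

if (-not (Test-Path $key)) {
    throw "VMICTimeProvider key not found; Hyper-V Integration Services do not appear to be installed in this guest."
}

# Same change as 'reg add ... /v Enabled /t reg_dword /d 0' in the article.
Set-ItemProperty -Path $key -Name 'Enabled' -Type DWord -Value 0

# The provider list is read when the service starts, so restart and resync.
Restart-Service -Name w32time
w32tm /resync /nowait | Out-Null

# Verify: the source must no longer be the Hyper-V (VM IC) provider.
$source = (w32tm /query /source) -join ''
if ($source -match 'VM IC Time Synchronization Provider') {
    Write-Warning "Still syncing from the host: $source"
} else {
    Write-Output "Time source is now: $source"
}

# Full picture for the record: peer, stratum, last successful sync.
w32tm /query /status
```

On a virtualized replica DC the source should now be another DC in the domain hierarchy; if the guest holds the PDC Emulator role, it should be the external NTP server you configured on it. A restore from Saved state will no longer jump the clock, because the guest only listens to w32time’s own peers.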


How to Virtualize Active Directory Domain Controllers (Part 1)
This article originally said to disable Hyper-V’s time synchronization entirely. It has since been updated (in line with the links above) to keep the integration service enabled and instead use the registry entry shown in the first link to partially disable the provider.
http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx



.

Time Synchronization in Hyper-V, by Ben Armstrong, MSFT


MSDN Blogs > Virtual PC Guy’s Blog >
Ben Armstrong, Virtualization Program Manager, [MSFT]
Talking about core virtualization at Microsoft (Hyper-V, Virtual PC and Virtual Server).


Question #6 – Wait a minute!  My virtual machine should be synchronizing to the domain (or an external server) – but when I run that command it tells me that the Hyper-V time synchronization provider is being used!  How do I fix this!
http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx


.


The following was quoted from Nina Liu, MSFT, in the following TechNet Forum Thread:


TechNet Thread: “Hyper-v domain controller machines not synchronize time with AD servers” (7/8/2011)
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4624a76d-32f7-4c54-8803-48906e3a2767


“For virtual machines that are configured as domain controllers, it is recommended that you partially disable time synchronization between the host system and guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time for the domain hierarchy, but protects it from having a time skew if it is restored from a Saved state. Also, please make sure that your domain does have a correctly configured authoritative time source.”


 


Windows Time Service Technical Reference (search the page for the string ‘virtual’)
http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx


.


==========
VMWare, Virtual DCs, and Time Sync:


Time synchronization from the VMware host may cause problems if the PDC Emulator is a virtual machine.


As mentioned above, in Hyper-V we can partially disable the time sync. I’m not sure whether there is a feature in VMware to “partially” disable it, therefore I would recommend disabling it. FYI, VMware recommends disabling VMware Tools periodic time synchronization in the guest and letting Windows handle time sync. The following is quoted from VMware KB 1318.


VMware’s own guidance is to disable VMware Tools periodic time synchronization in the guest, since VMware Tools has no “partial disable” option like Hyper-V’s. One caveat for practitioners: even with periodic synchronization off, VMware Tools still performs one-off clock corrections after events such as resuming from suspend, reverting to a snapshot, or a vMotion; the timekeeping paper linked below documents the time.synchronize.* settings in the VM configuration file that turn those off as well.


VMWare KB1318: Timekeeping best practices for Windows, including NTP:
Quoted:
“When using w32time or NTP in the guest, disable VMware Tools periodic time synchronization.”
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318


More specific VMWare info:
Timekeeping in VMware Virtual Machines – VMware® ESX® 4.0
http://www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf


.


And most of all…


You must still configure an external time source on your PDC Emulator, and every other DC must follow the domain hierarchy rather than a leftover manual peer list. More on how to configure it, and troubleshooting tips, in my Time Service blog:


Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
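To make the two rules above concrete, and to tie them back to the Kerberos 5-minute skew limit discussed in the Hyper-V section, here is an added PowerShell example that is not part of the original post or the linked blog. It configures w32time on a DC according to whether that DC holds the PDC Emulator role, then measures the clock offset against the PDC Emulator with w32tm /stripchart. It assumes an elevated session on a DC with the ActiveDirectory module installed; the NTP servers in $ExternalPeers are placeholders, so substitute sources you trust.

```powershell
# Added example, not from the original post or the linked blog: configure the
# Windows Time service on a DC according to its FSMO role and then measure the
# clock offset against the PDC Emulator, the value Kerberos cares about.
# Assumptions: run from an elevated PowerShell session on a DC with the
# ActiveDirectory module installed; the NTP servers in $ExternalPeers are
# placeholders, substitute sources you trust. The ',0x8' flag means client
# mode: the peer is polled and is never allowed to sync from us.
Import-Module ActiveDirectory

$ExternalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                      # FQDN of the role holder
$me     = "$env:COMPUTERNAME.$($domain.DNSRoot)"

if ($me -ieq $pdc) {
    # Top of the domain's time hierarchy: sync from the external peers and
    # advertise this DC as a reliable time source for the rest of the domain.
    w32tm /config "/manualpeerlist:$ExternalPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy; this also clears a leftover
    # manual peer list that would otherwise compete with it.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service -Name w32time
w32tm /resync /rediscover | Out-Null

# Kerberos rejects tickets whose timestamps are more than 5 minutes off
# (default 'Maximum tolerance for computer clock synchronization' policy).
# Compare this DC with the PDC Emulator, or, on the PDC Emulator itself,
# with the first external peer.
$target = if ($me -ieq $pdc) { ($ExternalPeers -split ' ')[0] -replace ',0x8$', '' } else { $pdc }
$maxSkewSeconds = 300

# /dataonly prints one line per sample such as "10:03:10, +00.0203547s".
$samples = w32tm /stripchart "/computer:$target" /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
}

if (-not $offsets) {
    Write-Warning "No offset samples from $target; check that NTP (UDP 123) is reachable."
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $maxSkewSeconds) {
        Write-Warning ("Clock skew against {0} is {1:N3}s, beyond the Kerberos limit; fix the time source before troubleshooting anything else." -f $target, $worst)
    } else {
        Write-Output ("Clock skew against {0} is {1:N3}s (within {2}s)." -f $target, $worst, $maxSkewSeconds)
    }
}

# Peer, stratum and last successful sync for the record.
w32tm /query /status
```

Run it on each DC after a role transfer as well: a DC that used to hold the PDC Emulator role keeps its manual peer list and reliable flag until someone switches it back to domhier, which is exactly the competing-time-source situation the earlier sections warn about.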


 


 


If you find any of this information is in error, please let me know.


Thanks,
Ace Fekay

4 thoughts on “Virtualizing Domain Controllers and the Windows Time Service”

  1. Can you clarify the advice on time sync for DCs in Hyper-V? Referencing the Technet article ( http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx ), it says both to disable the time sync via Integration Services, and to partially disable it. There’s an update note that says the current recommendation is to disable the time sync option, yet both recommendations are in the article. What’s the latest advice?

  2. In regards to a PDC that’s running on a VMware host, it is possible to disable the time sync on just one guest OS through VMware Tools, so you could disable it only for the PDC, but leave it enabled for the others.

    I do not know, however, if it is possible to have the hosts/ESXi’s use the PDC as *their* source for time. I attempted this but was unable to get it to work. Could be other factors at play.
