Lync & Active Directory Time in a Virtual Environment (Hyper-V or VMware)

I had a problem recently whereby the domain's AD time was out of sync across various domain controllers, which wreaked havoc across the Lync installation. The biggest issue it caused was that response group calls were getting stuck in the queue and were not routing to agents. I saw plenty of blog posts about time in a virtual environment, but none of them seemed to definitively fix the problem, offering instead a myriad of registry key changes, so I have documented how I fixed it below.

The problem

AD servers synchronise with their PDC time server (nothing new there), but once a server gets what it believes is an accurate time from the PDC, the check moves to once every 8 hours. This is fine in a traditional hardware-based environment where your domain controllers run on dedicated pieces of kit, but in a virtualised environment it becomes an issue because you are effectively time-sharing the CPU. Once your AD server has finished with its rush-hour traffic of logons and people opening file shares at 9 o'clock in the morning, it will most likely require far fewer resources, so your virtualisation platform will start taking CPU cycles from it and its clock will start to drift.

On a normal virtual server, time drift doesn't normally occur because you use either Hyper-V's or VMware's built-in tools to synchronise the clock with the physical machine, but on a domain controller this feature MUST be turned off to prevent anomalies in the clock.

Stopping time synchronisation between your guest virtual machine and the host machine.

Hyper-V

Select the Hyper-V guest server in the Hyper-V management console, select Integration Services and ensure the "Time Synchronisation" box is unchecked. Press OK and you should be good to go.

VMware

VMware controls the time synchronisation from within the virtual machine. To change the setting, find the VMware Tools icon, normally located in the system tray, and double-click it.

Once VMware Tools opens, un-tick "Time Synchronisation between the virtual machine and the ESX Server", which will disable the synchronisation.

Correcting the first Domain Controller (the PDC Emulator)

Now that the time synchronisation between guest and host has been stopped, it is time to sort out the first domain controller. This needs to be your PDC emulator.

The easiest way to find which of your domain controllers is the PDC is to open Active Directory Users and Computers, right-click your domain name (e.g. mydomain.com) and then select "Operations Masters" from the drop-down box.

Once the Operations Masters window appears, select PDC from the tabs and you will see the current operations master as well as the option to move the role to a new server, which we don't want to do, so click Cancel.

Now that we know the operations master server (in my case myserver1.mydomain.com) it is time to take control over its desktop and change some registry settings.

Warning – You are about to change the settings of your domain controller's registry. Although these settings should not harm your server operationally, it is recommended that you back up your registry prior to making any changes to it.

Open registry editor and navigate to

HKEY_LOCAL_MACHINE | SYSTEM | CurrentControlSet | services | W32Time | Parameters

You should see a window with options similar to those below.

The important registry settings are as follows:

| Key Name | Type | Purpose |
| --- | --- | --- |
| NTPServer | String Value | Specify the NTP server you wish the PDC to use. I use the closest public NTP server to my site (in this case Manchester University in the UK); this can be a default one such as time.windows.com. Ensure you follow the NTP server name with 0x9, so that the value looks something like "time.windows.com,0x9". |
| Period | DWORD | This is the period of time in seconds that the server checks with its time source (in the case of the PDC Emulator it is the public NTP server). |
| ReliableTimeSource | DWORD | This needs to be set to the decimal value "1". This forces your other servers to implicitly trust this server as a reliable source for the time across your domain. |

If you see a registry key missing from the above list on your PDC Emulator simply create it with the above type and name.

Now that your PDC Emulator is set up and running, you will need to restart the "Windows Time" service on your server to ensure the new settings take effect.

Configure Non PDC Domain Controllers

Next we need to go to each domain controller and make a registry change. I recommend looking in "Active Directory Sites and Services" to ensure you don't miss a domain controller, as in a large site this can lead to continuing issues with the time.

On each server you will need to create and set the Period value in the registry.

Again navigate to the registry key

HKEY_LOCAL_MACHINE | SYSTEM | CurrentControlSet | services | W32Time | Parameters

The registry key for this will most likely not exist so you will need to create it as per the table below.

| Key Name | Type | Purpose |
| --- | --- | --- |
| Period | DWORD | This is the period of time in seconds that the server checks with its time source (in the case of the PDC Emulator it is the public NTP server). |

Set the value of the Period registry key to 300 again so that this server requests a time update every 5 minutes.

Once you have completed these changes, simply restart the "Windows Time" service as you did on the PDC server and your work on this server is complete. Repeat the above on each non-PDC server.

Please note: although there is an NTP server set on these servers, this value is simply ignored because your server is joined to a domain, so your PDC overrides it.
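
The registry changes from both sections above, collected into one PowerShell function as an added example; it is not the author's script. The function name, its parameters and the backup file location are hypothetical, an elevated PowerShell 3.0 or later session is assumed, and the value names, "time.windows.com,0x9" and the 300-second period are the ones given in this post.

```powershell
# Added example (not from the original post). Run in an elevated session on each DC.
# Value names, "time.windows.com,0x9" and the 300-second period come from the post;
# Set-DcTimeSettings and its parameters are hypothetical names.
$KeyPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$KeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Set-DcTimeSettings {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PdcEmulator', 'OtherDc')]
        [string] $Role,
        [string] $NtpServer = 'time.windows.com,0x9',
        [int] $PeriodSeconds = 300
    )

    # Back up the key first, as the post's warning recommends; stop if that fails.
    $backup = Join-Path $env:TEMP ('W32Time-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $KeyReg $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

    # Every DC gets the polling period. Set-ItemProperty creates a missing value.
    Set-ItemProperty -Path $KeyPs -Name 'Period' -Value $PeriodSeconds -Type DWord

    # Only the PDC emulator gets the external source and the reliable-source marker.
    if ($Role -eq 'PdcEmulator') {
        Set-ItemProperty -Path $KeyPs -Name 'NtpServer' -Value $NtpServer -Type String
        Set-ItemProperty -Path $KeyPs -Name 'ReliableTimeSource' -Value 1 -Type DWord
    }

    Restart-Service -Name 'W32Time'

    # Read the values back so the change can be confirmed and recorded per server.
    $now = Get-ItemProperty -Path $KeyPs
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Role               = $Role
        Period             = $now.Period
        NtpServer          = $now.NtpServer
        ReliableTimeSource = $now.ReliableTimeSource
        TimeSource         = (& w32tm.exe /query /source)
        Backup             = $backup
    }
}

# On the PDC emulator:   Set-DcTimeSettings -Role PdcEmulator
# On each other DC:      Set-DcTimeSettings -Role OtherDc
```

Collecting the returned objects from every domain controller makes it easy to spot a server that was missed or is still reporting an unexpected time source.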

Troubleshooting

If your time is out of sync and you wish to force a synchronisation with the PDC emulator, open the command prompt and type the following command:

net time \\Server1 /set

Replace \\Server1 with the name of your PDC server as found above. This will force the server to synchronise with your PDC emulator, and from then on it should synchronise.
