Knowledgebase:
How to resolve incorrect time with Windows Domain Controller running as a VMware Guest
Posted by rbTech Staff, Last modified by rbTech Staff on 30 October 2015 09:16 AM

Like most MSPs we've been doing a lot of virtualization in the past couple years.  We kept bumping up against a simple problem that resulted in frustration and wasted time, where the new Windows Domain controller (usually a Windows 2012 server), running as a VM guest, would insist that the time was something other than the correct time.  It was usually off by roughly our UTC offset, and after much googling and frustration, we settled on a standard of practice that is simple, replicable, and apparently not well documented.

The most important, and most overlooked, fact is that the Domain Controller really needs to be the definitive source for time for the entire network.  It needs to sync directly to NTP servers and not the hardware clock of the machine it's on whether it's a virtual machine or a physical server.

So that means *don't* set VMware Tools to sync time for the guest.  There are several frustating limitations to the VMware tools time sync that make it the wrong tool for the job.  VMware defaults to having time sync disabled on Windows Server guests for a good reason.

That does mean that you'll need to set your Domain Controller to get it's time synchronization directly from teh Internet (or a definitive clock source).

Fortunately this is simple to do.  Fire up a cmd prompt (or if you're lazy and used to running Powershell, you can run cmd from within your powershell (!!)) and run the following:

C:\net stop w32time

C:\> w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org”

C:\>w32tm /config /reliable:yes

C:\>net start w32time

C:\>w32tm /query /configuration

Those commands will set the appropriate registry keys so that your server will get the time directly from teh Internet and not the hardware clock or VMware tools.
Once you've gotten the DC time to be correct (don't forget to check your timezone), then the other machines will update automatically in time, or you can force an update thusly:
 
C:\>w32tm /resync
 
That prompts the local computer to sync to it's configured time source.  If it's a Domain Member, then it will sync to the previously configured and updated Domain Controller(s), and the time will be correct.
 
 

 

(46 vote(s))
Helpful
Not helpful

Comments (19)
Jared Thomas
09 September 2015 01:34 PM
These directions work for Server 2012 but the process for Server 2008 R2 is different. For 2008 R2, follow the directions in this KB from Microsoft: https://support.microsoft.com/en-us/kb/816042. Go to the section marked "Configuring the Windows Time service to use an external time source" and follow the directions to do it manually; the Fix-it didn't work on a couple systems that I tried.
Jared Thomas
10 September 2015 01:37 PM
Another important note: in a domain where there are multiple domain controllers, this process should only be done on the PDC emulator for the entire forest. Any other domain controllers should use the command "w32tm /config /syncfromflags:domhier /update" instead which will tell the DC to check with the PDC.
Jared Thomas
11 September 2015 12:08 PM
OK, one final note. If you or anyone else has changed the time settings on a server using group policy or registry modification, making the above changes via the w32tm command doesn't work properly. To blow away all changes to NTP on a Windows server, do the following:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
The "official" line from Microsoft is to use the w32tm command to make these adjustments rather than the other options if possible.
Kenneth Hardin
26 February 2016 03:58 PM
Worked perfectly! Thank You
mikedoe
31 May 2016 04:07 AM
Great! Worked perfectly. Was having a stressful morning trying to figure this out. VM's!!
Paul Derbyshire
04 August 2016 05:53 AM
These are my notes taken from MPECS Inc. Blog. Thank you. This works on Server 2008 > 2012 R2

On any Hyper-V VM:

1. Hyper-V Integration Services: Time Synchronization remains enabled.
2. Registry edit to allow the VM to pick up its time from the Hyper-V host only while booting:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
## Copy and paste the above into Notepad to make sure there are no line breaks as it is all in one line##
3. Edit the Windows Time registry settings to make the time service poll more frequently:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config
• "MaxAllowedPhaseOffset"=dword:00000001
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
• "SpecialPollInterval"=dword:00000120
(We start with an interval of 120 Seconds)

Pasted from <http://blog.mpecsinc.ca/2011/01/hyper-v-preparing-high-load-vm-for-time.html>


On primary DC:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes; w32tm /config /update; net stop w32time; net start w32time; w32tm /resync /rediscover

Once the above commands have been run on SBS or the PDC, it may take a bit before the settings settle into place.
The following command will tell us what the time service is up to as far as where the machine is getting its time from:
w32tm /query /source

On any other DCs the following needs to be run:
w32tm /config /syncfromflags:domhier /reliable:no; w32tm /config /update; net stop w32time; net start w32time; w32tm /resync /rediscover

On any member servers:
w32tm /config /syncfromflags:domhier; w32tm /config /update; net stop w32time; net start w32time; w32tm /resync /rediscover

Pasted from <http://blog.mpecsinc.ca/2010/01/sbs-2008-physical-and-hyper-v-set-up.html>
Immaculate
05 October 2016 04:17 AM
this works thankyou for sharing
TechAmature
15 November 2016 02:16 PM
This worked perfectly and I am running Windows Server 2008 R2 Std. x64 SP1
fuad bashir
22 January 2018 09:47 PM
TechAmature,
I have same windows platform with you. Domain controller server time is not telly(1 hour back) with current time.
And it happen very frequent lately. I changed it manually in date and time settings,but it only a temporary solution. Appreciation if you can share your solution here
sai satish
28 March 2017 07:25 AM
Guys this is the solution Go to -->start-->type "Services" -->Click SERVICES one tab will open..
you can search the "WINDOWS TIME" Click that option....another window will open...
"STARTUP TYPE" Option is there....you can change "AUTOMATICALLY" clock OK....After Restart the system...
...

Rubin Bennett
06 April 2017 12:18 PM
@sai satish, this would just disable the Windows Time service which is a Very Bad Idea especially on a domain controller. Don't do this.
Richard Sharpe
07 May 2017 08:15 AM
Guys would the above solution also works for a windows server 2003 domain controller? The time is behind by about 7 minutes. I did a NET TIME change and it appeared to have worked but after approximately 4 minutes the time was again behind. Really desperate to find a workable solution as it is causing severe inconvenience on my network. Much thanks.
Joe
15 June 2017 11:04 PM
This fixed my problem in my 2012 domain. Thank you.
Sat
21 November 2017 12:14 PM
This is a great solution. I have 2 x sever 2016 Standard serving as DCs.
I had on of them DC shutdown for 1 month. I turned it on and guess what? during the 1 month, daylight savings time forwarded the clock an hour ahead. So the dc was stuck with the 1 hour behind time.


Thanks to Rubin, I was able to update the time.
Jamesjohn PS
03 December 2017 12:26 AM
Wow! just wow! thank you so much for saving my life. lol
Wilson Hong
27 December 2017 09:37 PM
Thank you.
Emile Neuhaus
23 January 2018 04:48 AM
It worked for me on a Windows Server 2016, after a reboot. Thank you very much !
Davomg
26 August 2018 02:44 AM
Worked well on Server 2012 R2 with the original instructions! :)
Jeff Amin
15 September 2018 11:41 PM
Great! It worked on windows server 2012 R2. Thanks.
Post a new comment
 
 
Full Name:
Email:
Comments:
CAPTCHA Verification 
 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).