How to resolve incorrect time with Windows Domain Controller running as a VMware Guest
Posted by rbTech Staff, Last modified by rbTech Staff on 30 October 2015 09:16 AM
Like most MSPs, we've been doing a lot of virtualization in the past couple of years. We kept bumping up against a simple problem that resulted in frustration and wasted time: the new Windows Domain Controller (usually a Windows 2012 server), running as a VM guest, would insist that the time was something other than the correct time. It was usually off by roughly our UTC offset, and after much googling and frustration, we settled on a standard of practice that is simple, replicable, and apparently not well documented.
The most important, and most overlooked, fact is that the Domain Controller really needs to be the definitive source for time for the entire network. It needs to sync directly to NTP servers and not to the hardware clock of the machine it's on, whether it's a virtual machine or a physical server.
So that means *don't* set VMware Tools to sync time for the guest. There are several frustrating limitations to the VMware Tools time sync that make it the wrong tool for the job. VMware defaults to having time sync disabled on Windows Server guests for a good reason.
That does mean that you'll need to set your Domain Controller to get its time synchronization directly from the Internet (or a definitive clock source).
Fortunately this is simple to do. Fire up a cmd prompt (or if you're lazy and used to running PowerShell, you can run cmd from within your PowerShell (!!)) and run the following:
C:\>net stop w32time
C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
C:\>w32tm /config /reliable:yes
C:\>net start w32time
C:\>w32tm /query /configuration
Those commands will set the appropriate registry keys so that your server will get the time directly from the Internet and not the hardware clock or VMware Tools.
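To confirm the settings took effect, the following read-only PowerShell check reads the registry values those w32tm commands write and reports the active time source. It is an added example, not part of the original article; the VMware Tools path is the default install location and is an assumption, so adjust it if Tools is installed elsewhere.

```powershell
# Added example: read-only check of the time configuration set by the w32tm commands above.
# Run in an elevated PowerShell session on the Domain Controller.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty -Path "$svc\Parameters"
$config = Get-ItemProperty -Path "$svc\Config"
$problems = @()

# /syncfromflags:manual stores Type = NTP; NT5DS means "follow the domain hierarchy".
if ($params.Type -ne 'NTP') {
    $problems += "Type is '$($params.Type)', expected 'NTP'"
}

# /manualpeerlist stores the space-delimited peers in NtpServer (strip any ",0x.." flags).
$peers = @($params.NtpServer -split '\s+' | Where-Object { $_ } |
    ForEach-Object { ($_ -split ',')[0] })
if ($peers.Count -eq 0) { $problems += 'NtpServer is empty' }

# /reliable:yes sets the "always reliable time server" bit (0x4) in AnnounceFlags.
if (-not ($config.AnnounceFlags -band 0x4)) {
    $problems += "AnnounceFlags is $($config.AnnounceFlags); reliable bit 0x4 not set"
}

# The active source should be one of the peers, not the hardware clock.
$source = (& w32tm /query /source | Out-String).Trim()
if ($source -match 'CMOS|Free-running') {
    $problems += "Active source is '$source'"
}

# VMware Tools periodic sync should be off. Default install path (assumption).
$toolbox = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) {
    $vmSync = (& $toolbox timesync status | Out-String).Trim()
    if ($vmSync -match 'Enabled') { $problems += 'VMware Tools time sync is enabled' }
}

# Show the offset against the first peer (3 samples; this does not change the clock).
if ($peers.Count -gt 0) {
    & w32tm /stripchart "/computer:$($peers[0])" /samples:3 /dataonly
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Time source OK: $source" }
```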
Once you've gotten the DC time to be correct (don't forget to check your timezone), then the other machines will update automatically in time, or you can force an update thusly:
That prompts the local computer to sync to its configured time source. If it's a Domain Member, then it will sync to the previously configured and updated Domain Controller(s), and the time will be correct.