Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Time Sync on Virtual DCs

Time Sync on Virtual DCs

  • Comments 3
  • Likes

I was recently caught in a tricky problem: The clock of one of my host servers ran out of sync.. – significantly. The core problem was that my Mediacenter (which is domain integrated) started to record about 6-8 minutes too late but this is not the reason why I post.

The actual reason was that I tried to resolve this: My DCs are virtualized – one on a Hyper-V server and one on a Virtual Server. As both have the corresponding add-ins installed, by default the guest synchronizes the time with the host. If the host clock is now not accurate anymore, this is transferred to the guest (which is a DC and which then synchronizes this across the whole infrastructure). As this happens slowly, I did not realize this until my Mediacenter did not capture the whole news anymore…

Now I checked the time server settings of my DC and it synchronizes its clock with time.windows.com and NTP is open for the DC – therefore the synchronization is successful, resets the clock to the right time and then the Hyper-V Integration Services kick in and set the clock back to the time of the host (which is wrong) and the wrong time is again synchronized across the network smile_sad. (I hope this was now confusing enough)

What I did now – and what I would suggest that you do that (at least with the knowledge I have today) – is disabling the time synchronization between host and guest at least for DCs as they update their time from the time server as described above. Since then, my time is correct again.

Roger

P.S. As you know – I am Swiss. And one of the worst thing which could happen to a Swiss is an incorrect watch smile_wink

Comments
  • It would be really funny to see you are having an incorrect watch with an incorrect timing...

  • Your right Yousuf.  That would be a very big HAHAHA

  • Neatly explained. I'd been struggling to get my head around this problem. Please accept my belated thanks!

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment