• Why Time Synchronization Fails When The Domain Controllers Are Virtual

     

    Virtual machines will by default have varying resources, CPU clocks, etc. On a busy system, they may even be denied resources for short periods of time or during high workloads, vMotion or backups, or they may receive more CPU resources than the operating system is even aware it could get. For example, the operating system believes it has 1 CPU of 2.4 GHz, while in reality it is running on a VMware server with 8 cores of 2.4 GHz.

    This results in something usually referred to as time drift: the clock and the "ticks" it uses to keep time will sometimes run faster or slower. Virtual servers misconfigured for time synchronization have been seen that were off by several hours. Most time synchronization clients have a limit on how much the time may differ from the NTP source and still synchronize. Some systems are set for no more than 15 minutes, 1 hour or 15 hours, and some even synchronize no matter the time difference. Such a limit may also prevent synchronization because the time has drifted too much since the last sync.

    The time service (w32time) running on Windows servers and Domain Controllers is well capable of keeping time very accurately on a physical machine, with default syncs being done every 45 minutes until 3 successful syncs, then every 8 hours. (info on w32time registry settings here) The time service on Domain Controllers also functions as the time server for all clients in the domain, so do not just disable this service if you do not need the client functionality!

     

    So basically we need to ensure that our virtual Domain Controllers, and especially our DC with the PDC FSMO role, are always synchronized perfectly; otherwise we risk problems with authentication throughout the domain.
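
One way to check this, added here as an example and not part of the original article: the script below reads each DC's NTP offset from the PDC out of `w32tm /monitor` output and grades it. The host names, addresses and sample output are constructed, the 1-second warning level is an assumed threshold, and 300 seconds is the Windows default Kerberos clock-skew tolerance. It assumes English-language `w32tm` output.

```powershell
# Constructed sample in the shape of `w32tm /monitor` output (hypothetical hosts).
$sample = @'
dc01.corp.example *** PDC ***[192.0.2.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.corp.example
        RefID: time.example.net [198.51.100.5]
        Stratum: 3
dc02.corp.example[192.0.2.11:123]:
    ICMP: 1ms delay
    NTP: -0.0213400s offset from dc01.corp.example
        RefID: dc01.corp.example [192.0.2.10]
        Stratum: 4
dc03.corp.example[192.0.2.12:123]:
    ICMP: 1ms delay
    NTP: +412.7731000s offset from dc01.corp.example
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
'@

function Get-DcTimeOffset {
    param(
        [string[]]$MonitorOutput,
        [double]$WarnSeconds = 1,       # assumed alerting threshold
        [double]$MaxSkewSeconds = 300   # default Kerberos tolerance (5 minutes)
    )
    $dc = $null; $isPdc = $false
    foreach ($line in $MonitorOutput) {
        # Header line: "<name>[ *** PDC ***][<ip>:123]:"
        if ($line -match '^(\S+?)(\s+\*\*\* PDC \*\*\*)?\s*\[[^\]]+\]:') {
            $dc = $Matches[1]; $isPdc = [bool]$Matches[2]
        }
        # Offset line: "NTP: +0.0000000s offset from <pdc>"
        elseif ($dc -and $line -match 'NTP:\s*([+-]\d+\.\d+)s offset') {
            $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            $abs = [math]::Abs($offset)
            $status = if ($abs -ge $MaxSkewSeconds) { 'CRITICAL' }
                      elseif ($abs -ge $WarnSeconds) { 'WARN' }
                      else { 'OK' }
            [pscustomobject]@{ DC = $dc; IsPdc = $isPdc
                               OffsetSeconds = $offset; Status = $status }
            $dc = $null   # a DC that returns no NTP line yields no row
        }
    }
}

Get-DcTimeOffset -MonitorOutput ($sample -split "`r?`n") | Format-Table -AutoSize
# Live use on a domain-joined host: Get-DcTimeOffset -MonitorOutput (w32tm /monitor)
```

With the sample above, dc03 is reported as CRITICAL because its offset from the PDC is larger than the 300-second tolerance.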