Hi Friends,
Need your big help in this issue, in our environment all the Domain Controllers (Windows Server 2008R2 & Windows Server 2012R2) were in one single forest domain are Vmware Virtual Machines including the PDCe.
We started to see the domain time sync hierarchy broken between PDCe and other Domain controllers. and also observed, when to DCs rebooting they are left with huge time difference and causing the time sync issue.
Currently what we observing few DCs are syncing time with PDCe successfully and advertising themselves as a time servers. But 80% Non-PDC DCs were got broken, i mean, they are trying to see the time source from ESXi Host and getting response too.
But, how can we force Non-PDC DCs to fetch from peers DCs or PDCe?
How can we force a DC which should sync for time source from a specific peer Domain Controller.
So far the below mentioned actions are performed on the DCs.
1. Verified the PDCe and found, it's configured to fetch time from the External NTP and it is functional and advertising as time source.
2. Verified the Registry settings, all were good.. all the non PDC DCs set with : NS5DS
3. In all the VM DCs, we verified below command to see whether DCs configured to check the time with Host. but the command output is "Disabled"
C:\>"Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" timesync status
Disabled
We ran the below commands to configure a backup Domain controllers for automatic domain time synchronization
a. Open a Command Prompt.
b. Type the following command and then press ENTER:
w32tm /config /syncfromflags: domhier /update
c. Type the following command and then press ENTER:
net stop w32time
d. Type the following command and then press ENTER:
net start w32time.
Finally we re-registered the w32tm service on the DCs and tried above commands also but no luck.
==
We ran the W32tm /Monitor command, but few DCs result showing as below..
member.domain.com [x.x.x.x]:
ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
NTP: error ERROR_TIMEOUT - no response from server in 1000msDC3.domain.com [x.x.x.x]:
ICMP: 4ms delay.
NTP: -1.2811858s offset from dc2.domain.com
RefID: unspecified / unsynchronized [0.0.0.0]
We planned to propose below action plan to be implemented to edit .vmx files of VM system Domain Controllers.
As per the KB Article : https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
Add configuration options in the virtual machines .vmx file:
- Power off the virtual machine.
- Connect to the host with an SSH session. For more information, see Using ESXi Shell in ESXi 5.x (2004746).
- Open the virtual machines configuration file, located at
/vmfs/volumes/datastore_name/vm_name/vm_name.vmxusing a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022). - Set these options to zero. If the entries do not exist, add them.Note: 0 = disabled, 1 = enabled.
tools.syncTime = "0"time.synchronize.continue = "0"time.synchronize.restore = "0"time.synchronize.resume.disk = "0"time.synchronize.shrink = "0"time.synchronize.tools.startup = "0"time.synchronize.tools.enable = "0"time.synchronize.resume.host = "0"
Ravi Ch