Let Active Directory Manage It Please

Time Synchronization for Virtual Domain Controllers running on either Hyper-V or VMware Virtualization Platforms should be managed by Active Directory.

There are several reasons why we should let Active Directory manage time sync for Virtual Domain Controllers, but first we need to look at the applications running inside a Virtual Machine.

An application VM vs. a Domain Controller VM

Let’s say we have a Client/Server Application running in a VM. The application uses Kerberos for authenticating the client computers that connect to the VM. As part of the configuration, you set up the Hyper-V/VMware Host as the reliable time source for the Virtual Machine, using the built-in time sync options of the virtualization product, and you also configure the Host to sync its own time from an external NTP Server.

In the above scenario, since the application does not provide time sync functionality, we configure the VM to synchronize the time from the Host, and Host is configured to sync time from an external time source. That’s all perfectly fine.

On the other hand, for a Virtual Domain Controller it is not necessary to configure a reliable time source, because Domain Controllers already know where to sync time from (by querying DNS and using the default Windows Time configuration). This is how Active Directory was designed to deal with time sync. If the Hyper-V/VMware Host is configured as the reliable time source for Virtual Domain Controllers, consider the following business/technical challenges:

  • If the Windows Time Service crashes on the Virtualization Host, the Virtual Domain Controllers that depend on it will drift out of sync, resulting in replication errors, client logon failures, and so on.
  • You must also ensure, and monitor, that the Virtualization Host itself is able to sync time with its reliable time source (the NTP Server) in a timely manner. Maintaining a time source for the Virtualization Host is an additional administrative overhead.
  • Configuring the Host as the reliable time source for critical business services requires that the setup be properly documented and easy to recover after a disaster. SMBs may not be able to do this as thoroughly as large organizations.

The Virtualization Host acts as the time provider for the Virtual Machines running on it regardless of what is running inside each Virtual Machine. The host time sync option is designed for applications that have no idea how to sync time or where to sync it from.

So in a nutshell, for Virtual Domain Controllers we have both options available (configuring the Virtualization Host as the time source, or letting Active Directory manage it), but considering the challenges/risks highlighted above it is recommended that we let Active Directory manage time sync for Virtual Domain Controllers.
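To check which of the two options a Virtual Domain Controller is actually using, here is an added example (my own script, not part of the original post) that reports the current Windows Time source and sync type inside the guest DC and, optionally, points it back at the domain hierarchy. It assumes an elevated PowerShell session on the guest, that w32tm.exe is available, and that the VM name 'DC01' in the host-side comment is a placeholder.

```powershell
# Added example (not code from the original post). Run inside a virtual
# domain controller to see whether its clock follows the domain hierarchy,
# as the post recommends, or is being driven by the hypervisor.
# Assumes an elevated session on the guest DC and that w32tm.exe exists.

$w32timeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$vmicProvider  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Get-VirtualDcTimeSyncReport {
    # Source the Windows Time service is using right now: for a DC that
    # follows the domain hierarchy this is a partner DC's FQDN.
    $source   = (w32tm /query /source 2>&1 | Out-String).Trim()
    # NT5DS = domain hierarchy, NTP = manual peer list, NoSync = nothing.
    $syncType = (Get-ItemProperty $w32timeParams).Type
    # Hyper-V's in-guest time provider. VMware Tools time sync is not
    # visible here; check the VM's tools.syncTime advanced setting on the host.
    $vmic   = Get-ItemProperty $vmicProvider -ErrorAction SilentlyContinue
    $vmicOn = ($null -ne $vmic) -and ($vmic.Enabled -eq 1)

    # Sources that mean "not the domain hierarchy". The forest-root PDC
    # emulator is the one legitimate exception: it should use external NTP.
    $nonDomainSources = 'VM IC Time Synchronization Provider',
                        'Local CMOS Clock',
                        'Free-running System Clock'
    $nonDomainHit = $nonDomainSources | Where-Object { $source -like "$_*" }
    $followsHierarchy = ($syncType -eq 'NT5DS') -and (-not $nonDomainHit)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        CurrentSource          = $source
        SyncType               = $syncType
        HyperVProviderEnabled  = $vmicOn
        FollowsDomainHierarchy = $followsHierarchy
    }
}

function Set-VirtualDcDomainHierarchyTimeSync {
    # Put the guest DC back on the domain hierarchy, stop the Hyper-V
    # provider from overriding it, and force a resync.
    if (Test-Path $vmicProvider) { Set-ItemProperty $vmicProvider -Name Enabled -Value 0 }
    w32tm /config /syncfromflags:domhier /update | Out-Null
    w32tm /resync /nowait | Out-Null
}

# Host-side equivalent on Hyper-V (run on the host, 'DC01' is a placeholder):
#   Get-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
#   Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'

Get-VirtualDcTimeSyncReport | Format-List
```

Run the report first; only call Set-VirtualDcDomainHierarchyTimeSync on a DC that is not the forest-root PDC emulator, since that one is expected to sync from an external NTP source rather than the hierarchy.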