Synchronizing ESXi/ESX time with a Microsoft Domain Controller

Article ID: 313888


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
An ESXi/ESX host configured to use a Microsoft Windows 2003 or newer Domain Controller as a time source never synchronizes its clock with a default configuration.

Environment

VMware ESX 4.1.x
VMware ESX Server 1.x
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 7.0.0
VMware vSphere 7.0.x
VMware ESX Server 2.1.x
VMware ESX Server 2.5.x
VMware vSphere ESXi 5.1
VMware vSphere ESXi 6.7
VMware ESXi 4.1.x Installable
VMware vSphere ESXi 5.5
VMware ESX Server 3.5.x
VMware ESX Server 1.5.x
VMware ESX Server 2.0.x
VMware vSphere ESXi 5.0
VMware ESX Server 3.0.x
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5

Resolution

Workaround

If you are using ESXi/ESX 4.1 Update 1 or later, you can use this workaround:

When using Active Directory integration in ESXi/ESX 4.1 and newer, it is important to synchronize time between ESXi/ESX and the directory service to facilitate the Kerberos security protocol.

Leave the default settings when ESXi is joined to the domain and do not configure NTP separately. If you want to use NTP, the Active Directory server must itself be configured to use a reliable time source (NTP).

ESXi/ESX supports synchronization of time with an external NTPv3 or NTPv4 server compliant with RFC 5905 and RFC 1305. Microsoft Windows 2003 and newer use the W32Time service to synchronize time for Windows clients and to support the Kerberos v5 protocol. For more information, see the Microsoft Knowledge Base article 939322 and How the Windows Time Service Works.

By default, an unsynchronized Windows server chooses a 10-second root dispersion and adds to the dispersion on each poll interval that it remains in sync. An ESXi/ESX host, by default, does not accept any NTP reply whose root dispersion is greater than 1.5 seconds.

The preceding links were correct as of April 16, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.
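The rejection described above can be reproduced offline. The following Python script is an added example and is not part of the KB article: it parses the 48-byte NTP header from RFC 5905, computes the root distance from the root delay and root dispersion fields, and applies the same fitness test ntpd uses against its `tos maxdist` limit (1.5 seconds by default, 30 seconds after the workaround in this article). The distance formula is the simplified one (root delay divided by two plus root dispersion); the local contribution from peer jitter and accumulated dispersion is ignored here, which is an assumption of the example. The two packets are constructed, not captured traffic: one from a disciplined server, and one mimicking the 10-second dispersion the article attributes to an unsynchronized Windows server.

```python
"""Parse NTP replies and apply ntpd's 'maxdist' fitness test (simplified).

Added example, not from the KB article or from ntpd. The root distance here
is root_delay/2 + root_dispersion only; ntpd also adds local peer jitter and
dispersion, which this example deliberately ignores.
"""
import socket
import struct
import time

NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")   # 48-byte header, network byte order
NTP_EPOCH_OFFSET = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
DEFAULT_MAXDIST = 1.5                         # ntpd default 'tos maxdist' in seconds


def ntp_short_to_seconds(value):
    """NTP short format: 16-bit seconds, 16-bit fraction."""
    return value / 65536.0


def parse_ntp_reply(packet):
    """Return the RFC 5905 header fields of an NTP packet as a dict."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("packet too short for an NTP header")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp,
     ref_id, ref_ts, orig_ts, recv_ts, xmit_ts) = NTP_HEADER.unpack_from(packet)
    return {
        "leap": li_vn_mode >> 6,             # 3 = clock unsynchronized
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,            # 4 = server reply
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": ntp_short_to_seconds(root_delay),
        "root_dispersion": ntp_short_to_seconds(root_disp),
        "ref_id": ref_id,
        "transmit_time": (xmit_ts >> 32) - NTP_EPOCH_OFFSET
                         + (xmit_ts & 0xFFFFFFFF) / 2 ** 32,
    }


def root_distance(fields):
    """Simplified synchronization distance (assumption: no local contribution)."""
    return fields["root_delay"] / 2.0 + fields["root_dispersion"]


def evaluate_reply(packet, maxdist=DEFAULT_MAXDIST):
    """Return (accepted, reason) for a server reply under the given maxdist."""
    f = parse_ntp_reply(packet)
    if f["mode"] not in (4, 5):                       # server or broadcast only
        return False, "not a server reply (mode %d)" % f["mode"]
    if f["leap"] == 3 or f["stratum"] == 0 or f["stratum"] >= 16:
        return False, "server reports itself unsynchronized"
    dist = root_distance(f)
    if dist >= maxdist:
        return False, "root distance %.3f s exceeds maxdist %.1f s" % (dist, maxdist)
    return True, "root distance %.3f s within maxdist %.1f s" % (dist, maxdist)


def build_reply(leap, stratum, root_delay_s, root_disp_s):
    """Construct an NTPv4 server-mode reply for offline testing."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    now = int(time.time()) + NTP_EPOCH_OFFSET
    ts = now << 32                                    # 64-bit NTP timestamp, zero fraction
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20,
                           int(root_delay_s * 65536), int(root_disp_s * 65536),
                           b"GPS\x00", ts, 0, ts, ts)


# Constructed samples (not captured traffic): a disciplined stratum-2 server,
# and a server reporting the 10-second dispersion described in the article.
HEALTHY_REPLY = build_reply(leap=0, stratum=2, root_delay_s=0.020, root_disp_s=0.030)
WINDOWS_UNSYNCED_REPLY = build_reply(leap=0, stratum=2, root_delay_s=0.0, root_disp_s=10.0)


def query_server(host, port=123, timeout=2.0):
    """Optional live check: send a client-mode request and return the raw reply."""
    request = bytearray(48)
    request[0] = (4 << 3) | 3                         # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(bytes(request), (host, port))
        data, _ = s.recvfrom(512)
    return data


if __name__ == "__main__":
    for name, pkt in (("healthy", HEALTHY_REPLY), ("windows-unsynced", WINDOWS_UNSYNCED_REPLY)):
        print(name, evaluate_reply(pkt))              # default maxdist 1.5
        print(name, evaluate_reply(pkt, maxdist=30))  # after 'tos maxdist 30'
```

Run against a real domain controller with `evaluate_reply(query_server("dc01.example.local"))` (hypothetical host name) to see whether its reply would be accepted at the default limit before relaxing `tos maxdist`; a large root dispersion in the reply points at the Windows server's own upstream configuration rather than at the ESXi host.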

Configure Windows NTP Client

ESXi/ESX requires an accurate time source to synchronize with. To use a Windows 2003 or newer server, it should be configured to get its time from an accurate upstream NTP server. For more information, see the Microsoft Knowledge Base article 816042.

The preceding link was correct as of April 16, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.

Use the registry editor on the Windows server to make the configuration changes:

Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine.
 
  1. Enable NTP mode:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. Set the Type value to NTP.
  2. Enable the NTP Client:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    2. Set the AnnounceFlags value to 5.
  3. Specify the upstream NTP servers to sync from:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
    2. Set the NtpServer value to a list of at least 3 NTP servers.

      Example: You might set the value to:

      1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 3.pool.ntp.org,0x1

      Note: On a Windows 2008 Domain Controller, NtpServer is located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
  4. Specify a 15-minute update interval:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    2. Set the SpecialPollInterval value to 900.
  5. Restart the W32time service for the changes to take effect.
 

Configure ESXi/ESX NTP and Likewise Clients

vSphere Client
 
Configure ESXi/ESX to synchronize time with the Windows server Active Directory Domain Controller:
 
  1. Connect to the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Click the ESXi/ESX host in the inventory.
  3. Click the Configuration tab.
  4. Under the Software heading, click Time Configuration.
  5. Click Properties.
  6. Ensure that the NTP Client Enabled option is selected.
  7. Click Options.
  8. Click NTP Settings.
  9. Click Add and specify the fully qualified domain name or IP address of the Windows server Domain Controller(s).
  10. Click OK.
  11. Click OK to save the changes.
 
vSphere Web Client
  1. Log in to the vSphere Web Client with administrator credentials.
  2. Click on Hosts and Clusters.
  3. Select the ESXi host from the list.
  4. Click Manage > Settings.
  5. Expand System and select Time Configurations.
  6. Click Edit.
  7. Enter the Windows server Domain Controller(s) information.
Additional configuration must be done from the command line.

ESX/ESXi 4.x and 5.x
  1. Open a console to the ESXi/ESX host. For more information, see Connecting to an ESX host using a SSH client (1019852) or Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910).
     
  2. Open the /etc/ntp.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
     
  3. Add the tos maxdist command on its own line:

    tos maxdist 30
     
  4. Save and close the configuration file.
     
  5. Make the /etc/likewise/lsassd.conf file writable by running the command:

    chmod +w /etc/likewise/lsassd.conf
     
  6. Open the /etc/likewise/lsassd.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
     
  7. Locate the sync-system-time option, uncomment it, and set the value to no:

    sync-system-time = no
     
  8. Save and close the configuration file.
     
  9. On ESXi, save the configuration changes to the boot bank so they persist across reboots by running the command:

    /sbin/auto-backup.sh
     
  10. Restart the ntpd and lsassd services for the configuration changes to take effect by running the commands:

    service lsassd restart
    service ntpd restart


    Note: To restart the ntpd and lsassd services on an ESXi host, run these commands:

    /etc/init.d/lsassd restart
    /etc/init.d/ntpd restart

     
If the ntpd and lsassd services do not restart, consider restarting the management agents first. For more information about restarting the management agents, see Restarting the Management agents on an ESX or ESXi Server (1003490).
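Steps 3 and 7 of the ESX/ESXi 4.x and 5.x procedure above are plain text edits, and they are easy to apply twice or to leave half-done. The following Python script is an added example, not VMware's code: it makes both edits idempotently, operating on the file text so the logic can be checked offline, and only rewrites a file (keeping a `.bak` copy) when its content actually changes. It assumes the article's paths `/etc/ntp.conf` and `/etc/likewise/lsassd.conf`, and that `lsassd.conf` has already been made writable with `chmod +w` as in step 5. The sample file contents are constructed for the demonstration. It does not apply to ESXi 7.0 U3 and later, where the article notes the NTP configuration files can no longer be edited directly.

```python
"""Apply 'tos maxdist 30' to ntp.conf and 'sync-system-time = no' to
lsassd.conf idempotently. Added example, not VMware's code; it operates on
file text so the transforms can be tested without touching a host."""
import re
import shutil
import sys

# Paths as named in the KB article for ESX/ESXi 4.x and 5.x.
NTP_CONF = "/etc/ntp.conf"
LSASSD_CONF = "/etc/likewise/lsassd.conf"


def set_tos_maxdist(ntp_conf_text, maxdist=30):
    """Return ntp.conf text with 'tos maxdist <maxdist>' present exactly once.

    An existing 'tos' line keeps its other options (for example 'orphan 5');
    only the maxdist value is rewritten. If no maxdist directive exists, one
    is appended on its own line as the article instructs."""
    out, found = [], False
    for line in ntp_conf_text.splitlines():
        if re.match(r"^\s*tos\b.*\bmaxdist\b", line):
            if found:
                continue            # drop a duplicate maxdist directive
            line = re.sub(r"^(\s*tos\b.*?\bmaxdist\s+)\S+",
                          lambda m: m.group(1) + str(maxdist), line)
            found = True
        out.append(line)
    if not found:
        out.append("tos maxdist %d" % maxdist)
    return "\n".join(out) + "\n"


def set_sync_system_time(lsassd_conf_text, value="no"):
    """Uncomment the sync-system-time option and set it to `value`.

    Raises ValueError if the option is absent: the article says to locate the
    existing (commented) entry, so its section is not guessed here."""
    pattern = re.compile(r"^[ \t]*#?[ \t]*sync-system-time[ \t]*=.*$", re.MULTILINE)
    new_text, count = pattern.subn("sync-system-time = %s" % value, lsassd_conf_text)
    if count == 0:
        raise ValueError("sync-system-time option not found in lsassd.conf")
    return new_text


def update_file(path, transform):
    """Rewrite `path` via `transform`, keeping a .bak copy; return True if changed."""
    with open(path) as fh:
        original = fh.read()
    updated = transform(original)
    if updated == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w") as fh:
        fh.write(updated)
    return True


# Constructed sample contents (not copied from a real host).
SAMPLE_NTP_CONF = (
    "restrict default kod nomodify notrap nopeer\n"
    "restrict 127.0.0.1\n"
    "server dc01.example.local\n"
    "driftfile /etc/ntp.drift\n"
)
SAMPLE_LSASSD_CONF = (
    "[lsass]\n"
    "# sync-system-time = yes\n"
    "log-level = error\n"
)


if __name__ == "__main__":
    ntp_path = sys.argv[1] if len(sys.argv) > 1 else NTP_CONF
    lsassd_path = sys.argv[2] if len(sys.argv) > 2 else LSASSD_CONF
    changed = (update_file(ntp_path, set_tos_maxdist),
               update_file(lsassd_path, set_sync_system_time))
    print("ntp.conf changed: %s, lsassd.conf changed: %s" % changed)
    # Remaining steps from the article: run /sbin/auto-backup.sh on ESXi so the
    # change persists, then restart the lsassd and ntpd services.
```

Running it with no arguments edits the two files named in the article; passing two paths lets you dry-run it against copies first. The return values of `update_file` tell you whether anything was actually modified, which is useful when the script is re-run after a reboot to confirm the settings survived.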
 
ESXi 6.x, 7.0.1, and 7.0.2
  1. Connect to the ESXi host using an SSH session. For more information, see Using ESXi Shell in ESXi 5.x and 6.0 (2004746).
  2. Open the /etc/ntp.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
     
  3. Add the tos maxdist command on its own line:

    tos maxdist 30
     
  4. Save and close the configuration file.
  5. Run this command to access the likewise shell:

    /usr/lib/vmware/likewise/bin/lwregshell

    Note: If the command fails with the error:

    lwregshell (error = 40700 - LWREG_ERROR_NO_SUCH_KEY_OR_VALUE)

    Run this command to start the likewise service and then run the command to access the likewise shell:

    /etc/init.d/lwsmd start
     
  6. Navigate to the HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory directory with this command:

    cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
     
  7. Run this command to change the synchronization time:

    set_value SyncSystemTime 0
     
  8. Exit the shell by typing quit and pressing Enter.
  9. Refresh the lsass service with this command:

    /usr/lib/vmware/likewise/bin/lwsm refresh lsass

    For example:

    /usr/lib/vmware/likewise/bin/lwsm refresh lsass

    Refreshing service: lsass

     
  10. To verify the changes to the registry key, run this command:

    /usr/lib/vmware/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]"

ESXi 7.0.3 and later
  See vSphere ESXi 7.0 U3 and later versions NTP configuration steps loading a text file containing NTP configuration commands (87488).


Once the configuration changes are complete, ensure that the time is synchronized between the ESXi/ESX host and the Windows server. For more information, see Troubleshooting NTP on ESX and ESXi (1005092).

Additional Information

vSphere ESXi 7.0 U3 and later versions configuration files for NTP and PTP can no longer be edited (87176)
Restarting the Management agents in ESXi
Troubleshooting NTP on ESX and ESXi 4.x / 5.x / 6.x
Editing configuration files in VMware ESXi and ESX
Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.x
Connecting to an ESX host using an SSH client
Installing and Configuring NTP on an ESX host
Using ESXi Shell in ESXi 5.x and 6.x