2

I understand that for production use, if you have a Hyper-V Domain Controller VM, and the host is on the domain as well, you should have the DC VM reach out to an external source for date/time, and then in turn other machines will sync up to that DC VM.

However, a colleague and I are trying to create a lab exercise, involving 3 Hyper-V VMs which are using an Internal-only VM network switch, so there's no communication with the outside world. There is one domain controller VM, and two other Windows Server VMs connected to the domain. The host itself is NOT on the domain that the VMs are on, and I don't want it to be. All the VMs and the host machine are using Server 2012 R2.

We intend to use the VMs for a clustering exercise, and for that, all VMs need to have synchronized times.

My colleague, who should be knowledgeable about VMs, claims that in order for time synchronization between all 3 VMs to work properly, the Host machine must be part of the domain used by the VM. I think my colleague is worried about the domain controller VM having one time, and the other two VMs pulling time from the hardware.

My question is, for our VMs to all have synchronized times to each other, should we:

A) enable time synchronization on all 3 virtual machines (in the Integration Services screen of the Hyper-V Manager)

B) enable time synchronization on only 1 or 2 virtual machines - if so which ones

C) disable time synchronization on all 3 virtual machines

If there's not a way to avoid time drift with my described scenario, some time drift is acceptable as long as all 3 VMs have the same amount of drift and are still all in sync for time with each other.

If I were to guess what I should do, based on browsing similar questions, I would say that I should disable the time synchronization on the DC VM, but enable it on the other two VMs. But in that case, are the other two VMs going to have their time synced to the host hardware time, or the DC VM time? I want the latter outcome, and definitely not the former.

Thanks for your help!

ravl13

3 Answers

2

> I should disable the time synchronization on the DC VM, but enable it on the other two VMs.

That is backwards. The most important thing is all of the member computers need to synchronize time with the domain controller, using domhier/NT5DS. Even if the time is not accurate.

Given that this is a test environment and you would never do this in production, you may configure the domain controller virtual to synchronize with the host, and all remaining virtuals synchronize with the domain controller using the usual and customary domhier/NT5DS configuration.

Alternatively, you could have a virtual configured as a dedicated router. There are multiple options, such as Windows/RRAS or VyOS.

Greg Askew

1

> My question is, for our VMs to all have synchronized times to each other, should we:
>
> A) enable time synchronization on all 3 virtual machines (in the Integration Services screen of the Hyper-V Manager)
>
> B) enable time synchronization on only 1 or 2 virtual machines - if so which ones
>
> C) disable time synchronization on all 3 virtual machines

I would recommend that you enable time sync for only the domain controller VM(s) via Hyper-V integration services. By default, the domain member systems will sync their time from the domain controller, which is the desired behavior.

The only thing that really matters in the described scenario is that the domain member VMs have time agreement with the domain controller to within five minutes (standard Kerberos consideration). The host isn't relevant, and doesn't need to be a part of the domain. Strictly speaking, you can go with option C (disabling time sync on all 3), but I suspect you'd like to have a reasonably accurate time. As long as the host is providing a time to the domain controller, the domain members will sync to the DC VM, and you'll get the desired outcome.

0

In your scenario it would be perfectly reasonable for the DC VM to have the Time Synchronization Integration Service enabled so that this VM syncs with the host. All other domain joined VMs should sync with the domain hierarchy (NT5DS), which is the default and requires no action on your part. You should disable the Time Synchronization Integration Service on these other domain joined VMs.

When a virtual machine starts up, it gets its initial time from the host, because VMs don't have real time clocks from which to get their initial time. Thereafter, VMs will sync time either with the host (if configured to do so), with the domain hierarchy (if joined to an AD domain), or with whatever other time source you configure them to sync with.

joeqwerty
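
The layout the answers above converge on (DC VM takes time from the host, member VMs take time from the domain hierarchy), written out as an added PowerShell example that is not part of any poster's answer. The VM names `LAB-DC01`, `LAB-NODE1`, `LAB-NODE2` and the DC host name `lab-dc01.lab.local` are assumed lab values, and the offset parsing assumes English `w32tm` output.

```powershell
# Added example. VM names and the DC host name are assumed lab values.

# Run on the Hyper-V host (elevated): only the DC VM takes time from the host.
function Set-LabHostTimeSync {
    param(
        [string]   $DcVm      = 'LAB-DC01',
        [string[]] $MemberVms = @('LAB-NODE1', 'LAB-NODE2')
    )
    $svc = 'Time Synchronization'   # name as listed under Integration Services
    Enable-VMIntegrationService  -VMName $DcVm      -Name $svc
    Disable-VMIntegrationService -VMName $MemberVms -Name $svc
    Get-VMIntegrationService -VMName (@($DcVm) + $MemberVms) -Name $svc |
        Select-Object VMName, Name, Enabled
}

# Run inside each member VM (elevated): sync from the domain hierarchy (NT5DS)
# and compare the offset from the DC with the five-minute Kerberos tolerance.
function Test-LabMemberTimeSkew {
    param(
        [string] $DcName         = 'lab-dc01.lab.local',
        [int]    $MaxSkewSeconds = 300
    )
    w32tm /config /syncfromflags:domhier /update | Out-Null
    w32tm /resync /rediscover | Out-Null
    $source = (w32tm /query /source | Out-String).Trim()

    # With /dataonly each sample line looks like "14:02:11, +00.0123456s"
    $offsets = w32tm /stripchart /computer:$DcName /samples:3 /dataonly |
        ForEach-Object {
            if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
        }
    if (-not $offsets) { throw "No time samples returned by $DcName" }

    $worst = ($offsets | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        TimeSource     = $source
        WorstOffsetSec = $worst
        WithinKerberos = $worst -le $MaxSkewSeconds
    }
}
```

A member VM whose `TimeSource` still reads `VM IC Time Synchronization Provider` is taking its time from the host rather than from the DC, which means the integration service is still enabled for that VM.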