How can you configure the NTP setting on the Service Console
Time and virtual machines are not always a good marriage. The time in a virtual machine (VM) can fall behind, because the CPU cycles are divided over the VMs running on an ESX server.
You may have several ways to ensure that the time within a VM keeps running pretty well: using the VMware tools, or using a different timing mechanism. This article is about the first option: timing using the VMware tools.
If you use VMware tools timing, it is important that the time in the Service Console is accurate. This can be achieved by configuring NTP. Additionally, you have to ensure the timing option within the VMware tools is set to on (Checked). As well, it is important to only have one synchronization mechanism per VM to configure, more on this shortly.
Setting timing within the Service Console (+ VMs) consists of five steps:
- Configure the correct time zone within the Service Console
- Configure NTP daemon
- Firewall disabling (Only ESX3)
- Start NTP daemon
- Time synchronization for the VMs
These five steps will be described in detail below:
Step 1: Configure the correct time zone within the Service Console
If you have setup the timezone correctly when setting up your VMware ESX then you can safely skip this step. If you are not sure you can confirm by checking the content of /etc/sysconfig/clock and make sure it contains the following lines with your correct zone:
Zone=”Europe/Amsterdam”
UTC=true
ARC=false
If that mach then you can safely skip this step else you have to proceed with it.
Setting the time zone is as follows:
cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
This ensures that the correct time zone is set.
After that make sure the contents of /etc/sysconfig/clock contains the following lines:
Zone=”Europe/Amsterdam”
UTC=true
ARC=false
Note: This assumed that the hardware clock UTC used, if this is not the case then use UTC = false. As well It assumes that Amsterdam is the desired time Zone.
Step 2: NTP daemon configure
Please note in the following configuration we assummed your Time servers are as follow. Please replace these where ever founded with your NTP Server IPs or name (in many cases its the same as of your domain controllers):
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
The NTP daemon can be configured as follows:
Ensure the contents of /etc/ntp.conf should contain the following lines:
restrict default kod nomodify notrap
restrict 127.0.0.1
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
driftfile /var/lib/ntp/drift
The following images show an image of the ntp.conf file after the lines inserted in it. Please note the inserted lines in red.
The contents of /etc/ntp/step-tickers should look like this:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
This step-tickers file is used by the program ntpdate. This synchronizes the time for the first time as the ntpd is started or restarted.
Also for NTP servers fill your own choosing.
Step 3: Firewall disabling (ESX 3.x)
Open the NTP Port through the firewall, so the NTP server can be reached:
esxcfg-firewall –e ntpClient
By default, the outgoing port for ntp is blocked. You may also open this port through the graphical interface.
Step 4: NTP daemon start
The NTP daemon can be started now, in addition we should also establish that the NTP daemon will be started automaticly after reboots:
Start NTP daemon:
service ntpd start
Ensure that the next time the server boot up the NTP service will start automatically:
chkconfig –-level 345 ntpd on
If the clock in the Service Consile not synchronized with a time server. Now the Service console clock can be synchronized with the hardwareclock:
hwclock –-systohc
The time on the ESX server runs now!
If all is well, the time on the ESX server is correctly running and aswell the time is adjusted.
In addition, its a good idea that you check the time and get it to sync with the command “ntpq -p” and “ntpdate -q ntpserver.org” after you have been done.
Step 5: Synchronise time on the VMs
The timing of the VMs can be controller by putting the check for timing within VMware tools on. Plus, you must ensure that there is only one synchronisation mechanism active per VM! This means windows machines time service should be stopped if you are going to use VMware tools timing.
In the case of a Domain Controller time service can not be stopped, you would for the next option to choose:
It is possible to use third-party software to synchronize with an external source outside of a forest, and still use W32Time to securely distribute time within the forest. You can do this by disabling synchronization while leaving W32Time active on the server. To do this, stop W32Time and install the third-party software on the PDC emulator in the forest root. Then disable the third-party software’s ability to serve time by setting the value for the Type entry to “NoSync” in the registry, and then restart W32Time. (HKEY LOCAL MACHINESYSTEMCurrentControlSetServicesW32TimeParametersType) The domain will be securely synchronized to the PDC emulator’s clock, while the PDC emulator’s clock will be using the third-party software to synchronize with an accurate source outside of the forest. .
(Source: microsoft.com)
This way you can make a successful DC sync with VMware Tools. If you prefer for member servers to automatically synchronize with these DCs.
Enjoy the correct timing on your VMs :).
Please leave me comments on here if you need any further help, or if you have something to add.