Design considerations for Virtual Machine Time Synchronization

  By , ,
Share this:

 

Here are some guidelines and considerations related to time synchronization for your Virtual Machines design. It seems to be a simple topic and covered well online, however I think it deserves a better attention as I’ve seen  huge complications in some environments caused by misunderstanding and miss-configuration.

Design Decision:

Do not use VMware tools synchronization, instead use guest time synchronization mechanisms.

Justification:

Using in-­guest timekeeping mechanisms is especially significant for Windows virtual machines which are members of an Active Directory domain because the authentication protocol used by Active Directory, Kerberos, is time sensitive for security reasons. The Windows Domain NTP server should be configured to get its time from an external time source server.

Guests in general should be configured to get their time from AD domain controllers. If not possible then the guests should be configured to use an external NTP source. If this is not practical from a security perspective (exp: you cannot open firewall ports to an external source), then synchronization with host can be an alternative.

Another supporting reason for avoiding VMware tools synchronization is the possible problem caused by excessive CPU overcommitment which can lead to a timekeeping drift at un-correctable rates by the guests.

Implications:

All templates will need to be pre­configured to use an NTP source within the guest OS and the existing VMs will need to be updated to use the same NTP source.

Important notes:

Pay special attention to Domain Controllers and other time sensitive applications, where it is advised to disable time synchronization completely, by adding these lines to the .vmx file of the particular VMs:

tools.syncTime = “FALSE”
time.synchronize.continue = “FALSE”
time.synchronize.restore = “FALSE”
time.synchronize.resume.disk = “FALSE”
time.synchronize.shrink = “FALSE”
time.synchronize.tools.startup = “FALSE”

Update: A related host design decision that should be considered is using same NTP source for the all ESXi host servers themselves, so you won’t be facing issues in case of VMs miss-configuration.

The following two tabs change content below.
My Twitter profileMy Facebook profileMy Google+ profileMy LinkedIn profile

Aylin Sali

Virtualization Engineer at Stealth mode Startup
Aylin Sali is a virtualization and cloud enthusiast, with 10 years of IT experience. During his past 7 years with IBM he focused on combining virtualization with LEAN thinking Six Sigma techniques for service improvement. Aylin is a vExpert 2014 and holds several industry respected certifications such as VMware VCAP5 DCA & DCD, ITIL v3, NetApp NCDA, Microsoft MCITP.
My Twitter profileMy Facebook profileMy Google+ profileMy LinkedIn profile

Latest posts by Aylin Sali (see all)

About Aylin Sali

Aylin Sali is a virtualization and cloud enthusiast, with 10 years of IT experience. During his past 7 years with IBM he focused on combining virtualization with LEAN thinking Six Sigma techniques for service improvement. Aylin is a vExpert 2014 and holds several industry respected certifications such as VMware VCAP5 DCA & DCD, ITIL v3, NetApp NCDA, Microsoft MCITP.
Tagged  , , , , .
Bookmark the permalink.

2 Comments

  1. Dusan
    August 22, 2014 at 8:56 am

    I would also highlight importance of using same NTP source for the all ESXi host servers themselves, so you won’t be facing issues in case of VMs missconfiguration

    Reply
    • Aylin Sali
      August 22, 2014 at 10:35 am

      Thanks for your comment Dusan. I agree with that, the reason I did not mention it is because I wanted to keep the article focused on timekeeping for VMs. I updated the post highlighting the recommendation, just to avoid any misunderstanding.

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.