Here are some guidelines and considerations related to time synchronization for your Virtual Machines design. It seems to be a simple topic that is covered well online; however, I think it deserves more attention, as I’ve seen huge complications in some environments caused by misunderstanding and misconfiguration.
Design Decision:
Do not use VMware Tools synchronization; instead, use guest time synchronization mechanisms.
Justification:
Using in-guest timekeeping mechanisms is especially significant for Windows virtual machines which are members of an Active Directory domain because the authentication protocol used by Active Directory, Kerberos, is time sensitive for security reasons. The Windows Domain NTP server should be configured to get its time from an external time source server.
Guests in general should be configured to get their time from AD domain controllers. If that is not possible, then the guests should be configured to use an external NTP source. If this is not practical from a security perspective (e.g., you cannot open firewall ports to an external source), then synchronization with the host can be an alternative.
Another supporting reason for avoiding VMware Tools synchronization is the possible problem caused by excessive CPU overcommitment, which can lead to timekeeping drift at rates the guests cannot correct.
Implications:
All templates will need to be preconfigured to use an NTP source within the guest OS and the existing VMs will need to be updated to use the same NTP source.
Important notes:
Pay special attention to Domain Controllers and other time sensitive applications, where it is advised to disable time synchronization completely, by adding these lines to the .vmx file of the particular VMs:
tools.syncTime = "FALSE"
time.synchronize.continue = "FALSE"
time.synchronize.restore = "FALSE"
time.synchronize.resume.disk = "FALSE"
time.synchronize.shrink = "FALSE"
time.synchronize.tools.startup = "FALSE"
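To confirm that a VM actually carries all six settings, the following added example (not part of the original post) audits the text of a .vmx file and reports each setting's state. The function name `audit_vmx` and the sample file are hypothetical, and comparing keys and values case-insensitively is an assumption.

```python
import re

# The six settings listed above; each must be "FALSE" to fully disable
# VMware Tools time synchronization for the VM.
REQUIRED = (
    "tools.syncTime",
    "time.synchronize.continue",
    "time.synchronize.restore",
    "time.synchronize.resume.disk",
    "time.synchronize.shrink",
    "time.synchronize.tools.startup",
)

# A .vmx entry has the form: key = "value", using plain ASCII double quotes.
ENTRY = re.compile(r'^\s*([^\s=#]+)\s*=\s*"(.*)"\s*$')
SMART_QUOTES = "\u201c\u201d"  # typographic quotes, often pasted from web pages

def audit_vmx(text):
    """Return {setting: status}; status is "ok", "missing", "enabled"
    (any value other than FALSE) or "malformed" (e.g. typographic quotes)."""
    status = {key.lower(): "missing" for key in REQUIRED}
    for line in text.splitlines():
        # Assumption: keys are compared case-insensitively.
        key = line.split("=", 1)[0].strip().lower()
        if key not in status:
            continue  # unrelated entry, or a commented-out line
        m = ENTRY.match(line)
        if m is None or any(q in line for q in SMART_QUOTES):
            status[key] = "malformed"
        elif m.group(2).strip().upper() == "FALSE":
            status[key] = "ok"
        else:
            status[key] = "enabled"
    return {key: status[key.lower()] for key in REQUIRED}

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''\
displayName = "dc01"
tools.syncTime = "FALSE"
time.synchronize.continue = "TRUE"
time.synchronize.restore = \u201cFALSE\u201d
time.synchronize.shrink = "false"
'''

if __name__ == "__main__":
    for key, state in audit_vmx(SAMPLE_VMX).items():
        print(f"{key:34} {state}")
```

Any result other than "ok" for a Domain Controller or other time-sensitive VM means the setting still needs to be added or corrected in its .vmx file.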
Update: A related host design decision that should be considered is using the same NTP source for all the ESXi host servers themselves, so you won’t face issues in case of VM misconfiguration.
Aylin Sali
- Design considerations for Virtual Machine Time Synchronization - August 20, 2014
I would also highlight the importance of using the same NTP source for all the ESXi host servers themselves, so you won’t be facing issues in case of VM misconfiguration.
Thanks for your comment Dusan. I agree with that, the reason I did not mention it is because I wanted to keep the article focused on timekeeping for VMs. I updated the post highlighting the recommendation, just to avoid any misunderstanding.