I came into work today to find my Domain Controller (DC) in chaos. The Primary Domain Controller (PDCe) had inexplicably set its clock six months into the future, and I really want to get to the bottom of this. It's running a Server Core instance of Windows Server 2022 on a clustered Hyper-V hypervisor, and I had time sync disabled in the VM settings. Event logs suggest the time change happened because the system time was synchronized with the hardware clock. I was under the impression that when time sync is off, it wouldn't sync with the hardware clock. The DC was built in 2022 and hasn't had issues until now. Any thoughts on what might have triggered this?
6 Answers
You actually need time sync enabled in your VM's settings for it to get a proper hardware clock sync during boot. However, remember to disable the Hyper-V time sync service inside your Windows VM so it doesn't mess with ongoing syncs. Check this Reddit link for further clarification: https://www.reddit.com/r/sysadmin/comments/l4o3c9/comment/gkptb2e/
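An added example (not from the answer above, and not Microsoft's or the Reddit poster's code) showing how to check and apply what this answer describes: the integration service on the host side, and the VMIC provider registry switch on the guest side. The VM name DC01 is an assumption; everything else is the standard Hyper-V and W32Time tooling.

```powershell
# Added example. Assumed name (not in the original post): the DC VM is called DC01.
# Part 1 runs on the cluster node that currently owns the VM; part 2 runs inside the guest.

# --- Part 1: Hyper-V host ----------------------------------------------------
$vmName = 'DC01'   # assumed

# Is the "Time Synchronization" integration service on for this VM?
Get-VMIntegrationService -VMName $vmName -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled, PrimaryStatusDescription

# The answer above says boot/resume clock correction needs this enabled.
Enable-VMIntegrationService -VMName $vmName -Name 'Time Synchronization'

# The host hands its own clock to the guest, so the host must be right as well.
w32tm /query /status
w32tm /query /source

# --- Part 2: inside the guest (the DC) --------------------------------------
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

# Enabled = 1 means W32Time keeps treating the Hyper-V provider as an ongoing time source.
Get-ItemProperty -Path $vmic -Name Enabled

# Set it to 0: the integration service still corrects the clock at boot/resume,
# but the provider no longer competes with the NTP peers afterwards.
Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord
Restart-Service -Name w32time

# Confirm the reported source is an NTP peer and not "VM IC Time Synchronization Provider".
w32tm /query /source
w32tm /query /configuration
```

After the restart, `w32tm /query /configuration` should list VMICTimeProvider with Enabled: 0 while the NTP client provider stays enabled; if `/query /source` still names the VM IC provider, the service picked up the old value and needs another restart.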
Don't forget that VMs rely on the hypervisor's clock when they are suspended and resumed. Make sure all your hypervisors have the correct time; if one is off, it could affect your DC.
When you bring a VM out of a pause state (like when you create a snapshot or do a vMotion), it can sync its time with the VM host. To avoid this, ensure that your VM host and the PDCe sync time from a reliable NTP source. That should help prevent your time slip issues.
Just be cautious about suspending DCs or taking snapshots, as that can lead to time sync problems.
It’s usually good to sync with the host, so consider that for peace of mind. Sometimes issues arise from unnecessary complexities in time settings.
Your issue might be related to something called secure time seeding. Windows Server has specific behaviors regarding time sync. Check this detailed guide for more info: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/client-clock-reverts-to-previous-time.
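An added example (not part of the answer above, and not from the linked Microsoft page) of how to find out what actually moved the clock and how to check the Secure Time Seeding switch the answer refers to. It assumes you run it inside the guest as an administrator and that Kernel-General event 1 carries its EventData in the order NewTime, OldTime, Reason; confirm that with one event's XML if your build differs.

```powershell
# Added example. Run inside the DC guest as an administrator.
# Assumption (not in the original post): Kernel-General event 1 EventData order is
# NewTime, OldTime, Reason. Check with: (Get-WinEvent ... | Select-Object -First 1).ToXml()

# Every system clock change is logged as Microsoft-Windows-Kernel-General event 1
# ("The system time has changed to <new> from <old>") with a reason, which is where
# text such as "synchronized with the hardware clock" comes from.
$changes = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1
    } -MaxEvents 50 |
    ForEach-Object {
        $new = [datetime]$_.Properties[0].Value
        $old = [datetime]$_.Properties[1].Value
        [pscustomobject]@{
            Logged   = $_.TimeCreated
            OldTime  = $old
            NewTime  = $new
            JumpDays = [math]::Round(($new - $old).TotalDays, 2)
            Reason   = $_.Properties[2].Value   # assumed position, see note above
        }
    }

# A six-month jump shows as JumpDays around 180; anything beyond a few seconds deserves a look.
$changes | Where-Object { [math]::Abs($_.JumpDays) -gt 1 } | Format-Table -AutoSize

# W32Time's own events around the same timestamps tell you which provider supplied the sample.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'
    } -MaxEvents 30 | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Secure Time Seeding: W32Time builds a time estimate from SSL/TLS handshake data and
# may move the clock when it believes the system time is far off.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Get-ItemProperty -Path $cfg -Name UtilizeSslTimeData   # 1 = enabled (default), 0 = disabled

# Disable it (the linked Microsoft page is the authority for this procedure).
Set-ItemProperty -Path $cfg -Name UtilizeSslTimeData -Value 0 -Type DWord
w32tm /config /update
Restart-Service -Name w32time
w32tm /resync
```

Read the Kernel-General events first: the Reason field tells you whether it was the hardware clock, an application, or the time service, which decides whether the Hyper-V side or the W32Time side needs changing.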
I've experienced this before, and the fix is straightforward: stop relying on your PDC as the sole time source. Make sure all your Domain Controllers and clients point to internal NTP servers instead. This way, you only have one time source to avoid discrepancies.
Although it's important to sync both host and VM, avoid periodic time sync functions on domain-joined VMs. They should rely solely on NTP for accuracy.
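The two answers above describe a single NTP hierarchy without a circular dependency between the DCs and the hosts. Here is an added example of the standard W32Time configuration for that (not the answerers' code, and not Microsoft's); ntp1.example.com, ntp2.example.com, the host name HV01 and the domain corp.example.com are placeholders you would replace.

```powershell
# Added example. Assumed names (not in the original post): ntp1/ntp2.example.com are
# your reliable NTP sources, HV01 is a Hyper-V node, corp.example.com is the AD domain.

# --- PDC emulator: the only domain machine that syncs from outside the domain ----
# 0x8 = client mode; /reliable:yes advertises this DC as a good time source.
w32tm /config /manualpeerlist:"ntp1.example.com,0x8 ntp2.example.com,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync
w32tm /query /status        # Source should name ntp1/ntp2, stratum one below the peer

# --- Every other DC and domain member: follow the domain hierarchy ----------
w32tm /config /syncfromflags:domhier /reliable:no /update
w32tm /resync
w32tm /query /source        # should name a DC, not "Local CMOS Clock" or a VM IC provider

# --- Hyper-V hosts: use the same external peers ----------------------------
# If the hosts follow the domain hierarchy they end up syncing from a DC that is
# itself a VM on those hosts; manual external peers break that loop and give a
# resumed VM a correct clock. Run on each node.
w32tm /config /manualpeerlist:"ntp1.example.com,0x8 ntp2.example.com,0x8" /syncfromflags:manual /update
w32tm /resync

# --- Verification -----------------------------------------------------------
# Offset of every DC in the domain relative to each other and to the PDCe's source.
w32tm /monitor /domain:corp.example.com
# Offset of this machine against a host or peer, five samples, numbers only.
w32tm /stripchart /computer:HV01 /samples:5 /dataonly
```

`w32tm /monitor` is the quick way to catch a drifting member: every DC should show a small offset against the PDCe, and the PDCe itself should show a small offset against its external peers in `w32tm /stripchart`.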