How can you configure the NTP setting on the Service Console
Time and virtual machines are not always a good marriage. The time in a virtual machine (VM) can fall behind, because the CPU cycles are divided over the VMs running on an ESX server.
You may have several ways to ensure that the time within a VM keeps running pretty well: using the VMware tools, or using a different timing mechanism. This article is about the first option: timing using the VMware tools.
If you use VMware tools timing, it is important that the time in the Service Console is accurate. This can be achieved by configuring NTP. Additionally, you have to ensure the timing option within the VMware tools is set to on (Checked). As well, it is important to only have one synchronization mechanism per VM to configure, more on this shortly.
Setting timing within the Service Console (+ VMs) consists of five steps:
- Configure the correct time zone within the Service Console
- Configure NTP daemon
- Firewall disabling (Only ESX3)
- Start NTP daemon
- Time synchronization for the VMs
These five steps will be described in detail below:
Step 1: Configure the correct time zone within the Service Console
If you have setup the timezone correctly when setting up your VMware ESX then you can safely skip this step. If you are not sure you can confirm by checking the content of /etc/sysconfig/clock and make sure it contains the following lines with your correct zone:
Zone=”Europe/Amsterdam”
UTC=true
ARC=false
If that mach then you can safely skip this step else you have to proceed with it.
Setting the time zone is as follows:
cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
This ensures that the correct time zone is set.
After that make sure the contents of /etc/sysconfig/clock contains the following lines:
Zone=”Europe/Amsterdam”
UTC=true
ARC=false
Note: This assumed that the hardware clock UTC used, if this is not the case then use UTC = false. As well It assumes that Amsterdam is the desired time Zone.
Step 2: NTP daemon configure
Please note in the following configuration we assummed your Time servers are as follow. Please replace these where ever founded with your NTP Server IPs or name (in many cases its the same as of your domain controllers):
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
The NTP daemon can be configured as follows:
Ensure the contents of /etc/ntp.conf should contain the following lines:
restrict default kod nomodify notrap
restrict 127.0.0.1
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
driftfile /var/lib/ntp/drift
The following images show an image of the ntp.conf file after the lines inserted in it. Please note the inserted lines in red.
The contents of /etc/ntp/step-tickers should look like this:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
This step-tickers file is used by the program ntpdate. This synchronizes the time for the first time as the ntpd is started or restarted.
Also for NTP servers fill your own choosing.
Step 3: Firewall disabling (ESX 3.x)
Open the NTP Port through the firewall, so the NTP server can be reached:
esxcfg-firewall –e ntpClient
By default, the outgoing port for ntp is blocked. You may also open this port through the graphical interface.
Step 4: NTP daemon start
The NTP daemon can be started now, in addition we should also establish that the NTP daemon will be started automaticly after reboots:
Start NTP daemon:
service ntpd start
Ensure that the next time the server boot up the NTP service will start automatically:
chkconfig –-level 345 ntpd on
If the clock in the Service Consile not synchronized with a time server. Now the Service console clock can be synchronized with the hardwareclock:
hwclock –-systohc
The time on the ESX server runs now!
If all is well, the time on the ESX server is correctly running and aswell the time is adjusted.
In addition, its a good idea that you check the time and get it to sync with the command “ntpq -p” and “ntpdate -q ntpserver.org” after you have been done.
Step 5: Synchronise time on the VMs
The timing of the VMs can be controller by putting the check for timing within VMware tools on. Plus, you must ensure that there is only one synchronisation mechanism active per VM! This means windows machines time service should be stopped if you are going to use VMware tools timing.
In the case of a Domain Controller time service can not be stopped, you would for the next option to choose:
It is possible to use third-party software to synchronize with an external source outside of a forest, and still use W32Time to securely distribute time within the forest. You can do this by disabling synchronization while leaving W32Time active on the server. To do this, stop W32Time and install the third-party software on the PDC emulator in the forest root. Then disable the third-party software’s ability to serve time by setting the value for the Type entry to “NoSync” in the registry, and then restart W32Time. (HKEY LOCAL MACHINESYSTEMCurrentControlSetServicesW32TimeParametersType) The domain will be securely synchronized to the PDC emulator’s clock, while the PDC emulator’s clock will be using the third-party software to synchronize with an accurate source outside of the forest. .
(Source: microsoft.com)
This way you can make a successful DC sync with VMware Tools. If you prefer for member servers to automatically synchronize with these DCs.
Enjoy the correct timing on your VMs :).
Please leave me comments on here if you need any further help, or if you have something to add.
Hi,
You are the man. Your step by step guide worked from the first try. Keep up the good work. Thanks a lot.
Yours,
John
Hi there Wow what a fantastic article about Ntp Server! Your keen insight into Ntp Server is informative and creative. I look forward to reading other articles you have. Thanks.
Do you know what would be the time zone for US East Coast. I tried putting ZONE=”America/New_York” but I am still showing CA time :((
Hi, I have configured on the same way, but there is problem with the time in Virtual machines.
I have Virtual machines running RHEL 5, I have synchronized the time through vmware-toolbox , It get synchronize at the same moment but after 2,3 days the time becomes faster. Again I have to run vmware-toolbox to check the options but the in vmware tool properties Time Synchronization between Virtual Machines and ESX Server is always checked in. Also I checked from the ESX Server, Tools.synctime=True . ESX has correct time, It synchronized with NTP Server.
When I check out and Check in the same flag ( Time Synchronization between the virtual machine and ESX Server) from VMware Tool properties, It gets synchronized but again after few days the time becomes faster than ESX Server.
Hi Suja,
I would recommend two things:
1- Make sure that you have an updated version of VMware tools installed on these Redhat virtual machines.
2- Ensure you don’t have any other type of NTP/time synchronization enabled by RedHat in addition to the VMware tool synchronization. I am pretty sure Redhat has some method of time synchronization enabled in it & you might need to disable that.
Enjoy,
mrvirtualization
Hi mysza78,
I am not sure what the time zone for US East Coast in VMware ESX, but I can help you find it out by following the below instructions.
Find the desired time zone under the directory /usr/share/zoneinfo for example for US/Pacific you will find the file to be /usr/share/zoneinfo/US/Pacific for that you will use ZONE=”US/Pacific” as you see its nothing more than the path to the time file in the ESX server. If you follow these steps for your desired zone you should be in the right direction.
Enjoy,
mrvirtualization
Hello,
Thanks for the great article, I have a question about the time synchronization in the ESX farm.
MY esx farm are behind a firewall that’s totally restricted and no ESX server or any host on that zone allowed to access the internet. But, in the production network where we are setting are able to access the internet.
I would like to have a physical server running as an NTP Server on then production site, and configure the ESX server to pick the time from that server using port 123 only.
Is this ideal?
Thanks,
S.Hussain
Hi Hussain,
It should not be any problem to achieve that kind of setup. Actually few of my customers are using their Active Directory Domain controllers as their NTP Servers. DCs run NTP Service by default. You really don’t need any server connected to the internet to forbid your virtual machines from time slipping. You can just have one physical machine setup with the correct time and set it up as an NTP server. Then use the IP of that machine in the place of 0.pool.ntp.org. You just has to always ensure the time is correct on that NTP server that all. If you connect that server and make it synchronize with the internet well and good it will be more accurate, but even if you don’t time will not slip as it will always match your NTP Server. I hope that helps.
mrvirtualization,
Thanks for your reply, The pServer which I’m planning to use as an NTP Server is joined to the domain, which is totally virtualized AD Domain. So, in this case, this server by default will be it’s time from the DC, however if I configure that server with net time /setsntp:”0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org” and then point the ESX Hosts behind the firewall zone to the Windows NTP Server, and then change the VMTools Settings inside the VMs to Synchronize the time from Host.
Thanks,
S.Hussain