When you deploy virtual servers on ESX and ESXi hosts you may notice that the time on those servers drifts. A guest operating system keeps time by counting ticks from virtual hardware, and the hypervisor cannot always deliver those ticks on schedule, so the guest clock runs fast or slow. We need a way to keep the clocks of our servers correct.
The Network Time Protocol (NTP) synchronises the clock of a client to a time server.
We have two methods available to keep the clocks of our guest servers correct. The first is to have the guests synchronise with the underlying host, so the first thing to do is make sure our hosts themselves have the right time.
1. SSH to the host and log in, either as root or by using su from a less privileged user. By default the NTP client is not allowed out through the service console firewall, so permit it with the command “esxcfg-firewall -e ntpClient“.
2. Now that we are logged in we can enable the ntpd service; this is the daemon that keeps the host clock in step with the NTP servers we specify. Enable it to run at startup with the command “/sbin/chkconfig ntpd on“, then configure it by editing /etc/ntp.conf.
3. Open the configuration file with our favourite text editor (vi, of course) using “vi /etc/ntp.conf” and press “i” to enter insert mode. Then enter the following into the file:
restrict 127.0.0.1
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
The “restrict 127.0.0.1″ line removes all restrictions for the loopback address, so that tools run on the host itself (ntpq, ntpdc) can query and control the daemon. On its own it does not restrict anyone else: a restrict line only applies to the address it names, and with no “restrict default” line ntpd will answer time requests and control queries from any host that can reach UDP port 123. To have the daemon serve time only, and refuse control queries, runtime reconfiguration and unsolicited peering from other hosts, add a “restrict default” line carrying the nomodify, notrap, nopeer and noquery flags above it. We then specify the servers we wish to synchronise with. You can find a list of public servers at http://www.ntp.org, or your ISP may offer a time server to use. The “server 127.127.1.0″ line defines the host’s own clock as a source, and “fudge 127.127.1.0 stratum 10″ gives it a deliberately poor stratum, so that the real servers are preferred whenever one is reachable and the local clock is used only as a fallback. Note that with this fallback in place the host keeps serving time to its guests even after it has lost every upstream server, so watch for that condition rather than assuming the time is still good. The “driftfile /var/lib/ntp/drift” line names the file in which ntpd records the measured frequency error of the local clock; after a restart it uses this value to converge faster. “broadcastdelay” sets the propagation delay assumed for broadcast and multicast servers; it has no effect on the unicast server lines above, and the default when no value is given is 0.004 seconds.
When we are done we press “Esc” to leave insert mode and type “:wq” (write, then quit) to save and exit the file.
4. We now need to start the ntpd service on our host. We do this with the command “/etc/init.d/ntpd start“. The service will start and begin to bring the host clock to the right time, which may take a while. Rather than jumping the clock to the correct time immediately, ntpd slews small offsets gradually, because a clock that jumps can upset applications that assume time only moves forward at a steady rate; a large offset (more than about 1000 seconds) it will not correct at all. We can, however, set the time immediately before starting ntpd with the command “ntpdate -u ntpserver” where ntpserver is a valid NTP server. In my case, I might use 0.uk.pool.ntp.org.
5. Now that our host(s) have the correct time we can set the guest server to use the host as its time source in VMware Tools. Open the VMware Tools dialogue box; on the first tab there is an option called “Time synchronization between the virtual machine and the ESX server.” Select it and the guest will take its time from the host. Choose one source per guest: a guest that synchronises with the host should not also run an NTP client pointed at external servers, or the two will pull its clock in different directions.
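As an added example, not part of the original post, here is a small shell script that writes an ntp.conf along the lines of step 3 but with the default restriction the post’s own configuration lacks, and audits a given ntp.conf for that restriction. The same file works for the Linux servers mentioned at the end of the post. It assumes ntpd 4.2 or later (for the kod flag and iburst); the server names, output paths and the sample configuration files are placeholders constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an ntp.conf that
# serves time to everyone but answers control queries only from localhost,
# and audits a config for the "restrict default" line the post's own
# configuration lacks.
# Assumptions: ntpd 4.2 or later (kod flag, iburst); server names and
# paths are placeholders.

# write_ntp_conf OUTFILE SERVER...
write_ntp_conf() {
    out=$1
    shift
    {
        # Policy for every address not matched by a later restrict line:
        # noquery  - do not answer ntpq/ntpdc (mode 6/7) control queries
        # nomodify - refuse runtime reconfiguration
        # notrap   - refuse trap (remote logging) requests
        # nopeer   - refuse unsolicited symmetric peering
        # kod      - send kiss-of-death packets to clients that poll too fast
        # Ordinary client time requests are still answered.
        echo "restrict default kod nomodify notrap nopeer noquery"
        # The host itself keeps full access so ntpq/ntpdc work locally.
        echo "restrict 127.0.0.1"
        for s in "$@"; do
            # iburst sends a burst of packets at startup for faster first sync.
            echo "server $s iburst"
        done
        # Local clock as a last-resort source at a deliberately poor stratum.
        echo "server 127.127.1.0"
        echo "fudge 127.127.1.0 stratum 10"
        # Measured frequency error is kept here so ntpd converges faster
        # after a restart.
        echo "driftfile /var/lib/ntp/drift"
    } > "$out"
}

# audit_ntp_conf FILE
# Exit status 0 if an uncommented "restrict default" line carrying the
# noquery flag is present, 1 otherwise.
audit_ntp_conf() {
    grep -Eq '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]+[^[:space:]]+)*[[:space:]]+noquery([[:space:]]|$)' "$1"
}

# --- demonstration on constructed files (not real host configuration) ---
WORK=$(mktemp -d)

# The post's step 3 configuration, reproduced so the audit has something to find.
cat > "$WORK/original.conf" <<'EOF'
restrict 127.0.0.1
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
EOF

write_ntp_conf "$WORK/hardened.conf" 0.uk.pool.ntp.org 1.uk.pool.ntp.org

for name in original hardened; do
    if audit_ntp_conf "$WORK/$name.conf"; then
        echo "$name.conf: control queries refused for every host except localhost"
    else
        echo "$name.conf: no 'restrict default' line; ntpd answers ntpq/ntpdc queries from any host"
    fi
done
```

On a real host, write the generated file to /etc/ntp.conf, restart ntpd, and confirm from the host itself with “ntpq -p” that the pool servers are being polled and one of them (not the local clock) is selected; from any other machine the same query should now time out.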
Our second method is to have the guest server use time servers directly. On Windows we can do this easily with w32tm.
1. For this method we do not need to give the host an accurate time source, so we can go straight to the guest. Start by determining which domain controller holds the PDC emulator FSMO role, with the command “netdom query fsmo“. Below is the result of running it on the domain controller we provisioned in the post Creating a Domain Controller.
Not surprisingly, the server we are on holds the role, as it is the only domain controller in our domain. (Since NT4 the concepts of PDCs and BDCs no longer exist; the PDC emulator FSMO role remains for backwards compatibility, and it is also the authoritative time source for the domain. That is why it is the one machine we point at external NTP servers: other domain controllers, servers and PCs follow the domain hierarchy and need no configuration of their own.)
2. Stop the w32time service with the command “net stop w32time”. Now that the service is stopped, run the command “w32tm /config /syncfromflags:manual /manualpeerlist:”server1 server2 server3“” where server1, server2 and server3 are valid NTP servers; at least one is required. Note: when more than one server is given the list is space-separated, not comma-separated, and must be enclosed in quotation marks “. Breaking down this command, “/config” means we want to change the service configuration; “/syncfromflags:manual” tells the computer to take time only from the manually specified peer list rather than from the domain hierarchy, so we now need to supply that list, which is where “/manualpeerlist:”server1 etc.“” comes in.
3. Our next command is “w32tm /config /reliable:yes“. This marks the server as a reliable time source, so that the other domain controllers, servers and PCs in our domain, which follow the domain hierarchy, will take their time from it. Only set this on the PDC emulator, and only once it really has a working external source: a server that advertises itself as reliable but has no good source will confidently hand out the wrong time to the whole domain.
4. Finally, we need to start the w32time service again. The command for this is “net start w32time“. Altogether, the commands look like this. I’ve only included two servers here to keep the length of the line short.

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.uk.pool.ntp.org 1.uk.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
And a screenshot:
We have seen how to set up our VMware ESX hosts to query NTP servers for the correct time and to let our Windows guests synchronise with the host. We also saw how to configure a guest server to query NTP servers directly, which has the advantage of working on physical servers too. The method used on the ESX host can also be used to configure our Linux servers; we just leave out the command “esxcfg-firewall -e ntpClient“, since it is not an ESX server, and instead allow outbound UDP port 123 and the replies to it in iptables or whatever other firewall we may be running.
I hope you found this post informative, please leave a comment if you have any questions or feedback.