In the series Virtualizing Domain Controllers on vSphere, I explained the importance of proper time synchronization for virtualized Active Directory Domain Controllers and how to keep these Domain Controllers on trusted vSphere hosts only. Recent versions of the VMware Tools have time synchronization disabled by default. This means the reliance on proper time on vSphere hosts increases, and confusion among Active Directory Domain Controllers might increase, too.
In vSphere 7.0, VMware therefore introduced a new feature to help administrators make the right choices when vMotion’ing virtualized Domain Controllers, and other VMs.
Recommendations when vMotion’ing virtualized Domain Controllers
Using vMotion with virtualized Domain Controllers is fully supported by VMware. All the normal recommendations apply to virtualized Domain Controllers when comparing them to other virtual machines. However, a couple more recommendations apply:
- Time differences between the vSphere hosts should be as little as possible.
- Time differences between the vSphere hosts should be less than 5 minutes to avoid Kerberos errors.
These recommendations apply regardless of whether the option to Synchronize guest time with host is enabled in VMware Tools. The option only governs periodic time synchronization, not the synchronization that happens when you perform specific actions, like a vMotion. I explained this here.
Impact of vMotion’ing a virtualized Domain Controller to a vSphere host with incorrect time
As vSphere has no knowledge of the function of a virtual machine, it cannot know the impact of a time difference on every specific virtual machine. When you vMotion a virtualized Domain Controller between vSphere hosts with time differences exceeding five minutes, however:
- Domain Controllers may provide member servers and domain-joined devices with the wrong time, resulting in Kerberos authentication failures when these devices communicate with other Domain Controllers that have the correct time.
- In environments with high volumes of changes to objects in Active Directory, replication from the Domain Controller with incorrect time might fail: its changes are treated as losing last writes because of incorrect time stamps (when the incorrect time is later than the correct time), or changes from other Domain Controllers fail (when the incorrect time is earlier than the correct time).
What’s New in vSphere 7.0
In vSphere 7.0, VMware introduced a notification in the vMotion interface for time differences between vSphere hosts. When a time difference exceeds 5 minutes, it is shown in the Compatibility field:
Now, when you vMotion a virtualized Domain Controller from a vSphere host with correct time to a vSphere host with incorrect time, the interface will notify you.
I recommend that administrators keep an eye on the improved vMotion interface for detected time differences between vSphere hosts.
If correct time cannot easily be restored on the vSphere hosts with incorrect time and the time difference exceeds 5 minutes, refrain from vMotion'ing a virtualized Domain Controller to the vSphere host with incorrect time, to avoid the issues above.
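The notification above only appears at the moment you start a vMotion. As an added example (not code from the original post or from VMware), the Python script below checks the clocks of all vSphere hosts up front against the same 5-minute Kerberos tolerance, so skewed hosts show up before anyone migrates a Domain Controller onto them. The host names and clock readings in the sample are constructed; the `collect_host_times` helper is a hypothetical wrapper around pyVmomi's `HostDateTimeSystem.QueryDateTime()` and is only needed when you run it against a real vCenter.

```python
"""
Pre-vMotion clock skew check for vSphere hosts.

Added example, not code from the original post. The sample host times are
constructed so the check runs offline; collect_host_times() is a hypothetical
helper that reads real host clocks via pyVmomi when a ServiceInstance is given.
"""
from datetime import datetime, timedelta, timezone
from itertools import combinations

# Default Kerberos clock skew tolerance, the 5-minute limit the post refers to
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def _as_utc(t):
    """Treat naive datetimes as UTC so host readings can be compared safely."""
    return t if t.tzinfo is not None else t.replace(tzinfo=timezone.utc)


def host_offsets(host_times, reference):
    """Offset in seconds of each host clock from the collector's reference time."""
    ref = _as_utc(reference)
    return {host: (_as_utc(t) - ref).total_seconds() for host, t in host_times.items()}


def skewed_pairs(host_times, reference, threshold=KERBEROS_MAX_SKEW):
    """All host pairs whose clocks differ by more than the threshold."""
    offsets = host_offsets(host_times, reference)
    limit = threshold.total_seconds()
    bad = []
    for a, b in combinations(sorted(offsets), 2):
        diff = abs(offsets[a] - offsets[b])
        if diff > limit:
            bad.append((a, b, diff))
    return bad


def vmotion_safe(src, dst, host_times, reference, threshold=KERBEROS_MAX_SKEW):
    """True when source and destination host clocks are within the threshold."""
    offsets = host_offsets(host_times, reference)
    return abs(offsets[src] - offsets[dst]) <= threshold.total_seconds()


def collect_host_times(si):
    """Read every ESXi host clock through the vSphere API (needs pyVmomi + a ServiceInstance)."""
    from pyVmomi import vim  # imported lazily so the offline sample works without pyVmomi
    content = si.RetrieveContent()
    view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
    try:
        return {h.name: h.configManager.dateTimeSystem.QueryDateTime() for h in view.view}
    finally:
        view.Destroy()


# Constructed sample: three hosts read at the same reference instant
REFERENCE = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HOST_TIMES = {
    "esxi01.example.internal": REFERENCE + timedelta(seconds=2),
    "esxi02.example.internal": REFERENCE - timedelta(seconds=1),
    "esxi03.example.internal": REFERENCE + timedelta(minutes=7),  # NTP broken on this host
}

if __name__ == "__main__":
    for a, b, diff in skewed_pairs(SAMPLE_HOST_TIMES, REFERENCE):
        print(f"{a} <-> {b}: {diff:.0f}s apart, exceeds Kerberos tolerance")
    for dst in ("esxi02.example.internal", "esxi03.example.internal"):
        ok = vmotion_safe("esxi01.example.internal", dst, SAMPLE_HOST_TIMES, REFERENCE)
        print(f"vMotion esxi01 -> {dst}: {'safe' if ok else 'refrain'}")
```

The reference time is taken once by the collector, so every host is compared against the same instant and differences between hosts stay meaningful even when the machine running the script has its own small offset. Pairs are reported rather than single hosts because, as the post notes, what matters is the difference between the source and destination host of a given vMotion, not any one host's absolute error.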
Managing Active Directory Time Synchronization on VMware vSphere
Keeping virtual Domain Controllers apart on trusted VMware vSphere hosts