Operating systems in general keep time by counting the “ticks” from the processor (I’m sure that is a vast oversimplification of the process). Virtual machines unfortunately don’t have unfettered and unlimited access to the processor, which causes their “tick count” and internal clocks to drift quickly. If a virtual machine needs to interact with other systems – like Active Directory – a wildly incorrect time stamp can cause unwanted results. In the Active Directory example, logging onto a virtual machine that is a member of the domain becomes impossible if the time skew is too large.
Fortunately, with VMware ESX servers, there are two simple steps to correct this issue. First, install VMware Tools on the virtual machines and select the option for the virtual clock to continuously sync with the ESX host. This bypasses the tick-count process and feeds the correct time to the virtual operating system continuously.
The second part is to configure NTP on the ESX service console. This is slightly more complicated, but can be accomplished without too much difficulty. On the ESX server, there is a service console that looks and acts suspiciously like a Linux OS. And part of that service console is just itching to activate NTP. Unfortunately, you can’t just say “NTP powers, activate,” but rather you have to go through a few simple steps:
Configuring NTP on the ESX Service Console
1. Edit the /etc/ntp.conf file
Personally, I just rename the file to ntp.old, and create a new blank ntp.conf file. In the configuration file, I basically tell it to a) only accept commands from itself, b) give the time to people that ask, but not much else, and c) list the IP addresses of the NTP clocks to synchronize with.
restrict default kod nomodify notrap
2. Edit the /etc/ntp/step-tickers file and type the names of the NTP devices (one server per line)
3. Allow NTP packets through the service console firewall
esxcfg-firewall --enableService ntpClient
4. Configure ntpd to start on boot
chkconfig --level 345 ntpd on
5. Start the ntp service
service ntpd start
6. Finally, you should synchronize the hardware clock with NTP
hwclock --systohc
For fun, you can watch how well your ESX server is keeping time by typing:
watch "ntpq -p"
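The check below is an added example, not part of the original post: a shell function that audits an ntp.conf for the three goals listed in step 1 and confirms that every server also appears in step-tickers (step 2). The function name audit_ntp_conf, the "restrict 127.0.0.1" line and the 192.0.2.x sample addresses are assumptions, since the post shows only the "restrict default" line.

```shell
#!/bin/sh
# Added example: audit an ntp.conf against the three goals of step 1 and
# cross-check it with step-tickers (step 2). Returns 0 only if all checks pass.
audit_ntp_conf() {
    conf="$1"; tickers="$2"; rc=0

    # (b) default policy: serve time, but refuse config changes and traps
    default=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" \
        | head -n 1 | tr -s '[:space:]' ' ')
    for flag in nomodify notrap; do
        case " $default " in
            *" $flag "*) ;;
            *) echo "FAIL: 'restrict default' is missing $flag"; rc=1 ;;
        esac
    done

    # (a) loopback gets its own restrict line, so only the host itself is
    #     exempt from the default policy (assumed form: restrict 127.0.0.1)
    grep -Eq '^[[:space:]]*restrict[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$conf" \
        || { echo "FAIL: no 'restrict 127.0.0.1' line"; rc=1; }

    # (c) at least one upstream clock, and each one also listed in step-tickers
    servers=$(awk '$1 == "server" { print $2 }' "$conf")
    [ -n "$servers" ] || { echo "FAIL: no 'server' lines"; rc=1; }
    for s in $servers; do
        grep -qxF "$s" "$tickers" \
            || { echo "FAIL: $s is not listed in $tickers"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files; 192.0.2.x are documentation addresses, not real clocks.
tmp=$(mktemp -d)
printf '%s\n' 'restrict default kod nomodify notrap' 'restrict 127.0.0.1' \
    'server 192.0.2.10' 'server 192.0.2.11' > "$tmp/ntp.conf"
printf '%s\n' 192.0.2.10 192.0.2.11 > "$tmp/step-tickers"
audit_ntp_conf "$tmp/ntp.conf" "$tmp/step-tickers" && echo "PASS: sample config"
```

On the service console, call it as audit_ntp_conf /etc/ntp.conf /etc/ntp/step-tickers after step 2.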
I don’t pretend to be an expert on NTP; all I know is that the above configuration settings have worked well for me. If you want to learn more about the secrets of NTP, http://support.ntp.org is a good place to start.
I’m assuming that you have a few functioning NTP services on your network (Linux boxes and various network routers are often configured to run NTP), or that your servers can access the public NTP clocks scattered across the net. One word of caution: don’t point the NTP service at a Windows 2003 server since Windows uses SNTP (and SNTP is just different enough to mess up the synchronization process).