Hyper-V Time Synchronization, Right
In a Windows domain, the domain controller that holds the PDC emulator flexible single master operations (FSMO) role is considered the authoritative time source for the entire domain.
Every computer in the domain gets its time from that source. By default, a virtual machine is configured to get its time directly from the Hyper-V host. This eliminates unnecessary time synchronization network traffic and assists with state-type operations such as resumes, checkpoints/snapshots, and merges.
There is a maximum time differential of 5 minutes between a client and server in a Kerberos conversation, but the results of unsynchronized clocks vary wildly. A Windows desktop might be a few days behind and only bark warnings and errors. An Exchange Server system will panic at a very small time offset. There is also a maximum amount of time beyond which a domain controller will not update a client that asks for a time synchronization.
This problem is directly solved for Hyper-V guests via the Hyper-V Time Synchronization Service.
Time Synchronization for Virtualized Domain Controllers
- The PDC emulator, whether virtual or physical, should be synchronizing its time from a known valid external source, such as authoritative Internet-based systems or a dedicated hardware clock.
- The PDC emulator, if virtualized, must not be synchronized to the hypervisor.
- While not as critical, other virtualized domain controllers besides the PDC emulator should also not be synchronized to the hypervisor. If left at defaults, they will synchronize directly from the PDC emulator.
- All hypervisors’ management operating systems should synchronize from the domain.
- All other guests should synchronize from the hypervisor.
- As indicated in the linked article, all physical machines should synchronize from the domain.
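The rules above can be checked per host. The following PowerShell audit is an added example, not part of the original article. It assumes it is run elevated on the Hyper-V host with the Hyper-V and ActiveDirectory modules installed, that VM names match guest computer names, and it uses the en-US integration service name.

```powershell
# Added example: audit one Hyper-V host against the time-sync rules listed above.
# Assumptions: elevated session on the host, Hyper-V and ActiveDirectory modules
# present, and each VM name equals the computer name of its guest.
Import-Module Hyper-V, ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator.Split('.')[0]                  # short name of the PDC emulator
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.Name }

# The integration service name is localized; 'Time Synchronization' is the en-US name.
$report = foreach ($vm in Get-VM) {
    $svc  = Get-VMIntegrationService -VM $vm -Name 'Time Synchronization'
    $isDc = $dcs -contains $vm.Name
    $role = if ($vm.Name -eq $pdc) { 'PDC emulator' }
            elseif ($isDc)         { 'Domain controller' }
            else                   { 'Member guest' }

    # Rule: domain controllers must not follow the hypervisor clock;
    # every other guest should.
    $expected = -not $isDc

    [pscustomobject]@{
        VM           = $vm.Name
        Role         = $role
        HostTimeSync = $svc.Enabled
        Expected     = $expected
        Compliant    = ($svc.Enabled -eq $expected)
    }
}

# Non-compliant rows sort first.
$report | Sort-Object Compliant, VM | Format-Table -AutoSize

# The management OS should follow the domain hierarchy: expect a domain
# controller name here, not 'Local CMOS Clock' or an Internet peer.
"Host time source: $(w32tm /query /source)"

# Remediation for a virtualized DC flagged above (uncomment after review):
# Disable-VMIntegrationService -VMName $pdc -Name 'Time Synchronization'

# On the PDC emulator itself, point Windows Time at an external source.
# 'time.example.org' is a constructed placeholder, not a value from the article:
# w32tm /config /manualpeerlist:"time.example.org" /syncfromflags:manual /reliable:yes /update
```

A row with Compliant = False for a domain controller means that VM is still taking its time from the hypervisor, which conflicts with the rules for virtualized domain controllers above.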