NTP configuration considerations for VMware/Windows systems

System: VMware vCSA 6.0/ESXi 5.5 & Windows Server 2008R2/2012R2

- last updated on -

About: The purpose of this document is to provide an overview of the NTP configuration required in order to synchronize the clocks on a VMware+Windows infrastructure.

How: There are two main types of NTP configurations that might need implementing, based on whether or not NTP authentication is a requirement.

NTP configuration (without authentication)

  1. For the vCSA, one would access its management page (VAMI) at the https://vCSA_IP_address:5480 URL, log in using the root account, go to the `Time` section in the `Navigator` pane, set the time synchronization mode to `NTP` and then enter the NTP server details.

  2. In order to configure the ESXi hosts, one can either use the vSphere fat Client, as per this KB article, or the vSphere Web Client, as per the vSphere 5.5 documentation; the procedure is essentially the same in both, only the interface differs.

  3. As for Windows machines, one would have to use the w32tm.exe command-line tool - it needs to be invoked from an elevated Command Prompt with the following flags:

    w32tm.exe /config /update /manualpeerlist:"IP_addr_#1 IP_addr_#2 IP_addr_#3" /syncfromflags:manual

    notes:

    • no quotes are needed if only one ‘peer’ is provided; if multiple peers are provided, the addresses need to be separated by space characters

    • alternatively, the time synchronization can be set via GPO - see this TechNet article for more details

    • one can also find an interesting read from VMware regarding the timekeeping best practices for Windows

NTP configuration (with authentication)

  1. No VMware documentation has been found that would indicate that NTP authentication is supported for the ESXi hosts - however, the NTP client included with the hypervisor appeared to be capable of it, and it was determined empirically that the ESXi 5.5 NTP package does indeed support NTPv4 authentication.

  2. The set-up, however, is quite specific: after configuring the ESXi NTP client as described in the section above (without authentication), one would have to log in to the ESXi host over SSH and modify the /etc/ntp.conf and /etc/ntp.keys files so that they match the samples below.

    /etc/ntp.conf
    restrict default kod nomodify notrap nopeer notrust
    restrict 127.0.0.1
    server [ip address redacted] iburst key 1
    driftfile /etc/ntp.drift
    keys /etc/ntp.keys
    trustedkey 1

    /etc/ntp.keys
    1 M [key redacted]

    Once the NTP configuration is in place on the host, the NTP daemon needs to be restarted (/etc/init.d/ntpd restart) and, finally, the NTP server’s configuration file needs to be amended with the restrict ESXi_IP_address nomodify noquery notrust directive (this might differ from implementation to implementation - in this case it was true for the NTP server that came with AIX 6/7).

  3. The w32tm.exe tool is not a full NTP implementation and seems to be incapable of supporting NTP authentication (outside of an Active Directory domain, in which NTP authentication is provided via Windows-specific mechanisms that are not standards-compliant and do not interoperate with a standard NTP server). In this case (DMZ Windows systems), the systems can be configured (via GPO would be easiest, as the suggested configuration is the default one in this case) to synchronize their time with Microsoft’s time servers; since the machines are placed in the DMZ, this should work without a need to intervene on the Internet-facing firewalls (this also ensures that the NTP time sources have a known identity - still, no authentication is provided in this case, as membership of an AD domain would be needed for that). Alternatively, a third-party NTP client package could be used, and the Windows Time service disabled.
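The ESXi step above hinges on three things agreeing with each other: the `key N` option on the `server` line, the `trustedkey` list and the key id/secret in ntp.keys; if any one of them is off, ntpd simply never marks the peer as reachable. The following is an added example (not VMware's or ntpd's code) that checks that agreement and then shows what the `key 1` / `notrust` pairing actually does on the wire: the NTPv4 symmetric-key MAC is the 4-byte key id followed by MD5 over the shared secret concatenated with the 48-byte packet, and a peer configured with `notrust` discards anything whose MAC does not verify. The server address and secret in the samples are constructed placeholders standing in for the redacted values in the note.

```python
"""Consistency check for an ntpd symmetric-key (NTPv4 MD5) set-up, plus the MAC
computation behind 'server ... key N'.  Added example, not VMware's or ntpd's
code; the ntp.conf / ntp.keys contents are constructed samples mirroring the
redacted ones in the note."""
import hashlib
import hmac
import struct
import time

# Constructed samples: 192.0.2.10 and the secret are placeholders, not real values.
NTP_CONF = """\
restrict default kod nomodify notrap nopeer notrust
restrict 127.0.0.1
server 192.0.2.10 iburst key 1
driftfile /etc/ntp.drift
keys /etc/ntp.keys
trustedkey 1
"""
NTP_KEYS = """\
# keyid type key
1 M ExampleSharedSecret
"""

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def parse_keys(text):
    """Parse ntp.keys lines of the form '<id> <type> <key>'; only type M (MD5) is handled."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, secret = line.split(None, 2)
        if ktype.upper() != "M":
            raise ValueError(f"unsupported key type {ktype!r} for key {keyid}")
        keys[int(keyid)] = secret.encode("ascii")
    return keys


def parse_conf(text):
    """Extract only the ntp.conf directives that authentication depends on."""
    conf = {"servers": [], "trustedkey": set(), "keys": None}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "server":
            keyid = int(parts[parts.index("key") + 1]) if "key" in parts else None
            conf["servers"].append((parts[1], keyid))
        elif parts[0] == "trustedkey":
            conf["trustedkey"].update(int(p) for p in parts[1:])
        elif parts[0] == "keys":
            conf["keys"] = parts[1]
    return conf


def check_config(conf_text, keys_text):
    """Return the mismatches that would leave the peer unauthenticated or unreachable."""
    conf, keys = parse_conf(conf_text), parse_keys(keys_text)
    problems = []
    if conf["keys"] is None:
        problems.append("no 'keys' directive: ntpd has no key file to load")
    for host, keyid in conf["servers"]:
        if keyid is None:
            problems.append(f"server {host}: no 'key' option, replies are not authenticated")
            continue
        if keyid not in keys:
            problems.append(f"server {host}: key {keyid} missing from ntp.keys")
        if keyid not in conf["trustedkey"]:
            problems.append(f"server {host}: key {keyid} not listed in trustedkey")
    return problems


def mac(keyid, secret, packet):
    """NTPv4 symmetric-key MAC: 32-bit key id + MD5(secret || packet header)."""
    return struct.pack("!I", keyid) + hashlib.md5(secret + packet).digest()


def build_client_packet(keyid, secret, now=None):
    """48-byte NTPv4 mode-3 (client) request with only the transmit timestamp set,
    followed by the MAC; 68 bytes in total."""
    now = time.time() if now is None else now
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3
    tx_sec = int(now) + NTP_EPOCH_OFFSET
    tx_frac = int((now - int(now)) * 2**32)
    packet = struct.pack("!BBbbII4sQQQQ", li_vn_mode, 0, 0, 0, 0, 0, b"\0" * 4,
                         0, 0, 0, (tx_sec << 32) | tx_frac)
    return packet + mac(keyid, secret, packet)


def verify_packet(data, keys):
    """What a 'notrust' peer does: accept only if a MAC is present, the key id is known
    and the digest matches.  Returns the authenticating key id, or None."""
    if len(data) < 48 + 20:
        return None
    packet, keyid, digest = data[:48], struct.unpack("!I", data[48:52])[0], data[52:68]
    secret = keys.get(keyid)
    if secret is None:
        return None
    return keyid if hmac.compare_digest(hashlib.md5(secret + packet).digest(), digest) else None


if __name__ == "__main__":
    for line in check_config(NTP_CONF, NTP_KEYS) or ["config consistent"]:
        print(line)
    keys = parse_keys(NTP_KEYS)
    req = build_client_packet(1, keys[1])
    print("request authenticated with key", verify_packet(req, keys))
    tampered = req[:40] + b"\xff" + req[41:]     # flip a byte of the transmit timestamp
    print("tampered request accepted:", verify_packet(tampered, keys))
```

Running it against the two files copied off the host (or the samples embedded here) reports exactly which of the three directives disagrees; the packet half of the script is the reason the server-side `restrict ... notrust` line in the note is needed: without a matching key on the server, an authenticated request from the ESXi host is answered with an unauthenticated reply, which the host then rejects because of its own `key 1` option.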