VMware ESXi 5.1 will not sync time with Windows 2008 R2 NTP Domain Controller


I ran into a problem yesterday that I know I have never had before, which now makes me wonder about my last couple of vSphere installs. I was building a new cluster, set my first ESXi server up and built my first Domain Controller, configured it to sync with pool.ntp.org servers and set my host to sync with it. Done, right? No, not in this case. Since checking the KB is always my first stop, I found KB1035833, which pointed me to two configuration files I had to edit manually (e.g. via SSH, not the vSphere Client).

First, make sure this is actually the problem you are having. Make sure your Windows firewall and ESXi firewall are set to allow UDP port 123. There is also a handy little utility to check if everything is set up correctly that you can download here. If all seems correct, start SSH on your ESXi host, if you have not already done so, by doing the following:

  • Go to Security Profile and click Properties.
  • On the top right corner (in the services section) click Properties…
  • Find and click on SSH and click the Options button and click the Start button.
  • Open PuTTY or your preferred terminal client and connect to your host.
  • Accept the certificate and type the following commands to make a copy and edit your ntp.conf file:

cp /etc/ntp.conf /etc/ntp.conf.bak
vi /etc/ntp.conf

  • Using the arrow keys, position the cursor at the end of the last line and hit i on your keyboard. This will place you in edit mode in vi.
  • Enter a new line and type tos maxdist 30
  • Hit ESC on your keyboard to come out of edit mode, then type : followed by x to save and exit.
  • Now type the following to edit the lsassd.conf file:

cp /etc/likewise/lsassd.conf /etc/likewise/lsassd.conf.bak
chmod +w /etc/likewise/lsassd.conf
vi /etc/likewise/lsassd.conf

  • Using the arrow keys, find #sync-system-time
  • Position your cursor on the s of sync, hit i, then hit the backspace button to delete the #
  • Hit ESC on your keyboard to come out of edit mode, then type : followed by x to save and exit.
  • Type the following command:

/sbin/auto-backup.sh

  • This will ensure all changes persist after a restart.
  • At this point the time on my host updated, though for good measure restart the two services:

/etc/init.d/lsassd restart
/etc/init.d/ntpd restart
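
The two vi edits above can also be scripted so they are safe to run more than once. This is an added example, not part of the original post: the function names and the `--apply` switch are hypothetical, the paths are the ones used in the steps above, and it assumes a POSIX sh with grep, sed and tail on the host.

```shell
#!/bin/sh
# Added example (not from the original post): the two vi edits as idempotent functions.
# Function names and the --apply switch are hypothetical; paths are the ones on the page.

# Append "tos maxdist 30" to an ntp.conf unless a "tos maxdist" line is already there.
set_maxdist() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    if grep -q '^[[:space:]]*tos[[:space:]][[:space:]]*maxdist[[:space:]]' "$conf"; then
        return 0                      # already set: leave file and backup alone
    fi
    cp "$conf" "$conf.bak" || return 1
    # If the last byte is not a newline, add one so the directive gets its own line.
    if [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    echo 'tos maxdist 30' >> "$conf"
}

# Remove the leading "#" from the sync-system-time line in an lsassd.conf.
enable_sync_system_time() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    # Nothing to do if the line is not commented out (or not present at all).
    grep -q '^[[:space:]]*#[[:space:]]*sync-system-time' "$conf" || return 0
    cp "$conf" "$conf.bak" || return 1
    chmod +w "$conf" || return 1
    sed 's/^\([[:space:]]*\)#[[:space:]]*\(sync-system-time\)/\1\2/' "$conf.bak" > "$conf"
}

# Only touch the live files when asked to; persist and restart as in the steps above.
if [ "${1:-}" = "--apply" ]; then
    set_maxdist /etc/ntp.conf &&
    enable_sync_system_time /etc/likewise/lsassd.conf &&
    /sbin/auto-backup.sh &&
    /etc/init.d/lsassd restart &&
    /etc/init.d/ntpd restart
fi
```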

Finally, I would stop the SSH service until the next time you need it, or, if your security policies allow, make sure it's set to start automatically.

Conclusion

I know I have never had to do this before, this isn’t an extra check box.  I will certainly be going back to check my other hosts but I know this has worked without these additional changes before.  Hope this helped if you are having problems!