The question of how to handle virtual Domain Controllers has been around for quite some time. The answer really depends on what product you have decided to use as your virtualisation platform: Microsoft or VMWare. Regardless of the product you have choosen, you will still have to make the same decision when it comes to Domain Controllers: How will I handle Time Synchronisation? Before I go into the details there is one thing that both companies agree on. Do not let your VMs use more than one method for Time Sync as this could lead to numerous time changes ... and you most definitely do not want this happening on Domain Controllers.
Right, so how do the two approaches differ? Well, keeping in mind that both agree you should only use one method for time sync here are the two approaches:
- Microsoft: Time Synchronisation from the VM to the host via integration services or VMWare tools should be disabled for all Domain Controllers. Use the normal domain hierarchy for Domain Controllers with the exception of the PDC in the forest root. Configure the PDC to use an external NTP source
- VMWare: In general, VMWare recommend disabling W32time (for non DC's) and using the VMWare tools to sync time with the host. For Domain controllers they still say to use VMWare tools but instead of disabling the W32time service they recommend running the Windows Time service in a server-only mode. Additionally, install the NTP Daemon on the ESX host and have it sync with an external NTP source.
Microsoft do not recommend sync'ing with the physical host whereas VMWare recommend that you do. So, from a supportability stance, which option do you choose? No surprise, but I would recommend starting with the Microsoft approach regardless of whether you are using ESX or not. Why? Well, from a support perspective following the VMWare approach means that you have to stop time sync from working as it should in a normal Active Directory Domain. In short, you make your Active Directory more or less unsupportable. If you run into problems and try and open a support case, you are putting yourself at a distinct disadvantage.