VMware vSphere


advice for vSphere NTP setting

  • 1.  advice for vSphere NTP setting

    Posted Aug 14, 2023 05:49 PM

    Hi all,

        I have 2 sites of vSphere and both are connected to the NTP server of the customer network. Now the customer wants to reduce NTP traffic on the FW side. So I suggested creating one VM as an NTP server and connecting both vSphere sites to this NTP VM. But the customer wants to explore using a vSphere VM for the NTP server. Is it possible to create an NTP server this way, or is there any better idea for a solution?

     

    Thanks all. 



  • 2.  RE: advice for vSphere NTP setting

    Posted Aug 14, 2023 06:00 PM

    Thx!



  • 3.  RE: advice for vSphere NTP setting

    Posted Aug 14, 2023 06:21 PM

    Hello,


    Comment removed, advice obviously of no interest.


    Regards,
    Ferdinando



  • 4.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 02:29 AM

    Hi, thanks for your reply. Can I create an NTP server on a vSphere VM, then sync this server with vSphere? Because I have 2 sites of vSphere and I plan to create 2 NTP servers in the same VM of vSphere. Or if you have any good idea, please kindly let me know.



  • 5.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 06:16 AM

    Hello,


    Comment removed, advice obviously of no interest.


    Regards,
    Ferdinando



  • 6.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 06:50 AM

    Hi Ferdinando,

               Can I create an NTP server on a vSphere VM with a different IP address? Then can I sync NTP on this VM?



  • 7.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 06:51 AM

    Depending on the size, what I do is use the core switch or router as the NTP server; however, if it's an extremely large infrastructure then a dedicated NTP server is provided on a VM. What are you using at the moment? I don't see reducing NTP traffic as a valid request on a firewall though: firewalls have filters, and that traffic can be excluded from view using the filters.

    If the firewall cannot handle NTP requests then you really need a new firewall. If it's just to centralise NTP because everyone is using an external source, then use a dedicated Linux VM. The guide attached is for Ubuntu: https://geek-university.com/configure-ntp-server/

    Build a VM per site, or two depending on your needs. Use the minimum spec; these can be tiny VMs. I'd stay away from using Windows; its implementation of NTP is not compliant with a lot of equipment.



  • 8.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 08:26 AM

    Hello,


    Comment removed, advice obviously of no interest.


    Regards,
    Ferdinando



  • 9.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 08:52 AM

    There is no issue creating an NTP server on a VM and syncing your servers to that NTP server. Some points need to be checked:

    1. The NTP server should be reachable on port UDP/123.

    2. If both sites have connectivity to each other, e.g. for migration, time should be in sync on both sites, and if you want to create two NTP servers then both should be in sync.

    Regards,

    Sachchidanand



  • 10.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 10:14 AM

    Thanks for your support Sachchidanand.

    Is there any impact if I create the NTP server on the same VM as vCenter?

    For example, site-A (172.30.35.1) and site-B (172.30.36.1) already have a connection between them. So I can create the NTP setting on both vCenter VMs and sync the NTP setting, right?

    Do you have any idea of the steps I need to take care of in the process?

     

    Thanks a lot



  • 11.  RE: advice for vSphere NTP setting

    Posted Aug 15, 2023 01:49 PM

    Steps are very straightforward:

    1. Create NTP server, if required on both location and check that both are in sync.

    2. Test the NTP server from any Windows/Linux machine in your network. Check that your client machines are syncing with the NTP server.

    3. If all goes well, you can sync your vSphere with the NTP server.

    Regards,

    Sachchidanand 
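
    The two checks above (the NTP server answering on UDP/123, and the two site servers agreeing with each other) and the "test from a client before pointing vSphere at it" step can be scripted. The following is an added example written for this thread, not code from any poster: a minimal RFC 5905 client that sends a mode-3 request, rejects replies a client must not trust (wrong mode, origin timestamp that does not echo our request, kiss-o'-death, unsynchronized server), computes offset and round-trip delay, and compares the offsets of several servers. The 0.1 s agreement tolerance is an assumption, the replies in demo_constructed() are constructed for an offline run, and the two addresses are the vCenter IPs from the thread used only as labels.

```python
"""NTP (RFC 5905) reachability and sync checker.

Added example for this thread, not code from any poster. The 0.1 s tolerance
and the constructed replies in demo_constructed() are illustrative assumptions.
"""
import socket
import struct
import time
from dataclasses import dataclass

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then four 64-bit timestamps as (seconds, fraction) pairs
_FMT = "!BBbb11I"


def to_ntp_time(unix_ts: float) -> tuple[int, int]:
    secs = int(unix_ts)
    return secs + NTP_EPOCH_OFFSET, int((unix_ts - secs) * (1 << 32))


def from_ntp_time(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(sent: tuple[int, int]) -> bytes:
    """Mode-3 (client) request; only the transmit timestamp is filled in."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, *sent)


@dataclass
class NtpResult:
    stratum: int
    ref_id: bytes     # ASCII tag for stratum 0/1 (e.g. b"GPS\x00"), else an address/hash
    offset: float     # seconds the server clock is ahead of ours
    delay: float      # round-trip delay in seconds


def evaluate(data: bytes, sent: tuple[int, int], t4: float) -> NtpResult:
    """Validate a server reply and compute offset/delay (RFC 5905 on-wire protocol)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(_FMT, data[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    ref_id = struct.pack("!I", f[6])
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if (f[9], f[10]) != sent:           # origin must echo our transmit timestamp
        raise ValueError("origin timestamp mismatch: spoofed, replayed or stale reply")
    if stratum == 0:                    # kiss-o'-death, reason in the reference ID
        raise ValueError(f"kiss-o'-death from server: {ref_id!r}")
    if leap == 3 or stratum >= 16:
        raise ValueError("server is not synchronized (LI=3 or stratum 16)")
    t1 = from_ntp_time(*sent)
    t2 = from_ntp_time(f[11], f[12])    # server receive
    t3 = from_ntp_time(f[13], f[14])    # server transmit
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return NtpResult(stratum, ref_id, offset, delay)


def query(server: str, timeout: float = 2.0) -> NtpResult:
    """Live check that UDP/123 is reachable and the server answers sanely (needs network)."""
    sent = to_ntp_time(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(sent), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
    return evaluate(data, sent, time.time())


def servers_agree(results: dict[str, NtpResult], tolerance: float = 0.1) -> bool:
    """True when every server's offset is within `tolerance` seconds of the others."""
    offsets = [r.offset for r in results.values()]
    return max(offsets) - min(offsets) <= tolerance


def make_reply(sent, receive, transmit, stratum=1, ref_id=b"GPS\x00", leap=0) -> bytes:
    """Construct a mode-4 reply the way a server would, for offline checks."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    rs, rf = to_ntp_time(receive)
    ts, tf = to_ntp_time(transmit)
    return struct.pack(_FMT, li_vn_mode, stratum, 6, -20, 0, 0,
                       struct.unpack("!I", ref_id)[0], rs, rf, *sent, rs, rf, ts, tf)


def demo_constructed() -> dict[str, NtpResult]:
    """Constructed replies: site-A server 0.25 s ahead of us, site-B 0.125 s behind,
    62.5 ms each way. The addresses are the vCenter IPs from the thread, used as labels."""
    sent = to_ntp_time(1700000000.0)
    t1 = from_ntp_time(*sent)
    t4 = t1 + 0.125
    a = make_reply(sent, receive=t1 + 0.28125, transmit=t1 + 0.34375)
    b = make_reply(sent, receive=t1 - 0.09375, transmit=t1 - 0.03125)
    return {"172.30.35.1": evaluate(a, sent, t4), "172.30.36.1": evaluate(b, sent, t4)}


if __name__ == "__main__":
    import sys
    results = {h: query(h) for h in sys.argv[1:]} if len(sys.argv) > 1 else demo_constructed()
    for host, r in results.items():
        print(f"{host}: stratum {r.stratum} offset {r.offset:+.6f}s delay {r.delay:.6f}s")
    print("servers in sync" if servers_agree(results) else "servers disagree by more than tolerance")
```

    Run it with the two NTP VMs as arguments to do the live check from a client; with no arguments it evaluates the constructed replies, where the two servers disagree by 0.375 s and are correctly reported as out of sync. The origin-timestamp test matters on a shared network: a reply that does not echo the request's transmit timestamp is discarded rather than used to set the clock.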



  • 12.  RE: advice for vSphere NTP setting

    Posted Aug 17, 2023 02:16 PM

    A true enterprise solution would be:

    1. Network team enables NTP on their infrastructure (core switch or router) with appropriate firewall rules, only the core switch is allowed to query the standard public ntp servers. Create internal DNS A records for each internal core switch (at least two). DNS will resolve round-robin, example: time.corp.com contains ntp1.corp.com and ntp2.corp.com.

    2. Update Windows AD DC queries to use time.corp.com

    3. Point all ESXi hosts' NTP source to time.corp.com

    4. Point all non-domain devices' NTP source to time.corp.com



  • 13.  RE: advice for vSphere NTP setting

    Posted Aug 17, 2023 02:19 PM

    Here's a useful script.

    ESXi host NTP configuration information
        # Connect to both vCenters. With PowerCLI's default "Multiple" server mode,
        # the Get-VMHost calls below return the hosts of both.
        Connect-VIServer -Server avcenter -User myadmin@corp.com
        Connect-VIServer -Server bvcenter -User myadmin@corp.com

        # One row per host: configured NTP servers, whether ntpd is running,
        # and the state of the "NTP client" firewall rule.
        function Get-NtpReport {
            Get-VMHost | ForEach-Object {
                $ntpd = Get-VMHostService -VMHost $_ | Where-Object { $_.Key -eq "ntpd" }
                $rule = Get-VMHostFirewallException -VMHost $_ | Where-Object { $_.Name -eq "NTP client" }
                [pscustomobject]@{
                    Name                      = $_.Name
                    NTPServer                 = Get-VMHostNtpServer -VMHost $_
                    "Service is Running?"     = $ntpd.Running
                    "Firewall Rule?"          = $rule.Enabled
                    "Firewall Incoming Ports" = $rule.IncomingPorts
                    "Firewall Outgoing Ports" = $rule.OutgoingPorts
                    "Firewall Protocols"      = $rule.Protocols
                }
            }
        }

        # Before: show the current state of every host
        Get-NtpReport | Format-Table
        Get-NtpReport | Out-GridView

        # Hosts to update: a CSV with a "hostname" column
        $FilePath = "C:\temp\NTPESXiHosts.csv"
        $FileContent = Import-Csv $FilePath
        foreach ($CsvLine in $FileContent) {
            $esx = $CsvLine.hostname
            Write-Host "Updating NTP on $esx"
            # Remove whatever NTP servers are configured today
            $allNtpServers = Get-VMHostNtpServer -VMHost $esx
            if ($null -ne $allNtpServers) {
                Remove-VMHostNtpServer -VMHost $esx -NtpServer $allNtpServers -Confirm:$false
                Write-Host "All NTP servers from $esx have been removed.`n"
            }
            # Add the new NTP servers; add one Add-VMHostNtpServer line per server
            Add-VMHostNtpServer -VMHost $esx -NtpServer time0.corp.com
            Add-VMHostNtpServer -VMHost $esx -NtpServer time1.corp.com
            # Enable the ESXi firewall rule for the NTP client (outgoing UDP/123)
            Get-VMHostFirewallException -VMHost $esx | Where-Object { $_.Name -eq "NTP client" } | Set-VMHostFirewallException -Enabled $true
            # Start ntpd and set its policy to "On" so it starts with the host
            $ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq "ntpd" }
            $ntpd | Set-VMHostService -Policy "On"
            $ntpd | Start-VMHostService
        }

        # After: confirm the change on every host
        Get-NtpReport | Format-Table
        Get-NtpReport | Out-GridView