Hi all,
I have two vSphere sites, and both are connected to the NTP server on the customer network. Now the customer wants to reduce NTP traffic on the firewall side, so I suggested creating one VM as an NTP server and connecting both vSphere sites to this NTP VM. But the customer wants to explore using a vSphere VM for the NTP server. Is it possible to create an NTP server this way, or is there any better idea for a solution?
Thanks all.
Thx!
Hello,
Comment removed, advice obviously of no interest.
Regards,
Ferdinando
Hi, thanks for your reply. Can I create an NTP server on a vSphere VM, and then sync this server with vSphere? Because I have two vSphere sites and I plan to create two NTP servers on the same VM of vSphere. Or if you have any better idea, please kindly let me know.
Hello,
Comment removed, advice obviously of no interest.
Regards,
Ferdinando
Hi Ferdinando,
Can I create an NTP server on a vSphere VM with a different IP address? Then can I sync NTP on this VM?
Depending on the size, what I do is use the core switch or router as the NTP server; however, if it's an extremely large infrastructure then a dedicated NTP server is provided on a VM. What are you using at the moment? I don't see reducing NTP traffic as a valid request on a firewall, though; firewalls have filters, and that traffic can be excluded from view using the filters.
If the firewall cannot handle NTP requests then you really need a new firewall. If it's just to centralise NTP because everyone is using an external source, then use a dedicated Linux VM. The guide linked is for Ubuntu: https://geek-university.com/configure-ntp-server/
Build a VM per site, or two, depending on your needs; use the minimum spec, these can be tiny VMs. I'd stay away from using Windows; its implementation of NTP is not compliant with a lot of equipment.
Hello,
Comment removed, advice obviously of no interest.
Regards,
Ferdinando
There is no issue creating an NTP server on a VM and syncing your servers to it. Some points need to be checked:
1. The NTP server should be reachable on port UDP/123.
2. If both sites have connectivity to each other (e.g. for migration), time should be in sync on both sites, and if you want to create two NTP servers then both should be in sync with each other.
Regards,
Sachchidanand
Thanks for your support Sachchidanand.
Is there any impact if I create the NTP server on the same VM as vCenter?
For example, site A (172.30.35.1) and site B (172.30.36.1); both sites already have a connection. So I can create the NTP setting on both vCenter VMs and sync the NTP settings, right?
Do you have any idea what steps I need to take care of in the process?
Thanks a lot
The steps are very straightforward:
1. Create the NTP server, on both locations if required, and check that both are in sync.
2. Test the NTP server from any Windows/Linux machine in your network. Check whether your client machines are syncing with the NTP server.
3. If all goes well, you can sync your vSphere hosts with the NTP server.
Regards,
Sachchidanand
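As an added example (my own, not code from any poster in this thread) for the per-site Linux NTP VM, the "both servers in sync" point and the "test from a client" step above: a POSIX shell script that renders a chrony.conf for one site's NTP VM and a check that reads a "chronyc tracking" report and says whether the client is actually synchronised. Assumptions: chrony rather than ntpd (ntpd's syntax differs), 10.0.0.1 as a placeholder for the customer's existing NTP server, 172.30.36.10 as the other site's NTP VM, and the client subnets 172.30.35.0/24 and 172.30.36.0/24 derived from the addresses mentioned earlier. The sample tracking reports are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a chrony.conf for one site's NTP VM
# (chrony assumed) and checks a "chronyc tracking" report for real synchronisation.

# render_chrony_conf UPSTREAM PEER SUBNET...
#   UPSTREAM: the customer's existing NTP server, the only upstream this VM queries
#   PEER:     the NTP VM at the other site, so the two sites stay in sync with each other
#   SUBNET:   client networks allowed to query; chrony refuses anything not listed
render_chrony_conf() {
    upstream=$1
    peer=$2
    shift 2
    printf 'server %s iburst\n' "$upstream"
    printf 'peer %s\n' "$peer"
    # If the upstream disappears, keep serving at stratum 10 without the two peers
    # chasing each other (orphan mode).
    printf 'local stratum 10 orphan\n'
    for net in "$@"; do
        printf 'allow %s\n' "$net"
    done
    printf 'driftfile /var/lib/chrony/drift\n'
    printf 'makestep 1.0 3\n'
    printf 'rtcsync\n'
    # chronyc control traffic stays on localhost; only UDP/123 is exposed to clients.
    printf 'bindcmdaddress 127.0.0.1\n'
}

# check_tracking MAX_OFFSET  < "chronyc tracking" output
#   exit 0 if the clock is synchronised: stratum 1..15, leap status Normal and
#   |offset| <= MAX_OFFSET seconds; exit 1 otherwise (stratum 0 / "Not synchronised").
check_tracking() {
    awk -v max="$1" '
        /^Stratum/      { stratum = $3 }
        /^Leap status/  { leap = $4 }
        /^System time/  { offset = $4 }
        END {
            ok = (stratum + 0 >= 1 && stratum + 0 < 16 && leap == "Normal" && offset + 0 <= max + 0)
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample reports (placeholder values, not from a real host).
TRACKING_OK='Reference ID    : 0A000001 (10.0.0.1)
Stratum         : 3
Ref time (UTC)  : Mon Jan 01 00:00:00 2024
System time     : 0.000023455 seconds slow of NTP time
Last offset     : -0.000012345 seconds
RMS offset      : 0.000054321 seconds
Leap status     : Normal'

TRACKING_BAD='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Leap status     : Not synchronised'

# Site A: upstream is the customer NTP server (placeholder 10.0.0.1), peer is site B's VM.
site_a_conf() {
    render_chrony_conf 10.0.0.1 172.30.36.10 172.30.35.0/24 172.30.36.0/24
}

# Demo: print the config, then evaluate the two sample reports with a 100 ms tolerance.
site_a_conf
printf '%s\n' "$TRACKING_OK"  | check_tracking 0.1 && echo "sample 1: synchronised"
printf '%s\n' "$TRACKING_BAD" | check_tracking 0.1 || echo "sample 2: NOT synchronised"
```

On a real client, run it as `chronyc tracking | check_tracking 0.1`; on site B swap the peer and upstream arguments. The allow list is what keeps the VM from becoming an open NTP responder for anyone who can reach UDP/123, which is the part a plain "install ntp" guide usually leaves out.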
A true enterprise solution would be:
1. The network team enables NTP on their infrastructure (core switch or router) with appropriate firewall rules: only the core switch is allowed to query the standard public NTP servers. Create internal DNS A records for each internal core switch (at least two). DNS will resolve round-robin; example: time.corp.com contains ntp1.corp.com and ntp2.corp.com.
2. Update the Windows AD DC time queries to use time.corp.com
3. Point all ESXi hosts' NTP source to time.corp.com
4. Point all non-domain devices' NTP source to time.corp.com
Here's a useful script.
# ESXi host NTP configuration information
Connect-VIServer -Server avcenter -User myadmin@corp.com
Connect-VIServer -Server bvcenter -User myadmin@corp.com
#
# Report each host's NTP servers, ntpd state and the "NTP client" firewall exception
function Get-NtpReport {
    Get-VMHost | ForEach-Object {
        $vmhost = $_
        $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object {$_.Key -eq "ntpd"}
        $rule = Get-VMHostFirewallException -VMHost $vmhost | Where-Object {$_.Name -eq "NTP client"}
        [PSCustomObject]@{
            "Name"                    = $vmhost.Name
            "NTPServer"               = ($vmhost | Get-VMHostNtpServer) -join ", "
            "Service is Running?"     = $ntpd.Running
            "Firewall Rule?"          = $rule.Enabled
            "Firewall Incoming Ports" = $rule.IncomingPorts
            "Firewall Outgoing Ports" = $rule.OutgoingPorts
            "Firewall Protocols"      = $rule.Protocols
        }
    }
}
Get-NtpReport | Format-Table
Get-NtpReport | Out-GridView
#
# CSV with one column named "hostname", one ESXi host per line
$FilePath = "C:\temp\NTPESXiHosts.csv"
$FileContent = Import-Csv $FilePath
foreach ($CsvLine in $FileContent)
{
    $esx = $CsvLine.hostname
    Write-Host "Updating NTP on $esx"
    $allNtpServers = Get-VMHostNtpServer -VMHost $esx
    if ($null -ne $allNtpServers)
    {
        Remove-VMHostNtpServer -VMHost $esx -NtpServer $allNtpServers -Confirm:$false
        Write-Host "All NTP Servers from $esx have been removed.`n"
    }
    # Add NTP servers separately - you can have multiple Add-VMHostNtpServer cmdlet lines
    Add-VMHostNtpServer -VMHost $esx -NtpServer time0.corp.com
    Add-VMHostNtpServer -VMHost $esx -NtpServer time1.corp.com
    # Enable the firewall exception that allows the host's outbound NTP (UDP/123) lookups
    Get-VMHostFirewallException -VMHost $esx | Where-Object {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled $true
    # Start the NTP daemon with the host, and (re)start it now so it reads the new server list
    $ntpd = Get-VMHostService -VMHost $esx | Where-Object {$_.Key -eq "ntpd"}
    $ntpd | Set-VMHostService -Policy "On"
    if ($ntpd.Running) { $ntpd | Restart-VMHostService -Confirm:$false } else { $ntpd | Start-VMHostService }
}
#
# Re-run the report to confirm the change on every host
Get-NtpReport | Format-Table
Get-NtpReport | Out-GridView