VMware Cloud Community
nyeinzaw89
Enthusiast

advice for vSphere NTP setting

Hi all,

I have two vSphere sites and both are connected to the NTP server on the customer network. Now the customer wants to reduce NTP traffic on the firewall side. So I suggested creating one VM as an NTP server and connecting both vSphere sites to this NTP VM. But the customer wants to explore using a vSphere VM as the NTP server. Is it possible to create an NTP server this way, or is there any better idea for a solution?

 

Thanks all. 

12 Replies
lucas_balbino
Contributor

Thx!

Kinnison
Commander

Hello,


Comment removed, advice obviously of no interest.


Regards,
Ferdinando

nyeinzaw89
Enthusiast

Hi, thanks for your reply. Can I create an NTP server on a vSphere VM? Then can I sync this server with vSphere? Because I have two vSphere sites and I plan to create two NTP servers in the same VM of vSphere. Or if you have any good idea, please kindly let me know.

Kinnison
Commander

Hello,


Comment removed, advice obviously of no interest.


Regards,
Ferdinando

nyeinzaw89
Enthusiast

Hi Ferdinando,

Can I create an NTP server on a vSphere VM with a different IP address? Then can I sync NTP on this VM?

bmcb555
Enthusiast

Depending on the size, what I do is use the core switch or router as the NTP server; however, if it's an extremely large infrastructure then a dedicated NTP server is provided on a VM. What are you using at the moment? I don't see reducing NTP traffic as a valid request on a firewall though; firewalls have filters and that traffic can be excluded from view using the filters.

If the firewall cannot handle NTP requests then you really need a new firewall. If it's just to centralise NTP because everyone is using an external source, then use a dedicated Linux VM. The attached guide is for Ubuntu: https://geek-university.com/configure-ntp-server/

Build a VM per site, or two, depending on your needs; use the minimum spec, these can be tiny VMs. I'd stay away from using Windows; its implementation of NTP is not compliant with a lot of equipment.

Kinnison
Commander

Hello,


Comment removed, advice obviously of no interest.


Regards,
Ferdinando

Sachchidanand
Expert

There is no issue creating an NTP server on a VM and syncing your server to the NTP. Some points need to be checked:

1. The NTP server should be reachable on port UDP/123.

2. If both sites have connectivity to each other, e.g. for migration, time should be in sync on both sites, and if you want to create two NTP servers then both should be in sync.

Regards,

Sachchidanand

nyeinzaw89
Enthusiast

Thanks for your support, Sachchidanand.

Is there any impact if I create the NTP server on the same VM as vCenter?

For example, site-A (172.30.35.1) and site-B (172.30.36.1); both sites already have a connection. So I can create the NTP setting on both vCenter VMs and sync the NTP setting, right?

Do you have any idea of any steps I need to take care of in the process?

 

Thanks a lot

Sachchidanand
Expert

Steps are very straightforward:

1. Create the NTP server, if required at both locations, and check that both are in sync.

2. Test the NTP server with any Windows/Linux machine in your network. Check whether your client machines are syncing with the NTP server.

3. If all goes well, you can sync your vSphere hosts with the NTP server.

Regards,

Sachchidanand 

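The two checks above (UDP/123 reachable, both NTP servers in sync) can be done from any Windows machine without installing anything. The following is an added example, not something posted in this thread: it sends a minimal SNTP client request with .NET's UdpClient, parses the reply and reports stratum and clock offset, so you can confirm a server answers, that it is actually synchronised (a freshly started ntpd answers with stratum 0 until it has a source), and that the site-A and site-B servers agree with each other. The two addresses in the usage line are the ones from the thread; the threshold is whatever you consider acceptable.

```powershell
# Added example (not from the thread): probe an NTP server with one SNTP request.
# Works in Windows PowerShell 5.1 and PowerShell 7; uses only .NET classes.
function Test-NtpServer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,   # hostname or IP of the NTP server
        [int] $Port = 123,                          # NTP listens on UDP/123
        [int] $TimeoutMs = 3000
    )

    # 48-byte SNTP packet; first byte 0x1B = LI 0, version 3, mode 3 (client).
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        $sent = [DateTime]::UtcNow
        [void] $udp.Send($request, $request.Length)
        $remote   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $response = $udp.Receive([ref] $remote)
        $received = [DateTime]::UtcNow
    } catch {
        # No answer within the timeout: UDP/123 is filtered or the daemon is not running.
        return [pscustomobject] @{
            Server = $Server; Reachable = $false; Stratum = $null; Synchronised = $false
            ServerTimeUtc = $null; OffsetMs = $null; Error = $_.Exception.Message
        }
    } finally {
        $udp.Close()
    }

    if ($response.Length -lt 48) {
        return [pscustomobject] @{
            Server = $Server; Reachable = $true; Stratum = $null; Synchronised = $false
            ServerTimeUtc = $null; OffsetMs = $null; Error = "Short reply ($($response.Length) bytes)"
        }
    }

    # Byte 1 is the stratum; 0 (or 16) means the server itself has no valid time source yet.
    $stratum = [int] $response[1]

    # Transmit Timestamp (bytes 40-47): big-endian seconds since 1900-01-01 plus a 32-bit fraction.
    $seconds  = ([double] $response[40] * 16777216) + ([double] $response[41] * 65536) +
                ([double] $response[42] * 256)      +  [double] $response[43]
    $fraction = ([double] $response[44] * 16777216) + ([double] $response[45] * 65536) +
                ([double] $response[46] * 256)      +  [double] $response[47]
    $epoch      = New-Object DateTime -ArgumentList 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $serverTime = $epoch.AddSeconds($seconds + ($fraction / 4294967296.0))

    # Compare against the midpoint of local send/receive to cancel most of the network delay.
    $localMid = $sent.AddMilliseconds(($received - $sent).TotalMilliseconds / 2)
    $offsetMs = [math]::Round(($serverTime - $localMid).TotalMilliseconds, 1)

    [pscustomobject] @{
        Server        = $Server
        Reachable     = $true
        Stratum       = $stratum
        Synchronised  = ($stratum -gt 0 -and $stratum -lt 16)
        ServerTimeUtc = $serverTime
        OffsetMs      = $offsetMs
        Error         = $null
    }
}

# Usage: probe both site servers from the thread. If both are Synchronised and their
# OffsetMs values are within a few milliseconds of each other, the sites agree on time.
'172.30.35.1', '172.30.36.1' | ForEach-Object { Test-NtpServer -Server $_ } | Format-Table -AutoSize
```

A reply with Reachable = $true but Synchronised = $false is the case that catches people out after building a new NTP VM: the firewall rule is fine, but the daemon has not yet locked onto its upstream source, so clients (including ESXi) will refuse to trust it. The offset you see here also includes the probing machine's own clock error, so run it from a host you already know to be in sync, or just compare the two servers' offsets to each other.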
GeoPerkins
Enthusiast

A true enterprise solution would be:

1. The network team enables NTP on their infrastructure (core switch or router) with appropriate firewall rules; only the core switch is allowed to query the standard public NTP servers. Create internal DNS A records for each internal core switch (at least two). DNS will resolve round-robin, for example: time.corp.com contains ntp1.corp.com and ntp2.corp.com.

2. Update the Windows AD DC queries to use time.corp.com.

3. Point all ESXi hosts' NTP source to time.corp.com.

4. Point all non-domain devices' NTP source to time.corp.com.

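For step 2 of that design, here is an added example (not from the post) of what the AD side looks like using the built-in w32tm tool. It is meant for the domain controller holding the PDC emulator role, which is the only machine in a domain that should take time from an external/manual source; every other DC and domain member follows the domain hierarchy automatically. The name time.corp.com is the one from the post, and the script first confirms that it really resolves to more than one A record, since the whole point of the round-robin name is redundancy. Run it in an elevated PowerShell on the DC.

```powershell
# Added example (not from the thread): point the PDC emulator at the internal
# round-robin NTP name and verify the result. Needs an elevated session on the DC.
$NtpName = 'time.corp.com'   # name from the post; replace with your own

# Step 1 check: the name must resolve to the (at least two) core switch addresses.
$records = @(Resolve-DnsName -Name $NtpName -Type A -ErrorAction Stop)
if ($records.Count -lt 2) {
    Write-Warning "$NtpName resolves to fewer than two A records; no NTP redundancy."
}
$records | Select-Object Name, IPAddress | Format-Table -AutoSize

# Step 2: take time from the internal name only.
# /syncfromflags:manual   use the manual peer list instead of the domain hierarchy
# /reliable:yes           advertise this DC as a reliable source to the other DCs
# /update                 apply to the running Windows Time service
w32tm /config /manualpeerlist:"$NtpName" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
w32tm /resync /nowait

# Verify: the source must show the internal name, not 'Local CMOS Clock' or time.windows.com.
w32tm /query /source
w32tm /query /status

# Measure the remaining offset against the internal source (5 samples, numbers only).
w32tm /stripchart /computer:$NtpName /samples:5 /dataonly
```

If /query /source still reports Local CMOS Clock after the resync, the DC never got an answer, which on a locked-down network almost always means UDP/123 from the DC to the core switch is not in the firewall rule set from step 1.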
GeoPerkins
Enthusiast

Here's a useful script.

ESXi host NTP configuration information
	Connect-VIServer -Server avcenter -User myadmin@corp.com
	Connect-VIServer -Server bvcenter -User myadmin@corp.com
	#
	Get-VMHost | Select Name, @{N="NTPServer";E={$_ |Get-VMHostNtpServer}}, @{N="Service is Running?";E={(Get-VmHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"}).Running}}, @{N="Firewall Rule?";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Enabled}}, @{N="Firewall Incoming Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).IncomingPorts}}, @{N="Firewall Outgoing Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).OutgoingPorts}}, @{N="Firewall Protocols";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Protocols}} | Format-Table
	Get-VMHost | Select Name, @{N="NTPServer";E={$_ |Get-VMHostNtpServer}}, @{N="Service is Running?";E={(Get-VmHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"}).Running}}, @{N="Firewall Rule?";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Enabled}}, @{N="Firewall Incoming Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).IncomingPorts}}, @{N="Firewall Outgoing Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).OutgoingPorts}}, @{N="Firewall Protocols";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Protocols}} | Out-GridView
	#
	$FilePath = "C:\temp\NTPESXiHosts.csv"
	$FileContent = Import-CSV $FilePath
	Foreach ($CsvLine in $FileContent)
		{
		$esx = $CsvLine.hostname
		Write-Host Updating NTP on $esx
		$allNtpServers = Get-VMHostNtpServer -VMHost $esx
		If ($allNtpServers -ne $Null) 
			{
			Remove-VMHostNtpServer -VMHost $esx -NtpServer $allNtpServers -Confirm:$false 
			Write-Host "All NTP Servers from $esx have been removed." `n
			}
		# Add NTP servers separately - you can have multiple Add-VmHostNtpServer cmdlet lines 
		Add-VmHostNtpServer -VMHost $esx -NtpServer time0.corp.com
		Add-VmHostNtpServer -VMHost $esx -NtpServer time1.corp.com
		# Set the firewall regulation to allow traffic for NTP lookup  
		Get-VMHostFirewallException -VMHost $esx | Where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled $true
		# Start NTP daemon and make it start automatically when needed  
		Get-VmHostService -VMHost $esx | Where-Object {$_.Key -eq "ntpd"} | Set-VMHostService -Policy "On"
		Get-VmHostService -VMHost $esx | Where-Object {$_.Key -eq "ntpd"} | Start-VMHostService
		}
	#
	Get-VMHost | Select Name, @{N="NTPServer";E={$_ |Get-VMHostNtpServer}}, @{N="Service is Running?";E={(Get-VmHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"}).Running}}, @{N="Firewall Rule?";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Enabled}}, @{N="Firewall Incoming Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).IncomingPorts}}, @{N="Firewall Outgoing Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).OutgoingPorts}}, @{N="Firewall Protocols";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Protocols}} | Format-Table
	Get-VMHost | Select Name, @{N="NTPServer";E={$_ |Get-VMHostNtpServer}}, @{N="Service is Running?";E={(Get-VmHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"}).Running}}, @{N="Firewall Rule?";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Enabled}}, @{N="Firewall Incoming Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).IncomingPorts}}, @{N="Firewall Outgoing Ports";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).OutgoingPorts}}, @{N="Firewall Protocols";E={(Get-VMHostFirewallException -VMHost $_ | where {$_.Name -eq "NTP client"}).Protocols}} | Out-GridView
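The script above shows which servers each host is configured with and whether ntpd is running, but not whether the host clock is actually correct. The following is an added example, not part of GeoPerkins' script: it asks each ESXi host for its current time through the HostDateTimeSystem managed object and reports the offset from the workstation running PowerCLI, which is assumed to be in sync with time.corp.com itself. It assumes an existing Connect-VIServer session; the 5-second threshold is an arbitrary choice for the report.

```powershell
# Added example (not from the thread): per-host clock drift report after the NTP change.
# Assumes Connect-VIServer has already been run and the local machine is itself in sync.
$MaxDriftSeconds = 5   # report threshold; pick what your environment tolerates

function Get-VMHostClockDrift {
    Get-VMHost | ForEach-Object {
        $vmhost = $_
        # HostDateTimeSystem is the managed object behind the host's time configuration.
        $dts      = Get-View -Id $vmhost.ExtensionData.ConfigManager.DateTimeSystem
        $before   = [DateTime]::UtcNow
        $hostTime = $dts.QueryDateTime().ToUniversalTime()
        $after    = [DateTime]::UtcNow
        # Midpoint of the round trip is the local reference for this sample.
        $local    = $before.AddMilliseconds(($after - $before).TotalMilliseconds / 2)
        $drift    = ($hostTime - $local).TotalSeconds

        [pscustomobject] @{
            Host         = $vmhost.Name
            NtpServers   = ($dts.DateTimeInfo.NtpConfig.Server -join ', ')
            HostTimeUtc  = $hostTime
            DriftSeconds = [math]::Round($drift, 3)
            Status       = $(if ([math]::Abs($drift) -gt $MaxDriftSeconds) { 'CHECK' } else { 'ok' })
        }
    }
}

# Usage: worst offenders first.
Get-VMHostClockDrift | Sort-Object { [math]::Abs($_.DriftSeconds) } -Descending | Format-Table -AutoSize
```

A host that lists the right NTP servers and a running ntpd but still shows a large drift is usually one where ntpd cannot reach the servers (firewall rule disabled, or the old server removed before the new one was reachable), or one whose clock was so far off that ntpd gave up instead of stepping it; restarting ntpd on that host makes it step the clock once on start.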