If you are using ESXi/ESX 4.1 Update 1 or later, you can use this workaround:
When using Active Directory integration in ESXi/ESX 4.1 and newer, it is important to synchronize time between ESXi/ESX and the directory service to facilitate the Kerberos security protocol.
ESXi/ESX supports synchronization of time with an external NTPv3 or NTPv4 server compliant with RFC 5905 and RFC 1305. Microsoft Windows 2003 and newer use the W32Time service to synchronize time for Windows clients and facilitate the Kerberos v5 protocol. For more information, see the Microsoft Knowledge Base article 939322 and How the Windows Time Service Works.
By default, an unsynced Windows server chooses a 10-second dispersion and adds to the dispersion on each poll interval that it remains in sync. An ESXi/ESX host, by default, does not accept any NTP reply with a root dispersion greater than 1.5 seconds.
The preceding links were correct as of April 16, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.
Configure Windows NTP Client
ESXi/ESX requires an accurate time source to synchronize with. To use a Windows 2003 or newer server, it should be configured to get its time from an accurate upstream NTP server. For more information, see the Microsoft Knowledge Base article 816042.
The preceding link was correct as of April 16, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.
Use the registry editor on the Windows server to make the configuration changes:
Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
Enable NTP mode:
Enable the NTP Client:
Specify the upstream NTP servers to sync from:
Set the NtpServer value to a list of at least 3 NTP servers.
Example: You might set the value to:
1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 3.pool.ntp.org,0x1
Note: On a Windows 2008 Domain Controller, NtpServer is located in
Specify a 15-minute update interval:
Restart the W32time service for the changes to take effect.
Configure ESXi/ESX NTP and Likewise Clients
Configure ESXi/ESX to synchronize time with the Windows server Active Directory Domain Controller:
Connect to the ESXi/ESX host or vCenter Server using the vSphere Client.
Click the ESXi/ESX host in the inventory.
Click the Configuration tab.
Under the Software heading, click Time Configuration.
Ensure that the NTP Client Enabled option is selected.
Click NTP Settings.
Click Add and specify the fully qualified domain name or IP address of the Windows server Domain Controller(s).
Click OK to save the changes.
Additional configuration must be done from the command line.
Open a console to the ESXi/ESX host. For more information, see Connecting to an ESX host using a SSH client (1019852) or Using Tech Support Mode in ESXi 4.1 and ESXi 5.0 (1017910).
Open the /etc/ntp.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
Add the tos maxdist command on its own line:
tos maxdist 30
Save and close the configuration file.
Make the /etc/likewise/lsassd.conf file writable by running the command:
chmod +w /etc/likewise/lsassd.conf
Open the /etc/likewise/lsassd.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
Find the sync-system-time option, uncomment it, and set the value to no:
sync-system-time = no
Save and close the configuration file.
On ESXi, save the configuration changes to the boot bank so they persist across reboots by running the command:
Restart the lsassd and ntpd services for the configuration changes to take effect by running the commands:
service lsassd restart
service ntpd restart
Note: To restart the lsassd services on an ESXi host, run these commands:
If the lsassd services do not restart, consider restarting the management agents first. For more information about restarting the management agents, see Restarting the Management agents on an ESX or ESXi Server (1003490).
Once the configuration changes are complete, ensure that the time is synchronized between the ESXi/ESX host and the Windows server. For more information, see Troubleshooting NTP on ESX and ESXi (1005092).
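The following Python sketch is an added example, not part of the original article or VMware's code. It decodes the root delay and root dispersion fields of an NTP reply and shows why a reply advertising a 10-second dispersion fails the default 1.5-second limit but passes after tos maxdist 30. The packets are constructed samples, the function names are hypothetical, and the distance check is a simplified form of what ntpd computes.

```python
import struct

DEFAULT_MAXDIST = 1.5  # seconds: the default limit the article cites
RAISED_MAXDIST = 30.0  # seconds: after "tos maxdist 30" in /etc/ntp.conf

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the first 12 bytes of an NTP packet (RFC 5905 header layout)."""
    if len(packet) < 48:
        raise ValueError(f"NTP packet must be at least 48 bytes, got {len(packet)}")
    flags, stratum, _poll, _precision, delay, disp = struct.unpack("!BBbbII", packet[:12])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        # Root delay and root dispersion are 16.16 fixed-point seconds.
        "root_delay": delay / 65536.0,
        "root_dispersion": disp / 65536.0,
    }

def root_distance(hdr: dict) -> float:
    """Simplified root distance: half the root delay plus the root dispersion.
    ntpd also adds per-peer delay, dispersion and jitter; omitted here."""
    return hdr["root_delay"] / 2 + hdr["root_dispersion"]

def accepted(packet: bytes, maxdist: float) -> bool:
    """True if a server reply passes the (simplified) maxdist check."""
    hdr = parse_ntp_header(packet)
    if hdr["mode"] != 4:  # 4 = server reply
        raise ValueError("not a server-mode NTP reply")
    return root_distance(hdr) < maxdist

def build_reply(root_delay_s: float, root_disp_s: float, stratum: int = 2) -> bytes:
    """Constructed sample reply: LI=0, VN=3, mode=4; timestamps zeroed."""
    header = struct.pack("!BBbbII", 0x1C, stratum, 6, -6,
                         int(root_delay_s * 65536), int(root_disp_s * 65536))
    return header + bytes(36)  # reference ID + four 8-byte timestamps

# Constructed samples, not captured traffic.
WINDOWS_REPLY = build_reply(0.03125, 10.0)    # the 10-second dispersion case
SYNCED_REPLY = build_reply(0.03125, 0.0625)   # a well-synchronized source

if __name__ == "__main__":
    for name, pkt in (("windows", WINDOWS_REPLY), ("synced", SYNCED_REPLY)):
        dist = root_distance(parse_ntp_header(pkt))
        print(f"{name}: root distance {dist:.3f}s, "
              f"maxdist 1.5 -> {accepted(pkt, DEFAULT_MAXDIST)}, "
              f"maxdist 30 -> {accepted(pkt, RAISED_MAXDIST)}")
```

Raising maxdist relaxes the host's check on time-source quality, so the accuracy Kerberos depends on then rests on the Windows server's own upstream synchronization configured in the first procedure.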