Check and Configure Time Service Datacenter-wide
I once had an opportunity to improve and standardize ESXi host time synchronization in an environment with hundreds of hosts. There had been issues with time sync and drift that needed to be addressed. To fix this I turned to PowerCLI to do a quick and dirty dump of the configuredNTP settings on each of the hosts in the Datacenter.
Get-VMHost | Get-VMHostService |Where-Object {$_.key -eq "ntpd"}
This commandlet returns output which gets us part of the way to the solution, but we can refine it and make it better.
We already know the key, we explicitly searched for ntpd. Same with label, we know we’re looking for the NTP service. Policy and Running are of interest to us.
- Running: True means the NTP service is started, False means it is stopped. Simple enough.
- Policy: Values can be on, off, and automatic. These map directly to the GUI settings for how to start and stop a service.
On is “Start and stop with host”, Off is “Start and stop manually”, and automatic is “Start automatically…”
I want my list to show me less info and include the hostname. Select-Object to the rescue.
Get-VMHost | Get-VMHostService |Where-Object {$_.key -eq "ntpd"}| Select-Object VMHost, Policy, Running
So now we get a more human friendly output
Now we can see if the services are running and how they start and stop with the hosts.
At this point the output told me I should execute the codes against the whole datacenter. It may only be a few hosts in your environment that need configuration but I wanted to make sure everything was set properly. I used a set of commands I found on the VMware forums as a starting point and applied them datacenter wide. In the following example replace TIMESERVER with the hostname or IP address of the time server you use, just leave the quotation marks.
Get-VMHost | Add-VmHostNtpServer -NtpServer "TIMESERVER"
Get-VMHost | Get-VMHostFirewallException | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true
Get-VMHost | Get-VmHostService | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService
Get-VMHost | Get-VmHostService | Where-Object {$_.key -eq "ntpd"} | Set-VMHostService -policy "on"
Those commands set the time server on each host, open the firewall for the NTP Client, Start the time service, and set it to start and stop with host.
If you only have a couple of hosts to correct here’s how I would do it, remember to replace the variables with your actual host’s name and time server. Leave the quotation marks though:
$servername = "HOSTNAME"
$timeserver = "TIMESERVER"
Add-VmHostNtpServer -VMhost $servername -NtpServer $timeserver
Get-VMHostFirewallException -VMhost $servername | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true
Get-VmHostService -VMHost $servername | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService
Get-VmHostService -VMHost $servername | Where-Object {$_.key -eq "ntpd"} | Set-VMHostService -policy "on
There you have it, you’ve set up NTP and saved the world from angry kerberos authentication errors.