Clock Sync Issue on ESXi 5.0 Ent + running 2.0.1 RELEASE x64
The OS sync's but the BIOS is default to UTC time. I have the same exact issue with my FreeNAS boxes too so I think this is a BSD problem not a PF problem but hope someone has a fix.
I want to either manually set the BIOS time or override/force the BIOS time either back to the ESXi Host or up to the PFsense OS. Right now PfSense knows it's in NYC but the BIOS thinks it's in UTC so 4 hours off and it's screwing with all kinds of syncs.
what does the bios time have to do with sync of what?
I am running pfsense on esxi 5, and not seeing any issues with time.
Wed Aug 15 16:12:07 CDT 2012
remote refid st t when poll reach delay offset jitter
*esxi.local.lan 22.214.171.124 2 u 11 64 377 0.889 7.160 5.935
Since they moved to full blown ntp vs that openntp crap - have had no issues at all with pfsense keeping time.
I actually have setup ntpd on my esxi 5 host, and letting it sync to strat 1 servers, and its even a member of pool.ntp.org both ipv4 and ipv6 – and it its been doing a great job. I have to restart the service every now and then -- because it seems to go into some mode where it doesn't sync with its servers any more and starts to drift. But normally its within a few ms of the strat 1 servers.
um - maybe they did not port back the move to ntpd vs openntp to 2.01? Im running 2.1
I only run the RELEASE versions for production environment.
It's messing with Active Directory sync. The BIOS clock and the OS clock and the AD server's clocks need to all be sync'd or else it messes with Kerberos and it won't sync. All of my BSD based OS'es are forcing the BIOS clock back to UTC time and it isn't updating properly.
All I want to know is if anyone has found a way either in ESXi or in PfSense Shell/CLI to force a time override on the BIOS clock to sync with the NTP servers of the PfSense OS.
ESXi defaults the BIOS to UTC, not much you can do about it (ESX allowed you to localize the BIOS time to a local time, but that went away with ESXi, and it helps for vMotioning, which may not apply to you, but it does to a lot of people.) Your local Virtual Infrastructure client will translate this (for logs and whatnot) to your local time zone, but the virtual machine's BIOS is still fed UTC for it's initial time seed (and syncs if you have that enabled.)
Lots of VMware timekeeping specific info here: http://www.vmware.com/files/pdf/techpaper/Timekeeping-In-VirtualMachines.pdf
If it's time-zones that's your issue, the below link is probably your friend, if it's fluctuation, the above link is probably your friend. Read both?
BSD should be able to translate a UTC timezone BIOS to a local time zone, some info here: http://forums.freebsd.org/showthread.php?t=9254
You certainly can set your ESXi host to any NTP server you want. Under "Home -> Inventory -> Hosts and Clusters" click on your host (it may be in a folder or cluster, hopefully you know where you hid your host) select the "Configuration" tab, under Software click on Time Configuration. "Properties…" is at the top right. After you make changes, you may need to give the NTP service an extra restart, the check box to "Restart NTP service to apply changes" doesn't always work right.
I would not, however, try to trick ESXi by setting an altered NTP server that may be adjusted for your time zone (aka, hacking an NTP server to serve "UTC" time as actually +4 to simply make your life "easier".) That can mess up your logging in ESXi and your VI client may continually be 4 hours off as it tries to adjust from what it thinks is UTC to your local time zone. Other virtual machines may not take well to that either for the same reasons.
Unless I'm misunderstanding your issue(s). The BIOS time doesn't need to be synced to local time as long as the OS knows that the BIOS time is UTC and adjusts correctly. If I recall correctly, most identity negotiations are actually based on UTC or clearly express their time zone adjustments, otherwise you couldn't authenticate across time zones (which many companies have to do) and nothing outside the OS, as it relates to authentication, cares about the BIOS time. System time that the OS uses is what is important. I'm fairly certain your OS's just need to understand that the BIOS is UTC and stop trying to fight time zones, which the FreeBSD link should help you fix.
FYI- 2.0.2 which will be released any time now, does have the ntpd change in it.
The release images have been generated it's just waiting on getting signed, put up on the servers, mirrors, etc, etc.
I still don't see how the bios clock comes into play for your AD kerberos issues? Yes I agree 100% your OS clocks need to be in sync for kerberos. But I have never seen any instance when the bios being in UTC or Local had to do with that?
You can run the normal ntpd on pfsense - it is there, or you can even just install the freebsd package for it. Just because pfsense tries to use openntp, does not mean you can use ntp.. even if your version of pfsense has not made the change to ntp.
If you OS knows what time it is, in the correct timezone - I don't see what bios being UTC or local has to do with anything related to AD or kerberos?
be set to either localtime or universal time at the BIOS level
^^^^^^^^ Third bullet in the doc.
All I know is that if I change all the timezones to match the BIOS and the OS all to UTC it all works and AD sync's.
If I let the times be proper (OS vs. BIOS) it doesn't work.
Might be related to this: