Time Sync (NTP) for ESX Hosts on Private IPs
For security reasons it is good practice to assign the ESX (vSphere) servers a private IP instead of a public IP. The private IP increases the security of the server since it is not accessible directly over the Internet. However, the ESX server on a private address (IP) cannot sync with the public time server. The same applies to the virtual center (vCenter) if it is also assigned a private IP (and no public IP).
It is important for the proper functioning of the ESX servers and vCenter that their clocks be in sync, but a private address prevents them from using a publicly available NTP server. The solution is an NTP server that has both a private and a public IP. The private IP of the NTP server must be on the same subnet as the ESX or vCenter server for this to work. Once you have a dual-homed NTP server, the next task is to update the vCenter server and the ESX servers. The following assumes that the NTP server is on private IP 192.168.0.9.
In order to update the ESX servers, you can update them directly via the console or you can use Virtual Center (vCenter), by simply clicking on "Configuration >> Time Configuration >> Properties":
Now click on the "Options" button and then select NTP Settings. There you will be able to add the NTP server's IP address. You should also remove any other NTP servers that you don't need such as 127.127.0.0.1.
Make sure the "NTP Client Enabled" checkbox is selected; otherwise the firewall port for NTP (UDP 123) remains closed and NTP will fail. To see the failure condition more clearly, I logged onto one of the ESX servers to see the error message produced when attempting to start up the NTP daemon:
Shutting down ntpd: [FAILED]
ntpd: Synchronizing with time server: [FAILED]
Starting ntpd: [ OK ]
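The vCenter clicks above can also be scripted, which is useful when there are many hosts to keep consistent. The following is an added example (not part of the original post) using VMware PowerCLI; it assumes PowerCLI is installed, that the vCenter name in $VCenter is replaced with your own, and that 192.168.0.9 is the dual-homed NTP server from the text. The firewall exception named "NTP Client" is what the "NTP Client Enabled" checkbox toggles.

```powershell
# Added example (not from the original post): configure and verify NTP on
# every ESX host managed by a vCenter, using VMware PowerCLI cmdlets.
# Assumptions: PowerCLI is installed, $VCenter is reachable, and the
# dual-homed NTP server is 192.168.0.9 (the address used in the post).
$VCenter   = 'vcenter.example.local'   # placeholder, change for your site
$NtpServer = '192.168.0.9'

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost) {
    # Drop every configured NTP server except the dual-homed one.
    foreach ($old in (Get-VMHostNtpServer -VMHost $vmhost)) {
        if ($old -ne $NtpServer) {
            Remove-VMHostNtpServer -VMHost $vmhost -NtpServer $old -Confirm:$false
        }
    }
    if ((Get-VMHostNtpServer -VMHost $vmhost) -notcontains $NtpServer) {
        Add-VMHostNtpServer -VMHost $vmhost -NtpServer $NtpServer | Out-Null
    }

    # The "NTP Client Enabled" checkbox in the GUI is this firewall exception;
    # without it outbound UDP/123 stays blocked and ntpd cannot sync.
    $fw = Get-VMHostFirewallException -VMHost $vmhost -Name 'NTP Client'
    if (-not $fw.Enabled) {
        Set-VMHostFirewallException -Exception $fw -Enabled:$true | Out-Null
    }

    # Have ntpd start with the host, and (re)start it now so the change applies.
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy 'on' | Out-Null
    if ($ntpd.Running) {
        Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null
    } else {
        Start-VMHostService -HostService $ntpd -Confirm:$false | Out-Null
    }

    # Report the resulting state so a closed port or a stopped daemon is visible at a glance.
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    [PSCustomObject]@{
        Host         = $vmhost.Name
        NtpServers   = (Get-VMHostNtpServer -VMHost $vmhost) -join ','
        FirewallOpen = (Get-VMHostFirewallException -VMHost $vmhost -Name 'NTP Client').Enabled
        NtpdRunning  = $ntpd.Running
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The final table is the check worth keeping: a host whose FirewallOpen is False will show the same "Synchronizing with time server: [FAILED]" message as above even though the NTP server address is configured correctly.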
In order to update vCenter so that it too is reliant on an NTP server on a private IP, you'll need to use regedit (registry editor). There are many other documents on the Internet that talk about how to do this, so I will recap here:
For more details, Google "NTP server registry update" or view this article:
Change this registry entry to "NTP":
Change this registry entry to "5":
Change this registry entry to the IP of the NTP server (i.e., 192.168.0.9):
Finally, restart the network time services:
net stop w32time
net start w32time
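The three registry changes and the service restart above can be done in one PowerShell script. This is an added example, not part of the original post; it assumes the standard Windows Time (w32time) registry values under HKLM\SYSTEM\CurrentControlSet\Services\W32Time (Parameters\Type, Parameters\NtpServer and Config\AnnounceFlags), a Windows Server 2008 or later vCenter host so that "w32tm /query" is available, and the NTP server 192.168.0.9 from the text. The ",0x1" suffix on the server address is an addition of mine and is optional.

```powershell
# Added example (not from the original post): apply the three registry
# changes the post describes to the vCenter Windows server, restart the
# Windows Time service (the same effect as "net stop/start w32time"), and
# check the result. Assumes Windows Server 2008 or later (for "w32tm /query")
# and the dual-homed NTP server at 192.168.0.9 from the post.
$NtpServer  = '192.168.0.9'
$W32Time    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$Parameters = Join-Path $W32Time 'Parameters'
$Config     = Join-Path $W32Time 'Config'

# Record the current values so the change can be reversed if needed.
$before = [PSCustomObject]@{
    Type          = (Get-ItemProperty -Path $Parameters).Type
    NtpServer     = (Get-ItemProperty -Path $Parameters).NtpServer
    AnnounceFlags = (Get-ItemProperty -Path $Config).AnnounceFlags
}
$before | Format-List

# "Change this registry entry to NTP": take time from an NTP peer instead of the domain hierarchy.
Set-ItemProperty -Path $Parameters -Name 'Type' -Value 'NTP' -Type String
# "Change this registry entry to the IP of the NTP server". The ",0x1" flag is my
# addition: it makes w32time poll at SpecialPollInterval; plain "192.168.0.9" also works.
Set-ItemProperty -Path $Parameters -Name 'NtpServer' -Value "$NtpServer,0x1" -Type String
# "Change this registry entry to 5": announce this machine as a reliable time source.
Set-ItemProperty -Path $Config -Name 'AnnounceFlags' -Value 5 -Type DWord

# Equivalent to "net stop w32time" followed by "net start w32time".
Restart-Service -Name w32time
w32tm /config /update | Out-Null
w32tm /resync

# Confirm the source is the private NTP server; the status output also shows the offset.
$status = w32tm /query /status
$status
if (-not ($status -match [regex]::Escape($NtpServer))) {
    Write-Warning "w32time is not using $NtpServer as its source; check that UDP/123 to it is reachable."
}
```

Run it from an elevated PowerShell session. If the warning fires after the restart, the usual cause is the same as on the ESX hosts: UDP port 123 to 192.168.0.9 is blocked somewhere between vCenter and the NTP server.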
Give it a few minutes and the clock will then show the synchronization with the NTP server on the private IP:
Now the servers are more secure on a private IP address AND they are in sync by using a dual-homed NTP server.