How-to: Time Synchronisation for UCS in Virtual Environments
Step 1 (default)
Sync time to hypervisor at startup (enabled by default, see here)
Step 2 (default)
Enable Network Time Protocol Daemon (ntpd) on UCS (default).
The ucr variables timeserver, timeserver2, timeserver3 and timeserver4 are used as references.
Domain clients like Windows sync their time to the domain controllers (Win AD or UCS).
Step 3
Disable permanent time synchronization from the hypervisor (ESXi, …) if enabled. Using time sync at boot is fine and enabled by default.
Set timeserver variables in UCS to sync to an external ntp-server (local or internet, ideally use multiple ones).
ucr set timeserver=0.de.pool.ntp.org
ucr set timeserver2=1.de.pool.ntp.org
ucr set timeserver3=2.de.pool.ntp.org
ucr set timeserver4=3.de.pool.ntp.org
systemctl restart ntp
Note
UCS systems by default install ntpd and synchronize to the UCS master. The mentioned ucr variables define additional servers from where they will sync time. Do NOT use UCS hosts for these variables.
Step 4
Configure UCS (at least) backup servers accordingly
Step 5
Monitor time synchronization with the tool “ntpq”.
root@backup:~# ntpq
ntpq> pe
remote refid st t when poll reach delay offset jitter
==============================================================================
LOCAL(0) .LOCL. 9 l 8h 64 0 0.000 0.000 0.000
*master.multi.uc LOCAL(0) 6 u 916 1024 377 0.250 0.013 0.032
The sings in the first column indicate the current state. In details the most common items there are:
*: currently preferred server with most accurate time+second best servers.#3rd best-4th best.5th bestxTime seems to be faulty. No synchronization from this host will happen
Recommended NTP Configuration for UCS in Virtual Environments
A robust and consistent time synchronization setup is critical in UCS environments, especially when running in virtualized infrastructures.
The following configuration provides a best-practice approach for Primary Domain Controllers (PDC) and Backup Domain Controllers (BDC).
Configuration Example
Primary Domain Controller (PDC)
The PDC should synchronize time with reliable external NTP sources:
ucr set timeserver="0.de.pool.ntp.org iburst" \
timeserver2="1.de.pool.ntp.org iburst" \
timeserver3="ptbtime1.ptb.de iburst"
systemctl restart ntp
Backup Domain Controller (BDC)
The BDC should primarily use the PDC as its time source to ensure internal consistency, while keeping external servers as fallback:
ucr set timeserver="<IP-OF-PDC> iburst prefer" \
timeserver2="0.de.pool.ntp.org iburst" \
timeserver3="1.de.pool.ntp.org iburst"
systemctl restart ntp
The prefer option ensures that the NTP daemon prioritizes the PDC as long as it is reachable, even if external servers might technically offer a lower stratum.
Notes on Default UCS Configuration
In some environments, internal NTP servers are used by default, for example:
ucr search --brief timeserver
timeserver2: univention.de burst
timeserver3: univention.de burst
timeserver: 192.168.0.240 burst
A key aspect here is the use of the burst parameter.
Difference Between burst and iburst
-
burst
Sends 8 packets during every polling interval.
Use with caution: When used with public NTP servers, this may be interpreted as abusive behavior (similar to a DoS attack) and can lead to blocking. -
iburst (Initial Burst)
Sends 8 packets only during the initial synchronization phase.
Best practice: Significantly accelerates time synchronization after system startup or restart.
Verification
After restarting the NTP service, verify the synchronization status:
ntpq -pn
Interpretation of the output:
-
*(asterisk):
Indicates the currently selected synchronization source
→ On a BDC, this should be the PDC -
+(plus):
Indicates candidate servers (fallback sources)
→ These will take over if the preferred source becomes unavailable
This configuration ensures:
- Consistent time across all UCS systems
- Fast initial synchronization after reboot
- Reliable fallback mechanisms in case of failures