“It’s Simple!” – Time Configuration in Active Directory
First, let me say that I am really pleased to start this series which I wanted to call "It's Simple!" aiming to simplify things a little bit and make them easier to assimilate.
Now back to our topic, shall we?
So you said Time Configuration, right? Why should we care in the first place?
It's simple! Active Directory can't work correctly (or at all) if clocks are not synchronized across domain controllers and member machines.
For example, in Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate (which is configurable by GPO: Maximum tolerance for computer clock synchronization in Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy).
Another example is replication: Active Directory uses time stamps to resolve replication conflicts.
Now, let's see how time should be configured in Active Directory:
- In Active Directory, clock synchronization is handled by the Windows Time service (W32Time),
- All member machines synchronize with any domain controller,
- In a domain, all domain controllers synchronize from the PDC Emulator of that domain, using NT5DS (which simply means: follow the domain hierarchy and find my PDC emulator),
- The PDC Emulator of a domain should synchronize with any domain controller of the parent domain, using NTP,
- The PDC Emulator of the root domain in a forest should synchronize with an external time source (a clock device, a router, another standalone server, an internet time server…)
But how do I configure time in my Active Directory?
Well, it's simple! Normally it is already set correctly unless we modify it on purpose.
Otherwise, we do provide some tools for that: the w32tm.exe command-line utility and GPO.
Run the following command on the PDC emulator:
w32tm /config /manualpeerlist:"timeserver" /syncfromflags:manual /reliable:yes /update
(where timeserver is a space-delimited list of your time source servers; keep the quotes when listing more than one)
Once done, restart the W32Time service.
Run the following command on all other DCs (those that are not the PDC):
w32tm /config /syncfromflags:domhier /update
Once done, restart the W32Time service.
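The two procedures above applied from one script, as an added example that is not part of the original post: it reads the DC's role from Win32_ComputerSystem.DomainRole (the same value the WMI filter below keys on), runs the matching w32tm command, and restarts the service. The time source names and the ",0x8" client-mode flag are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the original post): apply the role-specific w32tm
# configuration to the DC this runs on. Run from an elevated PowerShell.
# The time sources are constructed placeholders; replace them with your own.
param(
    [string[]]$TimeSources = @('time1.example.com', 'time2.example.com')
)

# Win32_ComputerSystem.DomainRole: 5 = primary domain controller (PDC emulator),
# 4 = backup domain controller (any other DC).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

switch ($role) {
    5 {
        # PDC emulator: sync from the external sources and advertise as reliable.
        # ",0x8" is the client-mode server flag (assumed choice for this example).
        # w32tm takes the peer list as one space-delimited string, hence the quotes.
        $peers = ($TimeSources | ForEach-Object { "$_,0x8" }) -join ' '
        & w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    }
    4 {
        # Any other DC: follow the domain hierarchy (NT5DS) up to the PDC emulator.
        & w32tm.exe /config /syncfromflags:domhier /update
    }
    default {
        throw "DomainRole $role is not a domain controller; nothing was changed."
    }
}
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Both procedures end with a restart of the Windows Time service.
Restart-Service -Name w32time

# Ask the service to rediscover its source now instead of waiting for the next poll.
& w32tm.exe /resync /rediscover /no_wait
```

Running it on every DC gives the same result as the two manual commands, and because the role is detected at run time the script stays correct after the PDC Emulator role is transferred.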
Using GPO with WMI filter
Using a GPO is better because it automates as much as possible (and still applies if the PDC role has to be transferred to another DC):
Create a GPO and link it to the Domain Controllers container
Set a WMI filter to target the PDC emulator, using the following syntax:
Select * from Win32_ComputerSystem where DomainRole = 5
Open the GPO for editing and go to: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, then configure Configure Windows NTP Client and Enable Windows NTP Client
Quick note: NtpServer contains a space-delimited list of time source servers, each in the format: Name-or-IP,server-flag
All non-PDC domain controllers should be set to NT5DS (domain hierarchy).
Creating a global settings GPO
- Create a GPO and link it to the Domain Controllers organizational unit,
- Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Global Configuration Settings
- Depending on the use, you may leave the default values.
You can check the registry to see whether a domain controller is using NTP (as it should on the PDC) or NT5DS (on non-PDC DCs):
Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
You can also check that the PDC advertises as a time source by running w32tm.exe /resync /rediscover /no_wait and then looking for Event ID 139
To check the source time server: w32tm /query /status
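The three checks above (registry Type, Event ID 139 on the PDC, and the source reported by w32tm /query /status) combined into one audit function, as an added example that is not part of the original post. It also flags a PDC whose NtpServer value points at itself, the situation the note below warns about. The function name and the warning texts are this example's own.

```powershell
# Added example (not from the original post): audit the time configuration of
# the DC this runs on against the role rules above and return a summary object.
function Test-DcTimeConfig {
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    # DomainRole 5 = PDC emulator (expects Type NTP), 4 = other DC (expects NT5DS).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $expectedType = switch ($role) { 5 { 'NTP' } 4 { 'NT5DS' } default { $null } }

    $reg        = Get-ItemProperty -Path $paramsKey
    $actualType = $reg.Type
    $ntpServer  = $reg.NtpServer

    # "w32tm /query /status" prints a "Source: <peer>" line; extract the peer.
    $source = $null
    foreach ($line in (& w32tm.exe /query /status)) {
        if ($line -match '^\s*Source:\s*(.+)$') { $source = $Matches[1].Trim(); break }
    }

    # On the PDC, Event ID 139 from the Time-Service provider records that the
    # service started advertising as a time source.
    $advertising = $null
    if ($role -eq 5) {
        $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 139 } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
        $advertising = [bool]$evt
    }

    $warnings = @()
    if ($expectedType -and $actualType -ne $expectedType) {
        $warnings += "Type is '$actualType' but a DC with DomainRole $role should use '$expectedType'."
    }
    if ($actualType -eq 'NoSync') {
        $warnings += 'Type is NoSync: the clock is not being synchronized at all.'
    }
    if ($source -match 'Local CMOS Clock|Free-running') {
        $warnings += "Source is '$source': this DC is not synchronized to any peer."
    }
    if ($role -eq 5 -and $ntpServer -and $ntpServer -match [regex]::Escape($env:COMPUTERNAME)) {
        $warnings += 'NtpServer points at this machine: the PDC should not synchronize with itself.'
    }
    if ($role -eq 5 -and -not $advertising) {
        $warnings += 'No Event ID 139 found: the PDC is not advertising as a time source.'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        DomainRole   = $role
        ExpectedType = $expectedType
        Type         = $actualType
        NtpServer    = $ntpServer
        Source       = $source
        Advertising  = $advertising
        Warnings     = $warnings
    }
}

Test-DcTimeConfig | Format-List
```

An empty Warnings list means the DC matches the rules in this post; anything else points at the setting to revisit, and the object can be collected from every DC for a forest-wide view.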
- Please note that we recommend using the w32tm command-line utility instead of the "net time" command (why?),
- We recommend using w32tm or GPO to configure the time service instead of editing the registry directly,
- The PDC should not synchronize with itself (RFC 1305),
- More details on the WMI filter here and GPO time settings here.
- About NtpServer value syntax and server flags here and here.
Hope it's simple now!
Imed Boukhaf from NEPA team.