Active Directory: Time Synchronization
Introduction
In an Active Directory domain, it is very important for all clocks to be within 5 minutes of each other (by default) due to the implementation of the Kerberos protocol for authentication.
Also, Active Directory uses multi-master replication model between Domain Controllers. So it is important that changes made at a later actual time on one DC don’t get overwritten by similar changes on another DC, whose time is set wrong thus making it look like the most recent change.
In this article, we would discuss the AD Time Synchronization architecture, how to configure an external time source and various other aspects of the Windows Time Service.
We also recommend checking this TechNet article, which gives a very good insight of the Windows Time Service:
https://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx
**
**
Network Time Protocol (NTP)
Network Time Protocol (NTP) is the default time synchronization protocol used by the Windows Time Service (WTS) in Windows servers and workstations.
NTP is implemented via UDP over port 123 and can operate in broadcast and multicast modes, or by direct queries.
Active Directory Time Synchronization Architecture
In Active Directory deployment, the only computer configured with a time server explicitly should be computer holding the PDC Emulator FSMO role in the forest root domain.
**
This is because the Forest root domain PDC emulator is the one and only one-time source for all the Domain Controllers, member servers and windows based workstations for the entire forest.**
It is possible to override this configuration and bypass PDC emulator, but the default (and recommend) configuration is that all domain members should sync time with forest PDC emulator, directly or indirectly.
- All domain controllers in the forest root domain synchronize time with the PDC Emulator FSMO role-holder.
- All Domain Controllers in child Domains synchronize time with any Domain Controller with Parent Domain or with PDC Emulator of its own Domain.
- All PDC Emulator FSMO role-holders in child domains synchronize their time with domain controllers in their parent domain (including, potentially, the PDC Emulator FSMO role-holder in the forest root domain).
- All domain member computers (Servers / Workstations/ any other devices) synchronize time with domain controller computers in their respective domains.
Diagram Source: Microsoft
How to check the configuration from client side
To determine if a domain member is configured for domain time sync, examine the REG_SZ value at HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type.
- If it is set to "Nt5DS" then the computer is synchronizing time with the Active Directory time hierarchy.
- If it's configured with the value "NTP" then the computer is synchronizing time with the NTP server specified in the NtpServer REG_SZ value in the same registry key.
External Time Source
Since PDC Emulator of the forest root domain is the main time source of the entire forest, it is important that the system clock of this computer is accurate.
To maintain the accuracy, the forest root domain PDC emulator must be configured to synchronize its time with an external time source which is reliable. Example: Windows Time Server or Google Time Server.
Stratum Value
The degree to which a computer’s time is accurate is called a stratum.
- The most accurate time source on a network (such as a hardware clock) occupies the lowest stratum level, or stratum one. This accurate time source is called a reference clock.
- An NTP server that acquires its time directly from a reference clock occupies a stratum that is one level higher than that of the reference clock.
- Resources that acquire time from the NTP server are two steps away from the reference clock, and therefore occupy a stratum that is two higher than the most accurate time source, and so on.
As a computer’s stratum number increases, the time on its system clock may become less accurate. Therefore, the stratum level of any computer is an indicator of how closely that computer is synchronized with the most accurate time source.
So when you configure a new PDC emulator or move existing PDC emulator role to a different domain controller, please follow below steps for external time source configuration.
Old PDC Emulator: DC1.subhro.com
New PDC Emulator: DC2.subhro.com
External Time Sources: 1) time.windows.com 2) time.google.com
Configure a reliable external time source for the Forest Root Domain PDC Emulator
Note: If Forest PDC Emulator is a VM, make sure it is not configured to Sync time with its host.
- On the PDC Emulator, run the following command from command prompt (Admin Mode)
w32tm /config /manualpeerlist:"0.time.windows.com,0x1 1. time.google.com ,0X1" /syncfromflags:manual /reliable:yes /update
- Check and confirm the below registry value:
*** ***
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type has “NTP” as the value
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer has the value "0.time.windows.com,0x1 1. time.google.com ,0X1"
Please note: Make sure the time server names are resolvable. Otherwise, please use IP address.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags has the value 0x5. This value indicates that this system is configured to sync with an external time source. If the value is 0XA, it means this system will not sync with any external time source but would sync with itself.****
- Configure poll interval with external time source by modifying below registry key:
** **
*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
*
Put the value in seconds. For example, if you want to set the poll interval to 1 hour, put 3600 here.
- Run the following commands in sequential order :
net stop w32time
net start w32time
**5. **If required, restart the new PDC emulator.
Remove the reliable external time source settings from the old PDC Emulator (If you are changing the PDC emulator)
1. Run the following command from command prompt of the old PDC Emulator :
w32tm /config /syncfromflags:domhier /reliable:no /update
** ** 2. ** **Check and confirm the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type has “NT5DS” as the value
** 3. **Run the following commands in sequential order :
net stop w32time
net start w32time
** **
2. If required, restart the server.
Post configuration checking
1. Check the time configuration by running the command
w32tm /query /configuration
**
- Check the time synchronization report by running the command**
** **
w32tm /monitor
** **Click here to get the Powershell script, which will automate the Time Skew report for your domain, and will send the result in an email.
- To compare the time synchronization of a server with an external time source use the following command
** **
** w32tm /stripchart /computer:** time.windows.com
d: Internal delay (time difference between the UDP package received and UDP package sent on the server side.
O: Actual offset between the local time and the server time.
** **
** 4. **To check the time source of a server run this command
** **
** w32tm /query /status**
- To manually sync the time with time source, run this command
** **
w32tm /resync
** Few points to observe from the above output:**
** **
Root dispersion is the maximum clock time difference that was ever observed between the local clock and the root clock. As you can see, this value has been reduced to milliseconds after synchronization.
Since the primary time source (time.windows.com) is not reachable, it has automatically switched to secondary time source (time.google.com).
Stratum value was earlier 1, indicating that no external time source was configured and this PDC emulator was the root time source (which is not the recommended configuration, as explained earlier)
After running the first sync, the server detected the newly configured external time source and marked it as root (Stratum value 1). Therefore, the new value of the PDC emulator has been changed to one level up, which is 2.
A Note on Registry keys
There is an article on Technet which explains these registry values which we have used here.
Excerpts from that article
It is important to note that W32Time will only actively synchronize with one time source at a time, even though you are able to list more than one time source. The reason for this is simple: If your favorite time source goes down, it would be good to have a backup, or possibly a list of backups.
W32Time configures the list of time sources through the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
The NtpServer key is a space-delimited list of time servers, either as DNS address or as IP addresses. Each server in the list can optionally have a set of flags, which are denoted as a hex value at the end of the address, separated by a comma.
Now let’s take a look at the flags. We have 4 possible flags:
• 0x01 SpecialInterval
• 0x02 UseAsFallbackOnly
• 0x04 SymmatricActive
• 0x08 Client
For 99% of cases, we only care about the first two options, so that is where we will focus. If you use the SpecialInterval flag, then you need to also set the "SpecialPollInterval" key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\
NtpClient\SpecialPollInterval
Normally, W32Time will poll (make a time request) on a floating interval, based on the quality of the time samples being returned by the time source. You can, however, specify a static interval that the time service will synchronize on. This value is in seconds. For example, if you set an of 3600, the time service will synchronize every hour (60 minutes * 60 seconds).
The second flag is the UseAsFallbackOnly option. Setting this flag will tell the time service that you want to try every other time server specified before trying this one.
Designing a Time Service Policy
Configuring PDC Emulator and external time source is only one part of the time service configuration. There are still many other points which we need to consider. Some of the important points are described below.
**1. Force all windows systems to use Domain Controller as their time source **
**By default in Active Directory domain environment clients synchronize their time with domain controllers (option Nt5DS — synchronize time to domain hierarchy). **
Typically, this behavior does not need to be reconfigured. However, if you want to ensure that the default behavior would not be overridden by someone on the client side, you can force a Group Policy to push the configuration.
a) Navigate to Computer Configuration->Policies->Administrative Templates->System->Windows Time Service->Time Providers. In the right pane, double-click “Enable Windows NTP Client”. Set it to “Enabled” and click OK.
b) Next, double-click “Configure Windows NTP Client”. Configure the options then append, 0x1 to the NtpServer field so that it reads yourdc.yourdomain.com,0x1)
2. Disable Virtual Machine Time Sync from host
All modern hypervisors have the ability to provide time synchronization to guest machines through that hypervisor’s integration tools. If enabled, guest machines will draw time from the physical host they are running on.
In an Active Directory environment, it is recommended to disable Virtual Machine time sync with a host, to avoid potential conflict.
3. Enable DHCP Scope Option
**
**
If you would like to push NTP server settings to a non-windows device (Like IP Phone), use DHCP scope option 042. Do not use DHCP scope option 004 unless it is specifically mentioned in any documentation.
4. Allow UDP Port 123 through Firewall
UDP port 123 should be unblocked by the firewalls, in both directions.
Also, remember NTP client sends UDP request from random port >1023 to port 123 on NTP server. It waits for a response on the same originating port. The firewall should be able to keep open originating port for UDP traffic from NTP server.
** **
5. Configure Static Devices
**There are few static devices (like few SAN, NAS devices) which do not support NTP server configuration over Group Policy or DHCP. For such devices, you need to configure the time sources statically, from the device console. **
The downside is, if NTP server name would be changed, you have to change these settings manually.
** **
How can we ensure that our systems are maintaining accurate time?
We recommend to follow below steps to ensure that all systems in an AD environment are maintaining accurate time.
a) Forest Root Domain PDC Emulator should sync its time with external NTP server on a regular basis.
To ensure that, follow these steps
1. Execute w32tm /query /status from the forest root domain PDC emulator. Validate the NTP server, last sync time, root desperation.
2. Compare the PDC emulator clock time with any world clock time and observe the difference in seconds. One such site is https://www.timeanddate.com/ , where you can view world clock with second value and can compare with your PDC.
b) All other Domain Controllers should sync time with Forest Root Domain PDC emulator on a regular basis. The time difference between Domain Controllers should be less than 1 second in an entire forest.
** **
To ensure that, configure a scheduled task, which would generate the Time Skew Report for all Domain Controllers and send it to your mailbox. Click here for the script, which I have prepared for this purpose.
c) All other computers and workstations should sync with Domain Controllers at a regular interval.
Summary
In this article, we have gone through the time service architecture within an Active Directory Forest. We have also discussed how to configure external time source for Forest PDC Emulator, and how to ensure client systems will follow the Active Directory Time Architecture.
Additionally, we have covered some best practices related to Time Service Configuration of virtual machines, Firewall Port Configuration and configuring non windows devices.
References
1. https://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx