In an Active Directory domain, it is very important for all clocks to be within 5 minutes of each other (by default) due to the implementation of the Kerberos protocol for authentication.
*When a Windows server receives a Kerberos authentication request, it compares the timestamp in the request to its local time. If the difference between the local time and the timestamp exceeds the allowed clock skew (5 minutes by default), the request is rejected, Kerberos authentication fails and users cannot log in.
*Correct time also matters for AD's multi-master replication model used between all DCs, where timestamps are used to resolve replication conflicts.
Network Time Protocol (NTP)
Network Time Protocol (NTP) is the default time synchronization protocol used by the Windows Time Service (WTS) in Windows servers and workstations.
NTP is implemented via UDP over port 123 and can operate in broadcast and multicast modes, or by direct queries.
Active Directory Time Synchronization Architecture
*In an Active Directory deployment, the only computer that should be explicitly configured with a time server is the computer holding the PDC Emulator FSMO role in the forest root domain.
*This is because the forest root domain PDC Emulator is the one and only time source for all domain controllers, member servers and Windows-based workstations in the entire forest.
- All domain controllers in the forest root domain synchronize time with the PDC Emulator FSMO role-holder.
- All domain controllers in child domains synchronize time with any domain controller in the parent domain or with the PDC Emulator of their own domain.
- All PDC Emulator FSMO role-holders in child domains synchronize their time with domain controllers in their parent domain (including, potentially, the PDC Emulator FSMO role-holder in the forest root domain).
- All domain member computers (Servers / Workstations/ any other devices) synchronize time with domain controller computers in their respective domains.
How to check the configuration
1- client side
To determine if a domain member is configured for domain time sync, examine the REG_SZ value at: HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type.
- If it is set to "Nt5DS" then the computer is synchronizing time with the Active Directory time hierarchy.
- If it's configured with the value "NTP" then the computer is synchronizing time with the NTP server specified in the NtpServer REG_SZ value in the same registry key.
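The registry check above, as an added PowerShell example (not code from the original post): it reads the W32Time values under the keys named in this post, decodes the NtpServer peer list and reports anything that contradicts the expected configuration. It assumes an elevated session on a Windows domain member or DC; the peer flag bits (0x1 UseSpecialPollInterval, 0x2 UseAsFallbackOnly) are the documented w32tm manual-peer flags.

```powershell
# Added audit script; registry paths are the ones this post checks by hand.
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$pollKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

function Get-W32TimeAudit {
    $p = Get-ItemProperty -Path $paramKey
    $c = Get-ItemProperty -Path $configKey
    $n = Get-ItemProperty -Path $pollKey
    $findings = @()

    # NtpServer is a space-separated list of "server,0xFLAGS" entries.
    $peers = foreach ($entry in ($p.NtpServer -split '\s+' | Where-Object { $_ })) {
        $peerHost, $flag = $entry -split ',', 2
        $bits = if ($flag) { [int]$flag } else { 0 }     # "0x1" casts to 1
        [pscustomobject]@{
            Host            = $peerHost
            SpecialInterval = [bool]($bits -band 0x1)
            FallbackOnly    = [bool]($bits -band 0x2)
            # The post requires peer names to be resolvable; check that here.
            Resolvable      = [bool](Resolve-DnsName $peerHost -ErrorAction SilentlyContinue)
        }
    }

    switch ($p.Type) {
        'Nt5DS'  { $mode = 'Domain hierarchy (Nt5DS)' }
        'NTP'    { $mode = 'Manual NTP peers'
                   if (-not $peers) { $findings += 'Type is NTP but NtpServer is empty' } }
        'NoSync' { $mode = 'Not synchronizing'; $findings += 'Type is NoSync: clock will drift' }
        default  { $mode = "Unknown Type value '$($p.Type)'" }
    }
    foreach ($peer in $peers) {
        if (-not $peer.Resolvable) { $findings += "Peer '$($peer.Host)' does not resolve in DNS" }
    }
    # 0x5 is what the post expects on the forest root PDC; 0xA is the default auto-announce value.
    if ($p.Type -eq 'NTP' -and $c.AnnounceFlags -ne 0x5) {
        $findings += ('AnnounceFlags is 0x{0:X}, expected 0x5 on a manually sourced PDC' -f $c.AnnounceFlags)
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Mode                = $mode
        Peers               = $peers
        AnnounceFlags       = ('0x{0:X}' -f $c.AnnounceFlags)
        SpecialPollInterval = $n.SpecialPollInterval
        Findings            = $findings
    }
}

Get-W32TimeAudit | Format-List
```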
2- PDC Emulator side
Configure a reliable external time source for the Forest Root Domain PDC Emulator
Note: If the forest PDC Emulator is a VM, make sure it is not configured to sync time with its host.
1. On the PDC Emulator, run the following command from an elevated command prompt:
w32tm /config /manualpeerlist:"0.time.windows.com,0x1 time.google.com,0x1" /syncfromflags:manual /reliable:yes /update
2. Check and confirm the registry values below:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type has "NTP" as the value
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer has the value "0.time.windows.com,0x1 time.google.com,0x1"
Please note: Make sure the time server names are resolvable. Otherwise, use IP addresses instead.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags has the value 0x5. This value indicates that this system is configured to sync with an external time source.
- If the value is 0xA, it means this system will not sync with any external time source but would sync with itself.
3. Set the poll interval at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
Put the value in seconds. For example, if you want to set the poll interval to 1 hour, put 3600 here.
4. Run the following commands in order:
net stop w32time
net start w32time
5. If required, restart the new PDC emulator.
Post configuration checking
1. Check the time configuration by running the command
w32tm /query /configuration
2. Check the time synchronization report by running the command
3. To compare the time of a server against an external time source, use the following command:
w32tm /stripchart /computer:time.windows.com
d: Internal delay (time difference between the UDP packet received and the UDP packet sent on the server side).
o: Actual offset between the local time and the server time.
4. To check the time source of a server run this command
w32tm /query /status
5. To manually sync the time with time source, run this command
w32tm /resync
A few points to observe from the above output:
- Root dispersion is the maximum clock time difference that was ever observed between the local clock and the root clock. As you can see, this value has been reduced to milliseconds after synchronization.
- Since the primary time source (time.windows.com) is not reachable, it has automatically switched to secondary time source (time.google.com).
- Stratum value was earlier 1, indicating that no external time source was configured and this PDC emulator was the root time source (which is not the recommended configuration, as explained earlier)
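The checks made by eye on the w32tm /query /status output above, as an added PowerShell example (not code from the original post): it parses the status output into fields and flags the conditions this post describes (stratum 1 with no external source, an unsynchronized clock, a local-clock or Hyper-V host time source, large root dispersion). The status lines embedded below are constructed to resemble a PDC Emulator with no external source; the field labels are those printed by w32tm.

```powershell
# Added example. Pass saved output for offline analysis, or let it run w32tm locally.
function Test-W32TimeStatus {
    param([string[]]$StatusLines = (w32tm /query /status))
    $fields = @{}
    foreach ($line in $StatusLines) {
        # "Label: value" lines; the value may itself contain colons (timestamps).
        if ($line -match '^\s*([^:]+?):\s*(.+)$') { $fields[$matches[1]] = $matches[2] }
    }
    $stratum    = [int]([regex]::Match($fields['Stratum'], '\d+').Value)
    $source     = $fields['Source']
    $dispersion = [double]($fields['Root Dispersion'] -replace 's$', '')
    $findings   = @()

    if ($stratum -eq 1) {
        $findings += 'Stratum 1: host presents itself as the root time source; expected only with a reference clock attached'
    } elseif ($stratum -eq 0 -or $stratum -ge 16) {
        $findings += "Stratum $stratum`: clock is not synchronized"
    }
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "Source is '$source': no network time source is in use"
    }
    if ($source -match 'VM IC Time Synchronization Provider') {
        $findings += 'Source is the Hyper-V host: VM time sync with the host is still enabled'
    }
    if ($dispersion -gt 1) {
        $findings += "Root dispersion ${dispersion}s is above 1s; clock is far from its reference"
    }
    [pscustomobject]@{ Stratum = $stratum; Source = $source; RootDispersion = $dispersion; Findings = $findings }
}

# Constructed sample output for a PDC Emulator that has never synced externally.
$sample = @(
    'Leap Indicator: 0(no warning)',
    'Stratum: 1 (primary reference - syncd by radio clock)',
    'Precision: -23 (119.209ns per tick)',
    'Root Delay: 0.0000000s',
    'Root Dispersion: 10.0000000s',
    'ReferenceId: 0x4C4F434C (source name:  "LOCL")',
    'Last Successful Sync Time: 1/1/2024 9:00:00 AM',
    'Source: Local CMOS Clock',
    'Poll Interval: 6 (64s)'
)
Test-W32TimeStatus -StatusLines $sample | Format-List
```

Run it without arguments on the PDC Emulator after the resync steps above; the Findings list should come back empty once the external peer is in use.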
Designing a Time Service Policy
2. Disable Virtual Machine Time Sync from host
**In an Active Directory environment, it is recommended to disable Virtual Machine time sync with a host, to avoid potential conflict.**
If you would like to push NTP server settings to a non-Windows device (such as an IP phone), use DHCP scope option 042 (NTP Servers). Do not use DHCP scope option 004 (Time Server) unless the device's documentation specifically calls for it.
UDP port 123 should be unblocked by the firewalls, in both directions.