Keeping time accurate on your Windows Domain

A simple but common problem I have seen on Windows domains is time drift. Normally it’s a user that logs a ticket pointing out that the clock on their workstation or sometimes application server is wrong.

Although this seems like a trivial problem at first, it is surprising how many senior Windows admins don’t have a good understanding of how time syncing on a Windows domain works. The larger the network, and the more non-Windows devices on it, the more the problem compounds, as the engineers configuring the non-Windows devices point their NTP client at any one of the pool of DCs running on a large enterprise network. Not to mention that with Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate.

This blog post will cover the basics of how time is kept on a Windows domain and recommended ways to keep everything in sync.

The basics:

  • In Active Directory, the Windows Time service (W32Time) is used for clock synchronization.
  • All member machines synchronize with any domain controller.
  • The domain controller running the PDC Emulator role is the master time keeper for the root domain in the forest.
  • It is best practice to have the PDC Emulator server syncing with an external time server.

The hierarchy is shown in the picture below.

You can identify the domain controller running the PDC Emulator with the following PowerShell commands:

Get-ADForest |
Select-Object -ExpandProperty RootDomain |
Get-ADDomain |
Select-Object -Property PDCEmulator

Or, to see all the roles, you can use the following command from PowerShell or CMD:

netdom /query fsmo

The results should give you something like this:

Once the server running the PDC Emulator is identified, it is recommended to configure it to sync with an external time server, if it is not already.

To check the current settings, run the following in a PowerShell or CMD session with elevated privileges:

w32tm /query /status

Results:

If you see something like Free-running System Clock or an unknown source address, it’s best to run the commands below, using either these time servers or other trusted time servers for your region.

Find the local servers for your region here: https://www.ntppool.org


net stop w32time
w32tm /unregister
w32tm /register
w32tm /config /manualpeerlist:"0.de.pool.ntp.org,0x1 1.de.pool.ntp.org,0x1 2.de.pool.ntp.org,0x1 3.de.pool.ntp.org,0x1" /syncfromflags:manual /reliable:yes /update
net start w32time
w32tm /resync

If you run the status query again, you can see that the source has changed.

To see that all the peers have been added and to check their state, run the following command:

w32tm /query /peers

Now, on all other domain controllers, which should use the PDC Emulator as their authoritative time server, run the following commands:

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

Or with a GPO:

Create a GPO and link it to the Domain Controllers organizational unit.

Set a WMI filter to target the PDC Emulator, using the following syntax:

Select * from Win32_ComputerSystem where DomainRole = 5

Edit the settings under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, then Global Configuration Settings.

Edit the settings under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, then Configure Windows NTP Client and Enable Windows NTP Client.

Depending on your use case, you may leave the default values.

All non-PDC domain controllers should be set to NT5DS (domain hierarchy).
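As an added example (not part of the original post), the PowerShell script below audits every DC in the forest against the rules above: it locates the PDC Emulator, reads each DC's configured Type and time source, and measures each DC's offset against the PDC so that skew approaching the 5-minute Kerberos limit is visible before users start logging tickets. It assumes the ActiveDirectory module, an elevated session with RPC and NTP reachability to every DC, and the function and variable names are chosen here, not built in.

```powershell
# Added example, not from the original post. Function/variable names are assumptions.
Import-Module ActiveDirectory

$maxSkewSeconds = 300   # Kerberos default MaxClockSkew is 5 minutes

# Average of the offset column in "w32tm /stripchart /dataonly" output, e.g. "10:15:32, +00.0012345s".
# These offsets are measured against the machine running this script.
function Get-OffsetSeconds([string]$Computer) {
    $vals = foreach ($l in (w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1)) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if ($vals) { ($vals | Measure-Object -Average).Average } else { $null }
}

function Get-DcTimeReport {
    # Same PDC Emulator lookup as above, collapsed into one expression
    $pdc = (Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain).PDCEmulator
    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
    $pdcOffset = Get-OffsetSeconds $pdc

    foreach ($dc in $dcs) {
        # "Type: NT5DS (Local)" or "Type: NTP (Policy)" line from the remote w32tm configuration
        $type = $null
        foreach ($l in (w32tm /query /computer:$dc /configuration 2>&1)) {
            if ("$l" -match '^Type:\s*(\S+)') { $type = $matches[1]; break }
        }
        $source = (w32tm /query /computer:$dc /source 2>&1) -join ' '
        $offset = Get-OffsetSeconds $dc
        # Subtract the PDC's own offset so the skew is DC-versus-PDC, not DC-versus-this-machine
        $skew  = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Round($offset - $pdcOffset, 3) }
        $isPdc = $dc -ieq $pdc

        $finding = if ($isPdc -and $type -ne 'NTP') { 'PDC should sync from external NTP (Type NTP)' }
            elseif (-not $isPdc -and $type -ne 'NT5DS') { 'Non-PDC DC should use domain hierarchy (NT5DS)' }
            elseif ($source -match 'Free-running|Local CMOS') { 'Unreliable time source' }
            elseif ($null -eq $skew) { 'Could not measure offset (NTP/RPC unreachable?)' }
            elseif ([math]::Abs($skew) -gt $maxSkewSeconds) { 'Skew exceeds Kerberos limit' }
            else { 'OK' }

        [pscustomobject]@{ DC = $dc; IsPDC = $isPdc; Type = $type; Source = $source; SkewVsPdcSec = $skew; Finding = $finding }
    }
}

Get-DcTimeReport | Format-Table -AutoSize
```

Run it from the PDC Emulator itself and the PDC's own offset will be zero, so SkewVsPdcSec is then a direct reading of each DC against the authoritative clock.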



About the Author: Phil
