A simple but common problem I have seen on Windows domains is time drift. Normally it’s a user that logs a ticket pointing out that the clock on their workstation or sometimes application server is wrong.
Although this seems like a trivial problem at first, it is surprising how many senior Windows admins don’t have a good understanding about how the time syncing on a windows domain works. The larger the network and the more non-windows devices on it the more the problem seems to compound as the engineers configuring the non-windows devices set their devices NTP server as one of the pool of DCs running on a large enterprise network and not to mention that in Kerberos V5 computers that are more than 5 minutes out of sync will not authenticate
This blog will cover the basics of how time is kept on a windows domain and recommended ways to keep everything in sync.
- In Active Directory, we use the Windows Time service for clock synchronization: W32Time
- All member machines synchronizes with any domain controller
- The domain controller running the PDC Emulator role is master time keeper for the root domain in the forest
- It is best practice to have the PDC Emulator server syncing with an external time server.
The hierarchy in this picture below
You can identify the domain controller running the PDC emulator with the following powershell commands
Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain | Select-Object -Property PDCEmulator
Or to see all the roles to can use the below command from PowerShell or CMD
netdom /query fsmo
The results should give you something like this:
Once the server running the PDC Emulator is identified, it is recommended to configure it to sync with an external time server is it is not already.
To check the current settings run the following in a powershell or CMD session with elevated privileges:
w32tm /query /status
If you see something like Free-running System Clock or an unknown source address it’s best to run the below code using either this time servers or other trusted time servers for your region.
Find the local servers for your region here: https://www.ntppool.org
net stop w32time w32tm /unregister w32tm /register w32tm /config /manualpeerlist:"0.de.pool.ntp.org,0x1 1.de.pool.ntp.org,0x1 2.de.pool.ntp.org,0x1 3.de.pool.ntp.org,0x1" /syncfromflags:manual /reliable:yes /update net start w32time w32tm /resync
If you run the status query again you can see the source has changed
To see all the peers are now added and to check their state you can see the following command:
w32tm /query /peers
Now for all other domain controllers, that you want to use the PDC role server as the authority time server for, you will have to run the following commands:
w32tm /config /syncfromflags:domhier /update net stop w32time net start w32time
Or with a GPO
Create a GPO and link it to Domain Controllers organizational unit,
Set a WMI filter to target the PDC emulator, using the following syntax:
Select * from Win32_ComputerSystem where DomainRole = 5
Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Global Configuration Settings
Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Configure Windows NTP Client + Enable Windows NTP Client
Depending on the use, you may leave the default values.
All non-PDC domain controllers should be set to NT5DS (domain hierarchy).