The Kerberos v5 protocol uses timestamps as part of its fundamental definition. The reason for this is to prevent "replay" attacks on your network. Consequently, your users will be unable to authenticate to your Active Directory Domain Services (AD DS) domain if there is more than five minutes difference between the client workstation's clock time and your domain controllers' clocks.
The five-minute tolerance is the Active Directory default. To adjust this value, open a Group Policy Object (GPO), navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Kerberos Policy, and open the policy Maximum tolerance for computer clock synchronization, as shown in the next figure.
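Because an authentication failure caused by skew is easy to confuse with an account or password problem, it helps to measure the offset between a client and each domain controller directly. The following PowerShell function is an added example, not code from the original article: it wraps w32tm /stripchart, averages the measured offsets, and flags any DC whose offset exceeds the Kerberos tolerance (5 minutes by default, passed here as 300 seconds). It assumes the ActiveDirectory module (RSAT) is available for DC discovery when no names are supplied; the output line format it parses is the /dataonly form of w32tm.

```powershell
# Added example (not from the original article): compare this host's clock with each DC.
function Test-DcClockSkew {
    [CmdletBinding()]
    param(
        [string[]]$DomainController,          # FQDNs; discovered from AD if omitted
        [int]$MaxSkewSeconds = 300,           # Kerberos default tolerance: 5 minutes
        [int]$Samples = 3
    )
    if (-not $DomainController) {
        # Discover every DC in the current domain (requires the ActiveDirectory module)
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }
    foreach ($dc in $DomainController) {
        # w32tm /stripchart queries the remote NTP service on UDP 123 and reports our offset
        $raw = & w32tm.exe /stripchart /computer:$dc /samples:$Samples /dataonly 2>&1
        # With /dataonly each sample line looks like "10:00:00, +00.0003456s"
        $offsets = foreach ($line in $raw) {
            if ($line -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
        }
        if (-not $offsets) {
            # No parsable samples: the DC did not answer NTP (firewall, name resolution, service stopped)
            [pscustomobject]@{
                DomainController = $dc
                OffsetSeconds    = $null
                Status           = 'Unreachable'
                Detail           = ($raw -join ' ')
            }
            continue
        }
        $avg = ($offsets | Measure-Object -Average).Average
        [pscustomobject]@{
            DomainController = $dc
            OffsetSeconds    = [math]::Round($avg, 3)
            Status           = if ([math]::Abs($avg) -gt $MaxSkewSeconds) { 'OUT OF TOLERANCE' } else { 'OK' }
            Detail           = "$($offsets.Count) samples"
        }
    }
}

# Show which time source this machine itself follows, then audit the DCs
w32tm.exe /query /source
Test-DcClockSkew | Format-Table -AutoSize
```

Run it from a workstation that is failing to authenticate and, separately, from a DC. A workstation that is out of tolerance against every DC points at the client clock; a single DC out of tolerance against all the others points at that DC's time source.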
Keeping domain time in sync
Fundamentally, server and client systems rely upon their battery-powered crystal oscillator real-time clock (RTC) to keep time. Layered on top of that in Windows is the Windows Time service (W32Time), Microsoft's implementation of the industry standard Network Time Protocol (NTP). NTP listens on User Datagram Protocol (UDP) port 123.
Check out the following annotated Visio diagram (adapted from the Microsoft docs) I drew for you. After the figure, I'll describe how time synchronization works in an AD DS hierarchy.
- 1: Domain member workstations (WKS) synchronize time with any domain controller (DC) in their own domain.
- 2: Domain controllers synchronize time with the Primary Domain Controller (PDC) Emulator (PDCE) in their own domain or with DCs from the parent domain.
- 3: The PDC Emulator role holder synchronizes time with the PDC Emulator or any DC from the parent domain.
- 4: The forest root PDC Emulator synchronizes its time with an external NTP time server.
- 5: The NTP time server can be internet-based or located on your local network.
By default, Windows Server and Windows Client domain member systems synchronize their clocks once per hour (3,600 seconds). This interval is configurable, however. You do this by modifying the SpecialPollInterval registry value, found in this path:
You can use the registry to configure your forest root PDC Emulator role holder to use one or more public or private NTP servers. First, browse to this path:
Then change the Type value data from NT5DS to NTP. Next, in the same path, modify the NtpServer value with a space-delimited list of time server hostnames or IP addresses. For example:
time.windows.com,0x01 time.nist.gov,0x01 my.time.server.com,0x02
The hexadecimal values after each hostname are called flags; the values represent:
- 0x01: Special Interval
- 0x02: Use as Fallback Only
- 0x04: Symmetric Active
- 0x08: Client
In my example, I want to use either of the first two names and the third entry only if the first two are unreachable. Note that the 0x01 flag requires that you configure the SpecialPollInterval value I discussed previously.
Okay, we aren't finished yet. We need to configure the PDC Emulator not to sync with itself but with the NTP servers we just defined. Browse to this registry path:
Then set the AnnounceFlags value to the hex value 5.
To finish off the configuration, use PowerShell to restart the Windows Time service on the domain controller:
Restart-Service -Name W32Time -Force
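The steps above, carried out in one script, as an added example that is not part of the original article. The registry key paths are the standard W32Time keys from Microsoft's Windows Time service documentation (the article's text does not spell them out), so check them against the current docs before running this. The script assumes the ActiveDirectory module is present and refuses to run anywhere except on the PDC Emulator, since every other DC should keep Type = NT5DS and follow the domain hierarchy. my.time.server.com is a placeholder name taken from the article's example list.

```powershell
# Added example (not the article's own code): point the PDC Emulator at external NTP servers.
# Key paths below are Microsoft's documented W32Time registry locations, not taken from this article.
$w32time   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params    = "$w32time\Parameters"               # Type, NtpServer
$config    = "$w32time\Config"                   # AnnounceFlags
$ntpClient = "$w32time\TimeProviders\NtpClient"  # SpecialPollInterval

# Peer list from the article: 0x01 = use SpecialPollInterval, 0x02 = fallback only.
# my.time.server.com is a placeholder; replace it with your internal time server.
$peers = 'time.windows.com,0x01 time.nist.gov,0x01 my.time.server.com,0x02'

# Guard: only the PDC Emulator should leave the NT5DS domain hierarchy.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$pdce = (Get-ADDomain).PDCEmulator               # requires the ActiveDirectory module (RSAT)
if ($fqdn -ne $pdce) {
    throw "This host is $fqdn; the PDC Emulator is $pdce. Run this only on the PDC Emulator."
}

# Step 1: switch from the domain hierarchy (NT5DS) to manual NTP peers
Set-ItemProperty -Path $params -Name Type -Value 'NTP'
Set-ItemProperty -Path $params -Name NtpServer -Value $peers

# Step 2: the 0x01 flag requires SpecialPollInterval; 3600 s matches the Windows default of once per hour
Set-ItemProperty -Path $ntpClient -Name SpecialPollInterval -Value 3600 -Type DWord

# Step 3: AnnounceFlags 5 = reliable time source, so the PDCE no longer treats itself as its own source
Set-ItemProperty -Path $config -Name AnnounceFlags -Value 5 -Type DWord

# Step 4: restart the service, force a sync, and show the result
Restart-Service -Name W32Time -Force
w32tm.exe /resync
w32tm.exe /query /status
```

After the restart, w32tm /query /status should report one of the listed peers as the source; if it still shows Local CMOS Clock, the peers are unreachable on UDP 123 and the service has fallen back to the local RTC.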
Meeting high time accuracy requirements
Some businesses have much stricter time accuracy and synchronization requirements than most. If they have the money, they should probably purchase a hardware NTP server (or even a Raspberry Pi!) that fetches time via GPS to serve them best. You would then configure your forest root PDC Emulator to synchronize with the internal hardware NTP server as previously described.
That said, you should know that Microsoft made changes to Windows Server 2016 and Windows Server 2019 to support higher accuracy W32time requirements.
In what should come as no surprise, Microsoft says the first thing you should do to obtain a high time accuracy configuration is to ensure all domain member workstations run Windows 10 and all domain servers run Windows Server 2016 or Windows Server 2019 (at least the domain controllers).
Second, Microsoft advises that all domain members should have the Windows Time service set to the Automatic startup type and always running.
Third, you should configure your domain as I outlined previously to synchronize time with a hierarchy of NTP time servers.
Fourth and finally, you should optimize your network to ensure no more than 100 ms latency between any two domain systems.
According to the Microsoft docs, fulfilling the above recommendations should deliver up to 1 millisecond time accuracy throughout your domain.
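The four prerequisites above are easy to check in bulk. The function below is an added example, not from the original article: for each computer it reports the OS build, the Windows Time service startup type and state, and the average ICMP round-trip time against the 100 ms ceiling. It assumes Windows PowerShell 5.1 (Test-Connection exposes ResponseTime there), CIM/WinRM remoting to the targets, and administrative rights on them. The build thresholds used are an assumption on my part: Windows 10 RTM is build 10240 and Windows Server 2016 is build 14393.

```powershell
# Added example (not the article's own code): audit the high-accuracy prerequisites.
function Test-HighAccuracyPrereqs {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxLatencyMs = 100     # Microsoft's ceiling between any two domain systems
    )
    foreach ($c in $ComputerName) {
        $os  = Get-CimInstance -ComputerName $c -ClassName Win32_OperatingSystem
        $svc = Get-CimInstance -ComputerName $c -ClassName Win32_Service -Filter "Name='W32Time'"

        # ProductType 1 = workstation (needs Windows 10, build 10240+);
        # 2 = domain controller, 3 = member server (need Server 2016, build 14393+)
        $build = [int]$os.BuildNumber
        $osOk  = if ($os.ProductType -eq 1) { $build -ge 10240 } else { $build -ge 14393 }

        # Startup type must be Automatic ('Auto' in Win32_Service) and the service must be running
        $svcOk = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')

        # Average round-trip time over four pings; $null if the host did not answer
        $rtt = (Test-Connection -ComputerName $c -Count 4 -ErrorAction SilentlyContinue |
                Measure-Object -Property ResponseTime -Average).Average

        [pscustomobject]@{
            Computer     = $c
            OS           = $os.Caption
            Build        = $build
            OSOk         = $osOk
            W32TimeStart = $svc.StartMode
            W32TimeState = $svc.State
            ServiceOk    = $svcOk
            AvgLatencyMs = $rtt
            LatencyOk    = ($null -ne $rtt -and $rtt -le $MaxLatencyMs)
        }
    }
}

# Audit every DC plus a couple of workstations (names are constructed placeholders)
$targets = (Get-ADDomainController -Filter *).HostName + 'wks01.corp.example', 'wks02.corp.example'
Test-HighAccuracyPrereqs -ComputerName $targets | Format-Table -AutoSize
```

For a host where ServiceOk is false, the fix is Set-Service -Name W32Time -StartupType Automatic followed by Start-Service W32Time; a false LatencyOk is a network problem that no W32Time setting will correct.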
For further learning
There you have it! I hope you are clearer now on how to configure time sync in Active Directory. Let me leave you with some hand-picked resources you can check out to dive deeper into Active Directory time synchronization.
- How the Windows Time Service Works
- Active Directory Time Synchronization
- High Accuracy W32time Requirements
- Configuring Systems for High Accuracy
- Accurate Time for Windows Server 2016
- Support boundary for high-accuracy time