Make sure you understand the basics of time synchronization in Active Directory, and learn how to meet the need for greater time accuracy throughout your domain

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

The Kerberos v5 protocol uses timestamps as a fundamental part of its design, specifically to prevent replay attacks on your network. Consequently, your users will be unable to authenticate to your Active Directory Domain Services (AD DS) domain if there is more than five minutes' difference between the client workstation's clock and your domain controllers' clocks.

The five-minute tolerance is the Active Directory default. To adjust this value, open a Group Policy Object (GPO), navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Kerberos Policy, and open the policy Maximum tolerance for computer clock synchronization, as shown in the next figure.

Adjusting Kerberos time tolerance in Group Policy

Keeping domain time in sync

Fundamentally, server and client systems rely upon their battery-powered crystal oscillator real-time clock (RTC) to keep time. Layered on top of that in Windows is the Windows Time service (W32Time), Microsoft's implementation of the industry standard Network Time Protocol (NTP). NTP listens on User Datagram Protocol (UDP) port 123.

Check out the following annotated Visio diagram (adapted from the Microsoft docs) I drew for you. After the figure, I'll describe how time synchronization works in an AD DS hierarchy.

AD DS time synchronization hierarchy

  • 1: Domain member workstations (WKS) synchronize time with any domain controller (DC) in their own domain.
  • 2: Domain controllers synchronize time with the Primary Domain Controller (PDC) Emulator (PDCE) in their own domain or with DCs from the parent domain.
  • 3: The PDC Emulator role holder synchronizes time with the PDC Emulator or any DC from the parent domain.
  • 4: The forest root PDC Emulator synchronizes its time with an external NTP time server.
  • 5: The NTP time server can be internet-based or located on your local network.

By default, Windows Server and Windows Client domain member systems synchronize their clocks once per hour (3,600 seconds). This interval is configurable, however. You do this by modifying the SpecialPollInterval registry value, found in this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

You can use the registry to configure your forest root PDC Emulator role holder to use one or more public or private NTP servers. First, browse to this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Then change the Type value data from NT5DS to NTP. Next, in the same path, modify the NtpServer value with a space-delimited list of time server hostnames or IP addresses. For example:

time.windows.com,0x01 time.nist.gov,0x01 my.time.server.com,0x02

The hexadecimal values after each hostname are called flags; the values represent:

  • 0x01: Special Interval
  • 0x02: Use as Fallback Only
  • 0x04: Symmetric Active
  • 0x08: Client

In my example, I want to use either of the first two names and the third entry only if the first two are unreachable. Note that the 0x01 flag requires that you configure the SpecialPollInterval value I discussed previously.

Okay, we aren't finished yet. We need to configure the PDC Emulator not to sync with itself but with the NTP servers we just defined. Browse to this registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Then set the AnnounceFlags value to the hex value 5.

To finish off the configuration, use PowerShell to restart the Windows Time service on the domain controller:
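The registry steps above, gathered into one PowerShell script as an added example (this is not code from the original article): it refuses to run anywhere but the forest root PDC Emulator, writes the four values, restarts W32Time, and reads back what the service is actually using. The peer list and the 900-second poll interval are sample values, and the ActiveDirectory module (RSAT) is assumed to be installed on the DC.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: point the forest root PDC Emulator at
# external NTP servers using the same registry values the article walks through.
# Assumptions: run elevated on the PDC Emulator; the ActiveDirectory module (RSAT) is present;
# the peer list and poll interval below are sample values, not recommendations.

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Sample peer list (constructed). 0x01 = poll at SpecialPollInterval; 0x02 = fallback only.
$NtpPeers    = 'time.windows.com,0x01 time.nist.gov,0x01 my.time.server.com,0x02'
$PollSeconds = 900   # used for the 0x01 peers; the Windows default is 3600

function Assert-ForestRootPdce {
    # Only the forest root PDC Emulator should take time from outside the domain hierarchy;
    # every other DC and member should stay on NT5DS, so refuse to run anywhere else.
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $me   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($me -ne $pdce) {
        throw "$me is not the forest root PDC Emulator ($pdce); refusing to change its time source."
    }
}

function Set-PdceExternalTimeSource {
    Assert-ForestRootPdce

    # Parameters: switch from the domain hierarchy (NT5DS) to a manual peer list.
    Set-ItemProperty -Path "$W32Time\Parameters" -Name 'Type'      -Value 'NTP'     -Type String
    Set-ItemProperty -Path "$W32Time\Parameters" -Name 'NtpServer' -Value $NtpPeers -Type String

    # NtpClient: the interval that the 0x01 flag refers to.
    Set-ItemProperty -Path "$W32Time\TimeProviders\NtpClient" -Name 'SpecialPollInterval' `
        -Value $PollSeconds -Type DWord

    # Config: AnnounceFlags 5 makes the DC advertise itself as a reliable time source.
    Set-ItemProperty -Path "$W32Time\Config" -Name 'AnnounceFlags' -Value 5 -Type DWord

    # Restart the service so it reads the new values, then ask for an immediate sync.
    Restart-Service -Name 'w32time' -Force
    w32tm /resync /rediscover
}

function Get-TimeSourceSummary {
    # Read back both the registry values and what the running service reports.
    [pscustomobject]@{
        Type                = (Get-ItemProperty -Path "$W32Time\Parameters").Type
        NtpServer           = (Get-ItemProperty -Path "$W32Time\Parameters").NtpServer
        AnnounceFlags       = (Get-ItemProperty -Path "$W32Time\Config").AnnounceFlags
        SpecialPollInterval = (Get-ItemProperty -Path "$W32Time\TimeProviders\NtpClient").SpecialPollInterval
        ActiveSource        = (w32tm /query /source)
    }
}

Set-PdceExternalTimeSource
Get-TimeSourceSummary | Format-List
```

If you prefer not to touch the registry by hand, the built-in w32tm.exe writes the same Type, NtpServer and AnnounceFlags values in one command: `w32tm /config /manualpeerlist:"time.windows.com,0x01 time.nist.gov,0x01" /syncfromflags:manual /reliable:yes /update`, followed by a service restart. The guard function matters either way: a second DC that is accidentally switched to an external source stops following the PDC Emulator, and the two sources can drift apart without anyone noticing.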

Meeting high time accuracy requirements

Some businesses have much stricter time accuracy and synchronization requirements than most. If they have the money, they are probably best served by a hardware NTP server (or even a Raspberry Pi!) that fetches time via GPS. You would then configure your forest root PDC Emulator to synchronize with the internal hardware NTP server as previously described.

That said, you should know that Microsoft made changes to Windows Server 2016 and Windows Server 2019 to support higher-accuracy W32Time requirements.

In what should come as no surprise, Microsoft says the first thing you should do to obtain a high time accuracy configuration is to ensure all domain member workstations run Windows 10 and all domain servers run Windows Server 2016 or Windows Server 2019 (at least the domain controllers).

Second, Microsoft advises that all domain members should have the Windows Time service set to the Automatic startup type and always running.

Third, you should configure your domain as I outlined previously to synchronize time with a hierarchy of NTP time servers.

Fourth and finally, you should optimize your network to ensure no more than 100 ms latency between any two domain systems.

According to the Microsoft docs, fulfilling the above recommendations should deliver up to 1 millisecond time accuracy throughout your domain.
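Whether you are chasing the 1 ms figure or just want to stay well inside the five-minute Kerberos tolerance from the start of the article, you need a way to measure skew rather than assume it. The following script is an added example (not code from the original article): it runs w32tm's stripchart against every domain controller in the current domain, takes the median offset per DC, and reports which DCs are inside the accuracy budget and which are close enough to the Kerberos limit to break authentication. It assumes a domain-joined host with RSAT, UDP 123 open to each DC, and that w32tm's sample lines end in a signed seconds value such as "12:00:01, +00.0012345s" with an English-locale decimal point.

```powershell
# Added example, not from the original article: measure the clock offset between this host
# and every DC in the domain, then compare it with the 1 ms accuracy target and the default
# 5-minute Kerberos tolerance discussed in the article.
# Assumptions: run from a domain-joined host with RSAT (ActiveDirectory module); UDP 123 open
# to each DC; w32tm's sample lines end in a signed seconds value such as "12:00:01, +00.0012345s"
# (assumed output format, English-locale decimal point).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ClockOffsetSeconds {
    param(
        [Parameter(Mandatory)][string]$Target,  # host whose clock is compared to the local clock
        [int]$Samples = 5
    )
    # /stripchart prints one line per sample; /dataonly drops the ASCII chart.
    $lines   = w32tm /stripchart /computer:$Target /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        # Take the last signed "...s" value on the line (the offset), ignoring any chart bracket.
        if ("$line" -match '([+-]\d+\.\d+)s\s*(?:\[[^\]]*\])?\s*$') { [double]$Matches[1] }
    }
    $offsets = @($offsets)
    if ($offsets.Count -eq 0) { return $null }   # unreachable, blocked, or unexpected output
    # Use the median so one delayed packet does not skew the reading.
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function Test-DomainClockSkew {
    param(
        [double]$BudgetSeconds        = 0.001,  # 1 ms: the accuracy figure quoted from the Microsoft docs
        [double]$KerberosLimitSeconds = 300     # default "Maximum tolerance for computer clock synchronization"
    )
    $pdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    # Get-ADDomainController -Filter * returns the DCs of the current domain only.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $offset = Get-ClockOffsetSeconds -Target $dc.HostName
        [pscustomobject]@{
            DC             = $dc.HostName
            IsForestPdce   = ($dc.HostName -eq $pdce)
            OffsetSeconds  = $offset
            WithinBudget   = ($null -ne $offset -and [math]::Abs($offset) -le $BudgetSeconds)
            KerberosAtRisk = ($null -eq $offset -or [math]::Abs($offset) -ge $KerberosLimitSeconds)
        }
    }
}

# KerberosAtRisk = True means this host would fail authentication against that DC;
# WithinBudget = False means the DC is outside the high-accuracy target and worth a closer look.
Test-DomainClockSkew | Format-Table -AutoSize
```

A DC that returns no offset at all is flagged as at risk on purpose: a blocked UDP 123 path or a stopped W32Time service is exactly the kind of silent failure that lets a clock drift past the tolerance before anyone looks. Running this from a scheduled task on the PDC Emulator turns the article's "no more than 100 ms latency" and "1 ms accuracy" targets into something you can actually trend.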

For further learning

There you have it! I hope you are clearer now on how to configure time sync in Active Directory. Let me leave you with some hand-picked resources you can check out to dive deeper into Active Directory time synchronization.

2 Comments
  1. SysAdmin-E.com 3 months ago

    Aren't there PowerShell or regular commands to manage the time service? Why are there only examples of going into the registry? That seems like more work and more possibility for human error.

    • Luc Fullenwarth 3 months ago

      @sysadmin-E.com

      Until now there is no native PowerShell cmdlet to manage time in Windows.
      You have the following options:

      • DSC
      • GPO
      • Registry
      • The w32tm.exe command.

© 4sysops 2006 - 2019