NEPA PFE

No Rocket Science ....

“It’s Simple!” – Time Configuration in Active Directory


First, let me say that I am really pleased to start this series, which I wanted to call "It's Simple!", aiming to simplify things a little and make them easier to take in.

Now back to our topic, shall we?

So you said time configuration, right? Why should we care in the first place?

It's simple! Active Directory can't work correctly (or at all) if clocks are not synchronized across domain controllers and member machines.

For example, in Kerberos V5, computers whose clocks are more than 5 minutes apart will not authenticate (this tolerance is configurable by GPO: Maximum tolerance for computer clock synchronization, under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy).

Another example is replication: Active Directory uses time stamps to resolve replication conflicts.

Now, let's see how time should be configured in Active Directory:

  1. In Active Directory, the Windows Time service (W32Time) handles clock synchronization.
  2. All member machines synchronize with any domain controller.
  3. In a domain, all domain controllers synchronize from the PDC Emulator of that domain, using NT5DS (which simply means: follow the domain hierarchy and find my PDC Emulator).
  4. The PDC Emulator of a child domain should synchronize with any domain controller of the parent domain, using NTP.
  5. The PDC Emulator of the forest root domain should synchronize with an external time server (a clock device, a router, another standalone server, an internet time server...).

But how do I configure time in my Active Directory?

Well, it's simple! Normally it is set correctly by default, unless we modify it on purpose.

Otherwise, we provide some tools for that: the w32tm.exe command-line utility and GPO.

  • Using w32tm.exe

    • Run the following command on the PDC emulator:

      w32tm /config /manualpeerlist:"timeserver" /syncfromflags:manual /reliable:yes /update

      (where timeserver is a space-delimited list of your time source servers; keep the quotes when the list holds more than one server, otherwise w32tm only sees the first one)

      Once done, restart the W32Time service.

    • Run the following command on all other DCs (that are not the PDC):

      w32tm /config /syncfromflags:domhier /update

      Once done, restart the W32Time service.
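The two w32tm steps above combined into one script, as an added example that is not part of the original post: it picks the command from the DC's DomainRole (the same value the WMI filter later in the post tests), so the same script can be run on every DC. It assumes it runs elevated on the DC itself, and the default time sources are placeholders to replace.

```powershell
# Added example, not part of the original post: apply the w32tm settings
# above according to the DC's role, using the same DomainRole test as the
# WMI filter (5 = holder of the PDC emulator role, 4 = other domain controller).
# $TimeSources is an assumed placeholder; replace with your real time sources.
param(
    [string[]]$TimeSources = @('time-source-1.example.invalid', 'time-source-2.example.invalid'),
    [switch]$DryRun
)

$role = [int](Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

switch ($role) {
    5 {
        # PDC emulator: sync from the external sources and advertise as reliable.
        # w32tm expects the whole space-delimited peer list as one argument;
        # PowerShell quotes it for us when it passes it to the native exe.
        $w32tmArgs = @('/config', "/manualpeerlist:$($TimeSources -join ' ')",
                       '/syncfromflags:manual', '/reliable:yes', '/update')
    }
    4 {
        # Any other DC: follow the domain hierarchy (NT5DS) up to the PDC emulator.
        $w32tmArgs = @('/config', '/syncfromflags:domhier', '/update')
    }
    default {
        throw "DomainRole $role is not a domain controller; nothing to configure."
    }
}

Write-Host "w32tm $($w32tmArgs -join ' ')"
if ($DryRun) { return }

& w32tm.exe @w32tmArgs
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# The post says to restart W32Time after the change; then force a resync so
# the new source is picked up immediately rather than at the next poll.
Restart-Service -Name W32Time
& w32tm.exe /resync /rediscover /nowait
```

Run it with -DryRun first to see which command the DC would receive without changing anything.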

       

  • Using GPO with WMI filter

    Using a GPO is always better, to automate as much as possible (and of course in case we have to transfer the PDC role to another DC):

    • Create a GPO and link it to the Domain Controllers container.
    • Set a WMI filter to target the PDC emulator, using the following query:

       Select * from Win32_ComputerSystem where DomainRole = 5

    • Open the GPO for editing and go to: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, then enable Configure Windows NTP Client (with Type set to NTP) and Enable Windows NTP Client.

      Quick note: NtpServer contains a space-delimited list of time source servers, each in the format Name-or-IP,server-flag.

    • All non-PDC domain controllers should be set to NT5DS (domain hierarchy).


  • Creating a global settings GPO

    • Create a GPO and link it to the Domain Controllers organizational unit.
    • Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service, then Global Configuration Settings.
    • Depending on your needs, you may leave the default values.


  • Checking

    • You can check the registry to see whether the domain controller is using NTP (should be on the PDC) or NT5DS (on non-PDCs): find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (when the setting is delivered by GPO, it is written under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters instead, and that value wins).
    • You can also check for time advertisement on the PDC by running w32tm.exe /resync /rediscover /nowait, then check for Event ID 139.
    • To check the source time server: w32tm /query /status
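The checks above as one audit script, added here and not part of the original post: it reads the effective Type from the policy key first (a GPO overrides the service key), compares it with what the DC's role calls for, and reports the peer w32tm is really using. It assumes it runs elevated on the DC being checked.

```powershell
# Added example, not part of the original post: audit a DC's time
# configuration. A GPO writes Type under the Policies key, which overrides
# the service key, so both are consulted in that order.
$expectedType = @{ 4 = 'NT5DS'; 5 = 'NTP' }   # non-PDC -> NT5DS, PDC emulator -> NTP
$role = [int](Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

$type = (Get-ItemProperty -Path $policyKey -Name Type -ErrorAction SilentlyContinue).Type
$configuredBy = 'GPO'
if (-not $type) {
    $type = (Get-ItemProperty -Path $serviceKey -Name Type -ErrorAction SilentlyContinue).Type
    $configuredBy = 'local (w32tm or registry)'
}

# /query /source prints the peer w32tm is actually synchronizing from.
# "Local CMOS Clock" or "Free-running System Clock" means no valid source,
# which on a PDC emulator is exactly the misconfiguration the post warns about.
$source = (& w32tm.exe /query /source) -join ''
$unsynced = $source -match 'Local CMOS Clock|Free-running'

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    DomainRole   = $role
    ExpectedType = $expectedType[$role]
    ActualType   = $type
    ConfiguredBy = $configuredBy
    Source       = $source
    Healthy      = ($type -eq $expectedType[$role]) -and -not $unsynced
}
```

Healthy is false whenever Type does not match the role or the service has fallen back to the local clock; the other fields tell you which of the two it is.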

Side notes:

  • We recommend using the w32tm command-line utility instead of the "net time" command (why?).
  • We recommend using w32tm or GPO to configure the time service instead of editing the registry directly.
  • The PDC should not synchronize with itself (RFC 1305).
  • More details on the WMI filter here and GPO time settings here.
  • About the NtpServer value syntax and server flags, see here and here.

Hope it's simple now!

Imed Boukhaf from NEPA team.

Comments
  • Love the blog. One thing missing is the owner of this thread. Got some comments that I want to share offline :-)

  • The location of the registry is different when you configure NTP using group policy. For that matter any setting using Group Policy.

    In this case: After applying the Global settings the path should be checked in the below REG path.

    HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\W32Time\Parameters

  • Thanks a lot JR. The PDC was ignoring any w32tm configuration changes; policies were "not configured".

    The only assumption I could come to was that something was overriding all of the changes, and I found it in the registry you specified.

  • Is there any way to find/ping the PDC emulator's FQDN?

  • Misprint in w32tm.exe /resync /rediscover /no_wait; the right form is w32tm.exe /resync /rediscover /nowait

  • Hi, I understand the concept of DCs talking to the PDC, which talks to external NTP, but... is there a technical reason not to sync all DCs directly with external NTP servers? "All non-PDC domain controllers should be set to NT5DS (domain hierarchy)" or is it better to create a new GPO and then add the "DomainRole = 5" filter? How do I make sure my DCs sync from my PDC? I am asking because I have DCs out of sync by 2 mins... Thanks, Martin

  • @Martin, to ensure your other DCs are configured to point to the DC with the PDC emulator role, you can create another GPO with the default NT5DS settings and apply a WMI filter that will filter for DCs without the PDC emulator role: "Select * from Win32_ComputerSystem where DomainRole = 4".

  • It's simple? Here are some problems I've run into as someone who is not a guru in Active Directory or Group Policy Objects but who can follow along your directions:

    1. "Open the GPO for edition" -- what does that mean? What edition?
    2. I've assumed this means open the GPO that I created by clicking around since you don't explain how this gets created, however under Computer Configuration I don't see "Administrative Templates" available. Oh, wait... it's actually "Computer Configuration\Policies\Administrative Templates"
    3. I assume by "then Configure Windows NTP Client + Enable Windows NTP Client" that you mean to "Edit the 'Configure Windows NTP Client' policy setting, change the radio button to 'Enabled' and change the 'Type' option to NTP, leaving all other settings at their defaults." You also mean by "Enable Windows NTP Client" that you should "Edit the 'Enable Windows NTP Client' policy and change the radio button to 'Enabled'."
    4. You say "we do provide some tools for that: w32tm.exe command-line utility and GPO". You then go on to list three sub-bullets for "w32tm.exe", "GPO", and "Creating a global settings GPO" plus a fourth one for "Checking" which should be a way of verifying the above? Presumably these are meant to be either-or, but why do you mention only two options but list three? Maybe "Creating a global settings GPO" is not optional?
    5. Under "Creating a global settings GPO", you say "Depending on the use, you may leave the default values". But depending on what use? How does it depend? I'm going to assume that this was a third alternative which is not necessary since I've already setup a GPO. Besides which, the instructions here are also incorrect. The "Global Configuration Settings" policy is not under "...\System\Windows Time Service\Time Providers\" it's directly under "...\System\Windows Time Service\".

    Next time, it would be quite helpful to explain the steps as if the person you are explaining it to does not already possess the body of knowledge that you have. You make far too many assumptions and you're also sloppy in your descriptions, giving the incorrect details from faulty memory instead of double-checking so that you provide correct information. All in all, it makes for a very "Not Simple!" guide to try and follow.

  • It's very clear for me and works great. Now we have a policy for both domain controllers, primary and secondary (in my case); the question is, how can I synchronize my computers in the domain (Windows 7, 8, XP etc.) with these DCs? With a logon script with net time, or with another GPO pointing to the DCs?
    I would appreciate your help.

    PS: obviously these tasks require a basic knowledge of server administration; this post was the most clear regarding time synchronization.
    Thanks
    Damián Fiorito

  • A little more detail... maybe with examples of what you'd enter in the fields would help a lot!

  • This was a very poorly written technical documentation. It reads like it's been written during a coffee break. No quality control, jumps from topic to topic, no clear path of information flow. It is in severe need of editing and quality control. Even the sentences are incoherent and sound like thought streams, not instructions. We need this information, but we need it in such a way that we can read, and implement, step by step.

    Thank you

  • This "article" is useless because the person who "wrote" it just copied it from a TechNet article. He probably doesn't even understand what he's doing and that's why it sucks!! If you want to see the actual article and get all the information that is missing then check this link out:
    - http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

    Come on man, if you're going to copy someone at least reference their work at the bottom!

  • Hey Nick, I doubt that he has any body of knowledge at all.

  • Really dodgy article. No background of understanding. Poor communication. "It's simple"?! What a load of rubbish, the author doesn't even specify how to configure clients in a domain to look to their domain controller server for time rather than an external time source!

    Vastly lacking in detail for the more technical, and sadly very unclear for even basic configuration requirements in an AD domain.

  • I have to agree with the concerns about the quality of this article. The layout is non-existent and the general quality is poor. You can have a friendly style, but still make it readable.

    I do think it accurately includes the basics, but it doesn't make it very clear what you're doing at a particular step, and why.

    Sure, you probably don't need to mention all the scenarios, and I actually think the references at the end are fine, but they should have much better descriptive detail.

    As for Mat's query about how to configure the clients, you shouldn't need to do so specifically if they are joined to the domain and using the default configuration. But it might help to state that in black and white (and maybe link to some info about how to reset to the defaults for domain clients).

  • Excellent, it worked flawlessly.
