다음을 통해 공유


“It’s Simple!” – Time Configuration in Active Directory

First, let me say that I am really pleased to start this series which I wanted to call "It's Simple!" aiming to simplify things a little bit and make them easier to assimilate.

Now back to our topic, shall we?

So you said Time Configuration right? Why should we care at the first place?

It's simple! Active Directory can't work correctly (or at all) if the clock is not synchronized around domain controllers/member machines.

For example, in Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate (which is configurable by GPO: Maximum tolerance for computer clock synchronization in Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy).

Another example is replication, Active Directory uses time stamps to resolve replication conflicts.

Now, let's see how time should be configured in Active Directory:

  1. In Active Directory, we use the Windows Time service for clock synchronization: W32Time,
  2. All member machines synchronizes with any domain controller,
  3. In a domain, all domain controllers synchronize from the PDC Emulator of that domain: using NT5DS (which simply means: follow the domain hierarchy and get me my PDC emulator)
  4. The PDC Emulator of a domain should synchronize with any domain controller of the parent domain: using NTP,
  5. The PDC Emulator of the root domain in a forest should synchronize with an external time server (could be clock device, a router, another standalone server, an internet time server…)

 

 

But how do I configure time in my Active Directory?

Well, it's simple! Normally it should be set correctly if we don't modify it in purpose,

Otherwise, we do provide some tools for that: w32tm.exe command-line utility and GPO

  • Using w32tm.exe

     

    • Run the following command on the PDC emulator: 

      w32tm /config /manualpeerlist: timeserver /syncfromflags:manual /reliable:yes /update

      (where timeserver is a –space delimited– list of your time source servers)

      Once done, restart W32Time service.

       

    • Run the following command on all other DCs (that are not PDC): 

      w32tm /config /syncfromflags:domhier /update

      Once done, restart W32Time service.

       

  • Using GPO with WMI filter

     

    Using a GPO is always better to automate as much as possible (and of course in case we had to transfer the PDC role to another DC): 

    • Create a GPO and link it to the Domain Controllers container

    • Set a WMI filter to target the PDC emulator, using the following syntax:

       Select * from Win32_ComputerSystem where DomainRole = 5

       

    • Open the GPO for edition and go to: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Configure Windows NTP Client + Enable Windows NTP Client

       

       

      Quick note: NtpServer contains a space-delimited time source servers with the format: Name-or-IP,server-flag

       

    • All non-PDC domain controllers should be set to NT5DS (domain hierarchy).

       

  • Creating a global settings GPO

     

    • Create a GPO and link it to Domain Controllers organizational unit,
    • Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Global Configuration Settings
    • Depending on the use, you may leave the default values.

     

  • Checking 

    • You can check the registry entries if the domain controller is using NTP (should be on PDC) or NT5DS (on non-PDC):

      Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

    • You can also check for time advertisement on the PDC by running this command w32tm.exe /resync /rediscover /no_wait, then check for Event ID 139

    • To check the source time server: w32tm /query /status

Side notes:

  • Please note that we recommend using w32tm command-line utility instead of "net time" command (why?),
  • We recommend using w32tm or GPO tools to configure time services instead of registry tool,
  • The PDC should not synchronize with itself (RFC 1305),
  • More details on the WMI filter here and GPO time settings here.
  • About NtpServer value syntax and server flags here and here.

 

Hope its simple now!

Imed Boukhaf from NEPA team.

Comments

  • Anonymous
    January 01, 2003
    is there any way to find/ping the pdc emulator's FQDN ?

  • Anonymous
    January 01, 2003
    Love the blog. one thing missing is the owner of this thread. Got Some comments that I want to share offline :-)

  • Anonymous
    January 01, 2003
    missprint in w32tm.exe /resync /rediscover /no_waitright is w32tm.exe /resync /rediscover /nowait

  • Anonymous
    September 14, 2013
    The location of the registry is different when you configure NTP using group policy. For that matter any setting using Group Policy. In this case: After applying the Global settings the path should be checked in the below REG path. HKEY_LOCAL_MACHINESOFTWAREPOLICIESMICROSOFTW32TimeParameters

  • Anonymous
    October 25, 2013
    Thanks a lot JR, PDC was ignoring any w32tm configuration changes, policies were "not configured". The only assumption i could come to, was that something is overriding all of the changes, and found it in the registry you specified.

  • Anonymous
    January 24, 2014
    Hi,i understand the concept of DC's talking to PDC, talking to external NTPbut...is there a technical reason, not to sync all DC's directly with external NTP servers ?"All non-PDC domain controllers should be set to NT5DS (domain hierarchy)"or, is it better to create a new GPO, and then add the "DomainRole = 5 " filter ?how do i make sure my DC's sync from my PDC ? i am asking cause i have DC's out of sync by 2 mins...ThanksMartin

  • Anonymous
    February 26, 2014
    @Martin, To ensure your other DC's are configured to point to the DC with the PDC emulator role, you can create another GPO with the default NT5DS settings and apply a WMI filter that will filter for DC without the PDC emulator role "Select * from Win32_ComputerSystem where DomainRole = 4".

  • Anonymous
    March 18, 2014
    The comment has been removed

  • Anonymous
    March 19, 2014
    It's very clear for me and works great. Now, we have a policy for both domain controllers primary and secondary (in my case), the question is, how can i synchronize my computers in the domain (windows 7, 8, xp etc) with this dc's? With a logon script with net time or with another gpo pointing to the dc's?
    I would appreciate your help.

    PS: obvious that these tasks require a basic knowledge of server administration, this post was the most clear regarding time sincronization,.
    Thanks
    Damián Fiorito

  • Anonymous
    March 25, 2014
    A little more details.. maybe with examples of what you'd entire in the fields would help a lot!

  • Anonymous
    April 14, 2014
    This was a very poorly written technical documentation. It reads like it's been written during a coffee break. No quality control, jumps from topic to topic, no clear path of information flow. It is in severe need of editing and quality control. Even the sentences are incoherent and sound like thought streams, not instructions. We need this information, but we need it in such a way that we can read, and implement, step by step.

    Thank you

  • Anonymous
    April 24, 2014
    The comment has been removed

  • Anonymous
    August 25, 2014
    Really dodgy article. No background of understanding. Poor communication. "It's simple"?! What a load of rubbish, the author doesn't even specify how to configure clients in a domain to look to their domain controller server for time rather than an external time source!

    Vastly lacking in detail for the more technical, and sadly very unclear for even basic configuration requirements in an AD domain.

  • Anonymous
    September 04, 2014
    I have to agree with the concerns about the quality of this article. The layout is non-existent and the general quality is poor. You can have a friendly style, but still make it readable.

    I do think it accurately includes the basics, but it doesn't make it very clear what you're doing at a particular step, and why.

    Sure, you probably don't need to mention all the scenarios, and I actually think the references at the end are fine, but they should have much better descriptive detail.

    As for Mat's query about how to configure the clients, you shouldn't need to do so specifically if they are joined to the domain and using the default configuration. But it might help to state that in black and white (and maybe link to some info about how to reset to the defaults for domain clients).

  • Anonymous
    October 16, 2014
    Excelent, It worked flawlessly.

  • Anonymous
    November 11, 2014
    You may find this article about synchronizing windows using NTP more informative:
    http://www.timetoolsglobal.com/2013/06/21/how-to-synchronize-microsoft-windows-to-a-ntp-server-1/

  • Anonymous
    January 05, 2015
    Wow, hard to believe all of the foul comments being posted about this FREE article. It is much more up to date and to the point than the other articles, both of which require editing the registry directly, something you would be hard-pressed to get approved in change control versus PowerShell commands IMHO. And, no, it isn't a repeat of someone else's work unless you mean it summarizes and presents freely available Microsoft documentation in a different format, which pretty much sums up every blog post on the Internet.

    Grow up, people.

  • Anonymous
    February 04, 2015
    This guide was great. Got a client's servers times all sync'd up from the DC with this.

  • Anonymous
    March 13, 2015
    "Open the GPO for edition and go to:" makes no sense

  • Anonymous
    March 30, 2015
    Usually TechNet articles are the gospel. They should have reviewed and removed this one. I think this GPO is going to lead to multiple sources of time if you move the PDC emulator role.

  • Anonymous
    June 02, 2015
    Actually what would have been good is an idea of what you should receive when you run "w32tm /query /Status"
    So that you know if you got it right.

    Cause there is no "check that you set it up correct like this" section of the article

  • Anonymous
    June 04, 2015
    When I applied this WMI Filter in Windows Server 2012 R2 I received an error message about the namespace, however the policy still worked. I would suggest ignoring the error and manually verifying that the policy worked by looking in the registry on your DCs. Many other people have also had this problem as indicated in this other post:https://social.technet.microsoft.com/Forums/windowsserver/en-US/e554a894-6481-4f94-aa06-5b1a1b76c97f/gpo-wmi-filters-are-failing?forum=winserverGP

  • Anonymous
    June 04, 2015
    The comment has been removed

  • Anonymous
    June 05, 2015
    The comment has been removed

  • Anonymous
    October 01, 2015
    This article is GREAT! It gave me, an experienced admin, everything I needed to know quickly and simply so I didn't have to spend a lot of time researching the basics. I can now go forward ON MY OWN. Thanks and love the diagram!

  • Anonymous
    October 08, 2015
    A host of reference material for AD and Group Policy

  • Anonymous
    October 26, 2015
    If you guys need great time accuracy (1-5ms) on your network I would like you to take a look at NTS software (includes NTP server/client apps for Windows)http://nts.softros.com

  • Anonymous
    November 20, 2015
    The comment has been removed

  • Anonymous
    January 31, 2016
    I would like to do this with GP's. I see you have configured a GP for the PDC emulator, using the filter and configuring the external time provider using "NTP".

    For my other DC's, do I need a 2nd GP, to configure them to use "w32tm /config /syncfromflags:domhier /update "

    rather then manually going to every DC and running this?

  • Anonymous
    February 11, 2016
    Thank you for writing this arcticle. Very helpful.

  • Anonymous
    March 22, 2016
    I found this article helpful. Thank you!