Active Directory Time Sync (broken by default)

Active Directory relies on accurate time for a number of reasons. One of these reasons is Kerberos authentication, which by design tolerates a difference in time (time skew) of at most five minutes between the Kerberos server and client.

Now, don’t get me wrong. I think the time skew limitation and the overall Kerberos implementation as we know it today are fabulous. Keeping Domain Controllers up to date with a reliable time source (time sync), however, is not as simple as you might expect it to be.


Time Sync in Active Directory

First of all, let’s look at the process of Time Sync in a default Active Directory environment:

  • Every Active Directory client (whether it’s a Windows client or a Windows Server) synchronizes its internal clock (time) with a Domain Controller.
  • Every Domain Controller synchronizes with the Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role.
  • Since the PDCe FSMO role is a domain-wide operations role, a Domain Controller in an Active Directory subdomain synchronizes time with any Domain Controller in the forest root domain.

As you try to visualize this synchronization scheme, a sense of hierarchy should emerge. For this reason many people refer to this scheme as the Time Sync Hierarchy.

Challenges

The challenge with this hierarchy is that any Domain Controller with a faulty internal clock (hardware) or faulty time synchronization (settings) can skew the clocks of a part of your Active Directory clients.

As described in blog post Active Directory in Hyper-V environments, Part 2, Time Sync between virtual Domain Controllers and the virtualization platform (through Integration Components/VMware tools) may contribute to this situation when the virtualization platform itself does not synchronize time, or synchronizes time with a different time source.


Broken by default

Any Domain Controller in your environment may cause time skew in a part of your environment, but in the Active Directory Time Sync hierarchy a special place is reserved for the Domain Controller holding the PDCe FSMO role in the Forest Root Domain.

Ideally, you want this server to synchronize time with a reliable time source. By default, however, this Domain Controller does not synchronize time at all, possibly introducing time skew across your entire Active Directory forest.


Windows Server 2003

When you’re using Windows Server 2003 as your Domain Controller holding the PDCe FSMO role, it will by default synchronize time with time.windows.com. This host has proven to be less than reliable in the past. Anyone who has kicked off a manual time synchronization might remember the screen below:

[Screenshot: manual time synchronization with time.windows.com failing]

Windows Server 2008 & 2008 R2

From Windows Server 2008 onward, Microsoft has decided to no longer synchronize time with a pre-defined time source. When you run the Active Directory Best Practices Analyzer, as described in blog post Server Manager in Windows Server 2008 R2, Part 3, you will receive an error on this default configuration, urging you to correct the situation:

[Screenshot: Best Practices Analyzer result for the PDC emulator time source]


Resolution

The resolution to this problem is to:

  • Disable Time Synchronization between the virtualization platform and any virtual Domain Controller in the Integration Components/VMware tools
  • Enable Domain Controllers in your Forest Root Domain to communicate with NTP servers on the Internet through your corporate firewall. (UDP 123)
  • Manually configure the Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role in the Forest Root Domain with a reliable external time source,
    • defining at least two different NTP servers by their Fully Qualified Domain Names (FQDNs)
    • defining at least two different NTP servers by their IP addresses (to make sure Time Synchronization continues to work when DNS fails)


A viable command line to configure the Domain Controller would be:

w32tm /config /manualpeerlist:"europe.pool.ntp.org time.nist.gov 192.43.244.18 193.67.79.202" /syncfromflags:manual /reliable:yes /update
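As an added example (not part of the original post), the following PowerShell script audits the Time Sync Hierarchy described above from a management workstation: it reports what every Domain Controller in the forest actually synchronizes from, how far each clock is from the forest-root PDCe, and whether the Hyper-V Integration Services time provider is still enabled. It assumes the ActiveDirectory RSAT module is installed, that the account can run w32tm queries against every Domain Controller, and that WinRM is available for the registry check; the five-minute threshold and the VMICTimeProvider registry key are stated in the code.

```powershell
# Added example, not taken from the original post. Audits the Time Sync Hierarchy:
# who each Domain Controller syncs from, its skew against the forest-root PDCe, and whether
# the Hyper-V Integration Services time provider is enabled. Assumes the ActiveDirectory RSAT
# module, rights to run w32tm against every DC, and WinRM for the registry check.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$pdce       = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$maxSkewSec = 300    # the five-minute Kerberos tolerance the post mentions
$vmicKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

# Every DC in every domain of the forest, so sub-domain DCs are checked too.
$allDcs  = foreach ($domain in $forest.Domains) { Get-ADDomainController -Filter * -Server $domain }
$dcHosts = $allDcs.HostName | ForEach-Object { $_.ToLower() }

function Get-OffsetSeconds {
    # Clock offset of $Target relative to this machine, taken from a 3-sample w32tm stripchart.
    param([string]$Target)
    $last = w32tm /stripchart /computer:$Target /samples:3 /dataonly 2>&1 | Select-Object -Last 1
    if ("$last" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] } else { $null }
}

$pdceOffset = Get-OffsetSeconds -Target $pdce

$report = foreach ($dc in $allDcs) {
    $name   = $dc.HostName
    $source = (w32tm /query /computer:$name /source 2>&1 | Select-Object -First 1).ToString().Trim()
    $offset = Get-OffsetSeconds -Target $name

    # Skew between this DC and the PDCe; both offsets were measured from the same vantage point.
    $skew = if ($null -ne $offset -and $null -ne $pdceOffset) { [math]::Round($offset - $pdceOffset, 3) } else { $null }

    # Enabled = 1 means the Hyper-V host clock can override the hierarchy
    # (VMware Tools time sync is configured on the VMware side and is not visible here).
    $vmic = try {
        Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path $using:vmicKey -ErrorAction SilentlyContinue).Enabled
        }
    } catch { 'unknown' }

    $problems = @()
    if ($source -match 'Local CMOS Clock|Free-running System Clock') { $problems += 'not synchronizing at all' }
    if ($source -match 'VM IC Time Synchronization Provider')         { $problems += 'syncing from the hypervisor' }
    if ($name -ne $pdce -and $dcHosts -notcontains ($source -split ',')[0].ToLower()) {
        $problems += 'source is not a Domain Controller'   # non-PDCe DCs should follow the domain hierarchy
    }
    if ($null -ne $skew -and [math]::Abs($skew) -ge $maxSkewSec) { $problems += "skew vs PDCe exceeds $maxSkewSec s" }
    if ($vmic -eq 1) { $problems += 'VMIC time provider enabled' }

    [pscustomobject]@{
        DomainController = $name
        IsPDCe           = ($name -eq $pdce)
        Source           = $source
        SkewVsPDCeSec    = $skew
        VMICEnabled      = $vmic
        Problems         = ($problems -join '; ')
    }
}

$report | Sort-Object IsPDCe -Descending | Format-Table -AutoSize
```

The PDCe row should show one of the external NTP peers as its source; every other row should show a Domain Controller. A non-PDCe DC that someone has pointed at an external source can be returned to the hierarchy with w32tm /config /syncfromflags:DOMHIER /update followed by w32tm /resync, and a DC reported with the VMIC provider enabled still needs the Integration Components time sync switched off as the first bullet above describes.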


Further reading

Configure the Windows Time service on the PDC emulator in the Forest Root Domain
AD DS: The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source
How the Windows Time Service Works
Stratum One Time Servers
Configuring the Windows Time Service
Configuring Windows Time for Active Directory
Synchronize time throughout your entire Windows network
How to configure an authoritative time server in Windows Server
Active Directory Time Synchronization Problems with Hyper-V
How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems

2 Responses to Active Directory Time Sync (broken by default)

  1.  

    That’s a good starter info but why not go on to set up two GPOs with WMI filters for DomainRole 5 or 4 and then set appropriate settings for NTP sync or domain sync?

    Or is that coming in part 2? 🙂

    -Anders

  2.  

    That was so confusing to read I pooped my pants.
