HOWTO: Configure Accurate Time in Active Directory

Windows Server 2016 introduced the Accurate Time feature: compared to Windows Server 2008 and 2012, Active Directory on Windows Server 2016 polls its time source and updates the clock more frequently. This adds a small amount of CPU load on Domain Controllers, but the more frequent polling and updating, combined with an algorithm that calculates time-difference trends, yields more accurate time on Windows Server 2016.

Now let’s see how to configure it.
About the Accurate Time feature

The Accurate Time feature helps admins in Microsoft-oriented networking infrastructures to:

  1. Create more accurate logging and auditing through accurate timestamps across systems and appliances.
  2. Adhere to government regulations, such as FINRA rules and ESMA’s MiFID II, that require accurate time.
  3. Build more reliable Windows Clustering solutions.
  4. Get more accurate outcomes from the last-writer-wins mechanism that ultimately decides between competing changes in Active Directory replication.

I’ve discussed some of these challenges previously in my blog post on Managing Active Directory Time Synchronization on VMware vSphere. I mentioned the Accurate Time feature in that context, too, but did not elaborate on how to configure it.

The Accurate Time feature is not enabled by default.
About the Active Directory Time Hierarchy

In every Active Directory environment, time is synchronized in a hierarchy. This hierarchy is depicted in the image below, courtesy of the Time Synchronization in Active Directory Forests page in the Microsoft TechNet Wiki:

[Image: Active Directory time hierarchy]

The Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role in the root domain represents the top of the hierarchy and is considered the authoritative time source. That’s why the Active Directory Best Practices Analyzer (BPA) reports an action when this Domain Controller does not synchronize its time with an external source, like a pool of NTP servers on the Internet or a couple of GPS-equipped internal appliances, or a combination of both.

Because the Domain Controller holding the PDCe FSMO role sits at the top of the hierarchy, the changes below have to be made on that host, so the first step is to identify it.
How to configure Accurate Time on the Domain Controller with the PDCe FSMO Role

To configure the Accurate Time feature on the Domain Controller with the PDCe FSMO Role, perform these steps:
Determine the Domain Controller with the PDCe FSMO Role

We start by double-checking the time servers configured on the Domain Controller holding the PDCe FSMO role. Determine which Domain Controller that is by running the following command on the command line of any domain-joined system:

netdom.exe query fsmo
Get the currently configured time servers for the Domain Controller

Sign in interactively to this Domain Controller and start an elevated Windows PowerShell window, or enter a PowerShell remote session. Run the following line to return the configured list of time servers (the NtpServer value):

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\' | Select-Object NtpServer
Make sure the NTP servers listed appear on the list of Stratum 1 servers, are denoted as OpenAccess (or you have prior arrangements with the operators of servers denoted as ClosedAccess or RestrictedAccess), are hosted reasonably nearby geographically, and are maintained by an organization with an excellent reputation.
Configure the server to offer accurate time

Configure the Domain Controller with the PDCe FSMO role to offer the Accurate Time feature using the following lines of Windows PowerShell:

$NTP = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Poll intervals are powers of two: 6 means 2^6 = 64 seconds. -Force overwrites the values that already exist.
New-ItemProperty -Path "$NTP\Config" -Name MinPollInterval -Value 6 -PropertyType DWord -Force
New-ItemProperty -Path "$NTP\Config" -Name MaxPollInterval -Value 6 -PropertyType DWord -Force
# How often the clock is updated and how aggressively frequency errors are corrected.
New-ItemProperty -Path "$NTP\Config" -Name UpdateInterval -Value 100 -PropertyType DWord -Force
New-ItemProperty -Path "$NTP\Config" -Name FrequencyCorrectRate -Value 2 -PropertyType DWord -Force
# Poll interval in seconds for manually configured NTP peers.
New-ItemProperty -Path "$NTP\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 64 -PropertyType DWord -Force

# Make the Windows Time service re-read its configuration, then restart it.
w32tm.exe /config /update
Restart-Service w32time
(Optionally) Configure NTP for 3rd-party systems and appliances

Optionally, make the Domain Controller an authoritative time server for third-party systems and appliances, using the following lines of Windows PowerShell:

$NTP = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Type is a string value (REG_SZ), not a DWORD: NTP means "synchronize from the configured NtpServer list".
New-ItemProperty -Path "$NTP\Parameters" -Name Type -Value NTP -PropertyType String -Force
# AnnounceFlags 5 = always announce this host as a (reliable) time server.
New-ItemProperty -Path "$NTP\Config" -Name AnnounceFlags -Value 5 -PropertyType DWord -Force
# Enable the NTP server provider so other systems and appliances can query this host on UDP 123.
New-ItemProperty -Path "$NTP\TimeProviders\NtpServer" -Name Enabled -Value 1 -PropertyType DWord -Force
# Largest positive and negative correction (in seconds) the service will apply in one step.
New-ItemProperty -Path "$NTP\Config" -Name MaxPosPhaseCorrection -Value 1800 -PropertyType DWord -Force
New-ItemProperty -Path "$NTP\Config" -Name MaxNegPhaseCorrection -Value 1800 -PropertyType DWord -Force

w32tm.exe /config /update
Restart-Service w32time
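After the registry changes above, the thing a Domain Controller admin wants to know is whether the hierarchy actually looks the way the post describes: the PDCe holder pulling from its external source, every other Domain Controller on NT5DS, and all clocks close together. The following audit script is an added example, not code from the original post. It assumes an elevated session on a domain-joined host with the ActiveDirectory RSAT module, that every Domain Controller answers remote w32tm.exe queries, and that w32tm.exe prints English output (the regular expressions parse the English labels).

```powershell
# Added example (not from the original post): audit the AD time hierarchy.
# Assumes: ActiveDirectory RSAT module, remote w32tm.exe access to each DC, English w32tm output.
Import-Module ActiveDirectory

function Get-DcTimeReport {
    # Reports, per Domain Controller: client type, stratum, time source and clock offset relative to this host.
    param(
        [string]$Pdce = (Get-ADDomain).PDCEmulator   # replaces "netdom.exe query fsmo" from the walkthrough
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcName = $dc.HostName
        $status = (w32tm.exe /query "/computer:$dcName" /status 2>&1) -join "`n"
        $config = (w32tm.exe /query "/computer:$dcName" /configuration 2>&1) -join "`n"
        # /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample.
        $chart  = (w32tm.exe /stripchart "/computer:$dcName" /samples:3 /dataonly 2>&1) -join "`n"

        $stratum = [regex]::Match($status, 'Stratum:\s+(\d+)').Groups[1].Value
        $source  = [regex]::Match($status, 'Source:\s+(.+)').Groups[1].Value.Trim()
        # "Type: NT5DS (Local)" or "Type: NTP (Policy)"; the tag shows whether Group Policy overrides the registry.
        $type    = [regex]::Match($config, 'Type:\s+(\w+)').Groups[1].Value
        $offsets = [regex]::Matches($chart, '([+-]\d+\.\d+)s') | ForEach-Object { [double]$_.Groups[1].Value }
        $offset  = if ($offsets) { ($offsets | Measure-Object -Average).Average } else { $null }

        # Expectation from the post: the PDCe uses NTP (external source), every other DC uses NT5DS (domain hierarchy).
        $isPdce       = $dcName -ieq $Pdce
        $expectedType = if ($isPdce) { 'NTP' } else { 'NT5DS' }

        [pscustomobject]@{
            DomainController = $dcName
            IsPdce           = $isPdce
            Type             = $type
            TypeAsExpected   = ($type -ieq $expectedType)
            Stratum          = $stratum
            Source           = $source
            OffsetSeconds    = $offset
        }
    }
}

$report = Get-DcTimeReport
$report | Format-Table -AutoSize

# Flag what deserves a look: wrong client type, a DC running on its local CMOS clock, or an offset above one second.
$report | Where-Object {
    -not $_.TypeAsExpected -or
    $_.Source -like 'Local CMOS*' -or
    ($null -ne $_.OffsetSeconds -and [math]::Abs($_.OffsetSeconds) -gt 1)
} | ForEach-Object { Write-Warning "Check the time configuration on $($_.DomainController)" }
```

The "(Local)" and "(Policy)" tags in the /configuration output are worth watching: a value tagged (Policy) comes from Group Policy and takes precedence over the registry values set above, which matters once the NTP client GPO from the next section is linked at the domain level.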

How to configure Accurate Time on domain-joined devices

To perform the steps below, sign in to a system with the Group Policy Management Console (GPMC) installed, using an account that is either:

  • a member of the Domain Admins group, or
  • the current owner of the Group Policy Object, with the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or
  • delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, with the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

To configure the Accurate Time feature on domain-joined devices, perform these steps:
Create a new Group Policy object

To create a Group Policy Object, perform these steps:

  • Open the Group Policy Management Console (gpmc.msc)
  • In the left navigation pane, expand the Forest container.
  • Expand the Domains container, and then navigate to the domain where you want to create the GPO.
  • Expand the domain name.
  • Right-click the Group Policy Objects node and select New from the menu.
  • In the New GPO pop-up window, enter a descriptive name for the Group Policy Object, for instance ‘NTP Client Settings’. Make sure you don’t select a Starter GPO.
  • Click OK to create the GPO.
Configure settings for Accurate Time

Make the appropriate changes in the Group Policy object for the Accurate Time feature, while still in the Group Policy Management Console (GPMC):

  • Select the previously created Group Policy object.
  • In the left navigation pane, right-click the GPO and select Edit… from the menu.
    The Group Policy Editor (gpedit.msc) appears.
  • In the left navigation pane of the Group Policy Editor window expand the Computer Configuration node, then the Policies node, the Administrative Templates node, the System node, the Windows Time Service node and finally the Time Providers node.
  • In the main pane of the Group Policy Editor window, double-click the Configure Windows NTP Client setting.
    The Configure Windows NTP Client window appears:

[Image: the Configure Windows NTP Client Group Policy setting]

  • Configure the setting as Enabled at the top of the window.
  • In the left pane in the Options: area, specify the following settings:
    • As the NTPServer, specify the domain name.

Note:
You could alternatively specify the fully-qualified DNS name of the Domain Controller holding the PDCe FSMO role, but that would create a single point of failure in an otherwise redundant infrastructure. Since the other Domain Controllers synchronize their time accurately with the Domain Controller holding the PDCe FSMO role anyway, specifying the domain name is the better configuration.

    • As the Type, specify NT5DS.
    • For the CrossSiteSyncFlags value, specify 2.
    • For the ResolvePeerBackoffMinutes value, specify 15.
    • For the ResolvePeerBackoffMaxTimes value, specify 7.
    • For the SpecialPollInterval value, specify 64.
    • For the EventLogFlags value, specify 0.
  • Click OK.
  • Back in the main pane of the Group Policy Editor window, double-click the Enable Windows NTP Client setting.
  • Configure the setting as Enabled at the top of the window.
  • Click OK.
  • Close the Group Policy Editor (gpedit.msc) window.
Assign the Group Policy object to the Domain

To link the previously created Group Policy Object, perform these steps, while still in the Group Policy Management Console (GPMC):

  • In the left navigation pane of the Group Policy Management Console (GPMC) navigate to the node that represents the domain name.
  • Right-click the node and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO you created earlier from the list of available Group Policy objects.
  • Click OK to link the GPO.
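For environments where changes are scripted and reviewed rather than clicked through, the same GPO can be built and linked with the GroupPolicy module. The script below is an added example, not code from the original post. It assumes the RSAT GroupPolicy and ActiveDirectory modules, an account with the permissions listed above, and the registry path that the standard W32Time.admx template writes for both the Configure Windows NTP Client and Enable Windows NTP Client settings; the GPO name is the one suggested in the walkthrough.

```powershell
# Added example (not from the original post): create, populate and link the "NTP Client Settings" GPO.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules; standard W32Time.admx policy key (see below).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$gpoName   = 'NTP Client Settings'
# Policy key written by "Configure Windows NTP Client" and "Enable Windows NTP Client" (W32Time.admx).
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

function New-NtpClientGpo {
    param([string]$Name = $gpoName, [string]$NtpServer = $domain.DNSRoot)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Accurate Time: Windows NTP Client settings' }

    # "Configure Windows NTP Client": the values entered in the Options: area of the walkthrough.
    $null = Set-GPRegistryValue -Name $Name -Key $policyKey -ValueName NtpServer -Type String -Value $NtpServer
    $null = Set-GPRegistryValue -Name $Name -Key $policyKey -ValueName Type      -Type String -Value 'NT5DS'
    $dwords = [ordered]@{
        CrossSiteSyncFlags         = 2
        ResolvePeerBackoffMinutes  = 15
        ResolvePeerBackoffMaxTimes = 7
        SpecialPollInterval        = 64
        EventLogFlags              = 0
        Enabled                    = 1    # "Enable Windows NTP Client" = Enabled
    }
    foreach ($entry in $dwords.GetEnumerator()) {
        $null = Set-GPRegistryValue -Name $Name -Key $policyKey -ValueName $entry.Key -Type DWord -Value $entry.Value
    }
    $gpo
}

function Add-DomainGpoLink {
    param([string]$Name = $gpoName)
    # Equivalent of "Link an existing GPO..." on the domain node; skipped when the link already exists.
    $links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $Name)) {
        $null = New-GPLink -Name $Name -Target $domain.DistinguishedName -LinkEnabled Yes
    }
}

$null = New-NtpClientGpo
Add-DomainGpoLink

# Review exactly what the GPO will write on each client.
Get-GPRegistryValue -Name $gpoName -Key $policyKey | Select-Object ValueName, Type, Value
```

Two things to keep in mind when verifying on a client with gpupdate /force and w32tm /query /configuration: with Type NT5DS the client follows the domain hierarchy and the NtpServer value is only consulted when Type is NTP, and values delivered this way show up tagged (Policy) and take precedence over the local W32Time registry values. A GPO linked at the domain level therefore also reaches the Domain Controllers OU, including the PDCe holder, unless it is filtered; the replies in the comments below discuss how to handle that.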

 

Concluding

The Accurate Time feature might benefit your organization. The feature is not enabled by default, but you can enable it easily, using the lines of Windows PowerShell above.

Further reading

Configure NTP Time Sync Using Group Policy
VMware vSphere 7.0U1 introduces advanced time sync configuration
vSphere 7's vMotion notifies for time differences
Managing Active Directory Time Sync on VMware vSphere
Active Directory Time Sync, broken by default

4 Responses to HOWTO: Configure Accurate Time in Active Directory

  1.

    Thanks! Much appreciated, I had an OU policy that set the domain controllers to point to the NTP server; however, the IA requirement was for only the PDC emulator to point there.
    Finally, I made a sub-OU for the BDC and applied the NT5DS setting you showed in the article and enforced it, voila!

    • Hi Les,

      You might want to consider targeting the Group Policy using a WMI filter, instead of a sub OU.

      Remember:

      • The PDC Emulator FSMO role may be manually transferred from one Domain Controller to another.
      • The PDC Emulator FSMO role may be automatically transferred to another Domain Controller when you demote the Domain Controller.

      In both cases, you'd want the registry settings to be automatically applied.
      As the WMI Filter would only apply to Domain Controllers, the impact on applying the Group Policy through WMI is minimal.
      Now all you have to worry about is allowing only the right Domain Controller through the network firewall for UDP 123 at all times (when using an externally hosted reliable time source)…

  2.

    How can you set this so it is dynamic? Like you said, the FSMO roles can be transferred… Maybe a WMI filter for the PDC holder that would configure the PDC Holder?

    • Yes, indeed.
      You can find a good write-up of a WMI Filter targeting the Domain Controller holding the PDC Emulator role here.
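The replies above recommend a WMI filter so that the PDCe-specific settings follow the role when it is transferred or when the role holder is demoted. The following is an added example, not code from the post or its comments: it shows the WQL query such a filter uses and checks, across all Domain Controllers, that the query matches exactly the Domain Controller Active Directory reports as the role holder. It assumes the ActiveDirectory RSAT module and remote CIM/WMI access to each Domain Controller.

```powershell
# Added example (not from the post or its comments): WMI filter query for the PDC Emulator role holder.
# Assumes: ActiveDirectory RSAT module and remote CIM/WMI access to each Domain Controller.
Import-Module ActiveDirectory

# Win32_ComputerSystem.DomainRole is 4 for a Domain Controller without the PDCe role and
# 5 for the Domain Controller holding the PDC Emulator role. Namespace for the GPMC filter: root\CIMv2.
$PdceFilterQuery    = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'
$OtherDcFilterQuery = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 4'

function Test-WmiFilterQuery {
    param([string]$ComputerName, [string]$Query)
    # Group Policy applies a WMI-filtered GPO only when the query returns at least one instance.
    $result = Get-CimInstance -ComputerName $ComputerName -Namespace root\CIMv2 -Query $Query -ErrorAction SilentlyContinue
    [bool]$result
}

function Get-PdceFilterCheck {
    # Compare what each DC reports about itself via WMI with what Active Directory says about the role holder.
    $pdce = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        [pscustomobject]@{
            DomainController     = $dc.HostName
            PdceAccordingToAD    = ($dc.HostName -ieq $pdce)
            PdceFilterMatches    = Test-WmiFilterQuery -ComputerName $dc.HostName -Query $PdceFilterQuery
            OtherDcFilterMatches = Test-WmiFilterQuery -ComputerName $dc.HostName -Query $OtherDcFilterQuery
        }
    }
}

$check = Get-PdceFilterCheck
$check | Format-Table -AutoSize

# Exactly one DC per domain should match the PDCe filter, and it must be the role holder AD reports.
$mismatch = $check | Where-Object { $_.PdceAccordingToAD -ne $_.PdceFilterMatches }
if ($mismatch) {
    Write-Warning "WMI role and AD role disagree on: $($mismatch.DomainController -join ', ')"
}
```

Because the filter is evaluated on the client during policy processing, the new role holder picks up the PDCe GPO and the previous holder drops it at the next refresh, which is the dynamic behaviour the second comment asks for. In a multi-domain forest every domain has its own PDCe reporting DomainRole 5, so the GPO carrying the external-source settings should be linked only in the forest root domain, where the top of the hierarchy lives.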

       
