NTP Active Directory

PDC Emulator Configuration (Forest Root Domain)

 

Before starting any configuration, you need to make sure that you can access an external reliable NTP server.  If you are struggling to find one, a pool of load balanced NTP servers is available on the Internet in the NTP Pool project.  This project will have servers close to you which will provide you with marginally higher accuracy based on reduced round trip inconsistencies.  Have a look at http://www.pool.ntp.org to find an NTP Pool near you.  Remember that you will need UDP port 123 assess from your PDC Emulator to the desired Internet based NTP server.

Next, find the PDC Emulator.  You can find the PDC Emulator for the domain using the “netdom query fsmo” command on any domain controller.

On the PDC Emulator, let’s first clear all the w32tm config on the PDC Emulator.  This will allow us to start afresh and not be concerned with previous potential inaccurate configurations.  This is optional, but something I usually do to ensure that I am aware of every config entry I make.  To do this:

W32tm /unregister

Wait a minute or two

W32tm /register

Now, to configure the PDC Emulator, run the following:

w32tm /configure /manualpeerlist:pool.ntp.org,0×1 /syncfromflags:manual /update

Note: The 0×1 is required as this is a DNS name and not an IP Address.

Syncfromflags:manual tells the server PDC Emulator that it will use an external NTP server for time, and not the domain.

Remember to restart the Windows Time Service after each configuration change.  Use the following commend to restart the Windows Time Service:

Net stop w32time & net start w32time

Once you have done this, you can verify these settings in the Registry in the following location:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type:  NTP

NTPServer: pool.ntp.org

You can also use w32tm to check the new configuration:

W32tm /query /configuration

ONLY the PDC Emulator of the Forest Root Domain should have the Type configured as NTP.  All other machines in the domain should have this entry set to NT5DS in order to obtain their time from the Domain and not external NTP servers.

You now need to inform the server to get out there and find what the time is supposed to be using NTP.  Use the following command to do this:

W32tm /resync /rediscover

At any time, you can use the following command to monitor the server which is really great for troubleshooting:

w32tm /monitor

You can also check the status of the server as follows:

W32tm /query /status

The following two registry entries specify the maximum time shift that the DC will accept in seconds from it’s peers:

MaxPosPhaseCorrection (default – 172800 seconds)

MaxNegPhaseCorrection (default – 172800 seconds)

Although Microsoft recommends changing this to 900 seconds, others have commented to reduce this to 300 seconds to ensure you don’t have any 300 second Kerberos issues.  Use your discretion here.  I always use 300 seconds.  The default is 2 days (172800 decimal).  If you are 2 days out, it might be weekend and you are still working…

Note:  If your DC is having difficulty based on any of the above steps, ensure that there are no GPO Time Settings applying to the Domain Controller.  You can find this using Resultant Set of Policy in the following GPO Settings path:

Computer Configuration > Administrative Templates > System > Windows Time Service

Client and additional Domain Controller Configuration

On the assumption that not GPO configuration settings have been applied, the clients should work fine under normal circumstances.

All client devices within the domain should receive their time from the domain.  To manually tell a client to do this, run the following:

w32tm /config /syncfromflags:domhier /update

This can also be done using Group Policy here:

Computer Configuration > Administrative Templates > System > Windows Time Service

Once you have done this, you can verify these settings on the client in the Registry in the following location:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type:  NT5DS

NTPServer: PDCEmulatorName

Source: http://robsilver.org/ad/demystifying-time-in-a-forest/

You May Also Like

About the Author: Bastiaan van Leeuwen

Leave a Reply

Your email address will not be published. Required fields are marked *