Home

Tutorials

Active Directory

Time Synchronization in Active Directory Forests (EN)

Time synchronization design and setup are very important for an Active Directory environment. This is because time synchronization issues lead to Kerberos authentication failures once the maximum tolerance for computer clock synchronization (By default is five (5) minutes) is exceeded.

Windows Time Service:

Windows Time Service is based on the use of NTP (Network Time Protocol) for time synchronization. It supports also SNTP (Simple Network Time Protocol) for compatibility reasons (Example: Compatibility with Windows 2000 computers).

Microsoft do not guarantee and do not support the accuracy of Windows Time Service between nodes on a network as this service is not a full-featured NTP solution that can meet time-sensitive application needs. Windows Time Service was not designated in such way that it maintains time synchronization to the range of one (1) or two (2) seconds.

If you have an application that needs to have a high accuracy NTP solution then Windows Time Service should not be used in this case. Instead, third party software are available to satisfy this need.

High Accuracy W32time Requirements: http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx

Support boundary to configure the Windows Time service for high accuracy environments: http://support.microsoft.com/kb/939322/

The good part of Windows Time Service is that it allows an accuracy that meets the requirements of most of companies’ critical services like Active Directory Domain Services and AD-based authentication. A time difference of few seconds is expected but this will does not impact Kerberos authentication which is fine for an Active Directory environment.

Time Synchronization in an Active Directory Domain Services Hierarchy:

The following schema explains how the default time synchronization in Active Directory Domain Services works:

Source: http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr

As you can see, the PDC Emulator of the Forest Root Domain is considered as the best time source in an Active Directory forest. Other domain controllers in the Forest Root Domain use it for time synchronization while domain controllers in child domains use the PDC Emulator or any domain controller from parent domain for time synchronization. Member servers and Workstation use domain controllers in their domain for time synchronization. With this hierarchy, we can maintain a reliable time synchronization system that allows avoiding Kerberos failure issues in an Active Directory domain. This configuration is by default in an Active Directory forest and does not need to be changed.

As the PDC Emulator of the Forest Root Domain is considered as the best time source in an Active Directory forest, it needs to have its time as accurate as possible. That is why, it is highly recommended to configure this server to synchronize its time with at least two (2) reliable external NTP servers.

List of reliable NTP servers: http://www.pool.ntp.org/

PDC Emulator downtimes:

A weakness for the default time synchronization in Active Directory Domain Services hierarchy is that the PDC Emulator of the Root Domain is considered as a single point of failure (This is not the case for other PDC Emulators as if one is down, other domain controllers can still be used). If this domain controller is down or experiencing failures for a long period, the other domain controllers in the Forest Root domain will start to run out of sync and you may start experiencing time synchronization issues. That is why it is important to have this domain controller up and running in a healthy state.

In case of major failures where it is no longer possible to recover the PDC Emulator of the Root domain or if you are not able to recover it quickly, you need to proceed like the following:

Force the demotion of the Domain Controller using dcpromo /forceremoval command (You can also re-install it or just decommission it)
Seize FSMO roles that this Domain Controller was holding to another Domain Controller (You can use netdom query fsmo command to get the list of FSMO holders): http://support.microsoft.com/kb/255504
Do metadata cleanup of the faulty Domain Controller references: http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx

Configuration of time synchronization in an Active Directory forest:

There is multiple ways to configure time synchronization in an Active Directory forest:

Via commands: http://technet.microsoft.com/en-us/library/w32tm(v=ws.10).aspx
By updating Registry Keys: http://support.microsoft.com/kb/223184/en-us
Via Group Policies

To maintain the default time synchronization setup in an Active Directory forest, I would recommend using group policies. This is because it allows overwriting manually done updates by automatic corrections.

Below is how you can proceed for:

The PDC Emulator:

You need to create a Group Policy in which you will enable and configure the following parameters:

Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client should be enabled

Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client should be enabled with “NTP” as Type and the NTP server(s) to use set as NtpServer (You can add multiple NTP servers by separating them with a white space)

Other settings can be also configured (Example: CrossSiteSyncFlags).

Windows Time Service Group Policy Settings Explained: http://blogs.msdn.com/b/w32time/archive/2009/02/02/group-policy-settings-explained.aspx

Now, what is remaining is to link the group policy to “Domain Controllers” Organizational Unit or at the domain level of the Forest Root Domain and update the Security Filtering to apply the settings only on the PDC Emulator of your Forest Root domain.

Other domain controllers, member servers and Workstation:

You need to create a Group Policy in which you will enable and configure the following parameters:

Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client should be enabled with “NT5DS” as Type

NT5DS is domain hierarchy based time synchronization.

The group policy needs to be linked to the domain level of all domains existing in the Active Directory forest. Please note here that for the group policy that will be linked to the Forest Root domain the PDC Emulator in this domain should be excluded from the appliance. This could be done by forcing a deny of Apply group policy permission in the advanced delegation tab of the group policy.

When you transfer / seize the PDC Emulator FSMO role in the Forest Root Domain to a new domain controller, you will need to update the group policies’ filtering to exclude the old PDC Emulator and replace it by the new one.

The latest tutorials

23/03/2019 How to identify active hosts in your networks and perform horizontal TCP port scans

06/03/2019 Stop perfecting your Active Directory Domain Services Password / Lockout Policies – It is time to invest on Multi-Factor Authentication and Compensating Controls

09/02/2019 An Effective Approach to Protect Administrative Accesses to Your Datacenters and Cloud Resources

17/01/2019 How to create a Lag Site for your Active Directory Domain Services setup

About Tunit

Tunit helps you plan your Microsoft systems integration and administration.

Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.

View more