It’s important that Windows time is set correctly – but how Windows time works seems to be a poorly understood area.
In this article, I’ll try to clear up the concepts and explain what is, in my opinion, the best way to implement time services throughout your domain(s).
Background
- Windows, by default, will automatically set its time from the domain controller which holds the FSMO role “PDC emulator”
- It is a good practice to sync your PDCe with an external time source
- In a multi-domain environment, the PDCe in the forest root domain is the overall master
- Port 123 (NTP) is used for all communications
- All other DCs will, by default, look for the PDCe as their time source. There is no need to set anything here unless something has gone wrong.
- All workstations will, by default, look at the local DC as their time source. There is no need to set anything here unless something has gone wrong.
- Windows will, by default, poll for an NTP update once every 8 hours.
- Windows 2016 time service offers (optionally) more accurate time services than previous versions – https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time
Setting up the NTP client on your PDCe to sync from an external source
I strongly recommend using Group Policy to set up the NTP client on your PDC emulator, not the command line. Using a Group Policy makes the settings (a) obvious and (b) easily transportable to new DCs as you migrate/upgrade in the future.
- Create a new GPO; I name mine “Domain Controller – Set NTP on PDCe”
- Narrow it down to your PDCe by either:
  - Removing “Authenticated Users” and adding your current PDCe (this will need to be manually updated if/when the PDCe role moves), or
  - Using the WMI filter query “Select * from Win32_ComputerSystem where DomainRole = 5” (this will auto-update when the PDCe moves)
- Set the following within the group policy, under Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers:
  - Enable Windows NTP Client: Enabled
  - Configure Windows NTP Client: Enabled
    - NtpServer: <YourExternalNTPServer1>,0x1 <YourExternalNTPServer2>,0x1 (for Adelaide-based clients I used ntp.internode.on.net and ntp.adelaide.edu.au, a local ISP and a local university, but these could be any publicly available NTP servers)
    - Type: NTP
    - CrossSiteSyncFlags: 2
    - ResolvePeerBackoffMinutes: 15
    - ResolvePeerBackoffMaxTimes: 7
    - SpecialPollInterval: 3600
    - EventLogFlags: 0
- Optionally, enable the NTP server if you want non-Windows clients to also be able to sync against your PDCe:
  - Enable Windows NTP Server: Enabled
Commands to check status and troubleshoot
- w32tm /monitor – this exceedingly useful command will show you the status of all DCs in the domain, where they are configured to get their time source from, and their offset from the authoritative time source
- If a domain controller is having issues:
  - w32tm /config /syncfromflags:domhier /update
  - net stop w32time
  - net start w32time
  - w32tm /query /status
- Event Viewer entries:
  - Applications and Services Logs → Microsoft → Windows → Time-Service → Operational
  - Windows Logs → System – Event IDs 12, 35, 37, 50
- Debug logging:
  - w32tm /debug /enable /file:C:\Temp\w32time.log /size:10240000
  - w32tm /debug /disable
- Check whether your DCs in particular have their time synced with their VM host. I have seen this cause issues when the underlying hardware for a VM host has an odd clock issue. I'm not saying it's common, but I've seen it happen a few times and generally recommend not syncing time from your VM host to your DCs.
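The checks above can be scripted so that the status, the event log entries and the offset to a peer are gathered in one pass before you reach for the repair commands. The following PowerShell is an added example, not part of the original article. It assumes an elevated session on a domain-joined Windows host with English w32tm output (the “Key: Value” labels are localised elsewhere); the `Microsoft-Windows-Time-Service` provider name, the `w32tm /stripchart` sampling and the health thresholds are my additions, and the peer name in the usage line is one of the external servers the article mentions.

```powershell
# Added example (not from the original article): automate the troubleshooting checks listed above.
# Assumes: elevated PowerShell on a domain-joined host, English w32tm output.

function Get-W32TimeStatus {
    # Parse 'w32tm /query /status' into a hashtable of its "Key: Value" lines.
    $status = @{}
    foreach ($line in (w32tm /query /status 2>&1)) {
        if ("$line" -match '^\s*([^:]+?):\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-W32TimeHealth {
    param([int]$MaxSyncAgeHours = 8)   # the article: Windows polls once every 8 hours by default

    $status   = Get-W32TimeStatus
    $findings = @()

    # These two sources mean the host has fallen back to its own clock and is syncing from nobody.
    $localSources = @('Local CMOS Clock', 'Free-running System Clock')
    if ($localSources -contains $status['Source']) {
        $findings += "Source is '$($status['Source'])': no peer is being used"
    }

    # A stale last sync usually means the configured peer is unreachable (e.g. UDP 123 filtered).
    $lastSync = [datetime]::MinValue
    if ([datetime]::TryParse($status['Last Successful Sync Time'], [ref]$lastSync)) {
        if ($lastSync -lt (Get-Date).AddHours(-$MaxSyncAgeHours)) {
            $findings += "Last successful sync $lastSync is older than $MaxSyncAgeHours h"
        }
    } else {
        $findings += "No parseable 'Last Successful Sync Time' (service never synced?)"
    }

    [pscustomobject]@{
        Source   = $status['Source']
        LastSync = $status['Last Successful Sync Time']
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Get-W32TimeEvents {
    # The System-log event IDs the article points at, plus the Time-Service Operational log.
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $system = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'
        Id = 12, 35, 37, 50; StartTime = $since
    }
    $operational = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Time-Service/Operational'; StartTime = $since
    }
    @($system) + @($operational) | Sort-Object TimeCreated | Select-Object TimeCreated, Id, LogName, Message
}

function Measure-PeerOffset {
    # Sample this host's offset from a peer with 'w32tm /stripchart' (read-only, changes nothing).
    param([Parameter(Mandatory)][string]$Peer, [int]$Samples = 5)
    $offsets = foreach ($line in (w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1)) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }   # "hh:mm:ss, +00.0012345s"
    }
    if (-not $offsets) { return $null }   # peer unreachable or blocked: every sample line is an error line
    [pscustomobject]@{
        Peer              = $Peer
        Samples           = @($offsets).Count
        MeanOffsetSeconds = (@($offsets) | Measure-Object -Average).Average
    }
}

# Usage: run the checks; if the status looks wrong, fall back to the article's repair steps.
$health = Test-W32TimeHealth
$health | Format-List
if (-not $health.Healthy) { Get-W32TimeEvents | Format-Table -AutoSize }
Measure-PeerOffset -Peer 'ntp.adelaide.edu.au'   # one of the external sources named in the article
```

`Measure-PeerOffset` returning `$null` for an external peer while `w32tm /monitor` looks fine is the quickest way to separate a firewall problem on UDP 123 from a broken domain hierarchy; only after that is it worth running the `/syncfromflags:domhier` reset and service restart listed above.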
Using policy to set clients to look at your DCs as their time source
This is the default behaviour of Windows, and you should not need to set this. However, in some places I've found we have had to, because something, somewhere is broken, and sometimes you need a fix quickly.
- Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
  - Configure Windows NTP Client: Enabled
    - NtpServer: <YourDC1>,0x1 <YourDC2>,0x1
    - Type: NT5DS
    - CrossSiteSyncFlags: 2
    - ResolvePeerBackoffMinutes: 15
    - ResolvePeerBackoffMaxTimes: 7
    - SpecialPollInterval: 3600
    - EventLogFlags: 0
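Both GPOs in this article (the PDCe one earlier and the client one just above) push the same set of W32Time values, differing only in `Type` and the `NtpServer` list. A practical check after `gpupdate` is to read the values back and compare them against what the machine's role should have, so that a PDCe GPO which has leaked onto other DCs (or a client GPO that has reached the PDCe) is caught before the hierarchy breaks. The PowerShell below is an added example, not the article's own script. It assumes an elevated session on a domain-joined host, that policy-delivered settings are under `HKLM:\SOFTWARE\Policies\Microsoft\W32Time` (with the service's own keys under `HKLM:\SYSTEM\CurrentControlSet\Services\W32Time` as a fallback), and that the `0x1` suffix in `NtpServer` means “use SpecialPollInterval”; the expected values are the ones the article lists.

```powershell
# Added example (not from the original article): verify the W32Time settings the two GPOs push.
# Assumes: elevated PowerShell on a domain-joined host; policy values under the Policies hive.

$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
$ServiceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-W32TimeSetting {
    # Prefer the Group Policy copy of a value; fall back to the service's own key.
    param([string]$SubKey, [string]$Name)
    foreach ($root in $PolicyRoot, $ServiceRoot) {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-DomainRole {
    # Same WMI class/property the article's GPO filter uses: 5 = primary domain controller (PDCe).
    (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
}

function Test-NtpServerList {
    # NtpServer is a space-separated list of "host,flags"; 0x1 = honour SpecialPollInterval.
    param([string]$NtpServer)
    if ([string]::IsNullOrWhiteSpace($NtpServer)) { return @('NtpServer is empty') }
    $problems = @()
    foreach ($entry in ($NtpServer -split '\s+')) {
        $peerName, $flags = $entry -split ','
        if (-not $flags) { $problems += "$peerName has no flags (expected ,0x1)"; continue }
        if (([int]$flags -band 0x1) -eq 0) { $problems += "$peerName lacks 0x1, so SpecialPollInterval is ignored" }
    }
    return $problems
}

function Test-W32TimePolicy {
    $role   = Get-DomainRole
    $isPdce = ($role -eq 5)
    # Values from the article: the PDCe syncs externally (NTP), everything else follows the hierarchy (NT5DS).
    $expected = [ordered]@{
        'Parameters\Type'                                    = $(if ($isPdce) { 'NTP' } else { 'NT5DS' })
        'TimeProviders\NtpClient\Enabled'                    = 1
        'TimeProviders\NtpClient\CrossSiteSyncFlags'         = 2
        'TimeProviders\NtpClient\ResolvePeerBackoffMinutes'  = 15
        'TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes' = 7
        'TimeProviders\NtpClient\SpecialPollInterval'        = 3600
        'TimeProviders\NtpClient\EventLogFlags'              = 0
    }
    $findings = @()
    foreach ($path in $expected.Keys) {
        $actual = Get-W32TimeSetting -SubKey (Split-Path $path -Parent) -Name (Split-Path $path -Leaf)
        if ("$actual" -ne "$($expected[$path])") {
            $findings += "$path = '$actual' (expected '$($expected[$path])')"
        }
    }
    $findings += Test-NtpServerList -NtpServer (Get-W32TimeSetting -SubKey 'Parameters' -Name 'NtpServer')
    [pscustomobject]@{
        DomainRole = $role
        IsPdce     = $isPdce
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: a clean result on the PDCe means Type = NTP with the external peers; on any other
# DC or member it means Type = NT5DS, i.e. the PDCe GPO has not leaked beyond its filter.
Test-W32TimePolicy | Format-List
```

Running this on every DC after a PDCe role transfer is the cheapest way to confirm the WMI-filtered GPO followed the role: the old PDCe should now report `NT5DS`, the new one `NTP`.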
References
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time
https://theitbros.com/configure-ntp-time-sync-group-policy/
