ORIGINAL ARTICLE: http://robsilver.org/ad/demystifying-time-in-a-forest/
ALL RIGHTS RESERVED TO THE AUTHOR(S) OF THE ORIGINAL ARTICLE.
Demystifying Time in a Forest
by Rob Silver on April 23, 2010
There are a large number of posts on the internet with regards to setting up or troubleshooting time in an Active Directory forest. This blog aims to shed some light on the key principles, configuration and useful resources for time in an Active Directory forest.
One of the key reasons for the posts on Domain Controller time settings is the PDC Emulator not being configured with a reliable time source which generates the following error in DCDiag:
Warning: SERVERNAME is not advertising as a time server or errors related to the server not advertising itself as a Domain Controller.
The TIMESERV flag will not be set for that DC if there are any issues with the Windows Time Service.
Key Principles
Firstly, do you really need accurate time? Not really. In fact, Microsoft doesn’t even support high time accuracy. http://blogs.technet.com/askds/archive/ ... ments.aspx
However, it would be a really nice feature to have all machines on the network showing the correct time. Naturally, there are some instances where accurate time is absolutely necessary; e.g. banking, time logging applications, transport systems etc. The Stratum is the degree to which a computer’s clock is accurate. The lower the value, the higher the accuracy, where a value of 1 is considered the highest accuracy.
So, your time can be a year off and your forest will work fine. PLEASE don’t test this. USN rollback or Certificate expiration may occur if you experiment with this which is a topic for another day…
Next question – do the clocks need to be in sync within the Forest? Yes they do, give or take 5 minutes in order to ensure you don’t break Kerberos as per RFC 1510.
So, it is more important to ensure that the clocks are in sync than to ensure accurate time, although accurate time is nice.
Windows 2000 used SNTP (Simple Network Time Protocol) and Net Time as both the protocol and management tool for managing time. This is pretty much outdated although some Domain Admins are still using the legacy mechanisms (net time /setsntp….) to try and configure the 2003/2008/2008 R2 Domain Controllers.
From Windows Server 2003 onwards, NTP is used as the protocol (uses Coordinated Universal Time [UTC] agnostic of time zones) on UDP port 123. It uses the Windows Time Service (w32time.dll) to manage time which is in turn configured via the w32tm.exe command line tool.
There’s a fundamental difference between w32tm and Net Time command lines. Net time only queries the time of the remote computer using the multi-functional net.exe utility while w32tm specifically queries the Windows Time Service. However, net time is still useful as it can be used to query remote devices which don’t run the Windows Time Service or NTP.
Please note that the command “Net Time” with no switches will query the time of a Domain Controller and not the local machine. This can be overridden with the \\computername switch. To query the time in a different domain, use the /domain:domainname switch. Although the “Net Time” command queries remote computers, the /SET switch only sets the time of the local machine (not the \\computername machine).
Setting up the forest, the best practice is to get the Forest Root PDC Emulator to retrieve its time from a reliable time source (Manual NTP Server), while all other DCs retrieve their time from the PDC Emulator in the forest root (Domhier). Clients retrieve their time from any Domain Controller advertising as a time server.
Let’s look at the steps involved in setting up the PDC Emulator in the forest root domain on the assumption that you would like it to synchronise its time with a remote reliable NTP server.
PDC Emulator Configuration (Forest Root Domain)
Before starting any configuration, you need to make sure that you can access an external reliable NTP server. If you are struggling to find one, a pool of load balanced NTP servers is available on the Internet in the NTP Pool project. This project will have servers close to you which will provide you with marginally higher accuracy based on reduced round trip inconsistencies. Have a look at http://www.pool.ntp.org to find an NTP Pool near you. Remember that you will need UDP port 123 access from your PDC Emulator to the desired Internet based NTP server.
Next, find the PDC Emulator. You can find the PDC Emulator for the domain using the “netdom query fsmo” command on any domain controller.
On the PDC Emulator, let’s first clear all the w32tm config. This will allow us to start afresh and not be concerned with previous potentially inaccurate configurations. This is optional, but something I usually do to ensure that I am aware of every config entry I make. To do this:
W32tm /unregister
Wait a minute or two
W32tm /register
Now, to configure the PDC Emulator, run the following:
w32tm /config /manualpeerlist:pool.ntp.org,0x1 /syncfromflags:manual /update
Note: The 0x1 is required as this is a DNS name and not an IP Address.
Syncfromflags:manual tells the PDC Emulator that it will use an external NTP server for time, and not the domain.
Remember to restart the Windows Time Service after each configuration change. Use the following command to restart the Windows Time Service:
Net stop w32time & net start w32time
Once you have done this, you can verify these settings in the Registry in the following location:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type: NTP
NTPServer: pool.ntp.org
You can also use w32tm to check the new configuration:
W32tm /query /configuration
ONLY the PDC Emulator of the Forest Root Domain should have the Type configured as NTP. All other machines in the domain should have this entry set to NT5DS in order to obtain their time from the Domain and not external NTP servers.
You now need to inform the server to get out there and find what the time is supposed to be using NTP. Use the following command to do this:
W32tm /resync /rediscover
At any time, you can use the following command to monitor the server which is really great for troubleshooting:
w32tm /monitor
You can also check the status of the server as follows:
W32tm /query /status
The following two registry entries specify the maximum time shift, in seconds, that the DC will accept from its peers:
MaxPosPhaseCorrection (default – 172800 seconds)
MaxNegPhaseCorrection (default – 172800 seconds)
Although Microsoft recommends changing this to 900 seconds, others have suggested reducing it to 300 seconds to ensure you don’t have any 300 second Kerberos issues. Use your discretion here. I always use 300 seconds. The default is 2 days (172800 decimal). If you are 2 days out, it might be the weekend and you are still working…
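The PDC Emulator steps above, collected into one script as an added example that is not from the original article: it checks that it is really running on the PDC Emulator, applies the manual peer list, tightens MaxPosPhaseCorrection and MaxNegPhaseCorrection to the 300 seconds the article uses, restarts the service, resyncs and reads the result back. It assumes an elevated PowerShell session on the PDC Emulator with the ActiveDirectory module available (true on a domain controller), outbound UDP 123 to the pool, and that the registry value name NtpServer and the \Config subkey holding the phase correction limits are where the Windows Time Service reads them. The peer list and the 300-second limit are values to adjust to your environment; /reliable:yes is a real w32tm switch not shown in the article, added so the PDC Emulator advertises as a reliable time source.

```powershell
# Added example, not the article's own commands. Run elevated on the forest-root PDC Emulator.
$PeerList   = 'pool.ntp.org,0x1'   # assumption: replace with the NTP pool nearest you
$MaxPhase   = 300                   # seconds; the author's choice (Microsoft suggests 900, default 172800)
$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Only the forest-root PDC Emulator should ever be configured with Type=NTP,
# so refuse to continue if this host does not hold the PDC Emulator role.
$pdc = (Get-ADDomain).PDCEmulator            # FQDN, e.g. dc01.example.internal (assumed)
if ($pdc.Split('.')[0] -ne $env:COMPUTERNAME) {
    throw "This host is not the PDC Emulator ($pdc); refusing to set Type=NTP here."
}

# Manual peer list plus syncfromflags:manual = use the external server, not the domain.
w32tm /config "/manualpeerlist:$PeerList" /syncfromflags:manual /reliable:yes /update

# Limit the time jump the service will accept from a peer (REG_DWORD, seconds).
Set-ItemProperty -Path "$W32TimeKey\Config" -Name MaxPosPhaseCorrection -Value $MaxPhase -Type DWord
Set-ItemProperty -Path "$W32TimeKey\Config" -Name MaxNegPhaseCorrection -Value $MaxPhase -Type DWord

# Changes take effect only after a service restart; then force a resync.
Restart-Service w32time
w32tm /resync /rediscover

# Read back what the service is actually using: Type must be NTP and the
# peer list must match; /query /source shows the peer it is syncing from.
$params = Get-ItemProperty -Path "$W32TimeKey\Parameters"
$config = Get-ItemProperty -Path "$W32TimeKey\Config"
[pscustomobject]@{
    Type                  = $params.Type
    NtpServer             = $params.NtpServer
    MaxPosPhaseCorrection = $config.MaxPosPhaseCorrection
    MaxNegPhaseCorrection = $config.MaxNegPhaseCorrection
    Source                = (w32tm /query /source | Out-String).Trim()
}
```

If the final object shows Type as NT5DS or the source as the local CMOS clock, a Group Policy under Windows Time Service is most likely overriding the manual configuration; check it with Resultant Set of Policy before repeating the steps.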
Note: If your DC is having difficulty based on any of the above steps, ensure that there are no GPO Time Settings applying to the Domain Controller. You can find this using Resultant Set of Policy in the following GPO Settings path:
Computer Configuration > Administrative Templates > System > Windows Time Service
Client and additional Domain Controller Configuration
On the assumption that no GPO configuration settings have been applied, the clients should work fine under normal circumstances.
All client devices within the domain should receive their time from the domain. To manually tell a client to do this, run the following:
w32tm /config /syncfromflags:domhier /update
This can also be done using Group Policy here:
Computer Configuration > Administrative Templates > System > Windows Time Service
Once you have done this, you can verify these settings on the client in the Registry in the following location:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type: NT5DS
NTPServer: PDCEmulatorName
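The client and additional domain controller steps above, as an added example that is not from the original article: it switches the machine back to the domain hierarchy, then verifies that Type is NT5DS, that the time source is a domain controller rather than the local clock, and that the offset from the forest-root PDC Emulator is small compared with the 5-minute Kerberos tolerance. It assumes an elevated session on the machine being fixed and the ActiveDirectory module for locating the PDC Emulator (an assumption; netdom query fsmo from the article works as well); dcdiag /test:advertising and w32tm /stripchart are real tools not shown in the article.

```powershell
# Added example, not the article's own commands. Run elevated on a member or non-PDC DC.
$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# syncfromflags:domhier = follow the domain hierarchy (clients -> any time-advertising
# DC, DCs -> forest-root PDC Emulator); any stale manual peer list stops being used.
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify the registry reflects the domain hierarchy and the service found a DC.
$type   = (Get-ItemProperty -Path "$W32TimeKey\Parameters").Type
$source = (w32tm /query /source | Out-String).Trim()

if ($type -ne 'NT5DS') {
    Write-Warning "Type is '$type'; only the forest-root PDC Emulator should be NTP."
}
if ($source -match 'Local CMOS Clock|Free-running') {
    # No DC answered as a time server: check the TIMESERV flag with
    # 'dcdiag /test:advertising' on the DCs and look for a GPO overriding this setting.
    Write-Warning "Not synchronising from the domain (source: $source)."
}

# Measure the offset against the forest-root PDC Emulator; stripchart prints the
# offset in seconds per sample, which should stay far below the 300 s Kerberos limit.
$rootDomain = (Get-ADForest).RootDomain                       # assumption: AD module present
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator
w32tm /stripchart "/computer:$pdc" /samples:3 /dataonly
```

A machine that reports NT5DS but still shows a large offset is usually one that has been out of contact with a DC for longer than the MaxPosPhaseCorrection/MaxNegPhaseCorrection window, so the service refuses the jump; in that case correct the clock manually once and let the domain hierarchy keep it aligned from then on.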
Useful Links:
Windows Time Technical Reference
http://technet.microsoft.com/en-us/libr ... S.10).aspx
High Accuracy w32time Requirements:
http://blogs.technet.com/askds/archive/ ... ments.aspx
NTP Pool Project:
http://www.pool.ntp.org/en/use.html
The 10’000 year clock:
http://www.longnow.org/clock/
Time Software Providers:
#1 Ace Software
40Tude Software
Acrovista
Apple Computer
Atom Time
Beagle Software
Bytefusion Ltd.
Dillobits
Thinking Man Software
Express Computing
Getware
Green Parrots Software
Gregory Braun
Greyware Automation Products
HC Mingham-Smith Limited
K & G Group
KezerNet
Masterclock
Meinberg
Mirage Audio Visual Media
MR Technical Solutions
NTP.org
Polygon, Inc.
RBA Software
RJ Software
Luzius Schneider Software
Slipstream Solutions
Soft Shape
Symmetricom
Tolvanen
Talking Time Keeper
VicTech
Visual GPS
W. Clark & Assoc.
WorldClock
Worldtimeserver.com
Time and Frequency Receiver Manufacturers:
Amano
American Time and Signal
Arbiter Systems
Atomic Time
Beaglesoft
Brandywine Communications
BRG Precision
C-MAX
Casio
Chaney Instruments
Chrono-Log
CNS Systems
Control Company
CrossRate Technology
CxR Larus
DICOM
Digital Display Systems, Inc.
EndRun Technologies
ESE
Fluke
Franklin Instrument
Galleon
Garmin
Gorgy Timing
hopf Elektronik GmbH
Horita
Howard Miller
Innotime Industrial, Ltd.
Instrumentation Technology Systems
Javad Navigation Systems
Junghans
Klockit
La Crosse Technology
Lathem Time
Macrodyne
Magellan
Masterclock
Meinberg
Navsys
Novatel
Oregon Scientific
Oscilloquartz
Pendulum Instruments AB
Precision Test Systems LTD
Precitel
Primex USA
Primex Wireless
Precise Time and Frequency, Inc.
Radio Shack
Raven Industries
RE-Resources
San Jose Navigation
Sangean America, Inc
Schweitzer Engineering Laboratories, Inc.
Septentrio
SkyScan
Spectracom
Stanford Research
Symmetricom
Time Tools
Topcon
TRAK Systems
Trimble
Zyfer
Hope this helps,
Rob