by lunarg on July 3rd 2015, at 15:46

Active Directory uses Kerberos for authentication, which relies heavily on the date and time of day being synchronised across the entire network and every device in it. By default, each server and client joined to the AD, including domain controllers, follows the domain hierarchy to sync its time. Domain controllers automatically determine whether they can be used as a (reliable) time source. Once a DC considers itself a time source, it accepts requests from clients and provides them with its own current time.

Domain controllers at the top of the forest (top-level DCs) have no server above them to sync against, so they can either sync time with their own hardware clock (the default behaviour) or sync to an external (internet) time server through (S)NTP (not the default; it needs to be configured). Using the hardware clock is a viable option, as time will still be synchronised across the forest, but it has one considerable drawback: if the hardware clock of the top-level domain controller starts to drift, the entire forest suffers from the same clock skew. Although authentication will continue to function, the clock will no longer agree with "the rest of the world". As such, it is highly recommended to have the top-level DC sync with an external time source, such as an internet time server.

Configuration

Warning
If the DC you want to configure as an authoritative time server is part of a forest, and that DC is not at the top of the forest (top-level domain), do not configure it to sync directly with an internet time server.
Only top-level DCs should sync with an external time source.
Ignoring this may result in clock skew between your domain and the domain(s) higher up the hierarchy, and stops Kerberos ticketing (= authentication) from functioning properly. This is particularly the case if the top-level DCs do not sync their time with a reliable external time source.
Consider yourself warned...

Advertise as a reliable time source

Configure the time server to advertise itself as a reliable time source. By default, the DC automatically determines for itself whether it is a reliable time source, but once we enable sync with an internet time server, the DC will no longer consider itself one, so we need to override this behaviour.

How the server advertises itself is determined by the AnnounceFlags in the Windows Registry. See this Technet article for a list of possible values.

  1. In the Windows Registry, locate and modify the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
  2. Set the value of AnnounceFlags to 5.
Important notice
Note that forcing the DC to announce itself as a reliable time source may potentially cause clock skew if the DC cannot connect to the external time source. If you know you will have intermittent network outages, it is recommended to leave AnnounceFlags set to 10 (decimal).

Configure sync to one or more external time sources using (S)NTP

Although Microsoft states in KB 816042 that the external time sources should be configured in the registry, that advice is somewhat outdated: starting with 2008/Vista, it is very easy to configure the external time sources with the w32tm command. Using this command is now the preferred and recommended method to configure external time sources.

To configure external time sources, run this command:

w32tm /config /syncfromflags:MANUAL /manualpeerlist:0.europe.pool.ntp.org

The command does two things at once:

  • The parameter /syncfromflags sets the NTP client on the server to use manually specified external time sources rather than synchronizing using the domain hierarchy. If this is not configured this way, the external time sources will be completely ignored.

  • With the parameter /manualpeerlist, we specify which external time source we want to use. This can be specified as a FQDN or as an IP. If you wish to specify more than one server, the entire parameter needs to be enclosed in double quotes ("), like so:
    "/manualpeerlist:peer1 peer2 peer3"

Note that you could split up the command above in two different ones: one to enable sync through the specified peers list, and one to specify the peers.

In our example, if we want to synchronise with two time sources selected from the European pool of publicly available NTP servers, we would run this:

w32tm /config /syncfromflags:MANUAL "/manualpeerlist:0.europe.pool.ntp.org 1.europe.pool.ntp.org"

Applying configuration changes

With the external time sources set up, we still have to apply the changes. You can either restart the w32time service:

net stop w32time && net start w32time

Another method is to trigger the service to re-read all parameters from the registry. This will include any changes you've made with the w32tm command:

w32tm /config /update

It is recommended to use servers from pool.ntp.org rather than choosing fixed servers. Using the pool means random servers will be selected from that pool, and ensures that if a server ever becomes unreachable, another server will automatically be selected from the pool. It is recommended to use servers that are geographically closest, which can be achieved by using the pool's geographical subdivisions.

Because server selection only occurs when the time service starts on your server, it is also highly recommended to select at least two servers from the pool, so that a failover to the second server happens quickly if the first one goes down.

For example, if my server is in Europe, and I want to pick two randomly selected servers from the European pool of time servers, I would set the peers on my server to 0.europe.pool.ntp.org and 1.europe.pool.ntp.org.

More information about pool.ntp.org can be found here and on their own website.

Optional: adjust polling parameters

Because we want our DC to always have the correct time, we also need to adjust some polling settings. These settings specify the interval at which the external time source is polled for the correct time. How these values should be chosen depends greatly on the server. For example, a virtualised DC usually requires a slightly tighter polling interval, as it is more prone to clock skew than a DC running on physical hardware.

The values mentioned below are recommended values by Microsoft, but can be changed if needed. Use common sense when determining the values for your own environment, keeping in mind that it is not appreciated if a server polls an external time source every minute.

Although some of the polling parameters can be changed with the w32tm command, the more advanced settings can only be configured directly in the registry, so I prefer to adjust the values manually through regedit.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
This value sets the polling interval for the external time source, in seconds.
The recommended value is 900 or 1800 seconds, which means polling the source every 15 or 30 minutes.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
This value is the maximum positive correctable time difference. If the time difference between the server and the external time source exceeds this value, the time on the server will not be adjusted.
The recommended value is 3600 seconds (1 hour). If the time would drift beyond the value, it usually means the external time source is no longer valid, and thus, corrections are not advisable.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
This value is the maximum negative correctable time difference. If the time difference between the server and the external time source exceeds this value, the time on the server will not be adjusted.
The recommended value is 3600 seconds (1 hour). If the time would drift beyond the value, it usually means the external time source is no longer valid, and thus, corrections are not advisable.

For each of the registry subkeys mentioned above, adjust the values to the recommendations, or fill in your own to accommodate your needs.

  1. Start up regedit.
  2. Navigate to each of the registry subkeys mentioned in the list above. If a subkey is not mentioned in the list, leave it at its current value.
  3. Change the value of the subkey. Take note that values mentioned here are in decimal formatting. Be sure to set the entry to decimal before typing in the new value.
  4. Repeat for the other keys.
    When done, restart the time service for the changes to take effect:
    net stop w32time && net start w32time
    You can also apply the changes by sending an "update" command to the service so it re-reads all values from the registry:
    w32tm /config /update
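The whole procedure above, from the forest-root check in the warning through the AnnounceFlags, peer list and polling values, collected into one script. This is an added example and not code from the original article; it assumes an elevated PowerShell session on the DC with the ActiveDirectory module available, and the peer list and 900-second poll interval are the article's values.

```powershell
# Added example (not from the original article): apply the article's settings on a
# forest-root DC and refuse to run on a DC in a child domain, as the warning requires.
# Assumes an elevated session and the ActiveDirectory module.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$Peers = '0.europe.pool.ntp.org 1.europe.pool.ntp.org'   # at least two pool servers

# Only a DC in the forest root domain may sync with an external source.
$forestRoot = (Get-ADForest).RootDomain
$thisDomain = (Get-ADDomain).DNSRoot
if ($thisDomain -ne $forestRoot) {
    throw "This DC is in '$thisDomain', not the forest root '$forestRoot'. Leave it on the domain hierarchy."
}

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Registry values from the article; all decimal, written as REG_DWORD so the
# "set the entry to decimal first" pitfall of regedit cannot occur.
$settings = @{
    "$w32\Config"                  = @{ AnnounceFlags = 5; MaxPosPhaseCorrection = 3600; MaxNegPhaseCorrection = 3600 }
    "$w32\TimeProviders\NtpClient" = @{ SpecialPollInterval = 900 }
}
foreach ($key in $settings.Keys) {
    foreach ($name in $settings[$key].Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $settings[$key][$name] -Type DWord
    }
}

# Point the NTP client at the manual peer list instead of the domain hierarchy,
# then make the service re-read its configuration and resync immediately.
w32tm /config /syncfromflags:MANUAL "/manualpeerlist:$Peers"
w32tm /config /update
w32tm /resync

# Confirm the effective source is one of the configured peers.
$source = (w32tm /query /source | Out-String).Trim()
if ($Peers.Split(' ') -notcontains $source) {
    Write-Warning "Current source is '$source'; external sync is not yet effective. Re-check with 'w32tm /query /status'."
}
```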

Testing the time service and its external time sync

The w32tm command provides several query subcommands to check the status of the service and the polling statistics of the external time source(s). It is recommended to query these after configuring the server, to be sure everything is working properly. It is also recommended to re-check regularly, to ensure the server continues to sync its time properly with the configured external time source(s).

In our example, I've configured two internet time sources to synchronize to. By default, only one will be selected as the effective time source, and this will always be the source with the lowest stratum.

To show a list of the current configured external time sources (= peers) and their status:

w32tm /query /peers
Output
#Peers: 2

Peer: 0.europe.pool.ntp.org
State: Active
Time Remaining: 360.6858276s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 1.europe.pool.ntp.org
State: Active
Time Remaining: 872.8431986s
Mode: 1 (Symmetric Active)
Stratum: 1 (primary reference - syncd by radio clock)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

In our example, it is also revealed that one of our time sources is a stratum 1 server (1.europe.pool.ntp.org), and our server will prefer this one over the other server (0.europe.pool.ntp.org), which is a stratum 2 server. This can be seen with the following command:

w32tm /query /source
Output
1.europe.pool.ntp.org

To view our own server's status:

w32tm /query /status
Output
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0467207s
Root Dispersion: 0.0282473s
ReferenceId: 0xD4070183 (source IP: 212.7.1.131)
Last Successful Sync Time: 19/06/2015 12:45:01
Source: 1.europe.pool.ntp.org
Poll Interval: 10 (1024s)

This shows our own server's status in more detail. It confirms the active external time source and shows what stratum our server has. Because our server is synced with a stratum 1 server, it is itself a stratum 2 server. Furthermore, it reveals how accurate our own clock is, the clock dispersion, and some polling statistics.
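The regular re-check recommended above, turned into a function that parses the output of w32tm /query /status and flags the failure modes this article describes: a source that is not one of the configured peers, an invalid stratum, and a last successful sync that is too old, which matters because with AnnounceFlags set to 5 the DC keeps serving time to the domain even when its external peers are unreachable. This is an added example, not part of the original article; the function name, the two-hour MaxSyncAge threshold and the parameters are my own, and the sample text is the article's own status output.

```powershell
# Added example (not from the article): health check over 'w32tm /query /status' output.
function Test-W32TimeStatus {
    param(
        [string[]]$StatusText = (w32tm /query /status),
        [string[]]$ExpectedPeers = @('0.europe.pool.ntp.org', '1.europe.pool.ntp.org'),
        [timespan]$MaxSyncAge = [timespan]::FromHours(2),
        [string]$DateFormat = 'dd/MM/yyyy HH:mm:ss',   # w32tm prints the OS locale's format
        [datetime]$Now = (Get-Date)
    )
    # Turn the "Key: value" lines into a hashtable (values may contain further ':').
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $problems = @()

    # Leap indicator 3 means the service is not synchronised with any source.
    if ($fields['Leap Indicator'] -match '^3') { $problems += 'not synchronised (leap indicator 3)' }

    # Stratum 0 or 16 means no valid reference; fed by a pool server the DC should be 2 to 4.
    $stratum = [int]($fields['Stratum'] -replace '\D.*$', '')
    if ($stratum -lt 1 -or $stratum -ge 16) { $problems += "invalid stratum $stratum" }

    # The effective source must be a configured peer, not the local clock.
    if ($ExpectedPeers -notcontains $fields['Source']) { $problems += "unexpected source '$($fields['Source'])'" }

    # A stale last sync means the peers have been unreachable for a while.
    $lastSync = [datetime]::ParseExact($fields['Last Successful Sync Time'], $DateFormat, $null)
    $age = $Now - $lastSync
    if ($age -gt $MaxSyncAge) { $problems += "last successful sync $([int]$age.TotalMinutes) minutes ago" }

    [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Stratum = $stratum; Source = $fields['Source']; Problems = $problems }
}

# Constructed check against the article's own sample output (dates are dd/MM/yyyy).
$sample = @'
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0467207s
Root Dispersion: 0.0282473s
ReferenceId: 0xD4070183 (source IP: 212.7.1.131)
Last Successful Sync Time: 19/06/2015 12:45:01
Source: 1.europe.pool.ntp.org
Poll Interval: 10 (1024s)
'@ -split "`r?`n"
Test-W32TimeStatus -StatusText $sample -Now ([datetime]'2015-06-19 13:00:00')   # Healthy = True
Test-W32TimeStatus -StatusText $sample -Now ([datetime]'2015-06-20 13:00:00')   # flags the stale sync
```

Run without -StatusText and -Now on the DC itself to check the live service; scheduling it and alerting on Healthy = False covers the "regularly re-check" advice above.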