NTP role in a Windows domain controller

The NTP port is used by the Network Time Protocol to synchronize computer clocks over packet-switched networks with variable data latency.

Time is one of the most important settings in a domain, and it follows a hierarchy among the domain's members.

Among the domain controllers, the DC with the PDC Emulator FSMO (Flexible Single Master Operations) role is the time master in the domain. It uses its own BIOS time, but this should be changed to another time source that is able to act as a time provider, such as an NTP hardware device, routers, layer 3 switches or external time servers.

Why domain members require the correct time
Kerberos V5 authentication needs it: to prevent “replay attacks,” Kerberos V5 uses time stamps as part of its protocol definition.
The default maximum time tolerance is 5 minutes. It is defined with a Group Policy setting and should not be changed.

GPO setting:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\“Maximum tolerance for computer clock synchronization”

Port Number: 123
Protocol / Name: ntp

Required ports for DC

Kerberos: 88 (TCP and UDP)
DNS: 53 (TCP and UDP)
LDAP: 389 (TCP and UDP), 636 (TCP)
SMB/CIFS: 445 (TCP and UDP)
NTP: 123 (TCP and UDP)
135, 49156, 49158 (TCP)
NetBIOS: 137-139
RPC: 135
RDP: 3389
RPC randomly allocated high TCP ports: 1024-65535
LDP: 389
GC, LDP: 3268

Domain sync with external authoritative NTP servers
The DC that holds the FSMO role (PDC emulator) is set up for type NT5DS.

If you need to set up the PDC to get its time from an external time source (normally it is time.windows.com), run the following commands.

To display the time difference between the local computer and a target computer:
w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly

Then configure the PDC emulator with the external server:

w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update

Replace time.windows.com with your time server, or use ntp.org (0.pool.ntp.org).

Then restart the service with net stop w32time and net start w32time.

Note: SyncFromFlags options
MANUAL – sync from peers in the manual peer list
DOMHIER – sync from an AD DC in the domain hierarchy
NO – sync from none
ALL – sync from both manual and domain peers
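
The stripchart check above can be compared directly with the 5-minute Kerberos tolerance. This is an added example, not part of the original post: Get-ClockSkewReport, the 60-second warning threshold and the sample lines are constructed for illustration.

```powershell
# Added example: parse "w32tm /stripchart ... /dataonly" output and compare the
# worst offset with the Kerberos clock tolerance (5 minutes by default).
function Get-ClockSkewReport {
    param(
        [Parameter(Mandatory)] [string[]] $StripchartLines,
        [double] $MaxSkewSeconds  = 300,   # Kerberos "maximum tolerance" default
        [double] $WarnSkewSeconds = 60     # assumed early-warning threshold
    )
    $offsets = @()
    $errors  = 0
    foreach ($line in $StripchartLines) {
        # Data lines look like "14:02:09, +00.0312457s"; failed samples say "error: 0x..."
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            $offsets += [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        } elseif ($line -match 'error') {
            $errors++
        }
    }
    if ($offsets.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NoData'; WorstOffsetSeconds = $null; Samples = 0; Errors = $errors }
    }
    # The sign only says which clock is ahead; Kerberos cares about the magnitude.
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -ge $MaxSkewSeconds) {
        $status = 'ExceedsKerberosTolerance'
    } elseif ($worst -ge $WarnSkewSeconds) {
        $status = 'Warning'
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{ Status = $status; WorstOffsetSeconds = $worst; Samples = $offsets.Count; Errors = $errors }
}

# Constructed sample output (not captured from a real host)
$sample = @(
    'Tracking time.windows.com [constructed sample].',
    '14:02:09, +00.0312457s',
    '14:02:11, +00.0298811s',
    '14:02:13, error: 0x800705B4',
    '14:02:15, -412.5571203s'
)
Get-ClockSkewReport -StripchartLines $sample

# Live use:
# Get-ClockSkewReport -StripchartLines (w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly)
```

Pointing /computer: at a domain controller instead of the external source measures the skew that Kerberos actually evaluates for a member.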

To set members to automatic domain time synchronization:
w32tm /config /syncfromflags:domhier /update

After that, restart the service using the following commands:
net stop w32time
net start w32time

To set the local time from a time server:
net time \\timesrv /set /yes
The same command shows the time on a remote system or in a domain:
net time \\computername
net time /domain:domainname

To reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run:

w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run:
net stop w32time
net start w32time

Registry settings in members
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\

Modify the “Type” value to “Nt5Ds”, without the quotes.

Group policy settings
Configure Global Configuration Settings here

Computer Configuration\Policies\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings here

Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

How to reset the time service to a default state
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Configure using Microsoft tools
Configuring the Windows Time service to use an internal hardware clock

Some of the event IDs related to NTP
Event ID 12: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source.
Event ID 24: Time Provider NtpClient: No valid response has been received from domain controller DC-DNS.domain.org [this is our primary DC] after 8 attempts to contact it.
Event ID 36: The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp.
Event ID 50: The time service detected a time difference of greater than 5000 milliseconds for 900 seconds.
Event ID 129: NtpClient was unable to set a domain peer to use as a time source because of discovery error.
Event ID 131: NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on ”.
Event ID 142: The time service has stopped advertising as a time source because the local clock is not synchronized.
Event ID 144: The time service has stopped advertising as a good time source.
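
To see which of these events a machine has logged recently, the System log can be queried and summarized per event ID. This is an added example, not part of the original post: Get-TimeServiceEventSummary is a hypothetical helper, the provider name and the "loss of sync" grouping are assumptions, and the meanings are shortened from the list above.

```powershell
# Added example: summarize the time-service events listed above from the local System log.
function Get-TimeServiceEventSummary {
    param([int] $Days = 7)

    $meaning = @{
        12  = 'Configured to use the domain hierarchy'
        24  = 'No valid response from domain controller'
        36  = 'Not synchronized for 86400 seconds'
        50  = 'Time difference greater than 5000 ms'
        129 = 'No domain peer: discovery error'
        131 = 'No domain peer: DNS resolution error'
        142 = 'Stopped advertising: local clock not synchronized'
        144 = 'Stopped advertising as a good time source'
    }
    $lossOfSync = 36, 50, 142, 144   # assumed grouping: the clock may be drifting

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'   # assumed provider name
        Id           = @($meaning.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: "no matching events" is reported as an error, not as empty output
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                Id         = $id
                Count      = $_.Count
                LastSeen   = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
                LossOfSync = $lossOfSync -contains $id
                Meaning    = $meaning[$id]
            }
        } |
        Sort-Object -Property LossOfSync, LastSeen -Descending
}

Get-TimeServiceEventSummary -Days 7 | Format-Table -AutoSize
```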

Some useful commands
Show which server this machine is syncing with: w32tm /query /source

Local CMOS Clock

Find the time on servers: w32tm /monitor /domain:domainname /computers:ip1,ip2

Display the current time zone settings.

w32tm /tz
Display the values associated with a given registry key.
The default key is HKLM\System\CurrentControlSet\Services\W32Time

w32tm /dumpreg



Posted on December 4, 2013, in Uncategorized, Windows.