"It's Simple!" - Time Configuration in Active Directory - NEPA PFE

Its Simple! Time Configuration in Active Directory NEPA PFE https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-...
This site uses cookies for analytics, personalized content and ads. By continuing to browse this site, you agree to this use.
Learn more (https://go.microsoft.com/fwlink/?linkid=845480)
(http://technet.microsoft.com/)| TechNet Search
Sign in (https://blogs.technet.microsoft.com/wp-login.php?aadsso_action=login)
Follow Us
Its Simple! Time Configuration in

Active Directory (https://blogs.technet.microsoft.com
/nepapfe/feed/)
Rate this article

Mohamed Tawfik AMHIL (https://social.technet.microsoft.com/profile/Mohamed+Tawfik+AMHIL) March 1, Popular Tags

2013 Active Directory
31 (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time- (https://blogs.technet.microsoft.com
configuration-in-active-directory/#comments) /nepapfe/tag/active-directory/
Share 3 6 12 Exchange
(https://blogs.technet.microsoft.com
/nepapfe/tag/exchange/)
Exchange 2013
/nepapfe/tag/exchange-2013/
Availability
/nepapfe/tag/availability/)
Cluster
/nepapfe/tag/cluster/)
Video
/nepapfe/tag/video/)
Group Policy
/nepapfe/tag/group-policy/)
2012
/nepapfe/tag/2012/)
GPO
/nepapfe/tag/gpo/)
Exchange 2007
/nepapfe/tag/exchange-2007/
SCOM
/nepapfe/tag/scom/)
1 de 11 9/28/2017 8:58 a. m.
we? DAG
So you said Time Configuration right? Why should we care at the first place?
/nepapfe/tag/dag/)
It's simple! Active Directory can't work correctly (or at all) if the clock is not synchronized around
domain controllers/member machines. System Center
For example, in Kerberos V5, computers that are more than 5 minutes out of sync will not /nepapfe/tag/system-center/
authenticate (which is configurable by GPO: Maximum tolerance for computer clock
synchronization in Computer Configuration\Windows Settings\Security Settings\Account Upgrade
Policies\Kerberos Policy). (https://blogs.technet.microsoft.com
/nepapfe/tag/upgrade/)
Another example is replication, Active Directory uses time stamps to resolve replication conflicts.
Migrate Profile Data
Now, let's see how time should be configured in Active Directory:
1. In Active Directory, we use the Windows Time service for clock synchronization: /nepapfe/tag/migrate-profile-data/
W32Time,
USMT
2. All member machines synchronizes with any domain controller,
3. In a domain, all domain controllers synchronize from the PDC Emulator of that domain:
/nepapfe/tag/usmt/)
using NT5DS (which simply means: follow the domain hierarchy and get me my PDC
emulator) PDC Emulator
4. The PDC Emulator of a domain should synchronize with any domain controller of the (https://blogs.technet.microsoft.com
parent domain: using NTP, /nepapfe/tag/pdc-emulator/)
5. The PDC Emulator of the root domain in a forest should synchronize with an external
time server (could be clock device, a router, another standalone server, an internet time Outlook
server) (https://blogs.technet.microsoft.com
/nepapfe/tag/outlook/)

Time Configuration
/nepapfe/tag/time-configuration/
FSMO
/nepapfe/tag/fsmo/)
Archives
March 2014
/nepapfe/2014/03/)(1)
February 2014
/nepapfe/2014/02/)(2)
January 2014
/nepapfe/2014/01/)(2)
December 2013
/nepapfe/2013/12/)(1)
November 2013
(https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com /nepapfe/2013/11/)(3)
/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/98/03/IB_Post1_Img October 2013
/7802.image002.gif) (https://blogs.technet.microsoft.com
/nepapfe/2013/10/)(1)
July 2013
But how do I configure time in my Active Directory? (https://blogs.technet.microsoft.com
/nepapfe/2013/07/)(1)
Well, it's simple! Normally it should be set correctly if we don't modify it in purpose, April 2013
Otherwise, we do provide some tools for that: w32tm.exe command-line utility and GPO (https://blogs.technet.microsoft.com
/nepapfe/2013/04/)(1)
Using w32tm.exe March 2013
Run the following command on the PDC emulator: /nepapfe/2013/03/)(1)
2 de 11 9/28/2017 8:58 a. m.
w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update All of 2014

(where timeserver is a space delimited list of your time source servers)
/nepapfe/2014/)(5)
Once done, restart W32Time service. All of 2013

/nepapfe/2013/)(9)
Run the following command on all other DCs (that are not PDC):
w32tm /config /syncfromflags:domhier /update
Once done, restart W32Time service.
Using GPO with WMI filter

Using a GPO is always better to automate as much as possible (and of course in case we had to
transfer the PDC role to another DC):
Create a GPO and link it to the Domain Controllers container

Set a WMI filter to target the PDC emulator, using the following syntax:
Select * from Win32_ComputerSystem where DomainRole

=5
Open the GPO for edition and go to: Computer Configuration\Administrative

Templates\System\Windows Time Service\Time Providers then Configure Windows
NTP Client + Enable Windows NTP Client

(https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com
/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/98/03/IB_Post1_Img
/8540.image004.jpg)
Quick note: NtpServer contains a space-delimited time source servers with the format: Name-
or-IP,server-flag
All non-PDC domain controllers should be set to NT5DS (domain hierarchy).

3 de 11 9/28/2017 8:58 a. m.
Creating a global settings GPO

Create a GPO and link it to Domain Controllers organizational unit,

Edit the settings under: Computer Configuration\Administrative Templates\System
\Windows Time Service\Time Providers then Global Configuration Settings
Depending on the use, you may leave the default values.

Checking
You can check the registry entries if the domain controller is using NTP (should be on PDC)
or NT5DS (on non-PDC):
Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Services\W32Time\Parameters
You can also check for time advertisement on the PDC by running this command w32tm.exe
/resync /rediscover /no_wait, then check for Event ID 139
To check the source time server: w32tm /query /status
Side notes:
Please note that we recommend using w32tm command-line utility instead of "net time"
command (why? (http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-
w32time.aspx)),
We recommend using w32tm or GPO tools to configure time services instead of registry tool,
The PDC should not synchronize with itself (RFC 1305 (http://www.rfc-editor.org/)),
More details on the WMI filter here (http://blogs.technet.com/b/askds/archive/2008/11
/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx) and GPO
time settings here (http://blogs.msdn.com/b/w32time/archive/2009/02/02/group-policy-settings-
explained.aspx).
About NtpServer value syntax and server flags here (http://blogs.technet.com/b/askds/archive
/2007/11/01/configuring-your-pdce-with-alternate-time-sources.aspx) and here
(http://blogs.msdn.com/b/w32time/archive/2008/02/26/configuring-the-time-service-ntpserver-
and-specialpollinterval.aspx).
Hope its simple now!
Imed Boukhaf from NEPA team.
Tags Active Directory (https://blogs.technet.microsoft.com/nepapfe/tag/active-directory/) FSMO

(https://blogs.technet.microsoft.com/nepapfe/tag/fsmo/) PDC Emulator
(https://blogs.technet.microsoft.com/nepapfe/tag/pdc-emulator/) Time Configuration
(https://blogs.technet.microsoft.com/nepapfe/tag/time-configuration/)
Comments (31)
Name *
Email *
Website
Post Comment
Anonymous
September 28, 2017 at 12:58 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03
/01/its-simple-time-configuration-in-active-directory/#comment-6)
4 de 11 9/28/2017 8:58 a. m.
is there any way to find/ping the pdc emulators FQDN ?
Reply (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-
configuration-in-active-directory/?replytocom=6#respond)
Anonymous
Love the blog. one thing missing is the owner of this thread. Got Some comments that I want
to share offline
Anonymous
missprint in w32tm.exe /resync /rediscover /no_wait
right is w32tm.exe /resync /rediscover /nowait
johnredd (https://social.technet.microsoft.com/profile/johnredd)
September 14, 2013 at 8:16 am (https://blogs.technet.microsoft.com/nepapfe/2013/03
The location of the registry is different when you configure NTP using group policy. For that
matter any setting using Group Policy.
In this case: After applying the Global settings the path should be checked in the below REG
path.
HKEY_LOCAL_MACHINESOFTWAREPOLICIESMICROSOFTW32TimeParameters
Frei
October 25, 2013 at 10:07 am (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
simple-time-configuration-in-active-directory/#comment-39)
Thanks a lot JR, PDC was ignoring any w32tm configuration changes, policies were "not
configured".
The only assumption i could come to, was that something is overriding all of the changes,
and found it in the registry you specified.
Martin
January 24, 2014 at 6:22 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
Hi,
i understand the concept of DCs talking to PDC, talking to external NTP

butis there a technical reason, not to sync all DCs directly with external NTP servers ?
All non-PDC domain controllers should be set to NT5DS (domain hierarchy)
or, is it better to create a new GPO, and then add the DomainRole = 5 filter ?
how do i make sure my DCs sync from my PDC ? i am asking cause i have DCs out of sync by
2 mins
Thanks
Martin
David
February 26, 2014 at 6:14 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
5 de 11 9/28/2017 8:58 a. m.
@Martin, To ensure your other DCs are configured to point to the DC with the PDC emulator
role, you can create another GPO with the default NT5DS settings and apply a WMI filter that
will filter for DC without the PDC emulator role Select * from Win32_ComputerSystem where
DomainRole = 4.
nick
March 19, 2014 at 7:07 am (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
Its simple? Here are some problems Ive run into as someone who is not a guru in Active
Directory or Group Policy Objects but who can follow along your directions:
1. Open the GPO for edition what does that mean? What edition?
2. Ive assumed this means open the GPO that I created by clicking around since you dont
explain how this gets created, however under Computer Configuration I dont see
Administrative Templates available. Oh, wait its actually Computer
ConfigurationPoliciesAdministrative Templates
3. I assume by then Configure Windows NTP Client + Enable Windows NTP Client that you
mean to Edit the Configure Windows NTP Client policy setting, change the radio button to
Enabled and change the Type option to NTP, leaving all other settings at their defaults.
You also mean by Enable Windows NTP Client that you should Edit the Enable Windows
NTP Client policy and change the radio button to Enabled.
4. You say we do provide some tools for that: w32tm.exe command-line utility and GPO.
You then go on to list three sub-bullets for w32tm.exe, GPO, and Creating a global
settings GPO plus a fourth one for Checking which should be a way of verifying the above?
Presumably these are meant to be either-or, but why do you mention only two options but
list three? Maybe Creating a global settings GPO is not optional?
5. Under Creating a global settings GPO, you say Depending on the use, you may leave the
default values. But depending on what use? How does it depend? Im going to assume that
this was a third alternative which is not necessary since Ive already setup a GPO. Besides
which, the instructions here are also incorrect. The Global Configuration Settings policy is
not under SystemWindows Time ServiceTime Providers its directly under
SystemWindows Time Service.
Next time, it would be quite helpful to explain the steps as if the person you are explaining it
to does not already possess the body of knowledge that you have. You make far too many
assumptions and youre also sloppy in your descriptions, giving the incorrect details from
faulty memory instead of double-checking so that you provide correct information. All in all,
it makes for a very Not Simple! guide to try and follow.
Damin Fiorito
March 19, 2014 at 3:12 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
Its very clear for me and works great. Now, we have a policy for both domain controllers
primary and secondary (in my case), the question is, how can i synchronize my computers in
the domain (windows 7, 8, xp etc) with this dcs? With a logon script with net time or with
another gpo pointing to the dcs?
I would appreciate your help.
PS: obvious that these tasks require a basic knowledge of server administration, this post was
the most clear regarding time sincronization,.
Thanks
Damin Fiorito
Neer Patel
6 de 11 9/28/2017 8:58 a. m.
A little more details.. maybe with examples of what youd entire in the fields would help a lot!
Cem Onur
April 14, 2014 at 9:38 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
This was a very poorly written technical documentation. It reads like its been written during a
coffee break. No quality control, jumps from topic to topic, no clear path of information flow.
It is in severe need of editing and quality control. Even the sentences are incoherent and
sound like thought streams, not instructions. We need this information, but we need it in
such a way that we can read, and implement, step by step.
Thank you
Yer Scroogled
April 24, 2014 at 4:40 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
This article is useless because the person who wrote it just copied it from a TechNet
article. He probably doesnt even understand what hes doing and thats why it sucks!! If you
want to see the actual article and get all the information that is missing then check this link
out:
http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-
server-with-group-policy-using-wmi-filtering.aspx (http://blogs.technet.com/b/askds/archive
/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-
filtering.aspx)
Come on man, if youre going to copy someone at least reference their work at the bottom!
Hey Nick, I doubt that he has any body of knowledge at all.
Mat
August 25, 2014 at 10:24 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
Really dodgy article. No background of understanding. Poor communication. "Its simple"?!
What a load of rubbish, the author doesnt even specify how to configure clients in a domain
to look to their domain controller server for time rather than an external
time source!
Vastly lacking in detail for the more technical, and sadly very unclear for even basic
configuration requirements in an AD domain.
Trix
September 4, 2014 at 10:27 am (https://blogs.technet.microsoft.com/nepapfe/2013/03
I have to agree with the concerns about the quality of this article. The layout is non-existent
and the general quality is poor. You can have a friendly style, but still make it readable.
I do think it accurately includes the basics, but it doesnt make it very clear what youre doing
at a particular step, and why.
Sure, you probably dont need to mention all the scenarios, and I actually think the references
at the end are fine, but they should have much better descriptive detail.
As for Mats query about how to configure the clients, you shouldnt need to do so
specifically if they are joined to the domain and using the default configuration. But it might
help to state that in black and white (and maybe link to some info about how to
reset to the defaults for domain clients).
7 de 11 9/28/2017 8:58 a. m.
Daniel Miranda Ulate

October 16, 2014 at 7:25 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
Excelent, It worked flawlessly.
Andy
November 11, 2014 at 11:34 am (https://blogs.technet.microsoft.com/nepapfe/2013/03
You may find this article about synchronizing windows using NTP more informative:
http://www.timetoolsglobal.com/2013/06/21/how-to-synchronize-microsoft-windows-to-
a-ntp-server-1/ (http://www.timetoolsglobal.com/2013/06/21/how-to-synchronize-microsoft-
windows-to-a-ntp-server-1/)
Other article references are bad and outdated

Wow, hard to believe all of the foul comments being posted about this FREE article. It is much
more up to date and to the point than the other articles, both of which require editing the
registry directly, something you would be hard-pressed to get approved
in change control versus PowerShell commands IMHO. And, no, it isnt a repeat of someone
elses work unless you mean it summarizes and presents freely available Microsoft
documentation in a different format, which pretty much sums up every blog post on the
Internet.
Grow up, people.
Josh Dauwalter
This guide was great. Got a clients servers times all syncd up from the DC with this.
Name
"Open the GPO for edition and go to:" makes no sense
Arptro
Usually TechNet articles are the gospel. They should have reviewed and removed this one. I
think this GPO is going to lead to multiple sources of time if you move the PDC emulator
role.
DARIUS
June 2, 2015 at 11:09 am (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
8 de 11 9/28/2017 8:58 a. m.
Actually what would have been good is an idea of what you should receive when you run
"w32tm /query /Status"
So that you know if you got it right.
Cause there is no "check that you set it up correct like this" section of the article
ethernaut.org (https://social.technet.microsoft.com/profile/ethernaut.org)
June 4, 2015 at 2:04 pm (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
When I applied this WMI Filter in Windows Server 2012 R2 I received an error message about
the namespace, however the policy still worked. I would suggest ignoring the error and
manually verifying that the policy worked by looking in the registry on your
DCs. Many other people have also had this problem as indicated in this other post:
(https://social.technet.microsoft.com/Forums/windowsserver/en-US/e554a894-6481-4f94-
aa06-5b1a1b76c97f/gpo-wmi-filters-are-failing?forum=winserverGP)https:
//social.technet.microsoft.com/Forums/windowsserver/en-US/e554a894-6481-4f94-
aa06-5b1a1b76c97f/gpo-wmi-filters-are-failing?forum=winserverGP
(https://social.technet.microsoft.com/Forums/windowsserver/en-US/e554a894-6481-4f94-
aa06-5b1a1b76c97f/gpo-wmi-filters-are-failing?forum=winserverGP)
ethernaut.org (https://social.technet.microsoft.com/profile/ethernaut.org)
w32tm /monitor is another great way of testing settings. The RefID field shows where each
DC is pulling time from, everything other than your PDC should show the DNS name of the
PDC as its source. FYI if you are using pool.ntp.org as your upstream time,
the PDC RefID entry will show the specific member of the pool you most recently pulled time
from instead of the pool.ntp.org DNS names
kjstech
would I also use this same group policy element in a GPO attached to an OU where client
computers reside to point the time synchronization to our domain controller?
For example I had a pc yesterday where the time was 2 minutes ahead. Ran net time \dc1 and
saw the proper domain time. Ran net time \computername and I saw time that was 2 minutes
ahead. I tried the command w32tm /config /syncfromflags:domhier /update and
it said that Windows Time Service was not running. I tried net time \dc1 /set /y and it was
access denied. I think I was able to remotely start the w32tm service via an MMC snap in, and
remotely execute that w32tm sync command via psexec as an admin and I
believe that worked.
But instead of doing this per pc as people call, Id rather have it automated. The only change
we made recently was a GPO to remove "Domain Users" from the local administrators group
on the machines. We used to run as local admins for application compatibility,
but we recently worked hard on getting the right permissions changes to certain files and
folders that were required for our apps to run properly, so we took local admin away so
people can run things like mimikatz out of the metasploit package in order to
get cleartext passwords and use that account to spread malware to every other pc under that
local admin context.
dsabbott
9 de 11 9/28/2017 8:58 a. m.
This article is GREAT! It gave me, an experienced admin, everything I needed to know quickly
and simply so I didnt have to spend a lot of time researching the basics. I can now go
forward ON MY OWN. Thanks and love the diagram!
anonymouscommenter
A host of reference material for AD and Group Policy
R.Serg
If you guys need great time accuracy (1-5ms) on your network I would like you to take a look
at NTS software (includes NTP server/client apps for Windows)
http://nts.softros.com (http://nts.softros.com)
Bryan Heath (https://social.technet.microsoft.com/profile/Bryan+Heath)

November 20, 2015 at 8:20 am (https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-
FYI If time synchronization enabled on Virtual Domain Controllers they will default to the
VM IC Time provider. I referred to the following to resolve the issue in Hyper-V.
https://technet.microsoft.com/en-us/library
/virtual_active_directory_domain_controller_virtualization_hyperv
(https://technet.microsoft.com/en-us/library
/virtual_active_directory_domain_controller_virtualization_hyperv)(WS.10).aspx
"For virtual machines that are configured as domain controllers, it is recommended that you
disable time synchronization between the host system and guest operating system acting as
a domain controller. This enables your guest domain controller to synchronize
time from the domain hierarchy.
To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time
synchronization check box under Integration Services."
P.S. thanks for the tidbits on the WMI filter queries for PDCE and non PDCE systems. It may
help to update the Wiki so we dont have to peruse the comments.
ajhstn
I would like to do this with GPs. I see you have configured a GP for the PDC emulator, using
the filter and configuring the external time provider using "NTP".
For my other DCs, do I need a 2nd GP, to configure them to use "w32tm /config
/syncfromflags:domhier /update "
rather then manually going to every DC and running this?
TimeMaster
Thank you for writing this arcticle. Very helpful.
10 de 11 9/28/2017 8:58 a. m.
SprintGeek
I found this article helpful. Thank you!
Privacy & Cookies (https://msdn.microsoft.com/dn529288)

(https://www.microsoft.com
Terms of Use (https://msdn.microsoft.com/cc300389) 2017 Microsoft
Trademarks (https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/EN-U
11 de 11 9/28/2017 8:58 a. m.

"It's Simple!" - Time Configuration in Active Directory - NEPA PFE

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

"It's Simple!" - Time Configuration in Active Directory - NEPA PFE

Hochgeladen von

Copyright:

Verfügbare Formate

Its Simple! Time Configuration in Active Directory NEPA PFE https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-...

(http://technet.microsoft.com/)| TechNet Search

Its Simple! Time Configuration in

Mohamed Tawfik AMHIL (https://social.technet.microsoft.com/profile/Mohamed+Tawfik+AMHIL) March 1, Popular Tags

w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update All of 2014

Once done, restart W32Time service.

Using GPO with WMI filter

Create a GPO and link it to the Domain Controllers container

Select * from Win32_ComputerSystem where DomainRole

Open the GPO for edition and go to: Computer Configuration\Administrative

All non-PDC domain controllers should be set to NT5DS (domain hierarchy).

Creating a global settings GPO

Create a GPO and link it to Domain Controllers organizational unit,

Hope its simple now!

Imed Boukhaf from NEPA team.

Tags Active Directory (https://blogs.technet.microsoft.com/nepapfe/tag/active-directory/) FSMO

is there any way to find/ping the pdc emulators FQDN ?

i understand the concept of DCs talking to PDC, talking to external NTP

Hey Nick, I doubt that he has any body of knowledge at all.

Daniel Miranda Ulate

Other article references are bad and outdated

Grow up, people.

Bryan Heath (https://social.technet.microsoft.com/profile/Bryan+Heath)

rather then manually going to every DC and running this?

Privacy & Cookies (https://msdn.microsoft.com/dn529288)

Das könnte Ihnen auch gefallen