Active Directory Environment

Well as most know, when you create your first Active Directory Domain Controller (DC), it hosts a role called the PDC Emulator. This is the top of the time food chain for every domain member. If the time on this computer goes out of sync with the real world, so with the rest of your domain members.

Let’s take a look at a few AD scenarios.

Scenario 1

  1. You create your first DC (It has the PDC Emulator)
  2. You add a domain member
  3. You add another domain member
  4. Both domain members will query the DC for their time
  5. This scenario seems pretty straight forward.

Scenario 2

  1. You create your first DC (It has the PDC Emulator)
  2. You create 2 more DCs for a total of 3 DCs
  3. You add a domain member
  4. You add another domain member
  5. Both domain members query ANY domain controller for time regardless of where the PDC emulator role is
  6. The DCs that do no have the PDC emulator role will query the PDC for the time and then respond to any time requests

Recap:

  1. So now you can see all DCs without the PDC emulator role sync from the DC (scenario 2) with the PDC emulator role (Top of the time food chain)
  2. All DCs will be in sync and then will respond to any inbound time requests
  3. All domain members will contact a DC within their AD site boundary and request their time

Problem

In most environments that works great. But the question you may have is, where does the PDC Emulator get its time from? Unfortunately, Microsoft has to make some assumptions about every environment. The first DC that is installed will actually try and sync it’s time from time.windows.com.

Thoughts to Ponder on

  1. Where is your closest time server on the internet?
  2. Have you disabled time sync through the VM tools for the virtual DCs?
  3. If using non-Microsoft Virtualization hosts, where do they sync their time from?
  4. Do you sync from your cloud providers time, or have your DC (PDC Emulator) control the time?
  5. In my primary AD site where I usually host my PDC Emulator role, I generally force all of those DCs to time sync manually from an external time source. This means that if someone needs to move the PDC emulator role for whatever reason to another DC, time sync will continue working, or are you fine with using time.windows.com?

Workgroup Environment

Time sync is still great to have in a workgroup but is generally less scrutinized if it’s out of sync by a few seconds, perhaps in some rare cases a few minutes. At the end of the day it’s the same Windows Service that corrects the clock. The difference between a more precise and accurate time on a domain joined machine and a workgroup machine generally fall into 3 changes that take place when a machine is joined to AD. These values are stored in the registry.

Windows Time Service Configuration

The windows time service has tons of difference configurations and values that be configured via w32tm.exe or directly through the registry.

HKLM\System\CurrentControlSet\Services\W32Time

The time service, like many other services and configurations is now hooked into the Windows Task Scheduler. This is essentially what starts the time service, not the services control panel.

Querying the Windows Time Service Configuration

There are several commands that I like to use to see what is going on with the Windows Time Service. The registry works, but knowing these commands is better. The few details that I try and take away from the output of these commands are:

  • Type (NT5DS – This means from your DC, or NTP)
  • NTPServer (This value is used only when type is NTP. This is where we get our time from on the internet or even tell a workgroup computer to use a Domain Controller)
  • UpdateInterval (I like using 30,000 which is the domain default)
  • SpecialPollInterval (I like using 3600 which is the domain default)

Displaying the configuration

W32tm /query /configuration [/verbose]

Viewing the registry values

W32tm /dumpreg /subkey:parameters

Modifying the Windows Time Service Configuration

Configuring a computer to sync from an external location

W32tm.exe /config /syncfromflags:MANUAL /manualpeerlist “0.pool.ntp.org,0x9 1.pool.ntp.org,0x9”

Configuring a domain computer to sync the AD DCs

W32tm.exe /config /syncfromflags:DOMHIER

Configuring a workgroup computer to sync like a domain computer

As mentioned above, regardless of workgroup or domain joined, both use the Windows Time Service. By default, a workgroup computer will check/poll for time updates every 604,800 seconds (every 7 days). It will also slowly correct the clock to bring it into sync every 360,000 clock cycles (ticks). This is so we don’t disrupt the computer as time is not considered mission critical. A domain joined member’s values will be modified to check for new time every hour and will bring the clock closer into synchronization every 30,000 clock cycles (ticks). This drastically shortens the convergence of the time synchronization between all devices in the domain.

reg ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v UpdateInterval /t REG_DWORD /d 30000 /f

reg ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 3600 /f

w32tm /config /update

To return your computer to a stock workgroup computer, you can run:

reg ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v UpdateInterval /t REG_DWORD /d 360000 /f

reg ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 604800 /f

w32tm /config /update

Check Firewall Ports/Connectivity

Windows Time service uses the standard Network Time Protocol (NTP) which runs on UDP/123. A telnet check doesn’t work to test this. To easily see if the UDP/123 is opened through a firewall to any particular NTP server running on UDP/123, run the following command:

W32tm /stripchart /computer: 1.pool.ntp.org

W32tm /stripchart /computer: DC01.MyDomain.local

 

Monitoring Time

The Windows Time service logs into the System Channel of the event log under the source Time-Service. I’ve been lucky enough to only have to require this a handful of times. Most of the issues I run across I’ve been able to fix with the above troubleshooting and commands.

There is a win32 /debug command where you can send debug info out to an event log:

w32tm /debug {/disable | {/enable /file:<name> /size:<bytes> /entries:<value>[/truncate]}}

Enable or disable local computer windows time service private log.

disable: disable the private log.

enable: enable the private log.

file:<name> – specify the absolute filename.

size:<bytes> – specify the maximum size for circular logging.

entries:<value> – contains a list of flags, specified by number and separated by commas, that specify the types of information that should be logged. Valid numbers are 0 to 300. A range of numbers is valid, in addition to single numbers, such as 0-100,103,106. Value 0-300 is for logging all information.

truncate: truncate the file if it exists.

One final Note

DO NOT USE THE NET TIME command anymore, it’s deprecated, old and does not give you all the information required to fix modern day time issues!

Reference Links

https://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx

https://support.ntp.org/bin/view/Servers/NTPPoolServers

https://blogs.msdn.microsoft.com/w32time

 

As always, post any comments, questions, concerns at the bottom! Is it lunch time!?