Configure NTP server on Active Directory
Windows Server 2016 introduced the Accurate Time feature. Microsoft increased the polling and clock update frequency in Windows Server 2016 Active Directory compared to Windows Server 2008/2012. While this introduces a small additional CPU load on Domain Controllers, it provides more accurate time on Windows Server 2016 through more frequent polling and updating, and through an algorithm that calculates time difference trends. Now let's see how to configure it.

About the Accurate Time feature

The Accurate Time feature helps admins in Microsoft-oriented networking infrastructures to:
I've discussed some of these challenges previously in my blog post on Managing Active Directory Time Synchronization on VMware vSphere. I mentioned the Accurate Time feature in that context, too, but did not elaborate on how to configure it. The Accurate Time feature is not enabled by default.

About the Active Directory Time Hierarchy

In every Active Directory environment, time is synchronized in a hierarchy. This hierarchy is depicted in the image below, courtesy of the Time Synchronization in Active Directory Forests page in the Microsoft TechNet Wiki:

The Domain Controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role in the root domain represents the top of the hierarchy and is considered the authoritative time source. That's why the Active Directory Best Practices Analyzer (BPA) reports an action when this Domain Controller does not synchronize its time with an external source, such as a pool of NTP servers on the Internet, a couple of GPS-equipped internal appliances, or a combination of both. It is important to identify the Domain Controller with the PDCe FSMO role, as we need to perform changes on this host.

How to configure Accurate Time on the Domain Controller with the PDCe FSMO role

To configure the Accurate Time feature on the Domain Controller with the PDCe FSMO role, perform these steps:

Determine the Domain Controller with the PDCe FSMO role

We start with double-checking the configured time servers on the Domain Controller holding the PDCe FSMO role. Determine this Domain Controller using the following command on the command line of any domain-joined system:

```powershell
netdom.exe query fsmo
```

Get the currently configured time servers for the Domain Controller

Sign in interactively to this Domain Controller and start an elevated Windows PowerShell window, or enter a PowerShell remote session.
Run the following line to return the comma-separated list of time servers specified:

```powershell
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\' | Select-Object NtpServer
```

Make sure the NTP servers listed are on the list of Stratum 1 servers, are denoted as OpenAccess (or you have prior arrangements for servers that are denoted as ClosedAccess or RestrictedAccess), are hosted reasonably nearby geographically, and are maintained by an organization with an excellent reputation.

Configure the server to offer accurate time

Configure the Domain Controller with the PDCe FSMO role to offer the Accurate Time feature using the following lines of Windows PowerShell. These values already exist under the W32Time key by default, so Set-ItemProperty is used rather than New-ItemProperty, which fails on an existing value:

```powershell
$NTP = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# Pin the poll interval at 2^6 = 64 seconds (minimum and maximum both 6)
Set-ItemProperty -Path "$NTP\Config" -Name MinPollInterval -Value 6 -Type DWord
Set-ItemProperty -Path "$NTP\Config" -Name MaxPollInterval -Value 6 -Type DWord
# Apply phase corrections more often and react faster to frequency drift
Set-ItemProperty -Path "$NTP\Config" -Name UpdateInterval -Value 100 -Type DWord
Set-ItemProperty -Path "$NTP\Config" -Name FrequencyCorrectRate -Value 2 -Type DWord
# Poll the configured NTP peers every 64 seconds
Set-ItemProperty -Path "$NTP\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 64 -Type DWord
# Make W32Time re-read its configuration, then restart the service
w32tm.exe /config /update
Restart-Service w32time
```

(Optionally) Configure NTP for 3rd-party systems and appliances

Optionally, make the Domain Controller an authoritative server for 3rd-party systems and appliances, using the following lines of Windows PowerShell (note that Type is a REG_SZ string value, not a DWORD):

```powershell
$NTP = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# Synchronize from the manually configured NTP peers instead of the domain hierarchy
Set-ItemProperty -Path "$NTP\Parameters" -Name Type -Value 'NTP' -Type String
# Announce this host as a reliable time source and enable the NTP server provider
Set-ItemProperty -Path "$NTP\Config" -Name AnnounceFlags -Value 5 -Type DWord
Set-ItemProperty -Path "$NTP\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
# Largest forward and backward correction (in seconds) the service will accept
Set-ItemProperty -Path "$NTP\Config" -Name MaxPosPhaseCorrection -Value 1800 -Type DWord
Set-ItemProperty -Path "$NTP\Config" -Name MaxNegPhaseCorrection -Value 1800 -Type DWord
w32tm.exe /config /update
Restart-Service w32time
```

How to configure Accurate Time on domain-joined devices

To perform the steps below, sign in to a system with the Group Policy Management Console (GPMC) installed with an account that is either:
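As an added example, not part of the original post: a PowerShell audit that locates the PDCe, compares its W32Time registry values with the ones the steps above set, lists the upstream peers, and shows the live synchronization status. It assumes the ActiveDirectory module, WinRM access to the PDCe and read rights on its registry; the NtpServer flag meanings in the comment come from the W32Time documentation.

```powershell
# Added example, not part of the original post: audit the PDCe's W32Time
# configuration against the values the steps above set. Assumes the
# ActiveDirectory module, WinRM access to the PDCe and read rights on its registry.
Import-Module ActiveDirectory

$Pdce = (Get-ADDomain).PDCEmulator
$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Each check: registry subkey under W32Time, value name, expected value
$Checks = @(
    @{ Key = 'Config';                  Name = 'MinPollInterval';      Expected = 6 }
    @{ Key = 'Config';                  Name = 'MaxPollInterval';      Expected = 6 }
    @{ Key = 'Config';                  Name = 'UpdateInterval';       Expected = 100 }
    @{ Key = 'Config';                  Name = 'FrequencyCorrectRate'; Expected = 2 }
    @{ Key = 'Config';                  Name = 'AnnounceFlags';        Expected = 5 }
    @{ Key = 'Parameters';              Name = 'Type';                 Expected = 'NTP' }
    @{ Key = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval';  Expected = 64 }
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';              Expected = 1 }
)

$Findings = Invoke-Command -ComputerName $Pdce -ScriptBlock {
    $Root = $using:Root
    foreach ($Check in $using:Checks) {
        $Actual = (Get-ItemProperty -Path (Join-Path $Root $Check.Key)).($Check.Name)
        [pscustomobject]@{
            Key      = $Check.Key
            Name     = $Check.Name
            Expected = $Check.Expected
            Actual   = $Actual
            # Compare as strings so a REG_SZ 'NTP' and a DWORD 6 are both handled
            Match    = ("$Actual" -eq "$($Check.Expected)")
        }
    }
    # Upstream peers: each entry is 'host,flags'; 0x8 = client mode, 0x1 = use SpecialPollInterval
    [pscustomobject]@{
        Key = 'Parameters'; Name = 'NtpServer'; Expected = '<external stratum-1 peers>'
        Actual = (Get-ItemProperty -Path (Join-Path $Root 'Parameters')).NtpServer; Match = 'review'
    }
}

$Findings | Format-Table Key, Name, Expected, Actual, Match -AutoSize

# Live view: the source the PDCe is actually syncing from and its stratum
w32tm.exe /query /computer:$Pdce /status
```

Any row with Match set to False means the PDCe is not running the configuration described above; the NtpServer row is for manual review against the Stratum 1 list.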
To configure the Accurate Time feature on domain-joined devices, perform these steps:

Create a new Group Policy object

To create a Group Policy Object, perform these steps:
Configure settings for Accurate Time

Make the appropriate changes in the Group Policy object for the Accurate Time feature, while still in the Group Policy Management Console (GPMC):
Note:
Assign the Group Policy object to the Domain

To link the previously created Group Policy Object, perform these steps, while still in the Group Policy Management Console (GPMC):
Concluding

The Accurate Time feature might benefit your organization. The feature is not enabled by default, but you can enable it easily, using the lines of Windows PowerShell above.

Further reading

Configure NTP Time Sync Using Group Policy

What is NTP in Active Directory?

AD Time Synchronization Origins: Network Time Protocol (NTP)
Network Time Protocol (NTP) is a networking protocol that is used for clock synchronization in computer systems over packet-switched data networks.
Can a domain controller be an NTP server?

The DCs not serving as the PDCe are allowed to access the PDCe using the NT5DS protocol [UDP Port 123]. Clients can reach the DCs serving as NTP servers using both the NTP and NT5DS protocol [UDP Port 123].
How does NTP work in a domain?

In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When a time server returns an authenticated NTP packet to a client that requests the time, the packet is signed by means of a Kerberos session key defined by an interdomain trust account.