This blog post is about Microsoft Domain Controllers and NTP Server configuration for the FSMO PDC emulator role. In this blog, we are going to configure NTP and make sure it works correctly for all the clients.
In this case, we were deploying an entire VMware environment at a customer for testing purposes, including domain controllers. This was working fine until we wanted to configure the vCenter Server with domain authentication. It was not possible to log in to VMware vCenter with domain accounts, only with local accounts. After some looking and comparing, we realized that the time synchronization in the environment was not working correctly.
I have been sitting on these simple commands for a long time without actually putting them on my blog but the customer that was suffering from this issue encouraged me to do this. So here we are ;).
Why an NTP Server is important
A short introduction to the Network Time Protocol, or NTP for short. NTP is used for clock synchronization between IT systems. The NTP protocol uses UDP port 123. Now, back to Microsoft Domain Controllers ;).
One of the main things, when you are setting up a Domain Controller is that you need to make sure that time synchronization is working. This can be done with an NTP source or NTP GPS source. In most cases, an internet source is used, for example pool.ntp.org.
The domain controllers that control the domain act as NTP sources for the domain members. This is the default setting by Microsoft. Keep in mind that this can be changed with domain group policies.
So what is acceptable, and when do things fall apart? By default, Kerberos allows a difference of 300 seconds. This sounds like a lot, but when NTP is not working things quickly go beyond that limit. The 300 seconds tolerance means a clock can be 300 seconds behind or 300 seconds ahead of the domain controllers. When you are beyond this limit, Kerberos tickets no longer work, and then there is a real problem: account logins fail, log entry timestamps are not valid, permissions do not work, etc.
I have tested these commands on the following Operating System versions over the years. It doesn't matter whether this is a server with a GUI or a Core installation, as long as a PowerShell terminal is accessible!
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Here is an overview of the NTP commands for a domain controller. The most common way is to run this in a PowerShell terminal with administrative rights. I have listed the steps with a simple explanation:
```powershell
# 1. Stop the Windows Time service
net stop w32time

# 2. Point the PDC emulator at external NTP peers
#    The manual peer list is space-separated; commas would become part of the host names.
w32tm /config /syncfromflags:manual /manualpeerlist:"0.nl.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.nl.pool.ntp.org"

# 3. Mark this domain controller as a reliable time source for the domain
#    (this is meant for the DC holding the PDC emulator role)
w32tm /config /reliable:yes

# 4. Start the Windows Time service again (the restart applies the new configuration)
net start w32time

# 5. Check the configuration
w32tm /query /configuration

# 6. Force a time resync
w32tm /resync
```
Here are some troubleshooting commands to verify that it works and to inspect additional settings:
```powershell
# Show the configured time zone
w32tm /tz

# NTP peers and their stratum
w32tm /query /peers

# Detailed sync information per peer
w32tm /query /peers /verbose

# Monitor the time offset of the domain controllers
w32tm /monitor

# Read the NtpServer provider's registry values
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
```
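The commands above show the configuration, but the question a domain member really needs answered is "how far is my clock from the PDC emulator, and am I still inside the 300 seconds Kerberos tolerance?" The following PowerShell script is an added example, not part of the original post, that automates that check. It assumes the machine is domain-joined and that `w32tm.exe` is available; it looks up the PDC emulator through .NET (no RSAT required), samples the offset with `w32tm /stripchart`, and reports whether the skew is within the Kerberos limit. The function names (`Get-PdcEmulator`, `Get-ClockOffsetSeconds`, `Test-KerberosClockSkew`) are my own.

```powershell
# Added example: measure this machine's clock offset against the domain's PDC emulator
# and compare it with the default 300 second Kerberos tolerance described in the post.
# Assumptions: domain-joined host, w32tm.exe present, network access to the PDC on UDP 123.

$KerberosMaxSkewSeconds = 300   # default Kerberos clock tolerance

function Get-PdcEmulator {
    # Ask Active Directory (via .NET, no RSAT needed) which DC holds the PDC emulator role
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    return $domain.PdcRoleOwner.Name
}

function Get-ClockOffsetSeconds {
    param(
        [Parameter(Mandatory)] [string]$Computer,
        [int]$Samples = 3
    )
    # With /dataonly, w32tm /stripchart prints one "HH:MM:SS, +00.0123456s" line per sample.
    # Errors (for example a blocked UDP 123) show up as "error: 0x..." lines instead.
    $lines = @(& w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1)

    $offsets = @(
        foreach ($line in $lines) {
            if ("$line" -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
        }
    )
    if ($offsets.Count -eq 0) {
        throw "No offset samples from $Computer. Raw output:`n$($lines -join "`n")"
    }

    # Use the median so a single noisy sample does not distort the result
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function Test-KerberosClockSkew {
    param([string]$Computer = (Get-PdcEmulator))

    $offset = Get-ClockOffsetSeconds -Computer $Computer
    return [pscustomobject]@{
        Computer       = $Computer
        OffsetSeconds  = [math]::Round($offset, 3)
        WithinKerberos = ([math]::Abs($offset) -lt $KerberosMaxSkewSeconds)
    }
}

# Usage: run in an elevated PowerShell on any domain member or domain controller
$check = Test-KerberosClockSkew
$check | Format-List

if (-not $check.WithinKerberos) {
    Write-Warning ("Clock differs from {0} by {1}s, which exceeds the {2}s Kerberos tolerance. " +
                   "Fix the NTP configuration and run 'w32tm /resync'.") -f
                   $check.Computer, $check.OffsetSeconds, $KerberosMaxSkewSeconds
}
```

The script deliberately measures against the PDC emulator rather than against an internet pool: domain members only need to agree with the domain hierarchy, and a member that is perfectly aligned with pool.ntp.org but 10 minutes away from its DCs still cannot authenticate.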
So this is my blog post about Microsoft Domain Controllers in combination with an NTP server. I have explained the importance of time synchronization, the issues that an invalid NTP server configuration can cause, and the commands needed for a good configuration.
Do you have additional tips or remarks? Please respond in the comment section below.
Have a nice day and see you next time!