Windows NTP – NT5DS and FSMO

Another good topic to talk about. I’ll blog soon about NTP in general when it comes to stratums and a design. But I want to focus on the Windows AD side now in this post.

What is NT5DS:

`NT5DS` stands for “Net Time 5 Directory Service.” It’s a mode of time synchronization utilized by the Windows Time Service (`w32time`) on computers that are members of an Active Directory (AD) domain.

When a Windows machine is configured to use `NT5DS` mode (which is the default for domain-joined computers), it will synchronize its time hierarchically with the domain’s structure.

Windows default options:

  • NTP – Used on computers that are not joined to a domain.
  • NT5DS – Used on computers that are joined to a domain.

Pretty straightforward. Windows has two default options: computers NOT joined to the domain use NTP, and computers joined to the domain use NT5DS, NOT NTP. NT5DS is what every domain device uses by default. It’s a time service that synchronizes the entire domain hierarchy.

How does NT5DS Work:

1. Domain-Joined Workstations and Servers: These machines will sync their time with any domain controller (DC) in their domain.

2. Domain Controllers: DCs will sync their time with the domain controller that holds the Primary Domain Controller (PDC) Emulator Flexible Single Master Operation (FSMO) role for their domain.

3. PDC Emulator in Child Domains: If there are child domains, the PDC Emulator of the child domain will sync its time with a DC (often the PDC Emulator) in the parent domain.

4. PDC Emulator in the Forest Root Domain: It’s recommended that this DC is configured to synchronize its time from a reliable external NTP (Network Time Protocol) source. This ensures the entire AD hierarchy stays in sync with real-world time.

The hierarchical nature of `NT5DS` mode ensures that there’s a consistent and unified time source throughout the AD domain, which is crucial for operations like authentication and replication. Time discrepancies can lead to various problems in AD, including Kerberos authentication failures.

For computers that aren’t members of an AD domain, or if you want a specific machine to sync with an external time server regardless of its domain membership, you’d typically use the `NTP` mode.

Next we’ll look at the Flexible Single Master Operation (FSMO) roles to find who that PDC server is.

Looking at FSMO Roles to find the PDC

Flexible Single Master Operations (FSMO) are Active Directory (AD) roles. Special roles are assigned to one or more domain controllers in an AD environment. Here’s a brief description of each:

1. Schema Master (one per forest)

  • Role: This role manages updates and modifications to the AD schema. The schema defines the kinds of objects and their attributes that can be created within AD.
  • Scope: There is only one Schema Master in the entire forest.

2. Domain Naming Master (one per forest)

  • Role: It adds or removes domains within the AD forest. When you want to add or delete a domain, the domain naming master ensures that the domain name is unique across the forest.
  • Scope: There is only one Domain Naming Master in the entire forest.

3. Primary Domain Controller (PDC) Emulator (one per domain)

  • Role: Among other things like Time, the PDC Emulator handles password changes and is the master time server for the domain. If a logon authentication fails due to a bad password at another DC, the request is passed to the PDC Emulator for a final check before rejection.
  • Scope: There’s one PDC Emulator per domain.

4. Relative ID (RID) Master (one per domain)

  • Role: It’s responsible for allocating blocks of unique Relative IDs (RIDs) to each domain controller in a domain. When an object, such as a user or computer, is created in AD, it’s given a Security Identifier (SID). The SID consists of a domain SID, common to all SIDs created in the domain, and a RID, unique for each SID created in the domain.
  • Scope: There’s one RID Master per domain.

5. Infrastructure Master (one per domain)

  • Role: The Infrastructure Master is responsible for updating references from objects in its domain to objects in other domains. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master ensures that cross-domain object references are correctly handled.
  • Scope: There’s one Infrastructure Master per domain.
  • Note: In a domain with only one domain controller, or where all domain controllers are Global Catalog servers, the Infrastructure Master role doesn’t perform any tasks.

Each FSMO role is critical to ensuring an AD environment’s proper functioning and consistency. When designing and managing an AD infrastructure, it’s essential to know which domain controllers hold these roles and to monitor them to ensure their continued availability.

Time synchronization is critical in Active Directory environments, primarily because of the Kerberos authentication protocol, which is sensitive to time discrepancies. In an AD domain:

  1. PDC Emulator: This role holder in each domain acts as the authoritative time source for that domain. It’s best practice to configure the PDC Emulator to synchronize its clock with an external reliable time source, such as official NTP (Network Time Protocol) servers. This ensures that the entire domain (and forest, in multi-domain environments) remains in sync with “real-world” time.
  2. Other Domain Controllers: They will sync their clocks with the PDC Emulator of their respective domains.
  3. Member Servers and Workstations: In a domain, they will generally sync their clocks with the domain controller that authenticated them at login.

Because of this time synchronization hierarchy, it’s crucial that the PDC Emulator maintains accurate time. If the PDC Emulator’s time drifts, it could potentially cause time drift throughout the domain, leading to issues like Kerberos authentication failures due to time discrepancies.

Based on the information above, the PDC is the server you’re looking for. Query the FSMO role holders to find it:

```
C:\>netdom /query FSMO
Schema master               kc-dc1.cordero.me
Domain naming master        kc-dc1.cordero.me
PDC                         kc-dc1.cordero.me
RID pool manager            kc-dc1.cordero.me
Infrastructure master       kc-dc1.cordero.me
The command completed successfully.
```

Finding the time source

On a computer, use the command below to see where it’s getting its time from. The output should be the PDC found above.

```
C:\>w32tm /query /source
kc-dc1.cordero.me
```

Look at the local time configuration to find the type of NTP being used

Now you can look to see how the time is getting synced, NTP or NT5DS. Since this device is domain joined, it’s using NT5DS.

```
C:\>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Local)
MaxPollInterval: 15 (Local)
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 30000 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)
```

Looking at the PDC with External DNS settings

You can use the same command to look at a remote computer. Below we are looking at our DC, which happens to be the PDC. You can see that the server is configured to get its time from external sources and the type is NTP.

```
C:\>w32tm /query /computer:{REMOTE_DEVICE_NAME} /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: pool.ntp.org time.nist.gov (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
```

Configuring NTP Settings Manually

So how do you configure the external time sources on the PDC? Below is the command you would use, or something close to it. You want the PDC to use reliable NTP sources.

Below we are prioritizing pool.ntp.org (0x8, Client) over time.nist.gov (0xa, which is Client 0x8 plus UseAsFallbackOnly 0x2):

```
w32tm /config /manualpeerlist:"pool.ntp.org,0x8 time.nist.gov,0xa" /syncfromflags:manual /update
```

You can also use the UseAsFallbackOnly flag (0x2) to de-prioritize one of them, or make them both 0x8. So you have options.

Below are the peer flag options:

  • 0x1 SpecialInterval
  • 0x2 UseAsFallbackOnly
  • 0x4 SymmetricActive: for more information about this mode, see Windows Time Server: 3.3 Modes of Operation.
  • 0x8 Client
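To check the `w32tm /query /configuration` output shown above and the peer flags just listed against the NT5DS hierarchy (PDC on NTP with manual peers, everyone else on NT5DS), here is an added Python example; it is not code from the original post. The sample output and the `,0x8`/`,0xa` flags on its peers are constructed for the example.

```python
import re

# Constructed sample shaped like `w32tm /query /configuration` output; the
# peer flags are assumed (the post's PDC output lists its peers without them).
SAMPLE_PDC = ("[TimeProviders]\n\nNtpClient (Local)\nType: NTP (Local)\n"
              "NtpServer: pool.ntp.org,0x8 time.nist.gov,0xa (Local)\n")

# Peer flag bits accepted by /manualpeerlist, as listed in the post.
PEER_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}

def parse_w32tm_config(text):
    """Map w32tm output to {section: {key: value}}; "[Configuration]" and a
    provider header such as "NtpClient (Local)" each open a section."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]|(\w+) \((?:Local|Policy)\)", line):
            current = sections.setdefault(m.group(1) or m.group(2), {})
        elif (m := re.fullmatch(r"(\w+): (.*) \((?:Local|Policy)\)", line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def decode_peers(peer_list):
    """Split a manualpeerlist into (host, [flag names]); a peer written
    without ",0x.." gets an empty list rather than a guessed default."""
    peers = []
    for entry in peer_list.split():
        host, _, flag = entry.partition(",")
        bits = int(flag, 16) if flag else 0
        peers.append((host, [n for b, n in PEER_FLAGS.items() if bits & b]))
    return peers

def audit(config, is_pdc):
    """Findings against the NT5DS hierarchy: the forest-root PDC syncs by NTP
    from manual peers, every other domain member syncs by NT5DS."""
    client = config.get("NtpClient", {})
    sync_type, findings = client.get("Type"), []
    if not is_pdc:
        if sync_type != "NT5DS":
            findings.append(f"member Type is {sync_type}, expected NT5DS")
        return findings
    if sync_type != "NTP":
        findings.append(f"PDC Type is {sync_type}, expected NTP")
    peers = decode_peers(client.get("NtpServer", ""))
    if not peers:
        findings.append("PDC has no NtpServer peers configured")
    elif all("UseAsFallbackOnly" in flags for _, flags in peers):
        findings.append("every peer is fallback-only; none is a primary source")
    return findings
```

Feed it the saved output of `w32tm /query /configuration` (or the `/computer:` form for the PDC) and review the findings list.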

How to resync the time

This will tell the computer to resync as soon as possible.

```
w32tm /resync [/computer:] [/nowait] [/rediscover] [/soft]
```