Time drift means a deviation between clocks that occurs when servers or endpoints do not receive a time update at regular intervals. Keeping the clocks in the organization updated is very important for the proper operation of the organization’s systems (some of the affected systems are mentioned below).

This is where NTP (Network Time Protocol) comes into play. This protocol is handled by the PDC emulator role, which is one of the five FSMO roles in the organization. The DC server holding this role is the source against which all other machines in the organization synchronize (the “PDC operations master”).


When the clocks deviate, we may encounter the following problems:

Replication problems between DC servers – information may fail to synchronize and may even be lost. A “timestamp” is a value that helps DC servers decide whether replication should be performed when the update sequence number (USN) is the same on two servers. When the timestamp is inconsistent, synchronization of information may go wrong.

Kerberos – depends on the NTP service. Kerberos is a protocol based on “tickets” that grant access privileges to users and services in the organization. These tickets are time-limited, so a lack of time synchronization between systems can prevent access authorization.


Configuring NTP using the Windows Time Service on the DC server that holds the PDC emulator role:

  • Define the time source to which the other servers in the organization will point. This setting makes them synchronize directly against the PDC server and not from the BIOS clock.
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Type = NTP
  • Define the time source the PDC server itself will use. The PDC server must also receive time updates, so it has to be configured to synchronize against an external address.
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
NtpServer = 0.asia.pool.ntp.org,0x1

This is an example of an external server that the PDC server will point to:

0.asia.pool.ntp.org

The source list can contain IP addresses or FQDNs. When using a DNS name, the suffix 0x1 must be appended to each DNS address. 0x1 is translated to the value “.” (dot), which marks the end of the entry; further addresses can follow it, separated by spaces.

  • The PDC server must be set as a trusted time source. Note that this setting goes hand in hand with the previous one, so both must be performed.
HKLM\System\CurrentControlSet\Services\W32Time\Config
AnnounceFlags = 5

  • After these settings, restart the time service (w32time) using the following commands:

net stop w32time 
net start w32time
w32tm /resync /rediscover
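As an added example (not part of the original article), the following PowerShell script audits the three registry values described above, applies them through w32tm when they are missing, and measures the clock offset against the external source. It assumes an elevated PowerShell session on the DC holding the PDC emulator role; the peer list and the 5-second warning threshold are placeholders.

```powershell
# Added example, not code from the original article: audit, apply and verify
# the W32Time settings described above on the DC holding the PDC emulator role.
# Assumptions: elevated PowerShell on that DC; $NtpPeers is a placeholder peer
# list in the "host,0x1" format the article uses.
$NtpPeers = '0.asia.pool.ntp.org,0x1'
$Params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$Config   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Test-PdcTimeConfig {
    # Compare the three registry values from the article with the expected settings.
    $p = Get-ItemProperty -Path $Params
    $c = Get-ItemProperty -Path $Config
    [pscustomobject]@{
        TypeIsNtp       = ($p.Type -eq 'NTP')
        PeerListMatches = ($p.NtpServer -eq $NtpPeers)
        AnnounceFlagsOk = ($c.AnnounceFlags -eq 5)
    }
}

function Set-PdcTimeConfig {
    # w32tm /config writes the same three values: /syncfromflags:manual sets Type=NTP,
    # /manualpeerlist sets NtpServer, /reliable:yes sets AnnounceFlags=5.
    w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name w32time      # same effect as net stop / net start w32time
    w32tm /resync /rediscover
}

function Get-ClockOffsetSeconds {
    param([string]$Source = '0.asia.pool.ntp.org', [int]$Samples = 3)
    # Read-only drift check: /stripchart prints one "<time>, <+/-offset>s" line per sample.
    $lines = w32tm /stripchart /computer:$Source /samples:$Samples /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples returned from $Source" }
    ($offsets | Measure-Object -Average).Average
}

# Usage: audit first, change settings only if something differs, then confirm drift.
$state = Test-PdcTimeConfig
if (-not ($state.TypeIsNtp -and $state.PeerListMatches -and $state.AnnounceFlagsOk)) {
    Set-PdcTimeConfig
}
$offset = Get-ClockOffsetSeconds
if ([math]::Abs($offset) -gt 5) { Write-Warning "Clock is off by $offset s from the source" }
else { "Offset from source: $offset s" }
```

Running Test-PdcTimeConfig and Get-ClockOffsetSeconds on their own is safe on any DC, since neither changes configuration; only Set-PdcTimeConfig writes settings and restarts the service.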

Microsoft’s official documentation on the subject:

https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/configure-authoritative-time-server


This Article Was Written By Shira Peretz and translated to English by Matan Sigavker
