Configure NTP Service in your enterprise domain


Applies to: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

I was asked to help a client who had recently created new domain controllers and removed the old ones. This included the transfer of the FSMO roles too. There were a few issues which they were facing.

1. All clients were getting different time zones.
2. Event ID 50 on the PDC [The time service detected a time difference of greater than…]
3. Authentication had stopped working for some sites.

When I looked at the events on the PDC, I found the root cause. The NTP settings were not defined properly, which was why all these issues were there. It happened because they had transferred the PDC role from the old DC to the new DC. Here are the steps which I followed, and the issues were fixed after that.

First you need to understand how the Windows Time Service works. The diagram below (not preserved in this copy of the page) shows the synchronization hierarchy.

Your PDC connects to an external time server to sync its time with it. All other domain controllers then sync their time with the PDC (each still displaying it according to its own time zone). Finally, all clients sync with their respective DCs. In this way every client receives a correct Windows Time Service configuration. This is known as "Domain Hierarchy-Based Synchronization".
Before starting on the authoritative NTP server configuration for your enterprise, it is good to know a few basic w32tm commands that will help you while managing or administering your time servers.

w32tm /query /status : Shows the status of the Windows Time service: whether it is syncing, from which source, at which stratum and when the last successful sync happened.
w32tm /query /configuration : Shows the complete configuration of the Windows Time service (the registry values under W32Time, including Type, NtpServer and AnnounceFlags).
w32tm /resync /rediscover : After you have changed the NTP server settings, run this command so the machine re-detects its time source and resyncs with the DCs or the external NTP server.
w32tm /stripchart /computer:PDCName : Shows the time offset between this machine and the PDC as a running chart; use it to confirm that a domain controller has actually started syncing with the PDC.

Port assignments for the Windows Time Service
NTP: UDP 123
SNTP: UDP 123
Step 1: Configure NTP on the primary domain controller (PDC)
First, we will configure the PDC to connect to an external time server and make it the NTP server for the domain.
Open the registry editor and navigate to the path below.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
Under Config, set "AnnounceFlags" to 5 (by default it is 10).
Under Parameters, set "NtpServer" to your preferred NTP server; in my case I used "0.us.pool.ntp.org,0x9".
Under Parameters, set "Type" to "NTP".

There are many other registry keys which you may need to change depending on your requirements. Take a backup of the registry before you edit other keys.
After all these changes, run the command "w32tm /resync /rediscover".

Step 2: Configure NTP on the member domain controllers
On each DC, open the registry editor and navigate to the location below.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
Under Config, leave "AnnounceFlags" at 10 (this is the default).
Under Parameters, leave "NtpServer" at its default value; there is no need to set anything in it.
Under Parameters, set "Type" to "NT5DS". With this value the DC uses domain hierarchy-based synchronization.

There are many other registry keys which you may need to change depending on your requirements. Take a backup of the registry before you edit other keys.
After all these changes, run the command "w32tm /resync /rediscover".

On clients, no configuration is needed. If they are joined to the domain, they will contact their authenticating domain controller to sync their time.
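The two steps above can be applied from a single script. The following is an added example and not part of the original post: run it elevated on each domain controller; it backs up the W32Time key first (as the post recommends), applies the Step 1 values if the machine holds the PDC emulator role and the Step 2 values otherwise, then restarts the service and runs the resync. It assumes the ActiveDirectory module is installed and reuses the NTP server value from the post; the backup file name under $env:TEMP is my own choice.

```powershell
# Added example (not from the original post): apply the Step 1 / Step 2 registry settings on the
# domain controller this runs on, choosing the PDC or replica profile automatically.
# Assumes: run elevated on a DC, ActiveDirectory module available, and the external NTP server
# below (taken from the post) is the one you want to use.
Import-Module ActiveDirectory

$W32Time     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$ExternalNtp = '0.us.pool.ntp.org,0x9'   # value from the post; 0x8 = client mode, 0x1 = use SpecialPollInterval

# Back up the whole W32Time key before touching it, as the post recommends (file name is my choice)
$backup = Join-Path $env:TEMP ("W32Time-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# Does this DC hold the PDC emulator role? Compare FQDNs, not short host names.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$pdc       = (Get-ADDomain).PDCEmulator
$isPdc     = ($localFqdn -eq $pdc)

if ($isPdc) {
    # Step 1: the PDC syncs from the external server and announces itself as a reliable time source
    Set-ItemProperty -Path "$W32Time\Config"     -Name AnnounceFlags -Value 5 -Type DWord
    Set-ItemProperty -Path "$W32Time\Parameters" -Name NtpServer     -Value $ExternalNtp -Type String
    Set-ItemProperty -Path "$W32Time\Parameters" -Name Type          -Value 'NTP' -Type String
} else {
    # Step 2: replica DCs follow the domain hierarchy; NtpServer is left untouched, as in the post
    Set-ItemProperty -Path "$W32Time\Config"     -Name AnnounceFlags -Value 10 -Type DWord
    Set-ItemProperty -Path "$W32Time\Parameters" -Name Type          -Value 'NT5DS' -Type String
}

# Restart the service so it reads the new values, then force rediscovery of the time source
Restart-Service w32time
w32tm /resync /rediscover

# Verify: Source should be the external server on the PDC and the PDC's name on replicas
w32tm /query /source
w32tm /query /configuration | Select-String -Pattern '^(AnnounceFlags|Type|NtpServer):'
```

If the last line shows "(Policy)" instead of "(Local)" next to a value, a Group Policy setting is overriding the registry and the change will not take effect until that policy is adjusted.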

Script which can help you fetch the NTP settings from all domain controllers

#*==========================================================================================================================*#
# Enterprise NTP Configuration
#*==========================================================================================================================*#
# Script Created By     :       Ashish Gupta
# Date                  :       1st Feb 2018
#*==========================================================================================================================*#
# It queries all domain controllers, reads their NTP settings and converts them into a readable format.
# Requires the ActiveDirectory module (RSAT) and rights to run w32tm queries against each DC.
#*==========================================================================================================================*#

Import-Module ActiveDirectory

$MyArray = @()
$domain = Get-ADDomain
$PDC = $domain.PDCEmulator
$AllDcs = $domain | Select-Object -ExpandProperty ReplicaDirectoryServers
foreach ($DC in $AllDcs){
    $MyObj = "" | Select-Object "DCName", "DCType", "NTPStatus", "NTPSource", "NTPType", "LastSyncTime"
    $MyObj.DCName = $DC
    # Exact comparison instead of -match, so a DC whose name is a substring of the PDC name is not misclassified
    if ($PDC -eq $DC){$MyObj.DCType = "Primary Domain Controller"} else {$MyObj.DCType = "Replica Domain Controller"}

    # Current time source, e.g. the PDC's name on a replica or "0.us.pool.ntp.org,0x9" on the PDC
    $NTPSource = w32tm /query /computer:$DC /Source
    $NTPData = w32tm /query /computer:$DC /Configuration
    if ($LASTEXITCODE -ne 0) {
        # DC unreachable or RPC denied: record it and move on instead of failing on empty output
        $MyObj.NTPStatus = "Query failed"
        $MyArray += $MyObj
        continue
    }
    # "Type: NT5DS (Local)" -> "NT5DS"; anchored so only the NtpClient provider's Type line matches
    $NTPType = ($NTPData | Where-Object {$_ -match "^Type:"} | Select-Object -First 1).Split(" ")[1]
    # "Enabled: 1 (Local)" of the NtpServer provider: take the first Enabled line after the "NtpServer (...)"
    # section header rather than a fixed index, because VMICTimeProvider adds an extra Enabled line on VMs
    $serverHeader = $NTPData | Where-Object {$_ -match "^NtpServer\s*\("} | Select-Object -First 1
    $serverIdx = [array]::IndexOf($NTPData, $serverHeader)
    $NTPStatus = ($NTPData[$serverIdx..($NTPData.Count - 1)] | Where-Object {$_ -match "^Enabled:"} | Select-Object -First 1).Split(" ")[1]
    if ($NTPStatus -eq "1"){$MyObj.NTPStatus = "Enabled"} else {$MyObj.NTPStatus = "Disabled"}
    # "Last Successful Sync Time: 2/1/2018 10:15:32 AM" -> "2/1/2018 10:15:32 AM"
    $NTPTime = (w32tm /query /computer:$DC /Status | Where-Object {$_ -match "Last Successful Sync Time:"}).Split(" ")[4..6] -Join " "

    $MyObj.NTPSource = $NTPSource
    $MyObj.NTPType = $NTPType
    $MyObj.LastSyncTime = $NTPTime
    $MyArray += $MyObj
}
$MyArray | Format-Table -AutoSize

#*==========================================================================================================================*#
# Script End
#*==========================================================================================================================*#
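The script above reports each DC's configuration; it does not show how far each clock actually is from the PDC, which is what drives the Event ID 50 entries and the authentication failures described at the start of the post. The following is an added example, not part of the original post or its script: run it on the PDC, and it takes a few w32tm stripchart samples against every DC, parses the offsets, and flags any DC whose average offset exceeds the Kerberos default clock-skew tolerance of 5 minutes (the point at which ticket requests start to be rejected). It assumes the ActiveDirectory module and that "w32tm /stripchart /dataonly" prints one "hh:mm:ss, +00.0012345s" line per sample; the thresholds and status labels are my own.

```powershell
# Added example (not from the original post): measure each DC's clock offset from this machine
# (run it on the PDC so the PDC is the reference) and flag anything beyond the Kerberos default
# tolerance of 5 minutes, which is the skew at which authentication starts failing.
# Assumes the ActiveDirectory module, and that "w32tm /stripchart /dataonly" prints lines of the
# form "hh:mm:ss, +00.0012345s" (one per sample); error samples print "error: 0x..." and are skipped.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300        # Kerberos default MaxClockSkew (5 minutes)
$DriftSeconds   = 1          # my own threshold for "worth a look" before it becomes an outage
$Samples        = 3

$domain = Get-ADDomain
$report = foreach ($DC in $domain.ReplicaDirectoryServers) {
    $lines = w32tm /stripchart /computer:$DC /samples:$Samples /dataonly 2>&1
    # Keep only the measurement lines and extract the signed offset in seconds
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]?\d+(\.\d+)?)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        # No usable samples: UDP 123 blocked, DC down, or w32time not running there
        [pscustomobject]@{ DC = $DC; OffsetSeconds = $null; Status = 'NO RESPONSE' }
        continue
    }
    $avg = ($offsets | Measure-Object -Average).Average
    $status = if ([math]::Abs($avg) -gt $MaxSkewSeconds) { 'SKEW EXCEEDS KERBEROS LIMIT' }
              elseif ([math]::Abs($avg) -gt $DriftSeconds) { 'DRIFTING' }
              else { 'OK' }
    [pscustomobject]@{ DC = $DC; OffsetSeconds = [math]::Round($avg, 4); Status = $status }
}
$report | Sort-Object Status | Format-Table -AutoSize
```

A DC listed as "NO RESPONSE" is usually a firewall blocking UDP 123 between the DCs rather than a configuration problem; a DC listed as "DRIFTING" with Type NT5DS but a Source other than the PDC is the symptom the post describes after a PDC role transfer, and "w32tm /resync /rediscover" on that DC is the first thing to try.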

Thank You.
