Time and Time Again

As well as DNS, time is an important aspect of Active Directory. Clocks across the devices in your environment need to be within 5 minutes of each other for Kerberos authentication to work fully. Replication depends on time as well (primarily on USNs, but timestamps play a part in conflict resolution), so that changes are not overwritten in error.

By default, all domain members will attempt to use the domain controller holding the Primary Domain Controller Emulator (PDCE) FSMO role as their source for the correct time. We touched on this in one of our first blog posts (Our first GPO – Time Sync). In that GPO we set up the PDCE to sync its time from an external source (pool.ntp.org). Because the GPO is applied through a WMI filter that targets the PDCE role holder, whichever DC holds the role will always sync externally, even if you move the role.

So, how do we check whether the time is in sync across all the domain controllers? Well, there is a command for that:

w32tm /monitor

This produces output that can be difficult to read when you have a large number of domain controllers:

dc1.adsubdomain.domain.tld *** PDC ***[10.1.1.1:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from pool.ntp.org
RefID: time.netweaver.uk [185.182.62.7]
Stratum: 3
dc2.adsubdomain.domain.tld [10.1.1.2:123]:
ICMP: 34ms delay
NTP: -0.0020732s offset from dc1.adsubdomain.domain.tld
RefID: dc1.adsubdomain.domain.tld [10.1.1.1]
Stratum: 0
dc3.adsubdomain.domain.tld[10.1.1.3:123]:
ICMP: 39ms delay
NTP: +0.0020732s offset from dc1.adsubdomain.domain.tld
RefID: dc1.adsubdomain.domain.tld [10.1.1.1]
Stratum: 5

If the list is large and includes a number of servers that cannot be contacted from where you run the w32tm command, it becomes hard to read. To alleviate this, I have written a PowerShell script that parses all of this information and lists it in a table that is easier to read. With a little modification (I might complete this), it would be possible to email the table as a daily report so you can catch time sync issues before they become a big deal. An example of the output is below:

Server                                 TimeDrift Connected SourceServer
------                                 --------- --------- ------------
dc1.adsubdomain.domain.tld *** PDC *** +0.0000000 True time.netweaver.uk
dc2.adsubdomain.domain.tld             +0.0000872 True dc1.adsubdomain.domain.tld

The script can be found in my GitHub repository. Feel free to edit it and submit a pull request if you can improve on it.
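As an added illustration of the parsing approach described above (this is not the script from the GitHub repository), the following PowerShell function turns the text output of w32tm /monitor into objects with the same columns as the table above and flags any DC that is unreachable or drifting beyond the 5-minute Kerberos tolerance. The sample input is constructed from the format shown earlier; the exact wording of the error lines for an unreachable DC is an assumption.

```powershell
# Added example, not the author's script. Input is constructed to mimic
# w32tm /monitor; the "error" lines for dc4 are an assumed format.
$sample = @'
dc1.adsubdomain.domain.tld *** PDC ***[10.1.1.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from pool.ntp.org
    RefID: time.netweaver.uk [185.182.62.7]
    Stratum: 3
dc2.adsubdomain.domain.tld [10.1.1.2:123]:
    ICMP: 34ms delay
    NTP: -0.0020732s offset from dc1.adsubdomain.domain.tld
    RefID: dc1.adsubdomain.domain.tld [10.1.1.1]
    Stratum: 0
dc4.adsubdomain.domain.tld [10.1.1.4:123]:
    ICMP: error ERROR_TIMEOUT - no response from server in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@

function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # Server header: "name[ip:port]:" (optionally with " *** PDC ***")
        if ($line -match '^(?<server>\S.*?)\s*\[(?<ip>[^\]]+:\d+)\]:\s*$') {
            if ($current) { $current }          # emit the previous server
            $current = [pscustomobject]@{
                Server       = $Matches.server
                TimeDrift    = $null             # seconds, as reported by NTP line
                Connected    = $false            # true once a valid NTP offset is seen
                SourceServer = $null
            }
        }
        elseif ($current -and $line -match '^\s*NTP:\s+(?<off>[+-]\d+\.\d+)s offset from (?<src>\S+)') {
            $current.TimeDrift    = [double]$Matches.off
            $current.Connected    = $true
            $current.SourceServer = $Matches.src
        }
        elseif ($current -and $line -match '^\s*RefID:\s+(?<ref>\S+)') {
            # RefID names the real upstream (e.g. the pool member behind pool.ntp.org)
            $current.SourceServer = $Matches.ref
        }
    }
    if ($current) { $current }
}

# For a live run replace $sample with: (w32tm /monitor | Out-String)
$results = ConvertFrom-W32tmMonitor -Lines ($sample -split "`r?`n")
$results | Format-Table Server, TimeDrift, Connected, SourceServer -AutoSize

# Anything unreachable, or outside the 5-minute (300 s) Kerberos tolerance
$results | Where-Object { -not $_.Connected -or [math]::Abs($_.TimeDrift) -gt 300 }
```

Wrapping the final filter in a scheduled task and piping its output to Send-MailMessage gives the daily report mentioned above.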
