Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘NTP’ Category

(2013-11-17) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations (AGAIN)

Posted by Jorge on 2013-11-17


The default time synchronization hierarchy within any AD forest is shown in the picture below.

image_thumb7

Figure 1: Default Time Synchronization Hierarchy Within Any AD Forest

As displayed in figure 1, DCs have their own time synchronization mechanism. When virtualizing DCs, the time synchronization between the virtual DC (the VM guest) and the VM host must be disabled, and it must be ensured that the time synchronization mechanism natively used by the DCs is NOT disturbed. The reason is the high dependency that other processes (e.g. replication, authentication, etc.) have on accurate time.

OLD RECOMMENDATIONS:

  • Disable “Time Synchronization” within the Hyper-V Integration Services for each virtual DC VM (VM must be OFFLINE for this!)

image14

Figure 2: Hyper-V Time Synchronization Services In DISABLED State

  • Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
    • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    • Name: Enabled
    • Type: REG_DWORD
    • Data: 0x00000000

PREVIOUS RECOMMENDATIONS:

  • Leave “Time Synchronization” within the Hyper-V Integration Services ENABLED (DO NOT DISABLE!) for each virtual DC VM (VM must be OFFLINE for this!)
    REMARK: Microsoft documentation or other blogs may still advise disabling time sync with the host. That information is incorrect! Leave it enabled!
  • Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
    • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    • Name: Enabled
    • Type: REG_DWORD
    • Data: 0x00000000

NEW RECOMMENDATIONS:

  • Disable “Time Synchronization” within the Hyper-V Integration Services for each virtual DC VM (VM must be OFFLINE for this!)

image14

Figure 3: Hyper-V Time Synchronization Services In DISABLED State

UPDATE (2013-12-14): make sure to have the following hotfix (KB2902014) if the Hyper-V host is running WIN8 or W2K12

Additional information about configuring Time Sync for DCs can be found through the following links:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Core Networking Services, NTP, Virtualization | 6 Comments »

(2011-09-14) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations

Posted by Jorge on 2011-09-14


UPDATED: (2013-11-17) Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations (AGAIN)

The time synchronization hierarchy within any AD forest is shown in the picture below.

image

Figure 1: Default Time Synchronization Hierarchy Within Any AD Forest

As displayed in figure 1, DCs have their own time synchronization mechanism. When virtualizing DCs, the virtual DC (the VM guest) must not use the VM host as its time source, and it must be ensured that the time synchronization mechanism natively used by the DCs is NOT disturbed. The reason is the high dependency that other processes (e.g. replication, authentication, etc.) have on accurate time.

PREVIOUS RECOMMENDATIONS:

  • Disable “Time Synchronization” within the Hyper-V Integration Services for each virtual DC VM (VM must be OFFLINE for this!)

image

Figure 2: Hyper-V Time Synchronization Services In DISABLED State

  • Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
    • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    • Name: Enabled
    • Type: REG_DWORD
    • Data: 0x00000000

NEW RECOMMENDATIONS:

  • Leave “Time Synchronization” within the Hyper-V Integration Services ENABLED (DO NOT DISABLE!) for each virtual DC VM (VM must be OFFLINE for this!)
    REMARK: Microsoft documentation or other blogs may still advise disabling time sync with the host. That information is incorrect! Leave it enabled!
  • Disable the “VM IC Time Provider” on every virtual DC through the registry or through a custom GPO setting
    • Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
    • Name: Enabled
    • Type: REG_DWORD
    • Data: 0x00000000
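The host-side and guest-side settings from this post and from the 2013 update above, as an added PowerShell example (this is not code from the original posts). The host part needs the Hyper-V PowerShell module (Windows Server 2012 or later) and runs on the Hyper-V host; the guest part runs inside the virtual DC. The VM name 'DC01' is an assumption for this example.

```powershell
# Added example, not code from the original posts: apply and verify the Hyper-V time sync
# settings for a virtual DC. Host part: Hyper-V host (Hyper-V module, W2K12 or later).
# Guest part: inside the virtual DC. The VM name is an assumption.

$VmName = 'DC01'   # assumed VM name

# --- Host side -----------------------------------------------------------------------
# 2013 recommendation: turn the "Time Synchronization" integration service off.
# The 2011 recommendation left it on and only disabled the guest-side provider; pass
# -Enabled $true to get that state. Returns the effective state for verification.
function Set-VmDcTimeSync {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [bool] $Enabled = $false
    )
    if ($Enabled) {
        Enable-VMIntegrationService -VMName $Name -Name 'Time Synchronization'
    } else {
        Disable-VMIntegrationService -VMName $Name -Name 'Time Synchronization'
    }
    (Get-VMIntegrationService -VMName $Name -Name 'Time Synchronization').Enabled
}

# The 2013-12-14 update: a Windows 8 / Windows Server 2012 host (NT version 6.2) needs
# KB2902014. Returns $true when the hotfix is present or the host OS is not one it targets.
function Test-HyperVTimeSyncHotfix {
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.Version -notlike '6.2.*') { return $true }
    [bool](Get-HotFix -Id 'KB2902014' -ErrorAction SilentlyContinue)
}

# --- Guest side (inside the virtual DC) ---------------------------------------------
# Disable the "VM IC Time Provider" so w32time never takes the host clock as a time
# source, then make w32time re-read its configuration. Returns the new Enabled value (0).
$VmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Disable-VmicTimeProvider {
    if (-not (Test-Path $VmicKey)) {
        throw "Not a Hyper-V guest with Integration Services: $VmicKey is missing"
    }
    Set-ItemProperty -Path $VmicKey -Name Enabled -Value 0 -Type DWord
    & w32tm.exe /config /update | Out-Null
    (Get-ItemProperty -Path $VmicKey -Name Enabled).Enabled
}

# Verification: a virtual DC must report the domain hierarchy (or its manual NTP peers)
# as its source, never "VM IC Time Synchronization Provider".
function Test-DcTimeSource {
    $source = ((& w32tm.exe /query /source) -join '').Trim()
    New-Object PSObject -Property @{
        Source        = $source
        UsesHostClock = ($source -match 'VM IC Time Synchronization Provider')
    }
}

# On the host:   Set-VmDcTimeSync -Name $VmName        # False once disabled
#                Test-HyperVTimeSyncHotfix             # True when the host is OK
# In the guest:  Disable-VmicTimeProvider              # 0
#                Test-DcTimeSource                     # UsesHostClock must be False
```

Run Test-DcTimeSource in the guest after a reboot as well: that is the moment the integration service hands the host clock to the guest, and the only reliable proof that the DC has gone back to its own hierarchy afterwards.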

Additional information about configuring Time Sync for DCs can be found through the following links:

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), NTP, Virtualization | 4 Comments »

(2010-09-26) Configuring And Managing The Windows Time Service (Part 4)

Posted by Jorge on 2010-09-26


In the previous post (part 3) I discussed how to configure the DCs so that they do not accept, and therefore do not process, time jumps that are too large. Taking the first post (part 1) and the second post (part 2) into account as well, it is now interesting to know how you can see which configuration a certain DC or AD (member) client is actually using.

To view the time source a DC or an AD (member) client currently is using to synchronize the time from, use the following command:

W32TM /QUERY /SOURCE

image

To view the Windows Time Service configuration a DC or an AD (member) client currently has, use the following command:

W32TM /QUERY /CONFIGURATION

image

(this picture shows the configuration of the DC with the PDC FSMO role)

The Windows Time Service can be configured to log information into the System event log. The two settings that are available for this are:

  • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
    • GPO Setting: "Global Configuration Settings" = Enabled
      • GPO Setting Item: "EventLogFlags" = 2 (default value)
  • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers"
    • GPO Setting: "Configure Windows NTP Client" = Enabled
      • GPO Setting Item: "EventLogFlags" = 1 (default value) (The GPO shows "0", but in reality the default value is "1"!)

The first "EventLogFlags" item (under "Global Configuration Settings", i.e. W32Time\Config) controls whether the Windows Time Service logs an event when it makes a time jump (0x1) and/or when it starts using a different time source (0x2). The default value of 2 therefore logs source changes only.

The second "EventLogFlags" item (under "Configure Windows NTP Client", i.e. W32Time\TimeProviders\NtpClient) controls whether an event is logged when the reachability of the configured time source changes (0x1), for example when the NTP client is no longer able to reach the time server from which it synchronizes the time.

In addition to the information in the System event log, it is possible to enable debug logging for the Windows Time Service. When debug logging is enabled you can see what the Windows Time Service is doing under the hood.

To enable debug logging for the Windows Time Service, execute the following command:

W32TM /DEBUG /ENABLE /FILE:<Full Path To Log File> /SIZE:<Log File Size In Bytes> /ENTRIES:<Type Of Entries To Log>

W32TM /CONFIG /UPDATE

‘<Full Path To Log File>’ is the full path to the log file used for debug logging. For example: "C:\Windows\Debug\W32Time.log"

‘<Log File Size In Bytes>’ specifies the maximum size of the log file in bytes (not KB). For example ‘10000000’ means roughly ’10MB’.

‘<Type Of Entries To Log>’ is a numerical mask of the entries you wish to log in the log file. Each number in the range 0 to 300 represents a specific log entry type you would like to log. Just specifying 0-300 is the easiest way to use this, as it will log everything.

A sample of the log file is shown below

image

To disable debug logging for the Windows Time Service, execute the following command:

W32TM /DEBUG /DISABLE

W32TM /CONFIG /UPDATE

For more information about configuring the Windows Time Service debug log see the link ‘Configuring the Time Service: Enabling the Debug Log’.
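The query and debug-logging commands from this post, wrapped in PowerShell as an added example (not code from the original post). The parser turns the "Name: Value (Local|Policy)" lines of W32TM /QUERY /CONFIGURATION into a lookup table, which is also the quickest way to see whether a value comes from a GPO (Policy) or from the local registry (Local). The sample output is constructed to mirror the command's format and is only used when w32tm.exe is not available; the log path and size are assumptions.

```powershell
# Added example, not code from the original post: read the effective W32Time configuration,
# check the two EventLogFlags values discussed above, and switch debug logging on and off.
# $SampleConfig is constructed to mirror "w32tm /query /configuration" output and is used
# only when w32tm.exe is not available (e.g. on a non-Windows box).

$SampleConfig = @'
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Policy)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
EventLogFlags: 1 (Local)
Type: NT5DS (Local)
'@

# Each "Name: Value (Local|Policy)" line becomes a "Section.Name" key; Source records
# whether a GPO (Policy) or the local registry (Local) supplied the value.
function ConvertFrom-W32tmConfig {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $section = ''
    $result  = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\[(\w+)\]') { $section = $Matches[1]; continue }
        # Provider sub-headers under [TimeProviders], e.g. "NtpClient (Local)"
        if ($line -match '^(\w+)\s+\((Local|Policy)\)\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*(\w+):\s*(.*?)\s*\((Local|Policy)\)\s*$') {
            $result["$section.$($Matches[1])"] = New-Object PSObject -Property @{
                Value  = $Matches[2]
                Source = $Matches[3]
            }
        }
    }
    $result
}

function Get-W32tmConfig {
    if (Get-Command w32tm.exe -ErrorAction SilentlyContinue) {
        $lines = & w32tm.exe /query /configuration
    } else {
        $lines = $SampleConfig -split "`r?`n"
    }
    ConvertFrom-W32tmConfig -Lines $lines
}

# Config\EventLogFlags: 0x1 = log time jumps, 0x2 = log time source changes (default 2).
# NtpClient\EventLogFlags: 0x1 = log reachability changes of the time source (default 1,
# even though the GPO editor shows 0).
function Test-W32tmEventLogging {
    $cfg = Get-W32tmConfig
    $svc = [int]$cfg['Configuration.EventLogFlags'].Value
    $ntp = [int]$cfg['NtpClient.EventLogFlags'].Value
    New-Object PSObject -Property @{
        ServiceFlags            = $svc
        NtpClientFlags          = $ntp
        LogsTimeJumps           = (($svc -band 1) -ne 0)
        LogsSourceChanges       = (($svc -band 2) -ne 0)
        LogsReachabilityChanges = (($ntp -band 1) -ne 0)
    }
}

# Debug logging: /size is in bytes (10000000 is roughly 10 MB), /entries:0-300 logs everything.
function Enable-W32tmDebugLog {
    param(
        [string] $Path  = 'C:\Windows\Debug\W32Time.log',   # assumed path
        [int]    $Bytes = 10000000
    )
    & w32tm.exe /debug /enable "/file:$Path" "/size:$Bytes" /entries:0-300
    & w32tm.exe /config /update
}

function Disable-W32tmDebugLog {
    & w32tm.exe /debug /disable
    & w32tm.exe /config /update
}

# (Get-W32tmConfig)['Configuration.MaxPosPhaseCorrection']   # Value 172800, Source Local
# Test-W32tmEventLogging                                      # LogsSourceChanges True
```

Leave the debug log enabled only for the duration of a troubleshooting session: with /entries:0-300 it is chatty, and the file wraps at the size you gave it, so the evidence you want can be overwritten within hours on a busy PDC.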

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Blog Post Series, Core Networking Services, NTP | 6 Comments »

(2010-09-26) Configuring And Managing The Windows Time Service (Part 3)

Posted by Jorge on 2010-09-26


In the previous post (part 2) I discussed how to configure the DC in the forest root AD domain with PDC FSMO role by using GPOs and a WMI filter. After configuring the DC in the forest root AD domain with an external time source, you want or need to make sure no excessive time jumps occur back or forward on any DC in the AD forest. When excessive time jumps occur you will experience issues with AD replication, Kerberos authentication, object recovery, etc.

The configuration on DCs that prevents such an excessive time jump can be achieved either through local registry configuration or through GPOs. The GPO settings can be configured in the GPOs mentioned earlier, and the relevant GPO setting items are:

  • GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours)
  • GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours)

image

image

By default, the OS (W2K3 and higher) implements a window of 48 hours before the current time and 48 hours after the current time. If the time jump falls within the defined interval, it is accepted and processed. If it falls outside the defined interval, it is not accepted and therefore not processed. This is very good for preventing serious damage to your AD forest. What I do not understand is why Microsoft has chosen a default value of 48 hours. Personally I still find that interval too big. I would choose an interval closer to 10 or 15 minutes as an acceptable time jump. Taking an interval of 15 minutes into account, the XYZ would be 900 seconds. Be aware of the flip side: if a DC's clock is already off by more than the configured interval (for example after a long shutdown, or a VM restored from an old snapshot), the Windows Time Service refuses to correct it, and the clock has to be fixed manually before the DC synchronizes again.

For more information about protecting DCs from processing a time jump that’s too large see the links ‘Configuring the Time Service: Max[Pos/Neg]PhaseCorrection’, ‘Preventing large time offset problems’ and ‘How to configure the Windows Time service against a large time offset’.
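Before tightening MaxNegPhaseCorrection and MaxPosPhaseCorrection on a DC it pays to measure how far the clock is off against its upstream source, because a limit smaller than the current offset makes the Windows Time Service stop correcting the clock altogether. The added PowerShell example below (not code from the original post) does that check with W32TM /STRIPCHART and only then writes the two values to the local W32Time\Config registry key. The upstream name and the 900 s limit are assumptions; the sample stripchart lines are constructed to mirror the /DATAONLY output format. On DCs that receive these values through the GPOs of part 2 the (Policy) values override the local ones, so set the limit in the GPO instead; the offset check still applies.

```powershell
# Added example, not code from the original post: measure the offset against the upstream
# time source with "w32tm /stripchart" and apply a symmetric MaxNeg/MaxPosPhaseCorrection
# limit only when the clock is already inside it. Upstream name and limit are assumptions.

$W32TimeConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Parse "/dataonly" stripchart lines such as "12:00:01, +00.0123456s". Error samples look
# like "12:00:03, error: 0x800705B4" and are skipped. Emits the offsets in seconds.
function ConvertFrom-W32tmStripchart {
    param([Parameter(Mandatory)] [string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+)[.,](\d+)s') {
            [double]::Parse("$($Matches[1]).$($Matches[2])", [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

function Get-UpstreamOffsetSeconds {
    param(
        [Parameter(Mandatory)] [string] $Computer,   # what "w32tm /query /source" reports
        [int] $Samples = 3
    )
    $lines   = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly
    $offsets = @(ConvertFrom-W32tmStripchart -Lines $lines)
    if ($offsets.Count -eq 0) { throw "No usable samples from $Computer" }
    ($offsets | Measure-Object -Average).Average
}

# A limit is safe to apply when the current offset is inside it.
function Test-PhaseCorrectionLimit {
    param(
        [Parameter(Mandatory)] [double] $OffsetSeconds,
        [Parameter(Mandatory)] [int]    $LimitSeconds
    )
    [Math]::Abs($OffsetSeconds) -lt $LimitSeconds
}

function Set-PhaseCorrectionLimit {
    param(
        [Parameter(Mandatory)] [string] $Upstream,
        [int] $LimitSeconds = 900          # 15 minutes, as suggested in the post
    )
    $offset = Get-UpstreamOffsetSeconds -Computer $Upstream
    if (-not (Test-PhaseCorrectionLimit -OffsetSeconds $offset -LimitSeconds $LimitSeconds)) {
        throw ('Clock is off by {0:N3}s against {1}; resync first, then apply the {2}s limit.' -f $offset, $Upstream, $LimitSeconds)
    }
    Set-ItemProperty -Path $W32TimeConfigKey -Name MaxNegPhaseCorrection -Value $LimitSeconds -Type DWord
    Set-ItemProperty -Path $W32TimeConfigKey -Name MaxPosPhaseCorrection -Value $LimitSeconds -Type DWord
    & w32tm.exe /config /update | Out-Null
    Get-ItemProperty -Path $W32TimeConfigKey | Select-Object MaxNegPhaseCorrection, MaxPosPhaseCorrection
}

# Constructed sample (three good samples, one error) to exercise the parser offline:
$SampleStripchart = @(
    'Tracking pdc.example.local [10.0.0.10:123].',
    'Collecting 4 samples.',
    'The current time is 26-09-2010 12:00:00.',
    '12:00:00, +00.0123456s',
    '12:00:02, +00.0118201s',
    '12:00:04, error: 0x800705B4',
    '12:00:06, -00.0020000s'
)
# ConvertFrom-W32tmStripchart -Lines $SampleStripchart    # 0.0123456, 0.0118201, -0.002
# Set-PhaseCorrectionLimit -Upstream 'pdc.example.local'  # on a DC; throws if the offset is too large
```

The throw is deliberate: a DC that is already minutes off and then gets a 900 s window silently stops following the hierarchy, and you find out through Kerberos failures rather than through the script.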

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Blog Post Series, Core Networking Services, NTP | 6 Comments »

(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)

Posted by Jorge on 2010-09-26


In the previous post (part 1) I discussed how to manually configure the DC in the forest root AD domain with the PDC FSMO role. The commands mentioned in that post must be executed on the DC in the forest root AD domain hosting the PDC FSMO role. To avoid these manual actions, it is also possible to achieve the same result after a one-time configuration in AD through GPOs and a WMI filter. Perform the following tasks.

[Task 1] – Create a WMI filter to only target the DC with the PDC FSMO role.

image

In the GPMC create a WMI filter with the following configuration (without the single quotes):

  • WMI Filter Name: "RWDC With The PDC FSMO role" (can be something else of course)
  • WMI Filter Description: ‘This WMI filter targets the DC with the PDC FSMO Role’ (can be something else of course)
    • WMI Filter Namespace: ‘root\CIMv2’
  • WMI Filter Query: ‘Select * from Win32_ComputerSystem where DomainRole = 5’

[Task 2] – Create a GPO and link it to the Domain Controllers OU to target all DCs. Make sure it is applied after the GPO called "Default Domain Controllers Policy".

image

image

In the GPMC create a GPO with following configuration (without the single quotes):

  • GPO Name: "GPO_C_All-Domain-Controllers" (can be something else of course)
    • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
      • GPO Setting: "Global Configuration Settings" = Enabled
        • GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
        • GPO Setting Item: "HoldPeriod" = 5 (default value)
        • GPO Setting Item: "LargePhaseOffset" = 50000000 (default value)
        • GPO Setting Item: "MaxAllowedPhaseOffset" = 300 (default value)
        • GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item in part 3 of this series!)
        • GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item in part 3 of this series!)
        • GPO Setting Item: "PhaseCorrectRate" = 7 (default value) (The GPO shows "1", but in reality the default value is "7"!)
        • GPO Setting Item: "PollAdjustFactor" = 5 (default value)
        • GPO Setting Item: "SpikeWatchPeriod" = 900 (default value)
        • GPO Setting Item: "UpdateInterval" = 100 (default value)
        • GPO Setting Item: "AnnounceFlags" = 10 (default value)
        • GPO Setting Item: "EventLogFlags" = 2 (default value)
        • GPO Setting Item: "LocalClockDispersion" = 10 (default value)
        • GPO Setting Item: "MaxPollInterval" = 10 (default value)
        • GPO Setting Item: "MinPollInterval" = 6 (default value)
        • GPO Setting Item: "ChainEntryTimeout" = 16 (default value)
        • GPO Setting Item: "ChainMaxEntries" = 128 (default value)
        • GPO Setting Item: "ChainMaxHostEntries" = 4 (default value)
        • GPO Setting Item: "ChainDisable" = 0 (default value)
        • GPO Setting Item: "ChainLoggingRate" = 30 (default value)

REMARK: You must define all GPO configuration items with default or custom values, because they are all part of the same GPO setting.

[Task 3] – Create a GPO and link it to the Domain Controllers OU to target only the DC with the PDC FSMO role. Make sure it is applied after the GPO called "GPO_C_All-Domain-Controllers".

image

image

In the GPMC create a GPO following configuration (without the single quotes):

  • GPO Name: "GPO_C_RWDC-With-PDC-FSMO-Role" (can be something else of course)
    • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service"
      • GPO Setting: "Global Configuration Settings" = Enabled
        • GPO Setting Item: "FrequencyCorrectRate" = 4 (default value)
        • GPO Setting Item: "HoldPeriod" = 5 (default value)
        • GPO Setting Item: "LargePhaseOffset" = 50000000 (default value)
        • GPO Setting Item: "MaxAllowedPhaseOffset" = 300 (default value)
        • GPO Setting Item: "MaxNegPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item in part 3 of this series!)
        • GPO Setting Item: "MaxPosPhaseCorrection" = XYZ (default value = 172800 seconds = 48 hours) (more about this item in part 3 of this series!)
        • GPO Setting Item: "PhaseCorrectRate" = 7 (default value) (The GPO shows "1", but in reality the default value is "7"!)
        • GPO Setting Item: "PollAdjustFactor" = 5 (default value)
        • GPO Setting Item: "SpikeWatchPeriod" = 900 (default value)
        • GPO Setting Item: "UpdateInterval" = 100 (default value)
        • GPO Setting Item: "AnnounceFlags" = 5 (default value = 10)
        • GPO Setting Item: "EventLogFlags" = 2 (default value)
        • GPO Setting Item: "LocalClockDispersion" = 10 (default value)
        • GPO Setting Item: "MaxPollInterval" = 10 (default value)
        • GPO Setting Item: "MinPollInterval" = 6 (default value)
        • GPO Setting Item: "ChainEntryTimeout" = 16 (default value)
        • GPO Setting Item: "ChainMaxEntries" = 128 (default value)
        • GPO Setting Item: "ChainMaxHostEntries" = 4 (default value)
        • GPO Setting Item: "ChainDisable" = 0 (default value)
        • GPO Setting Item: "ChainLoggingRate" = 30 (default value)

REMARK: You must define all GPO configuration items with default or custom values, because they are all part of the same GPO setting.

  • GPO Node: "Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers"
    • GPO Setting: "Configure Windows NTP Client" = Enabled
      • GPO Setting Item: "NtpServer" = <NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag> (default value = time.windows.com,0x9)
      • GPO Setting Item: "Type" = NTP (default value = NT5DS)
      • GPO Setting Item: "CrossSiteSyncFlags" = 2 (default value)
      • GPO Setting Item: "ResolvePeerBackoffMinutes" = 15 (default value)
      • GPO Setting Item: "ResolvePeerBackoffMaxTimes" = 7 (default value)
      • GPO Setting Item: "SpecialPollInterval" = 3600 (default value)
      • GPO Setting Item: "EventLogFlags" = 1 (default value) (The GPO shows "0", but in reality the default value is "1"!)

REMARK: You must define all GPO configuration items with default or custom values, because they are all part of the same GPO setting.
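Tasks 2 and 3 scripted with the GroupPolicy module (Windows Server 2008 R2 or later), as an added example that is not code from the original post. The values are the ones listed above, written to the same policy registry keys the ADMX templates use; the Domain Controllers OU DN, the NTP peers and the 900 s phase-correction limit are assumptions. The WMI filter of Task 1 is still created and attached in the GPMC as described; the last function only checks the filter's query on the local DC.

```powershell
# Added example, not code from the original post: create the two GPOs from Tasks 2 and 3
# with the GroupPolicy module. OU DN, NTP peers and the phase-correction limit are assumed.
# Run in an elevated PowerShell on a DC or a box with the GPMC tools installed.

Import-Module GroupPolicy

$DcOu      = 'OU=Domain Controllers,DC=example,DC=local'     # assumed
$NtpPeers  = 'ntp1.example.net,0x9 ntp2.example.net,0x9'     # assumed external peers
$PolicyCfg = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Config'
$PolicyNtp = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

# Every item of "Global Configuration Settings" in one table, so the whole setting is
# defined (the REMARK above). AnnounceFlags and the phase-correction limit are the two
# that differ between the GPOs.
function Get-W32TimeGlobalSettings {
    param([int] $AnnounceFlags = 10, [int] $PhaseLimit = 900)
    @{
        FrequencyCorrectRate  = 4;           HoldPeriod            = 5
        LargePhaseOffset      = 50000000;    MaxAllowedPhaseOffset = 300
        MaxNegPhaseCorrection = $PhaseLimit; MaxPosPhaseCorrection = $PhaseLimit
        PhaseCorrectRate      = 7;           PollAdjustFactor      = 5
        SpikeWatchPeriod      = 900;         UpdateInterval        = 100
        AnnounceFlags         = $AnnounceFlags; EventLogFlags      = 2
        LocalClockDispersion  = 10;          MaxPollInterval       = 10
        MinPollInterval       = 6;           ChainEntryTimeout     = 16
        ChainMaxEntries       = 128;         ChainMaxHostEntries   = 4
        ChainDisable          = 0;           ChainLoggingRate      = 30
    }
}

# Write a set of DWORD values into a GPO under one policy key.
function Set-GpoDwordValues {
    param(
        [Parameter(Mandatory)] [string]    $GpoName,
        [Parameter(Mandatory)] [string]    $Key,
        [Parameter(Mandatory)] [hashtable] $Values
    )
    foreach ($item in $Values.GetEnumerator()) {
        Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $item.Key -Type DWord -Value ([int]$item.Value) | Out-Null
    }
}

# Link order 1 has the highest precedence (it is processed last). Linking each new GPO at
# order 1 pushes the Default Domain Controllers Policy down, which is what the post asks for.
function New-W32TimeGpo {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $GlobalSettings
    )
    $gpo = New-GPO -Name $Name
    Set-GpoDwordValues -GpoName $Name -Key $PolicyCfg -Values $GlobalSettings
    New-GPLink -Name $Name -Target $DcOu -LinkEnabled Yes -Order 1 | Out-Null
    $gpo
}

# Task 2: all DCs, default AnnounceFlags (10). Linked first, so it ends up at order 2.
New-W32TimeGpo -Name 'GPO_C_All-Domain-Controllers' -GlobalSettings (Get-W32TimeGlobalSettings)

# Task 3: PDC emulator only (attach the WMI filter in the GPMC). AnnounceFlags 5 marks it
# as a reliable time source; the NTP client settings point it at the external peers.
$pdcGpo = 'GPO_C_RWDC-With-PDC-FSMO-Role'
New-W32TimeGpo -Name $pdcGpo -GlobalSettings (Get-W32TimeGlobalSettings -AnnounceFlags 5)
Set-GPRegistryValue -Name $pdcGpo -Key $PolicyNtp -ValueName NtpServer -Type String -Value $NtpPeers | Out-Null
Set-GPRegistryValue -Name $pdcGpo -Key $PolicyNtp -ValueName Type      -Type String -Value 'NTP'     | Out-Null
$ntpClientValues = @{
    CrossSiteSyncFlags = 2; ResolvePeerBackoffMinutes = 15; ResolvePeerBackoffMaxTimes = 7
    SpecialPollInterval = 3600; EventLogFlags = 1
}
Set-GpoDwordValues -GpoName $pdcGpo -Key $PolicyNtp -Values $ntpClientValues

# Task 1 check: the filter query matches only the DC holding the PDC FSMO role (DomainRole 5).
function Test-IsPdcEmulator {
    [bool](Get-WmiObject -Namespace 'root\CIMv2' -Query 'Select * from Win32_ComputerSystem where DomainRole = 5')
}
```

After a gpupdate on a DC, W32TM /QUERY /CONFIGURATION should show these values with a (Policy) suffix; a (Local) suffix on MaxPosPhaseCorrection means the GPO did not apply (wrong link order, WMI filter evaluating false, or the setting only partly defined).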

For more information about configuring the DC in the forest root AD domain with the PDC FSMO role through a GPO and WMI Filter see the link ‘Configuring an Authoritative Time Server with Group Policy Using WMI Filtering’.

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Blog Post Series, Core Networking Services, NTP | 7 Comments »

(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)

Posted by Jorge on 2010-09-26


One of the important configurations required in your AD forest is the configuration of the Windows Time Service. Processes within AD, such as Kerberos authentication and AD replication, depend on the correct time on systems. A great explanation of how the Windows Time Service works within an AD forest can be found at the following links: ‘Keeping the Domain On Time’, ‘Windows Time Service Technical Reference’ and ‘How the Windows Time Service Works’.

The time synchronization hierarchy within an AD forest is shown in the picture below.

image

As you can see in the picture above, all systems within an AD forest use a fixed logic to determine which other system they contact to synchronize their time with. There is not much reason to change this, and my suggestion is not to change it. Even in a virtualized environment I still suggest that the virtualized systems synchronize their time using the default configuration and not with the host. At the top of the picture you can see that the PDC FSMO of the forest root AD domain needs to be configured with a (trusted) external time source. For a list of time servers available on the internet, see the link ‘A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet’.

One of the main reasons not to use the AD infrastructure for time synchronization, and rather implement a custom time synchronization solution, is when you have systems or applications that require very high accuracy in time synchronization. For more information about this see the link ‘High Accuracy W32time Requirements’.

With regards to manually configuring the DC in the forest root AD domain with the PDC FSMO role, the following command can be used. Execute it on that DC:

W32TM /CONFIG /MANUALPEERLIST:"<NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag>" /SYNCFROMFLAGS:MANUAL /RELIABLE:YES /UPDATE

‘<NTPSRV>’ is the actual NTP Server from which the time should be synchronized and can be noted by FQDN or IP Address.

‘<flag>’ can be any of the following values or combinations of values:

  • 0x1 — use the special poll interval (SpecialPollInterval) instead of the adaptive poll interval
  • 0x2 — UseAsFallbackOnly (only use this peer when the other peers are unavailable)
  • 0x4 — send requests in SymmetricActive mode (the local host configured in "symmetric active mode" uses the other NTP host to sync time, but also offers the other NTP host time to sync with)
  • 0x8 — send requests in Client mode (the local host configured in "client mode" uses the remote NTP host to sync time; this is the normal mode for an NTP client)

When you seize or transfer the PDC FSMO role to a new DC in the forest root AD domain, you have to execute the previous command on the new DC. If you are performing a transfer, you also have to reconfigure the old DC to use the default Windows Time Service configuration, i.e. the domain hierarchy. For that, execute the following command on the old DC:

W32TM /CONFIG /SYNCFROMFLAGS:DOMHIER /RELIABLE:NO /UPDATE

For more information about configuring the DC in the forest root AD domain with the PDC FSMO role see the links ‘Configure the Windows Time service on the PDC emulator in the Forest Root Domain’ and ‘Configuring the Time Service: NtpServer and SpecialPollInterval’.
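The two W32TM /CONFIG commands above, driven by the DC's current role, as an added PowerShell example (not code from the original post). The flag table builds the "<server>,<flag>" peer list from named bits so that 0x9 and friends are not hand-typed, and the last function picks the manual external peers or the domain hierarchy depending on whether the local DC holds the PDC FSMO role, which is what you want to run on both DCs after a transfer. The server names are assumptions.

```powershell
# Added example, not code from the original post: configure the PDC emulator's manual
# peer list from named flag bits, and fall back to the domain hierarchy on a DC that
# does not (or no longer) hold the role. Run as an administrator on the DC in question.

# Flag bits of the <flag> suffix in the manual peer list (and in the NtpServer value).
$PeerFlag = @{
    SpecialInterval   = 0x1   # poll at SpecialPollInterval instead of the adaptive interval
    UseAsFallbackOnly = 0x2
    SymmetricActive   = 0x4
    Client            = 0x8
}

# Build a "srv1,0x9 srv2,0x9" style peer list; flag names are OR-ed into one hex value.
function New-NtpPeerList {
    param(
        [Parameter(Mandatory)] [string[]] $Servers,
        [string[]] $Flags = @('SpecialInterval', 'Client')   # 0x9, the usual choice
    )
    $bits = 0
    foreach ($f in $Flags) {
        if (-not $PeerFlag.ContainsKey($f)) { throw "Unknown peer flag '$f'" }
        $bits = $bits -bor $PeerFlag[$f]
    }
    ($Servers | ForEach-Object { '{0},0x{1:x}' -f $_, $bits }) -join ' '
}

# Decode a flag value back into names, e.g. 0xa -> UseAsFallbackOnly, Client.
function Get-NtpPeerFlagNames {
    param([Parameter(Mandatory)] [int] $Value)
    $PeerFlag.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

# DomainRole 5 = PDC emulator (the same test the WMI filter in part 2 uses).
function Test-IsPdcEmulator {
    (Get-WmiObject Win32_ComputerSystem).DomainRole -eq 5
}

# Apply the configuration that matches this DC's current role, force a resync and
# return what w32tm now reports as its source.
function Set-DcTimeConfiguration {
    param([Parameter(Mandatory)] [string[]] $ExternalNtpServers)
    if (Test-IsPdcEmulator) {
        $peers   = New-NtpPeerList -Servers $ExternalNtpServers
        $peerArg = "/manualpeerlist:$peers"
        & w32tm.exe /config $peerArg /syncfromflags:manual /reliable:yes /update
    } else {
        & w32tm.exe /config /syncfromflags:domhier /reliable:no /update
    }
    & w32tm.exe /resync /nowait | Out-Null
    & w32tm.exe /query /source
}

# New-NtpPeerList -Servers 'ntp1.example.net','ntp2.example.net'   # ntp1.example.net,0x9 ntp2.example.net,0x9
# Get-NtpPeerFlagNames -Value 0xa                                   # UseAsFallbackOnly, Client
# Set-DcTimeConfiguration -ExternalNtpServers 'ntp1.example.net','ntp2.example.net'
```

Use at least two external peers with 0x9 rather than one: a single peer that goes away leaves the PDC emulator, and with it the whole forest, free-running on its local clock until somebody notices.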

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Blog Post Series, Core Networking Services, NTP | 7 Comments »