
Active Directory Monitoring: AD Time Service

Is time, or more precisely accurate time, necessary to operate an IT infrastructure? Well, it depends.

To operate a secure IT infrastructure, all computer systems need precise time information. Computer systems can query time information via NTP (Network Time Protocol) from other systems, so-called NTP servers or NTP sources, and adjust their local system time when it deviates.

This article deals with the importance of providing accurate time information and how this should shape Active Directory monitoring within your organization. It also covers the requirements within an Active Directory forest and why you should not leave computer time to itself.

Time information in Active Directory

All computers and systems that are members of an Active Directory domain synchronize their system time along the Active Directory hierarchy. A member computer queries the domain controllers it can reach for time synchronization. These, in turn, synchronize their time with the domain controller that holds the PDC emulator operations-master role (referred to here as the PDC functional role), up to the PDC of the forest root domain.

In the default configuration, the domain controller with the PDC functional role in the forest root domain does not use any other NTP server as a time source; it relies on its own local clock. This is not the optimal operating mode for the secure operation of an Active Directory forest.

Windows authentication via the Kerberos protocol allows a maximum time difference of five minutes between client and server. This default value is part of the Kerberos policy in the Default Domain Policy, and in most cases it remains unchanged over the lifetime of an Active Directory forest. If a system's time deviates by more than five minutes from the domain controller used for authentication, the issued Kerberos ticket is treated as expired, and the logon fails.

This example illustrates why it is vital to implement an appropriate Active Directory monitoring solution to ensure that accurate time information reaches every system in your IT infrastructure. Inaccurate time on two domain controllers also affects Active Directory replication, because server-to-server communication requires authentication.

Verify the time service (W32Time) on your local computer and on the domain controller with the PDC functional role. For security reasons, querying the time service configuration requires an administrative command-line session.

General configuration:
w32tm /query /configuration

Configured time source:
w32tm /query /source

Trusted Time Sources

A computer system's local clock is subject to physical drift and deviates from the "real" time over time. The domain controller with the PDC functional role is subject to this drift as well. Therefore, you must configure an external, trusted time source for the PDC. Time is a central part of your IT security strategy, so choose the time source carefully.

A PDC can obtain time information from an "official" NTP server using the NTP protocol. More than 4,000 NTP servers are available worldwide as part of the NTP Pool Project. The time request requires that the PDC can reach the selected NTP sources via NTP on UDP port 123, so ensure that your firewall policies allow this communication.

If using external NTP sources is not an option for your IT infrastructure, your only choice is to set up a local time server within your company network. Such a time server receives the official time signal via GPS or radio, such as DCF77 in Germany and Europe. These devices are available in industrial quality and are very robust.

Operating a PDC on a virtualization platform brings its own challenges. Because of the hypervisor's dynamic processor clocking, the PDC experiences unusual time fluctuations. Hypervisor vendors promise a remedy by synchronizing time with the help of the hypervisor tools: installed in the guest operating system, these tools synchronize the PDC's time with the hypervisor host's time. The idea is well-meant but causes problems if the host systems do not receive their own time from an official NTP source.

Configuration

The easiest way to configure the local PDC time service (W32Time) is via an administrative command line. If you want to synchronize time from the time server 0.nettime.pool.ntp.org, use the following command.

w32tm.exe /config /syncfromflags:manual /manualpeerlist:0.nettime.pool.ntp.org,0x8 /reliable:yes /update

After executing this command, you will find an entry with event ID 143 in the System event log: "The time service has started advertising as a good time source."

The PDC thus acts as a trustworthy time source within the Active Directory forest. Remember that this is a local Windows configuration and is not tied to the PDC functional role. When you transfer the PDC functional role to another domain controller, you must configure the time service on that computer separately.
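The following PowerShell script is an added example, not part of the article: it applies the time-service configuration that matches the local domain controller's role, so the right settings follow the PDC functional role when it is transferred. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module installed; the peer name is the one used in the article's command above.

```powershell
# Added example (not the article's own code). Assumes an elevated PowerShell
# session on a domain controller and the ActiveDirectory module.
# The peer name 0.nettime.pool.ntp.org and the 0x8 (client mode) flag are
# taken from the article's w32tm command.
$Peer = '0.nettime.pool.ntp.org,0x8'

# Identify the PDC emulator of the forest root domain and the local host's FQDN.
$forestRoot = (Get-ADForest).RootDomain
$pdc        = (Get-ADDomain -Identity $forestRoot).PDCEmulator
$me         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($pdc -ieq $me) {
    # Forest-root PDC emulator: sync from the external source and advertise as reliable.
    & w32tm.exe /config /syncfromflags:manual "/manualpeerlist:$Peer" /reliable:yes /update
} else {
    # Every other domain controller: follow the domain hierarchy, do not claim reliability.
    & w32tm.exe /config /syncfromflags:domhier /reliable:no /update
}

# Trigger a resync and show the source the service actually ended up with.
& w32tm.exe /resync /nowait | Out-Null
& w32tm.exe /query /source

# On the PDC, confirm that event ID 143 ("advertising as a good time source") was logged.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 143
} -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run the script on each domain controller after a role transfer; the non-PDC branch undoes a stale manual peer configuration left behind by a previous role holder.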

Monitoring

Monitoring the Windows Time service is essential for the reliable and secure operation of an Active Directory forest. Active Directory monitoring includes checking whether the Windows service is running and watching the event log for time service events.

The following two events are particularly noteworthy:

- Event ID 37
The time provider NtpClient is currently receiving valid time data from DC01.varunagroup.de (ntp.d|0.0.0.0:123->192.168.55.16:123).

This event shows which domain controller the local system uses as its time source and the resolved IP address. Check this event in particular after you make changes to a domain controller or any other domain controller-related DNS changes.

- Event ID 12
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

This event shows that the local system holds the PDC functional role but has no external time source configured. Pay particular attention to this event when moving the PDC role to a domain controller that has no external time source configured.
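As an added example (not code from the article or from ENow), the following PowerShell check covers the three monitoring points discussed above: the W32Time service state, the time-service events 12, 37 and 143, and the measured offset against the forest-root PDC compared with the five-minute Kerberos tolerance. It assumes an elevated session on a domain controller with the ActiveDirectory module; the 30-second warning threshold is an assumption.

```powershell
# Added example (not the article's code). Assumes an elevated PowerShell session on
# a domain controller and the ActiveDirectory module. Thresholds are assumptions:
# 300 s is the Kerberos tolerance the article cites, 30 s is an arbitrary warning level.
param([int]$LookbackHours = 24, [double]$WarnSeconds = 30, [double]$FailSeconds = 300)
$findings = @()

# 1. The time service must be running.
$svc = Get-Service -Name W32Time
if ($svc.Status -ne 'Running') { $findings += "FAIL: W32Time is $($svc.Status)" }

# 2. Event 12 = PDC without an external source; 37 = which peer is actually used;
#    143 = this host advertises itself as a good time source.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'
    Id = 12, 37, 143; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    switch ($e.Id) {
        12  { $findings += "FAIL: $($e.TimeCreated) PDC has no external time source (Event 12)" }
        37  { $findings += "INFO: $($e.TimeCreated) $($e.Message.Split("`n")[0])" }
        143 { $findings += "INFO: $($e.TimeCreated) advertising as good time source (Event 143)" }
    }
}

# 3. Measure the clock offset against the forest-root PDC emulator with w32tm /stripchart
#    and compare it with the Kerberos skew tolerance.
$pdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$raw = & w32tm.exe /stripchart /computer:$pdc /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    # Sample lines look like "12:00:01, +00.0003125s"; keep the absolute offset in seconds.
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
if (-not $offsets) {
    $findings += "FAIL: could not measure offset against $pdc"
} else {
    $max = ($offsets | Measure-Object -Maximum).Maximum
    if     ($max -ge $FailSeconds) { $findings += "FAIL: offset ${max}s vs $pdc exceeds Kerberos tolerance" }
    elseif ($max -ge $WarnSeconds) { $findings += "WARN: offset ${max}s vs $pdc" }
    else                           { $findings += "OK: offset ${max}s vs $pdc" }
}
$findings
```

Any line starting with FAIL is what a monitoring solution should alert on; the INFO lines for event 37 tell you which peer each domain controller is really following.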

Monitor your Active Directory forest with a proactive Active Directory monitoring solution. Active Directory is the backbone of your IT infrastructure and requires dedicated, reliable monitoring so that operational disruptions do not take you by surprise.

Summary

The Windows Time service is an inconspicuous little service among all the other Windows services that run on a computer system, which makes its importance for an Active Directory forest all the more remarkable. A misconfigured or neglected time configuration in an Active Directory infrastructure represents an enormous operational risk.

Time-based authentication problems affect not only a stand-alone on-premises Active Directory forest; they also have an immediate effect on a hybrid configuration with Azure AD single sign-on.

Configure time synchronization in your Active Directory forest and proactively monitor the domain controllers' time services. The Active Directory monitoring solution from ENow helps you do this.

Links

- Maximum tolerance for computer clock synchronization
- How the Windows Time Service Works
- Configure the Windows Time Service
- Network Time Protocol
- NTP Pool Project


Active Directory Monitoring with ENow

Active Directory is the foundation of your network and the structure that controls access to some of the most critical resources in your organization. ENow uncovers cracks in your Active Directory that can cause a security breach or a poor end-user experience. In particular, ENow enables you to:

- Report on highly privileged groups (domain admins)
- Detect AD replication errors
- Identify expensive LDAP queries
- Find DNS and name resolution problems
- Troubleshoot poor Exchange performance caused by Active Directory

Don’t take our word for it. Start your free trial today!
