Back to Blog

Active Directory Monitoring: The AD Time Service - Part 2

Image of Jonathan Summers
Jonathan Summers
Businessman typing on laptop keyboard

If you haven't yet read part 1 of this series, you can check it out here!

In the previous article “The Active Directory Time Service – Part 1: AD Monitoring basics of W32time”, you learned about how Network Time Protocol (NTP) and the Windows Time Service work within Active Directory and why they are a critical component of Active Directory Monitoring. In this next section we will learn about how to configure NTP time sync both manually and by using Group Policy. Before we go and make any changes, we need to check the current settings.

Time for Your Configuration Check

Go to any domain member to verify domain time synchronization settings using the registry editor at HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type:

Picture1-Feb-02-2021-09-45-20-23-PM
Non domain-joined workstation

If you see the value “NTP”, then the computer is synchronizing with the value of NtpServer, which in this case is time.windows.com.

Picture1-Feb-02-2021-09-46-06-61-PM
Domain-joined workstation

If you see the value “NT5DS”, the computer is synchronizing with the Active Directory time hierarchy.

Which events do I need to know for AD Monitoring?

On the domain controller side, you need to be monitoring Event logs and verifying the settings for the Windows Time service. These event logs are enabled by default and can be found in the event viewer under the Applications and Services Log\Microsoft\Windows\Time-Service\Operational channel. The following is a list of the Windows events that are logged regarding the Windows Time service that should be monitored with your AD monitoring solution.

Event 257 – Service Start

When the Windows Time Service is started either manually or by Windows itself, the information about the current time, current tick count, runtime configuration, time providers, and current clock rate are logged and displayed.

Picture1-Feb-02-2021-09-47-01-85-PM

Code Screenshot 2

This information can also be retrieved by using either of the following commands:

Clock rate:

- exe /query /status /verbose

W32Time and time provider information

- exe /query /configuration

Picture1-Feb-02-2021-09-48-14-57-PM

Event 258 – Service Stop

We see this event whenever the Windows time service is stopped. It will log information about current time and the tick count.

Picture1-Feb-02-2021-09-48-52-04-PM

Event 259 – NTP Client Provider Periodic Status

Every eight hours the list of time sources will be logged by the system. This will include the available time sources, the reference time server in use (remember more than one can be logged), and the current tick count.

Picture1-Feb-02-2021-09-49-25-55-PM

This information can also be retrieved manually by using this command

- exe /query /peers

Picture1-Feb-02-2021-09-50-03-46-PM

Event 260 – Time service configuration and status

An event that is logged once every eight hours that includes the Windows Time service configuration and status. This event is almost the same as event 257 except this event is run periodically after the service has already started.

This information can also be retrieved by using either of the following commands:

- exe /query /status /verbose
- exe /query /configuration

Picture1-Feb-02-2021-09-50-57-79-PM

Code Screenshot

Event 261 – System time is set

This event is logged whenever the System Time is modified using the SetSystemTime API. Although this event should rarely occur, you will want it logged each time it happens as it gives insight as to the health of your time synchronization.

Picture1-Feb-02-2021-09-52-07-13-PM

Event 262 - System clock frequency adjusted

W32time modifies the system clock frequency. Any time an adjustment is made that appears “reasonable significant” (Microsoft’s words) it will log the event. These adjustments happen all the time below the threshold so you will not see this event often. That is above min = 128 part per million, default = 800 part per million. The event will only get logged when a clock adjustment is above TimeAdjustmentAuditThreshold values. You can create finer tracking so you can adjust the setting down.

Event 263 - Change in the Time service settings or list of loaded time providers

This event happens when either an administrator or group policy has updated the time providers and restarts W32time. This is a critical piece of your AD monitoring of time synchronization because someone, somewhere has changed the time provider settings on either a PDC emulator or a domain or workgroup member client. When this occurs, it can also have a potential impact on your time synchronization because re-reading this critical setting is causing the setting to be modified in-memory. This can affect the overall accuracy of your time synchronization.

Picture1-Feb-02-2021-09-52-44-71-PM

Code screenshot

Event 264 - Change in time source(s) used by NTP Client

The NTP client records this event when the time server or peer changes its state (when a synchronization is pending, or the timeserver or peer is unreachable). This event happens at a maximum of once every 5 minutes. Any more often than that and the log may be prone to transient issues or bad provider information.

Picture1-Feb-02-2021-09-53-58-28-PM

Event 265 - Time service source or stratum number changes

This event is regarded by some to be the most critical when monitoring your NTP topology. Any changes to the W32time time source or stratum number need to be logged and monitored by your AD monitoring solution. Any time that a time source is removed (or not present), the server will stop acting as a time server and cease advertisement of such. All requests for time synchronization will be ignored and even possibly respond with invalid parameters.

Picture1-Feb-02-2021-09-54-24-33-PM

Event 266 - Time re-synchronization is requested

This event is logged at a maximum of once every five minutes. There are many possible causes for this event to occur:

- An administrator has issued a resynch command
- The computer did not synch for a log time
- When a network change occurred
- When the system has returned from standby or hibernation

There would be an immediate loss of any fine-grained time synchronization accuracy since the NTP client needs to clear its filters. This event is throttled by the system because any time you have a bad network connection (cable/card) this can trigger multiple events and overwhelm your logs.

Picture1-Feb-02-2021-09-55-07-30-PM

Picture1-Feb-02-2021-09-55-43-63-PM

Over the last two article we have covered what needs to be in place for Active Directory monitoring in your enterprise environment. On every PDC Emulator we need to be checking firewall UDP port 123, making sure all network elements are working as they should be, and monitoring for any events that may be logged to ensure that any changes to you W32time service are recorded and addressed accordingly. Please stay tuned for more AD monitoring articles to help you address any and all issues with your AD environment.



Active Directory Monitoring with ENow

Active Directory as the foundation of your network, and the structure that controls access to some of the most critical resources in your organization. ENow uncovers cracks in your Active Directory that can cause a security breach or poor end user experience. In particular, ENow enables you to:

- Report on highly privileged groups (domain admins)
- AD replication errors
- Identify Expensive LDAP queries
- DNS and name resolution problems
- Troubleshoot poor Exchange performance caused by Active Directory

Don’t take our word for it. Start your free trial today!

Learn more

Active Directory configurations pop up

Exchange Can't Start Due to Misconfigured AD Sites

Image of Michel de Rooij
Michel de Rooij

Recently, a customer had issues with their Exchange server which didn’t start properly after...

Read more
Businessman holding alarm clock

Active Directory Monitoring: AD Time Service

Image of Thomas Stensitzki
Thomas Stensitzki

Is time, or more precisely an accurate time, necessary to operate an IT infrastructure? Well,...

Read more