9/7/19

Many people take ‘time’ for granted, as if it were always a constant. For Windows Server, however, and specifically for Kerberos V5, clocks may differ by at most 5 minutes.

Essentially, if you let a clock drift more than 5 minutes you risk the computer going out of sync and being tombstoned by Kerberos as a valid domain entity; what this means is nothing good!

So it is very important to make sure your Windows domain has accurate time, and that it gets time from a secure source and nowhere else.

Two things to take into consideration: in a Windows Server world, the domain controller holding the PDC Emulator FSMO role is the keeper of time, and all of this happens over UDP port 123.

Let’s get started!

Step 1: using w32tm.exe

Type the following command on your PDC Emulator (you can find which DC holds the role by running ‘netdom query fsmo’):

w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update

Step 2: On every other domain controller, i.e. any DC that does not hold the PDC Emulator role, run the following command:

w32tm /config /syncfromflags:domhier /update

Step 3: Create a firewall rule that allows only a specific NTP server, such as ‘pool.ntp.org’, through on port 123 to the IP address of your forest’s PDC (likewise, if you have child domains, each child domain’s PDC will need a corresponding rule too).

https://www.ntppool.org/en/
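The three steps above, as one added PowerShell script that is not part of the original post: it looks up the PDC Emulator, applies the matching w32tm configuration depending on whether the local DC holds that role, verifies the resulting time source, measures the offset against the Kerberos 5-minute tolerance, and resolves the approved time server to the addresses you would put in the Step 3 firewall rule. It assumes the RSAT ActiveDirectory module is installed, that it runs elevated on a domain controller, and the time-server name ‘time.example.invalid’ is a placeholder to replace with your own.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module
# present, run elevated on a DC. $TimeSource is a placeholder, replace it.
param(
    [string]$TimeSource = 'time.example.invalid',   # hypothetical NTP server
    [int]$KerberosSkewSeconds = 300                 # Kerberos default: 5 minutes
)

Import-Module ActiveDirectory

# Step 1 / Step 2: decide which w32tm configuration applies to this DC.
$pdc  = (Get-ADDomain).PDCEmulator                                  # FQDN of the PDC Emulator
$self = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # this DC's FQDN

if ($self -ieq $pdc) {
    Write-Output "$self holds the PDC Emulator role: syncing from $TimeSource"
    w32tm /config /manualpeerlist:$TimeSource /syncfromflags:manual /reliable:yes /update
} else {
    Write-Output "$self is not the PDC ($pdc): syncing from the domain hierarchy"
    w32tm /config /syncfromflags:domhier /update
}

# Apply the change and force a resync against the newly configured source.
Restart-Service w32time
w32tm /resync /rediscover | Out-Null

# Verify: the source should be $TimeSource on the PDC, and a DC name elsewhere.
Write-Output "Configured source: $(w32tm /query /source)"
w32tm /query /peers

# Measure the offset against the authoritative server and compare it to the
# Kerberos tolerance. /dataonly lines look like "12:34:56, +00.0123456s".
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
if ($offsets) {
    $worst = ($offsets | Measure-Object -Maximum).Maximum
    if ($worst -gt $KerberosSkewSeconds) {
        Write-Warning "Offset of ${worst}s exceeds the ${KerberosSkewSeconds}s Kerberos tolerance"
    } else {
        Write-Output "Worst offset ${worst}s is within the ${KerberosSkewSeconds}s Kerberos tolerance"
    }
} else {
    Write-Warning "No samples returned from $TimeSource; check UDP 123 reachability"
}

# Step 3: the addresses the perimeter rule must permit to reach the PDC on UDP 123.
$allowed = (Resolve-DnsName -Name $TimeSource -Type A).IPAddress
Write-Output "Allow inbound UDP 123 to $pdc only from: $($allowed -join ', ')"

# Show any existing host firewall rules touching NTP so they can be scoped to $allowed.
Get-NetFirewallRule -DisplayName '*NTP*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Enabled, Action
```

One caveat on the Step 3 rule: a pool hostname such as pool.ntp.org resolves to a rotating set of addresses, so a firewall rule pinned to the addresses resolved today will silently start dropping replies once the pool rotates. Pin the rule to a fixed server you control or one with stable addresses, and re-run the resolution step whenever the rule stops matching.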

In conclusion, NTP is a very important but often forgotten setting in a Windows world. We just assume that the clock will always work, and normally it does, but do you truly know where your time is coming from?

Lock it down, and do a search yourself: there is ntp.org, and also a few dozen government atomic NTP clocks to use. Make sure your time is not used as a weapon!

-Trevor