What is Network Time Protocol?
Network Time Protocol (or NTP for short) is a network protocol that allows computer systems on a network to keep their clocks in agreement. It is a hierarchical structure, starting with reference clocks (such as atomic clocks) at the top and ending up at your workstation in the office. The inner workings and design of it are a lot more complex, and I would recommend checking out the video below by Half as Interesting on the subject. It's a very entertaining way to learn about it.
How does NTP work in a Windows environment?
Generally in a Windows environment there are two kinds of time keepers: domain controllers and Hyper-V hosts. Domain controllers hand out time to the workstations and servers joined to their domain. A domain-joined workstation asks a domain controller (by default, the one that authenticated it) for the time and applies it to its own clock. The domain controllers themselves (if there are multiple) get their time from the domain controller holding the PDC Emulator FSMO role. You can check which domain controller holds that role by running the following command in command prompt:
netdom query fsmo
This special domain controller acts as the time keeper of the domain and is itself synced to an external time source (whether that be another NTP server, a free-running system clock, or the virtualization host). You can check what your server or workstation is using for its time source by running the following commands in an elevated command prompt. They display useful information such as the source it is pulling time from, its stratum, the last successful sync time and the poll interval.
w32tm /query /status
w32tm /query /configuration
A Hyper-V host can also serve as a time keeper: through the Time Synchronization integration service it passes its time down to its virtual machines. The host itself is synced to a time source such as a free-running system clock, another NTP server or a domain controller. Be careful when the domain controllers are themselves virtual machines. If a virtualized PDC Emulator takes its time from the host while the host takes its time from the domain, the two follow each other with nothing external in the loop, so the PDC Emulator should be pointed at an external NTP source rather than inheriting time from the host.
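To see the hierarchy described above for your own domain rather than take it on faith, here is an added PowerShell audit script. It is my example and not part of the original write-up; it assumes the RSAT ActiveDirectory module, RPC access to every domain controller (w32tm queries remote machines over RPC) and a domain-joined machine to run it from, and the function names are my own. For each DC it reports the role, the source it names in w32tm /query /source, and its offset from the PDC Emulator measured with w32tm /stripchart.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module and
# RPC access to every domain controller; function names are my own.

function Get-TimeOffsetSeconds {
    # Average NTP offset of $Computer relative to the machine running this script.
    param([string]$Computer, [int]$Samples = 3)
    $lines  = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $values = foreach ($line in $lines) {
        # Good rows look like "14:05:12, +00.0012345s"; failures look like "14:05:12, error: 0x800705B4".
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    if (-not $values) { return $null }
    ($values | Measure-Object -Average).Average
}

function Get-TimeHierarchyReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$Samples = 3)
    $pdc       = (Get-ADDomain -Identity $Domain).PDCEmulator
    $pdcOffset = Get-TimeOffsetSeconds -Computer $pdc -Samples $Samples

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
        $isPdc  = ($dc -ieq $pdc)
        $source = "$(& w32tm.exe /query /computer:$dc /source 2>&1 | Select-Object -First 1)".Trim()
        $offset = Get-TimeOffsetSeconds -Computer $dc -Samples $Samples

        # What "good" looks like depends on the role: the PDC Emulator should name an upstream
        # NTP server, every other DC should name a DC (ideally the PDC Emulator itself).
        $finding = switch -Regex ($source) {
            'Local CMOS Clock|Free-running System Clock' { 'WARN: free-running, no upstream source' }
            'VM IC Time Synchronization Provider'        { 'WARN: inheriting time from the hypervisor' }
            default {
                if ($isPdc)                    { 'OK: PDC Emulator with an upstream source' }
                elseif ($source -like "$pdc*") { 'OK: following the PDC Emulator' }
                else                           { 'INFO: following another DC in the hierarchy' }
            }
        }

        [pscustomobject]@{
            DomainController = $dc
            Role             = if ($isPdc) { 'PDC Emulator' } else { 'DC' }
            Source           = $source
            OffsetFromPdcSec = if ($null -ne $offset -and $null -ne $pdcOffset) {
                                   [math]::Round($offset - $pdcOffset, 4)
                               } else { $null }
            Finding          = $finding
        }
    }
}

Get-TimeHierarchyReport | Sort-Object Role -Descending | Format-Table -AutoSize
```

Both offsets are measured from the machine running the script, so the PDC Emulator's own offset is subtracted out to give each DC's drift relative to it. A DC whose Source reads VM IC Time Synchronization Provider is the virtualized-DC loop mentioned above; a PDC Emulator reading Local CMOS Clock has no external source at all.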
Best Practices
It is generally considered best practice to keep the hierarchical design of NTP in mind when setting it up in your internal environment. You want one time server (in Windows AD environments, that would be the PDC Emulator we talked about earlier) and all other servers and workstations querying that one server, so every machine in the environment has the same time. What you don't want is every device continuously bombarding external NTP servers with requests; just one device should, and that one shares the time with the rest. If for some reason a workstation is not using a domain controller as its time server, you can use the following commands to point the workstation/server/machine back at the domain hierarchy.
net stop w32time
w32tm /config /syncfromflags:DOMHIER
net start w32time
w32tm /resync
This is important, as a lot of services, including Active Directory itself, require clocks to be relatively close in order to function properly. Kerberos, which Active Directory authentication relies on, tolerates a clock skew of 5 minutes by default, so drift under that is generally ok, but anything beyond it causes authentication to fail and takes down everything that depends on it. That is why, although often overlooked, time is a crucial thing to get right in your environment.
- CRITICAL: If changing the time in a production environment, please keep in mind the effect a time change could have on the environment. For Windows environments, I make sure there is a way to log in locally to machines/servers in case Active Directory authentication stops working.
Set an External NTP Server
1. Select your NTP server. This can be a standalone server or your PDC Emulator if you have a Windows Active Directory environment. Once identified, log in and open command prompt in an elevated session (Run as Administrator).
2. Stop the time service. Use the following command to stop the time service so we can make changes to it.
net stop w32time
3. Set your external time server. It is recommended to use a reputable external time source. There are many available; here is a sample list. I personally prefer to use the NTP pool from ntppool.org. If you are in the US and would like to use them as well, enter the following command, or replace the list with your own choice of servers. Note that the peers in the list are separated by spaces, not commas: the comma after each name introduces that peer's flags, and 0x8 tells w32time to query that peer in client mode.
w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8"
4. Set source as reliable. This step only applies when you are doing these instructions on the PDC Emulator; the /reliable switch is only meaningful on domain controllers and should not be set on workstations or member servers.
w32tm /config /reliable:yes
5. Start the time service and sync. Start the time service again and use the command below to force the device to sync. The resync command may need to be run several times before it pulls the right time; confirm with w32tm /query /status that the Source line shows one of your external servers rather than the local clock.
net start w32time
w32tm /resync
6. Clean up. If applicable, make sure all other domain controllers are in sync with the PDC Emulator by running the resync command on them. Then go through and make sure all servers are syncing as well. You can either wait for their next poll or force a sync with the same command.
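Putting the Best Practices commands and steps 1 through 6 together, here is an added PowerShell version that I wrote for this page; it is not from the original post. It applies the right settings for the role of the machine it runs on: the PDC Emulator gets the external peer list and /reliable:yes, everything else gets the domain hierarchy and /reliable is left alone. It assumes an elevated session, the RSAT ActiveDirectory module, and that the machine's DNS host name matches what AD reports for the PDC Emulator; the function names are my own and the default peer list is the US pool from step 3.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Run in an elevated PowerShell session on the
# machine you want to configure; assumes the RSAT ActiveDirectory module is installed.

function Get-W32tmStatusField {
    # Pull one "Name: value" field out of the output of "w32tm /query /status".
    param([string[]]$Status, [string]$Name)
    $m = $Status | Select-String -Pattern "^$Name\s*:\s*(.*)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Set-W32TimeForRole {
    param(
        # Sample peer list (US NTP pool, as in step 3); replace with your own servers.
        [string[]]$ExternalPeers = @('0.us.pool.ntp.org', '1.us.pool.ntp.org',
                                     '2.us.pool.ntp.org', '3.us.pool.ntp.org'),
        [int]$ResyncAttempts = 5
    )
    $pdc   = (Get-ADDomain).PDCEmulator
    $isPdc = ($pdc -ieq [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

    if ($isPdc) {
        # Only the PDC Emulator talks to the outside world. Peers are separated by spaces;
        # the comma separates a peer from its flags, and 0x8 means "client mode".
        $peerArg = "/manualpeerlist:" + (($ExternalPeers | ForEach-Object { "$_,0x8" }) -join ' ')
        & w32tm.exe /config /syncfromflags:manual $peerArg /reliable:yes /update | Out-Null
    }
    else {
        # Every other DC, server and workstation follows the domain hierarchy.
        # /reliable is only meaningful on a domain controller, so it is deliberately not touched.
        & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
    }

    Restart-Service -Name w32time

    # /resync often fails once or twice right after a restart while peers are being discovered.
    $synced = $false
    for ($i = 1; ($i -le $ResyncAttempts) -and (-not $synced); $i++) {
        $synced = ("$(& w32tm.exe /resync 2>&1)" -match 'completed successfully')
        if (-not $synced) { Start-Sleep -Seconds 5 }
    }

    # Report the fields the post tells you to check in "w32tm /query /status".
    $status = & w32tm.exe /query /status 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Role         = if ($isPdc) { 'PDC Emulator' } else { 'Domain member' }
        Synced       = $synced
        Source       = Get-W32tmStatusField -Status $status -Name 'Source'
        Stratum      = Get-W32tmStatusField -Status $status -Name 'Stratum'
        LastSync     = Get-W32tmStatusField -Status $status -Name 'Last Successful Sync Time'
        PollInterval = Get-W32tmStatusField -Status $status -Name 'Poll Interval'
    }
}

function Sync-OtherDomainControllers {
    # Step 6: force every DC other than the PDC Emulator to resync now instead of waiting for its next poll.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc    = (Get-ADDomain -Identity $Domain).PDCEmulator
    $others = (Get-ADDomainController -Filter * -Server $Domain).HostName | Where-Object { $_ -ine $pdc }
    foreach ($dc in $others) {
        $out = & w32tm.exe /resync /computer:$dc 2>&1
        [pscustomobject]@{ DomainController = $dc; Resynced = ("$out" -match 'completed successfully') }
    }
}

Set-W32TimeForRole | Format-List
Sync-OtherDomainControllers | Format-Table -AutoSize
```

Restart-Service replaces the net stop / net start pair, and /update tells the running service to pick up the new configuration. If Synced comes back False after all attempts, look at the Source field: a value of Local CMOS Clock means the machine never reached any of its peers, which on the PDC Emulator usually points at outbound UDP/123 being blocked.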
Wrapping Up
In conclusion, although it may seem trivial and is often overlooked, time plays a critical role in network infrastructure. Making sure it is set up correctly is crucial for operations and security alike: Kerberos authentication, certificate validity checks and the ability to line up logs from different systems during an investigation all depend on it. Hopefully this guide provided some good insight into what needs to be done in order to set it up, and into best practice when it comes to NTP.