Domain controller time synchronization settings

Date: 2020-11-26

Background

For ease of day-to-day management, every host and server on the company network has been joined to the domain, and a self-hosted Exchange server handles office mail. A few days ago mail could neither be sent nor received. Investigation showed that the clock on the Exchange server had drifted from the domain controller by more than 5 minutes (beyond the clock skew Kerberos tolerates by default, so authentication between the two failed); once the time was corrected, mail flowed again. To keep this from recurring, domain members will now take their time from the domain controller, which in turn synchronizes with Alibaba Cloud's NTP service.

Configuration

The configuration has two parts: first, synchronize the domain controller with Alibaba Cloud NTP; second, use Group Policy to make the domain members synchronize with the domain controller.

1、 Configure NTP on the domain controller
1. Add the time server address (domain name or IP). The key below holds the list of time servers offered in the Internet Time tab of the Date and Time control panel (W32Time itself does not read this list; the real source is set in step 2):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers

Right-click in the right-hand pane, create a new String Value and name it 6. Double-click the new value, enter the address ntp.aliyun.com and save. Then change the (Default) value, which holds the index of the selected server, from its current number to 6. The existing entries 1 to 5 are:

time.windows.com
time.nist.gov
time-nw.nist.gov
time-a.nist.gov
time-b.nist.gov

2. Specify the time source

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Set the value NtpServer to ntp.aliyun.com,0x6 and make sure Type is NTP: a domain controller that is to follow an external source cannot stay on NT5DS (the domain-hierarchy mode), because it is at the top of that hierarchy and has no upstream there.
Note on the suffix: the flag bits are 0x1 SpecialInterval (use SpecialPollInterval), 0x2 UseAsFallbackOnly, 0x4 SymmetricActive and 0x8 Client. 0x6 omits 0x1, so the 1800-second interval set in the next step is not applied and the status output in step 5 still reports a 1024 s poll interval. Use 0x9 (client mode plus special interval) if you want step 3 to take effect.

3. Set the polling interval

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Set the value SpecialPollInterval to 1800 in decimal (1800 seconds, half an hour). It is only honoured when the NtpServer flag includes 0x1 (see step 2).

4. Restart the service
Restart the Windows Time service: net stop w32time & net start w32time

5. Verify the configuration

C:\Users\Administrator>w32tm /query /status
Leap Indicator: 0 (no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0424652s
Root Dispersion: 0.0296346s
ReferenceId: 0xCB6B0658 (source IP: 203.107.6.88)
Last Successful Sync Time: 2020/7/20 11:19:13
Source: ntp.aliyun.com,0x6
Poll Interval: 10 (1024s)


C:\Users\Administrator>w32tm /query /peers
#Peers: 1

Peer: ntp.aliyun.com,0x6
State: Active
Time Remaining: 759.4448167s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

The Source line must name the external server, and the stratum should be one above the upstream: ntp.aliyun.com answers at stratum 2, so the domain controller becomes stratum 3. The 1024 s Poll Interval confirms the flag caveat from step 2. Also run w32tm /query /configuration: every value should be labelled (Local); a (Policy) label means a Group Policy is overriding it.

2、 Configure the authoritative time server and the group policy
1. Set the domain controller as an authoritative time server
Open the registry on the domain controller and find the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Set the value AnnounceFlags to 10 in decimal (0x0A: announce as a time server and as a reliable time server automatically; this is the default on a domain controller). Microsoft's guidance for a PDC emulator that synchronizes with an external source is 5 (0x05: always announce as a time server and as reliable).

2. Enable the NTP server provider

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Set the value Enabled to 1 in decimal
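The domain-controller side of the procedure (part 1 and part 2, steps 1 and 2) as one script. This is an added example, not code from the original article; it is meant to be run elevated on the PDC emulator. The upstream server is the article's ntp.aliyun.com; the 0x9 peer flag, the explicit Type=NTP and AnnounceFlags=5 are deliberate departures from the article's values and are explained in the comments.

```powershell
# Added example, not from the original article. Run elevated on the PDC emulator.
$ErrorActionPreference = 'Stop'
$w32      = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$upstream = 'ntp.aliyun.com'   # the article's upstream server

# --- NTP client side (part 1) ---
# Peer flags: 0x1 = use SpecialPollInterval, 0x8 = client mode. The article's 0x6
# (fallback + symmetric active) lacks 0x1, which is why its status output still
# shows a 1024 s poll interval instead of the 1800 s configured below.
Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer -Value "$upstream,0x9"
# A domain member defaults to Type=NT5DS (sync from the domain hierarchy). The DC at
# the top of that hierarchy has no upstream there, so it must be NTP to use NtpServer.
Set-ItemProperty -Path "$w32\Parameters" -Name Type -Value 'NTP'
Set-ItemProperty -Path "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 1800 -Type DWord

# --- Time server side (part 2, steps 1-2) ---
# 0x5 = always announce as time server (0x1) and as reliable time server (0x4).
# The article's 10 (0xA) is the "automatic" default; 5 is the value Microsoft
# documents for a PDC emulator that follows an external source.
Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 5 -Type DWord
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

# --- Internet Time tab list (part 1, step 1). UI only; W32Time does not read it. ---
$servers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers'
Set-ItemProperty -Path $servers -Name '6' -Value $upstream
Set-ItemProperty -Path $servers -Name '(default)' -Value '6'

# --- Restart and verify ---
Restart-Service w32time
w32tm /resync /rediscover | Out-Null
Start-Sleep -Seconds 5

# Locale-independent checks: /query /source prints only the peer name, and Type is
# read back from the registry, so this also works on a non-English Windows.
$source = (w32tm /query /source) -join ''
$type   = (Get-ItemProperty "$w32\Parameters").Type
if ($source -notlike "$upstream*") { throw "W32Time source is '$source', expected $upstream" }
if ($type -ne 'NTP')               { throw "W32Time Type is '$type', expected NTP" }

# Measured offset against the upstream: three samples, data rows only
# (each row looks like "HH:mm:ss, +00.0123456s"; error rows carry no offset).
$offsets = w32tm /stripchart /computer:$upstream /samples:3 /dataonly |
    ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } }
"Offset to $upstream in seconds: $($offsets -join ', ')"
w32tm /query /status
```

The script deliberately checks the result through w32tm /query /source and the registry rather than by matching the text of w32tm /query /status, because that text is localized (the article's own output was captured on a Chinese-language system).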

3. Create the group policy that sets time synchronization

(1) Open Active Directory Users and Computers, create a new organizational unit named "Desktop & Server", and move every computer from the Computers container into it. (This step matters; see the Pitfalls section at the end.)

(2) Open Group Policy Management: Control Panel > Administrative Tools > Group Policy Management.

(3) Select the new "Desktop & Server" OU, right-click, choose "Create a GPO in this domain, and Link it here...", and enter a name for the new GPO (any name will do).

(4) Under Group Policy Objects, select the new GPO, right-click and choose Edit.

(5) Computer Configuration > Policies > Administrative Templates > System > Windows Time Service: double-click Global Configuration Settings and select Enabled.
Set MaxNegPhaseCorrection to 3600 (3600 seconds, 1 hour)
Set MaxPosPhaseCorrection to 3600 (3600 seconds, 1 hour)
Set AnnounceFlags to 5
Click Apply and OK.
The two limits are the largest backward and forward correction W32Time will apply; a member whose clock is off by more than an hour rejects the sample and stays wrong until it is corrected by hand, so choose a value you can live with. AnnounceFlags only has an effect on a host that runs the NTP server provider, which members do not, so on them it is inert.

(6) Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers: double-click Enable Windows NTP Client and select Enabled.
Then double-click Configure Windows NTP Client and select Enabled.
Set NtpServer to dc.rybb.com,0x6
Note: dc.rybb.com is the host name (FQDN) of your domain controller. The flag suffix has the same meaning as in part 1, step 2; 0x9 is needed if SpecialPollInterval is to take effect. NtpServer accepts several peers separated by spaces, so listing a second domain controller avoids a single point of failure.
Set Type to NTP
Set SpecialPollInterval to 1800 (30 minutes)
Note that a domain member defaults to Type NT5DS, which follows the domain hierarchy to the domain controller that authenticated it; Type NTP instead pins members to the peers named in NtpServer.

4. Apply the policy on a domain member
Refresh Group Policy: gpupdate /force
Restart the Windows Time service: net stop w32time & net start w32time
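The same OU and GPO built without the GUI, as an added example that is not part of the original article. It uses the ActiveDirectory and GroupPolicy RSAT modules and assumes a domain admin session on a host that has them; the OU name, GPO name and dc.rybb.com are the article's, and members are pointed at the DC with 0x9 rather than the article's 0x6 so that SpecialPollInterval is honoured.

```powershell
# Added example, not from the original article. Requires RSAT (ActiveDirectory, GroupPolicy).
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, GroupPolicy

$domain  = Get-ADDomain
$ouName  = 'Desktop & Server'                      # article's OU name
$ouDN    = "OU=$ouName,$($domain.DistinguishedName)"
$dcFqdn  = 'dc.rybb.com'                           # article's domain controller
$gpoName = 'W32Time - members sync from DC'        # illustrative GPO name

# (1) OU for everything except domain controllers, then empty the Computers container
# into it. DCs live in OU=Domain Controllers, never in CN=Computers, so they are untouched.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
            -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}
Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel -Filter * |
    Move-ADObject -TargetPath $ouDN

# (2)-(4) Create the GPO and link it to the new OU only, not to the domain root (see Pitfalls).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }

# (5)-(6) The Administrative Template settings are registry-based policy under
# HKLM\SOFTWARE\Policies\Microsoft\W32Time; writing these values is what the editor does.
$pol = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time'
$settings = @(
    # Global Configuration Settings
    @{ Key = "$pol\Config"; ValueName = 'MaxPosPhaseCorrection'; Type = 'DWord'; Value = 3600 },
    @{ Key = "$pol\Config"; ValueName = 'MaxNegPhaseCorrection'; Type = 'DWord'; Value = 3600 },
    # AnnounceFlags as in the article; inert on members because their NtpServer provider is off
    @{ Key = "$pol\Config"; ValueName = 'AnnounceFlags'; Type = 'DWord'; Value = 5 },
    # Enable Windows NTP Client
    @{ Key = "$pol\TimeProviders\NtpClient"; ValueName = 'Enabled'; Type = 'DWord'; Value = 1 },
    # Configure Windows NTP Client (0x9 = client mode + honour SpecialPollInterval)
    @{ Key = "$pol\TimeProviders\NtpClient"; ValueName = 'NtpServer'; Type = 'String'; Value = "$dcFqdn,0x9" },
    @{ Key = "$pol\TimeProviders\NtpClient"; ValueName = 'Type'; Type = 'String'; Value = 'NTP' },
    @{ Key = "$pol\TimeProviders\NtpClient"; ValueName = 'SpecialPollInterval'; Type = 'DWord'; Value = 1800 }
)
foreach ($s in $settings) { Set-GPRegistryValue -Name $gpoName @s | Out-Null }

# Read back what the GPO now carries for the NTP client
Get-GPRegistryValue -Name $gpoName -Key "$pol\TimeProviders\NtpClient" |
    Select-Object ValueName, Type, Value
```

Members pick the settings up at the next policy refresh; gpupdate /force followed by a restart of w32time, as in step 4, makes it immediate.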

5. Verify the configuration on a domain member

C:\Users\Administrator>w32tm /query /status
Leap Indicator: 0 (no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0738678s
Root Dispersion: 0.1001609s
ReferenceId: 0xAC10F665 (source IP: 172.16.1.10)
Last Successful Sync Time: 2020/7/20 12:17:49
Source: dc.rybb.com,0x6
Poll Interval: 10 (1024s)


C:\Users\Administrator>w32tm /query /peers
#Peers: 1

Peer: dc.rybb.com,0x6
State: Active
Time Remaining: 810.3614176s
Mode: 1 (Symmetric Active)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

The member now reports the domain controller (172.16.1.10) as its source and sits at stratum 4, one below the DC's stratum 3.
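Checking one member by hand is fine; the failure in the Background was a single server that had drifted past the 5-minute clock skew Kerberos tolerates by default, which is exactly what a periodic sweep catches. The following is an added example, not from the original article: it runs w32tm /stripchart against the DC on every computer in the OU and flags any host outside that tolerance. It assumes a management host with the ActiveDirectory module, WinRM enabled on the members, and the article's dc.rybb.com and "Desktop & Server" OU; the stripchart sample shown is constructed, not captured.

```powershell
# Added example, not from the original article.
$dcFqdn    = 'dc.rybb.com'                         # article's domain controller
$ouDN      = 'OU=Desktop & Server,DC=rybb,DC=com'  # article's OU
$tolerance = [TimeSpan]::FromMinutes(5)            # Kerberos default MaxClockSkew

function ConvertFrom-StripchartOutput {
    # Turn the sample rows of "w32tm /stripchart ... /dataonly" into offsets in seconds.
    # Rows look like "12:17:49, +00.0312456s"; timeout rows ("12:17:51, error: 0x800705B4")
    # and the header lines carry no offset and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
}

function Get-DomainTimeSkew {
    # Run stripchart on each member (members do not answer NTP themselves, so the
    # measurement has to be taken from the member toward the DC) and judge the result.
    param([string[]]$ComputerName, [string]$TimeSource, [TimeSpan]$MaxSkew)
    foreach ($c in $ComputerName) {
        try {
            $raw = Invoke-Command -ComputerName $c -ErrorAction Stop -ArgumentList $TimeSource -ScriptBlock {
                param($src) w32tm /stripchart /computer:$src /samples:3 /dataonly
            }
            $offsets = @(ConvertFrom-StripchartOutput $raw)
            $offset  = if ($offsets.Count) { ($offsets | Measure-Object -Average).Average } else { $null }
            [pscustomobject]@{
                Computer      = $c
                OffsetSeconds = $offset
                Ok            = ($null -ne $offset -and [math]::Abs($offset) -lt $MaxSkew.TotalSeconds)
                Error         = if ($null -eq $offset) { 'no valid samples' } else { $null }
            }
        } catch {
            [pscustomobject]@{ Computer = $c; OffsetSeconds = $null; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

# Constructed sample of /dataonly output (not captured from a real host), to show the parser
# dropping the header and the error row: yields 0.0312456 and 0.0298765.
$sample = @(
    'Tracking dc.rybb.com [172.16.1.10:123].',
    'Collecting 3 samples.',
    'The current time is 2020/7/20 12:17:49.',
    '12:17:49, +00.0312456s',
    '12:17:51, error: 0x800705B4',
    '12:17:53, +00.0298765s'
)
ConvertFrom-StripchartOutput $sample

# The real sweep: every computer in the OU, report only the ones that are not OK.
Import-Module ActiveDirectory
$members = (Get-ADComputer -SearchBase $ouDN -Filter *).DNSHostName
Get-DomainTimeSkew -ComputerName $members -TimeSource $dcFqdn -MaxSkew $tolerance |
    Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

A host that shows up with "no valid samples" cannot reach UDP 123 on the domain controller at all, which is a different problem from drift and usually a firewall rule; a host with a large offset but valid samples is the Exchange case from the Background.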

3、 Pitfalls
If the time synchronization settings are put into the Default Domain Policy, the domain controller receives and applies them too: that GPO is linked at the domain root, so it covers the Domain Controllers OU as well. Group Policy values (under HKLM\SOFTWARE\Policies\Microsoft\W32Time) take precedence over the local values under HKLM\SYSTEM\CurrentControlSet\Services\W32Time, so the external synchronization configured in part 1 is silently overridden (the DC would be told to sync from itself) and the accuracy of the domain controller's own clock is no longer guaranteed. Linking the policy to a dedicated organizational unit delivers it to every computer except the domain controllers, which stay in the Domain Controllers OU, so all members end up with accurate time. A quick way to catch this on the DC is w32tm /query /configuration: each value is labelled (Local) or (Policy), and a (Policy) NtpServer there means a GPO is overriding part 1.