Short description
Windows machines might have at least one Network Time Protocol (NTP) server that's preset in the registry before joining the AWS Managed Microsoft AD domain. When joining the domain, Windows machines automatically synchronize time with all available mechanisms in the domain. If source NTP servers have differing times, then this setup can cause time skew-related issues.
In the following example, the NtpServer parameter is pre-populated with 169.254.169.123,0x9 before the instance joins the AWS Managed Microsoft AD domain. However, the Type parameter changes to AllSync after joining the domain. Because AllSync combines the domain hierarchy with the manually listed NTP servers, the instance can follow sources that disagree with each other, and this change during configuration can cause a time skew.
Before joining the domain:
PS C:\> w32tm /dumpreg /subkey:parameters | findstr /i "NtpServer Type"
Value Name Value Type Value Data
NtpServer REG_SZ 169.254.169.123,0x9
Type REG_SZ NTP
PS C:\> w32tm /query /configuration | findstr /i "Type NTPServer:"
Type: AllSync (Local)
NtpServer: 169.254.169.123,0x9 time.windows.com,0x8 (Local)
After joining the domain:
PS C:\> w32tm /dumpreg /subkey:parameters | findstr /i "NtpServer Type"
Value Name Value Type Value Data
NtpServer REG_SZ 169.254.169.123,0x9 time.windows.com,0x8
Type REG_SZ AllSync
PS C:\> w32tm /query /configuration | findstr /i "Type NTPServer:"
Type: AllSync (Local)
NtpServer: 169.254.169.123,0x9 time.windows.com,0x8 (Local)
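The following PowerShell audit is an added example, not part of the AWS article. It reads the same W32Time settings that w32tm /dumpreg shows above, takes a policy-delivered Type into account when one exists, and flags the situation the article describes: a domain member whose Type is still AllSync (or NTP) while a manual NtpServer list remains in the registry. It assumes an elevated PowerShell session on the instance and the standard W32Time registry locations.

```powershell
# Added example: audit W32Time configuration on a domain-joined Windows host.
# Not code from the AWS article. Assumes elevated PowerShell and the default
# W32Time registry paths.

function Get-W32TimeAudit {
    # Service-level settings (what "w32tm /dumpreg /subkey:parameters" prints)
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    # Policy-delivered settings override the service key, so check them first
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $policy = if (Test-Path $policyPath) { Get-ItemProperty -Path $policyPath } else { $null }

    $effectiveType = if ($policy -and $policy.Type) { $policy.Type } else { $params.Type }
    $typeSource    = if ($policy -and $policy.Type) { 'Policy' } else { 'Local' }

    # NtpServer is a space-separated list such as "169.254.169.123,0x9 time.windows.com,0x8"
    $ntpServers = @()
    if ($params.NtpServer) {
        $ntpServers = $params.NtpServer -split '\s+' | Where-Object { $_ }
    }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $findings = @()

    if ($cs.PartOfDomain) {
        if ($effectiveType -eq 'AllSync') {
            $findings += "Type is AllSync on a domain member: host may follow both the domain hierarchy and the manual list '$($params.NtpServer)'."
        }
        if ($effectiveType -eq 'NTP') {
            $findings += "Type is NTP on a domain member: the domain hierarchy is ignored."
        }
        if ($effectiveType -ne 'NT5DS' -and $ntpServers.Count -gt 0) {
            $findings += "Manual NtpServer entries present: $($ntpServers -join ', ')"
        }
    }

    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        EffectiveType = $effectiveType
        TypeSource    = $typeSource
        NtpServers    = $ntpServers
        Findings      = $findings
    }
}

$audit = Get-W32TimeAudit
$audit | Format-List
foreach ($f in $audit.Findings) { Write-Warning $f }
```

Run it before and after the domain join: a clean result after the join is Type NT5DS delivered by policy with no findings. A finding of AllSync plus a manual server list is exactly the mixed state shown in the "After joining the domain" output above.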
Resolution
As a best practice, use domain controllers to make sure that the Windows domain-joined machines synchronize time through the AWS Managed Microsoft AD domain hierarchy. For more information, see How the Windows Time service works and Windows Time service tools and settings on the Microsoft website.
Prerequisites
Make sure that you complete the following prerequisites:
- Install the Active Directory, Group Policy Management, and DNS administration tools that the following steps use:
PS C:\> Install-WindowsFeature RSAT-ADDS,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,GPMC,RSAT-DNS-Server
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Group Policy Management, DNS Server Tools,…}
- Verify that the EC2 instance is joined to the AWS Managed Microsoft AD domain that you want to set up a time synchronization domain hierarchy for. For more information, see Manually join a Windows instance.
Configure the AWS Managed AD domain time hierarchy
Follow these steps to synchronize time in the AWS Managed AD domain hierarchy using the Group Policy settings:
1. Log in to the EC2 instance using Remote Desktop Protocol (RDP) with a domain user account that has administrator rights. For more information, see Connect to your Windows instance using RDP.
2. Run GPMC.msc to open the Group Policy Management console.
3. Choose Domains, and then choose [Domain Name], [Directory NetBIOS name], Computers.
4. Choose Computers, and then choose Create a GPO in this domain and Link it here…
Note: Computer objects must be in the organizational unit (OU) or under other OUs within the same hierarchy.
5. Name the GPO, for example, Domhier Time Sync, and then choose OK.
6. Choose the GPO that you just created, and then choose Edit.
7. Choose Computer Configuration, and then choose Administrative Templates, System, Windows Time Service, Time Providers.
8. Choose Enable Windows NTP Client, and then select Enabled.
9. Choose OK.
10. Choose Configure NTP Client.
11. Select Enabled, and change the following parameters:
For Type, enter NT5DS.
For SpecialPollInterval, enter 900.
12. Choose OK.
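The same GPO can be created, populated, and linked from PowerShell with the GroupPolicy module that the GPMC feature installs. The script below is an added example, not part of the AWS article: it writes the registry-based policy values behind "Enable Windows NTP Client" and the Type and SpecialPollInterval settings of "Configure Windows NTP Client". The OU distinguished name is a placeholder for the Computers OU from step 3, and the session is assumed to have rights to create and link GPOs.

```powershell
# Added example: build the "Domhier Time Sync" GPO from PowerShell.
# Not code from the AWS article. Assumes the GroupPolicy module (GPMC feature)
# and an account allowed to create and link GPOs. $targetOu is a placeholder.

Import-Module GroupPolicy

$gpoName  = 'Domhier Time Sync'
$targetOu = 'OU=Computers,OU=corp,DC=corp,DC=example,DC=com'   # placeholder: your Computers OU

# Create the GPO only if it does not exist yet
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Registry-based policy locations used by the Windows Time Service templates
$paramsKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$clientKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

# "Enable Windows NTP Client" -> Enabled
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

# "Configure Windows NTP Client": Type = NT5DS, SpecialPollInterval = 900
Set-GPRegistryValue -Name $gpoName -Key $paramsKey -ValueName 'Type' -Type String -Value 'NT5DS' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'SpecialPollInterval' -Type DWord -Value 900 | Out-Null

# Link the GPO to the OU that holds the computer objects, without creating duplicate links
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Display the values the GPO now carries
Get-GPRegistryValue -Name $gpoName -Key $paramsKey
Get-GPRegistryValue -Name $gpoName -Key $clientKey
```

Enabling "Configure Windows NTP Client" in the GPMC editor also writes the template's remaining values (NtpServer, CrossSiteSyncFlags, and the peer backoff settings) at their defaults; this script deliberately sets only the Enabled flag and the two values the procedure names, so review the GPO in GPMC afterwards if you want the full template applied.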
Verify if the EC2 instance is using the time synchronization hierarchy
Complete the following steps to confirm that the EC2 instance synchronizes time with a domain controller through the AWS Managed Microsoft AD domain hierarchy. For more information, see Group Policy: basic troubleshooting steps for beginners on the Microsoft website.
1. Use the instance from the previous section to force an update of the domain policies. Open a PowerShell prompt as an elevated prompt or as an administrator, and run the following command:
PS C:\> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
2. Confirm that the Type is now NT5DS and that it comes from policy:
PS C:\> w32tm /query /configuration | findstr /i "Type NTPServer:"
Type: NT5DS (Policy)
3. Forcefully discover the time source:
PS C:\> w32tm /resync /rediscover
Sending resync command to local computer
The command completed successfully.
4. Identify the synchronization server for the instance. In the following example, WIN-A2P2S44M219 is the time source.
PS C:\> w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 5 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0329001s
Root Dispersion: 0.0868277s
ReferenceId: 0xAC1F0599 (source IP: 172.31.5.153)
Last Successful Sync Time: 9/28/2022 10:41:34 AM
Source: WIN-A2P2S44M219.example.com
Poll Interval: 7 (128s)
5. Confirm that the server is a domain controller:
PS C:\> Get-ADDomainController -Filter * | select name
name
----
WIN-A2P2S44M219
WIN-E4VM0DELNQ1
Note: The domain controller that's synchronizing the time might change during configuration. The change doesn't cause an issue with time synchronization.
6. Check the time synchronization between the instance and the domain controller. Ideally, the time difference is as close to zero as possible. For more information, see W32tm on the Microsoft website.
PS C:\> w32tm /stripchart /computer:WIN-A2P2S44M219.example.com /samples:3
Tracking WIN-A2P2S44M219.example.com [172.31.5.153:123].
Collecting 3 samples.
The current time is 9/28/2022 10:42:26 AM.
10:42:26, d:+00.0006938s o:-00.0041540s [ * ]
10:42:28, d:+00.0006471s o:-00.0041757s [ * ]
10:42:30, d:+00.0006398s o:-00.0041987s [ * ]
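The verification steps above can be scripted so that an instance can be checked repeatedly, for example from a scheduled task. The function below is an added example, not part of the AWS article: it parses w32tm /query /configuration and /query /status, confirms with Get-ADDomainController that the reported source is a domain controller, and measures the offset with w32tm /stripchart in /dataonly form. It assumes an elevated PowerShell session on a domain member with the ActiveDirectory module installed and English w32tm output; the 0.5 second threshold is an arbitrary alert value chosen for the example.

```powershell
# Added example: verify that this host follows the domain time hierarchy and
# report its offset from the source. Not code from the AWS article. Assumes
# elevated PowerShell, the ActiveDirectory module, and English w32tm output.
# $MaxOffsetSeconds is an arbitrary alert threshold for the example.

Import-Module ActiveDirectory

function Test-DomainTimeHierarchy {
    param(
        [double]$MaxOffsetSeconds = 0.5,
        [int]$Samples = 3
    )

    # Effective configuration: "Type: NT5DS (Policy)" is the healthy value
    $config   = w32tm /query /configuration
    $typeLine = $config | Select-String -Pattern '^\s*Type:\s*(\S+)'
    $type     = if ($typeLine) { $typeLine.Matches[0].Groups[1].Value } else { 'unknown' }

    # Current status: "Source: WIN-A2P2S44M219.example.com", or "Local CMOS Clock" when unsynchronized
    $status     = w32tm /query /status
    $sourceLine = $status | Select-String -Pattern '^\s*Source:\s*(.+?)\s*$'
    $source     = if ($sourceLine) { $sourceLine.Matches[0].Groups[1].Value } else { $null }

    # Reduce "host.example.com,0x8" to the short host name for the DC lookup
    $sourceHost = $null
    if ($source) { $sourceHost = (($source -split ',')[0] -split '\.')[0] }

    $isDc = $false
    if ($sourceHost) {
        $dcNames = (Get-ADDomainController -Filter *).Name
        $isDc = $dcNames -contains $sourceHost
    }

    # Offsets against the source; /dataonly prints lines like "10:42:26, -00.0041540s"
    $offsets = @()
    if ($isDc) {
        $chart = w32tm /stripchart /computer:$source /samples:$Samples /dataonly
        foreach ($line in $chart) {
            if ($line -match ',\s*([+-]?\d+\.\d+)s') { $offsets += [double]$Matches[1] }
        }
    }

    $maxAbs = $null
    if ($offsets.Count -gt 0) {
        $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    }

    [pscustomobject]@{
        Type           = $type
        Source         = $source
        SourceIsDC     = $isDc
        OffsetsSeconds = $offsets
        MaxAbsOffset   = $maxAbs
        Healthy        = ($type -eq 'NT5DS') -and $isDc -and ($null -ne $maxAbs) -and ($maxAbs -le $MaxOffsetSeconds)
    }
}

$result = Test-DomainTimeHierarchy
$result | Format-List
if (-not $result.Healthy) { Write-Warning 'Instance is not synchronizing cleanly through the domain hierarchy.' }
```

Healthy is only true when all three conditions from the manual steps hold at once: the Type is NT5DS, the source resolves to one of the domain controllers returned by Get-ADDomainController, and every sampled offset is within the threshold. Because the synchronizing domain controller can change, as the note above points out, the check compares against the full list of domain controllers rather than a fixed name.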