
Secure Time Seeding on DCs: A Note from the Field



Hi everyone, this is Chris from Directory Services. Lately we have been seeing more and more cases of DCs (Domain Controllers) having problems because of time jumps, often into the future. As everyone here knows, time synchronization is critical to Active Directory and other applications. Over time (hyuk hyuk) we have seen large rollbacks caused by simple configuration errors. Regardless of the cause, these problems cause significant disruption to customers, so in Server 2008 we released new defaults for the protective configuration of w32time.

The default values for MaxPosPhaseCorrection and MaxNegPhaseCorrection were changed from “literally whatever” to 48 hours. We also released guidance on configuring domain controllers for NTP:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773263(v=ws…

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/support-boundary-high…

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/configuring-your-pdce-with-al…

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/configuring-an-authoritative-…

Then Server 2016 came out, and with it Secure Time Seeding (STS). As the w32time blog post linked in the references below explains, this was released more as a client solution than as something designed for Active Directory. However, Secure Time Seeding is enabled by default on all currently supported Windows Server OSes, and it does not respect MaxPosPhaseCorrection or MaxNegPhaseCorrection. CSS has seen high-impact production incidents at customer sites caused by STS setting the wrong time after TLS connections were made to woefully misconfigured devices.

You can probably see where this is going. We urge all Active Directory administrators to take this information and consider whether this is what you want. From the w32time blog post (linked in the references below):

If you want to trust your system clock over time data generated from SSL traffic and forgo the benefits of this feature, we can help. Set the following registry value to 0, and when you reboot your computer, the secure time seeding feature will be disabled (the standard warning about being careful while modifying the registry applies here).

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Value Name: UtilizeSslTimeData

Value Type: REG_DWORD

What makes this even more complicated is that there is no logging to indicate that STS has set the time. The only way to know that the change was made is to have w32tm debug logging enabled beforehand and look for an entry like this:

152929 22:35:45.3014352s - ClockDispln Discipline: *SET*SECURE*TIME*

As with most other debug logging, we do not recommend running w32tm debug logging 24/7 unless absolutely necessary.
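Because the debug log is the only record, it helps to have something that picks the marker out of a log you enabled for a limited window. The following PowerShell function is an added example, not code from the original post: it scans a w32tm debug log for the *SET*SECURE*TIME* entry quoted above and returns one object per hit. The sample log lines are constructed (only the quoted entry is real); the w32tm /debug syntax in the comment is the standard way to enable the log.

```powershell
# Added example, not from the original post. Scans a w32tm debug log for the
# Secure Time Seeding marker quoted above. Debug logging must already have been
# enabled when the clock was set, for example:
#   w32tm /debug /enable /file:C:\Windows\Temp\w32time.log /size:10000000 /entries:0-300
#   ... wait for or reproduce the time change ...
#   w32tm /debug /disable

function Find-SecureTimeSets {
    param([Parameter(Mandatory)][string]$LogPath)

    # Debug lines start with a sequence number and a timestamp; the STS marker is literal.
    $pattern = '^(?<seq>\d+)\s+(?<ts>[\d:.]+)s\s+-\s+ClockDispln Discipline:\s+\*SET\*SECURE\*TIME\*'

    foreach ($line in Get-Content -Path $LogPath) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Sequence = [int]$Matches['seq']
                Time     = $Matches['ts']
                Line     = $line
            }
        }
    }
}

# Constructed sample log: the second line is the entry quoted in the post,
# the other two are placeholder filler standing in for unrelated debug output.
$sampleLog = @'
152928 22:35:45.2991054s - (constructed filler line)
152929 22:35:45.3014352s - ClockDispln Discipline: *SET*SECURE*TIME*
152930 22:35:45.3020001s - (constructed filler line)
'@

$logPath = Join-Path ([System.IO.Path]::GetTempPath()) 'w32time-sample.log'
Set-Content -Path $logPath -Value $sampleLog

$hits = @(Find-SecureTimeSets -LogPath $logPath)
if ($hits.Count -gt 0) {
    Write-Host "Secure Time Seeding set the clock $($hits.Count) time(s):"
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No Secure Time Seeding clock sets found.'
}
```

Point -LogPath at the real file you passed to w32tm /debug /enable, and correlate the returned timestamps with the time jump you are investigating.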

Here is a command, run from a cmd.exe prompt, to check the value on all DCs (in a batch file, write %%i instead of %i):

For /f %i IN ('dsquery server -o rdn') do REG QUERY \\%i\HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v UtilizeSslTimeData /t REG_DWORD
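Going a step beyond the one-line loop, here is an added PowerShell example (not code from the original post) that reads UtilizeSslTimeData from every DC through the remote registry, reports whether STS is still on, and provides a separate function that sets the value to 0 on the DCs you decide to change. An absent value is reported as enabled, because the post states that STS is on by default. It assumes the ActiveDirectory RSAT module on the admin workstation, the Remote Registry service reachable on the DCs, and PowerShell Remoting for the disable step.

```powershell
# Added example, not from the original post. Audits UtilizeSslTimeData on all DCs
# and can set it to 0 where you decide to turn Secure Time Seeding off.
# Assumes: ActiveDirectory module (RSAT), Remote Registry reachable, PS Remoting.

$regPath  = 'SYSTEM\CurrentControlSet\Services\W32Time\Config'
$regValue = 'UtilizeSslTimeData'

function Get-DcSecureTimeSeeding {
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $key  = $hive.OpenSubKey($regPath)
            $raw  = if ($key) { $key.GetValue($regValue, $null) } else { $null }
            # No value present means the OS default, which the post says is enabled.
            [pscustomobject]@{
                DC      = $dc
                Value   = $raw
                Enabled = ($null -eq $raw) -or ($raw -ne 0)
                Error   = $null
            }
        } catch {
            [pscustomobject]@{ DC = $dc; Value = $null; Enabled = $null; Error = $_.Exception.Message }
        }
    }
}

function Disable-DcSecureTimeSeeding {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path "HKLM:\$using:regPath" -Name $using:regValue -Value 0 -Type DWord
    }
    # The post says the change takes effect after a reboot.
    Write-Warning "$ComputerName: $regValue set to 0; reboot required for it to take effect."
}

$report = Get-DcSecureTimeSeeding
$report | Format-Table -AutoSize

# After reviewing the report, disable STS on the DCs where it is still on:
# $report | Where-Object Enabled | ForEach-Object { Disable-DcSecureTimeSeeding -ComputerName $_.DC }
```

The audit and the change are deliberately separate functions so the report can be reviewed (and the non-DC servers the post mentions considered) before anything is modified.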

In conclusion, Secure Time Seeding offers potential benefits, but it can cause problems in Active Directory. Administrators should weigh these considerations when deciding whether to disable this feature, and keep in mind that it can also affect non-DC servers in production. The decision should be based on the specific requirements and configuration of the environment.

Chris Cartwright “All this time”

References:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/configure-w32ime-agai…

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/fixing-when-your-domain-trav…

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/domain-time-synchronization-…

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS/label-name/Time

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS/label-name/w32time

https://learn.microsoft.com/en-us/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-i…

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/client-clock-reverts-…
