Secure Time Seeding on DCs: A Note from the Field
September 9, 2024

Hi everyone, this is Chris from Directory Services. Lately we have been seeing more and more instances of DCs (Domain Controllers) having issues due to time jumps, many of them jumps into the future. As everyone here knows, time synchronization is critical to Active Directory and other applications. Over time (hyuk hyuk) the causes have ranged from simple configuration errors to large rollbacks. Regardless of the cause, these issues can cause significant disruption to customers, so in Server 2008 we released new defaults for the protective configuration of w32time: the default values for MaxPosPhaseCorrection and MaxNegPhaseCorrection were changed from "literally whatever" to 48 hours. We also released various guidance on configuring domain controllers for NTP.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773263(v=ws…
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/support-boundary-high…
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/configuring-your-pdce-with-al…
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/configuring-an-authoritative-…

Then Server 2016 came out with Secure Time Seeding (STS). In the additional commentary on that release, STS is described as more of a client solution, not one aimed at Active Directory. However, Secure Time Seeding is enabled by default on all currently supported Windows Server OSes, and it does not respect MaxPosPhaseCorrection or MaxNegPhaseCorrection. CSS has seen high production impact on customer sites due to STS setting the wrong time when TLS connections were made to woefully misconfigured devices. You can probably see where this is going. We urge all Active Directory administrators to take this information and consider whether or not this is what you want.
From the w32time blog post on Secure Time Seeding: "If you want to trust your system clock over time data generated from SSL traffic and forgo the benefits of this feature, we can help. Set the following registry value to 0 and, when you reboot your computer, the secure time seeding feature will be disabled (the standard warning about being careful while modifying the registry applies here)."

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value Name: UtilizeSslTimeData
Value Type: REG_DWORD
Value Data: 0

What makes things even more complicated is that there is no event logging to indicate that STS has set the time. The only way to know that the change was made is to enable w32tm debug logging and look for an entry like this, written just before the change is made:

152929 22:35:45.3014352s - ClockDispln Discipline: *SET*SECURE*TIME*

As with most other debug logging, we do not recommend running w32tm debug logging 24/7 unless absolutely necessary. Here is a command to check the value on all DCs:

For /f %i IN ('dsquery server -o rdn') do REG QUERY \\%i\HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v UtilizeSslTimeData /t REG_DWORD

In conclusion, Secure Time Seeding offers potential benefits, but it can cause problems in Active Directory. Administrators should weigh these considerations carefully when deciding whether to disable this feature. Also consider that it can affect non-DC servers in production. The decision should be based on the specific requirements and configuration of the environment.
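The cmd one-liner above errors out on any DC where UtilizeSslTimeData has never been written, which is exactly the case where STS is running with its built-in default (enabled). The PowerShell script below is an added example, not part of the original post or any Microsoft tooling: it queries every DC in the current domain for UtilizeSslTimeData together with the two phase-correction limits that STS ignores, reports a missing value explicitly as "(not set)", derives the effective STS state from it, and optionally scans a w32tm debug log for the *SET*SECURE*TIME* marker. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the log path is an assumed placeholder.

```powershell
# Added example (not from the original post): audit Secure Time Seeding and the
# w32time phase-correction limits on every DC in the current domain.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to each DC.
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$valueNames = 'UtilizeSslTimeData', 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection'

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $regPath, $valueNames -ScriptBlock {
    param($path, $names)
    # Get-ItemProperty returns $null if the key is missing; a missing value is
    # reported as "(not set)" rather than an error so the row still appears.
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $row = [ordered]@{ DC = $env:COMPUTERNAME }
    foreach ($n in $names) {
        $row[$n] = if ($null -ne $props -and $null -ne $props.$n) { $props.$n } else { '(not set)' }
    }
    # STS is enabled by default: only an explicit 0 disables it after a reboot.
    $row['SecureTimeSeeding'] = if ($row['UtilizeSslTimeData'] -eq 0) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]$row
}

$results |
    Sort-Object DC |
    Format-Table DC, SecureTimeSeeding, UtilizeSslTimeData, MaxPosPhaseCorrection, MaxNegPhaseCorrection -AutoSize

# Optional: if w32tm debug logging has been enabled on a DC
# (w32tm /debug /enable /file:<path> /size:<bytes> /entries:0-300), look for the
# marker the post describes. $debugLog is an assumed path, not a Windows default.
$debugLog = 'C:\w32tm-debug.log'
if (Test-Path $debugLog) {
    Select-String -Path $debugLog -Pattern '\*SET\*SECURE\*TIME\*' |
        ForEach-Object { "{0}: {1}" -f $_.LineNumber, $_.Line }
}
```

Run it from an elevated PowerShell session on a management host; any DC listed with SecureTimeSeeding = Enabled and "(not set)" for UtilizeSslTimeData is running the default behaviour described above. Because the value only takes effect after a reboot, a DC that shows 0 but has not been restarted since the change is still seeding time from TLS traffic until it is.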
Chris Cartwright, "All this time"

References:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/configure-w32ime-agai…
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/fixing-when-your-domain-trav…
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/domain-time-synchronization-…
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS/label-name/Time
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS/label-name/w32time
https://learn.microsoft.com/en-us/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-i…
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/client-clock-reverts-…