How do I synchronize time between Windows domain-joined instances and AWS Managed Microsoft AD?


I want to use group policies to set up time synchronization for Microsoft Windows machines throughout AWS Directory Service for Microsoft Active Directory.

Short description

Windows machines might have a Network Time Protocol (NTP) server preset in the registry before they're joined to the AWS Managed Microsoft AD domain. When they join the domain, Windows machines automatically synchronize time with all available mechanisms. If those NTP sources report different times, this setup can cause time skew-related issues.

In this example, the NtpServer parameter is prepopulated with 169.254.169.123,0x9 before the instance joins the AWS Managed Microsoft AD domain. However, the Type parameter changes to AllSync after the instance joins the domain. This configuration change might cause a time skew.

Before the domain is joined:

PS C:\> w32tm /dumpreg /subkey:parameters | findstr /i "NtpServer Type"
Value Name Value Type Value Data
NtpServer REG_SZ 169.254.169.123,0x9
Type REG_SZ NTP
PS C:\> w32tm /query /configuration | findstr /i "Type NTPServer:"
Type: AllSync (Local)
NtpServer: 169.254.169.123,0x9 time.windows.com,0x8 (Local)

After the domain is joined:

PS C:\> w32tm /dumpreg /subkey:parameters | findstr /i "NtpServer Type"
Value Name Value Type Value Data
NtpServer REG_SZ 169.254.169.123,0x9 time.windows.com,0x8
Type REG_SZ AllSync
PS C:\> w32tm /query /configuration | findstr /i "Type NTPServer:"
Type: AllSync (Local)
NtpServer: 169.254.169.123,0x9 time.windows.com,0x8 (Local)

Resolution

As a best practice, use domain controllers to make sure that the Windows domain-joined machines synchronize time through the AWS Managed Microsoft AD domain hierarchy. For more information, see How the Windows Time service works and Windows Time service tools and settings on the Microsoft website.

Prerequisites

Make sure that you complete these prerequisites:

  • Install the Remote Server Administration Tools (RSAT) and the Group Policy Management Console on the EC2 instance:

    PS C:\> Install-WindowsFeature RSAT-ADDS,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,GPMC,RSAT-DNS-Server
    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             Success        {Group Policy Management, DNS Server Tools, . . . }
  • Verify that the EC2 instance is joined to the AWS Managed Microsoft AD domain that you want to configure a time synchronization domain hierarchy for. For more information, see Manually join a Windows instance.

Configure the AWS Managed AD domain time hierarchy

Use the Group Policy settings to synchronize time in the AWS Managed AD domain hierarchy:

  1. Use Remote Desktop Protocol (RDP) to log in to the EC2 instance as a domain user with Administrator rights. For more information, see Connect to your Windows instance using RDP.
  2. Run GPMC.msc to open the Group Policy Management console.
  3. Choose Domains, and then choose [Domain Name], [Directory NetBIOS name], Computers.
  4. Choose Computers, and then choose Create a GPO in this domain and Link it here:
    Note: Computer objects must be in the organizational unit (OU) or under other OUs within the same hierarchy.
  5. Name the GPO. For example, you might use Domhier Time Sync. Then, choose OK.
  6. Choose the GPO that you just created, and then choose Edit.
  7. Choose Computer Configuration, and then choose Administrative Templates, System, Windows Time Service, Time Providers.
  8. Choose Enable Windows NTP Client, and then select Enabled.
  9. Choose OK.
  10. Choose Configure NTP Client.
  11. Select Enabled, and then change these parameters:
    For Type, enter NT5DS.
    For SpecialPollInterval, enter 900.
  12. Choose OK.
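The same GPO can be created and linked from PowerShell instead of the GPMC console. This is an added example, not part of the AWS article: it assumes the GroupPolicy and ActiveDirectory modules from the RSAT features installed above, a session running as a domain user allowed to create and link GPOs, and a hypothetical target OU that you must replace with your own.

```powershell
# Added example (not from the AWS article). Writes the policy registry values that the
# "Enable Windows NTP Client" and "Configure NTP Client" templates write, then links the
# GPO to the computers OU. The OU path and GPO name below are hypothetical placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Domhier Time Sync'                                   # hypothetical GPO name
$domain   = (Get-ADDomain).DNSRoot
$targetOu = 'OU=Computers,OU=corp,DC=corp,DC=example,DC=com'     # hypothetical OU; replace

# Policy keys read by the Windows Time service (W32Time) when a GPO applies
$paramsKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$clientKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain }

# "Enable Windows NTP Client" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

# "Configure NTP Client" = Enabled. Type NT5DS makes the client follow the domain hierarchy;
# SpecialPollInterval 900 matches the article. The remaining values are the template's
# defaults (assumed from the W32Time administrative template) so the policy is complete.
Set-GPRegistryValue -Name $gpoName -Key $paramsKey -ValueName 'Type'      -Type String -Value 'NT5DS' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $paramsKey -ValueName 'NtpServer' -Type String -Value 'time.windows.com,0x9' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'SpecialPollInterval'       -Type DWord -Value 900 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'CrossSiteSyncFlags'        -Type DWord -Value 2   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'ResolvePeerBackoffMinutes' -Type DWord -Value 15  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'ResolvePeerBackoffMaxTimes' -Type DWord -Value 7  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'EventLogFlags'             -Type DWord -Value 0   | Out-Null

# Link the GPO to the OU that holds the computer objects (skip if already linked)
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# Show what the GPO now carries so the settings can be reviewed before clients pick them up
Get-GPRegistryValue -Name $gpoName -Key $paramsKey | Select-Object ValueName, Value
Get-GPRegistryValue -Name $gpoName -Key $clientKey | Select-Object ValueName, Value
```

Clients pick the settings up at the next policy refresh, or immediately with gpupdate /force as shown in the next section.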

Verify that the EC2 instance uses the time synchronization hierarchy

Complete these steps to confirm that the instance is synchronizing time through the AWS Managed Microsoft AD domain hierarchy.

For more information, see Group Policy: basic troubleshooting steps for beginners on the Microsoft website.

  1. Use the instance from the previous section to force an update of the domain policies. Open an elevated Windows PowerShell prompt (Run as administrator), and then run this command:

    PS C:\> gpupdate /force
    Updating policy...
    Computer Policy update has completed successfully.
    User Policy update has completed successfully.
  2. Confirm that NT5DS is in place.

    PS C:\> w32tm /query /configuration | findstr /i "Type NTPServer:"
    Type: NT5DS (Policy)
  3. Force the instance to rediscover its time source:

    PS C:\> w32tm /resync /rediscover
    Sending resync command to local computer
    The command completed successfully.
  4. Identify the synchronization server for the instance. In this example, IP-C61301F5 is the time source.

    PS C:\> w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 5 (secondary reference - syncd by (S)NTP)
    Precision: -23 (119.209ns per tick)
    Root Delay: 0.0017265s
    Root Dispersion: 0.2926529s
    ReferenceId: 0xAC1F0DC6 (source IP:  172.31.13.198)
    Last Successful Sync Time: 4/18/2023 12:45:37 PM
    Source: IP-C61301F5.corp.example.com
    Poll Interval: 7 (128s)
  5. Confirm that the server is a domain controller:

    PS C:\> Get-ADDomainController -Filter * | select name
    name
    ----
    IP-C61301F5
    IP-C6130214

    Note: The domain controller that's synchronizing the time might change during configuration. The change doesn't cause an issue with time synchronization.

  6. Check the time synchronization between the instance and the domain controller. Ideally, the time difference is as close to zero as possible. For more information, see W32tm on the Microsoft website.

    PS C:\> w32tm /stripchart /computer:IP-C61301F5.corp.example.com /samples:3
    Tracking IP-C61301F5.corp.example.com [172.31.13.198:123].
    Collecting 3 samples.
    The current time is 4/18/2023 12:43:11 PM.
    12:43:11, d:+00.0010085s o:-00.0012111s  [                           *                           ]
    12:43:13, d:+00.0015748s o:-00.0011228s  [                           *                           ]
    12:43:15, error: 0x80072733
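The manual checks above can be collapsed into one function that reports pass or fail, which is useful for fleet-wide checks because time skew breaks Kerberos authentication long before it is noticed interactively. This is an added example, not part of the AWS article: it assumes an elevated session on a domain-joined instance with the ActiveDirectory module available, and the function name and offset threshold are hypothetical choices.

```powershell
# Added example (not from the AWS article). Parses the output of the same w32tm commands the
# article runs by hand and returns one object with an Ok flag. The threshold is a hypothetical
# default: Kerberos tolerates 5 minutes by default, so flagging at 1 s gives early warning.
Import-Module ActiveDirectory

function Test-DomainTimeHierarchy {
    param(
        [double]$MaxOffsetSeconds = 1.0,
        [int]$Samples = 3
    )
    # "Type: NT5DS (Policy)" must come from the GPO, not from the pre-join registry value
    $typeLine = w32tm /query /configuration | Select-String -Pattern '^\s*Type:\s*(\S+)' | Select-Object -First 1
    $type     = if ($typeLine) { $typeLine.Matches[0].Groups[1].Value } else { $null }

    # "Source: IP-C61301F5.corp.example.com"; a non-synced box reports "Local CMOS Clock"
    $srcLine = w32tm /query /status | Select-String -Pattern '^\s*Source:\s*(\S+)' | Select-Object -First 1
    $source  = if ($srcLine) { $srcLine.Matches[0].Groups[1].Value } else { $null }

    # The source host (first DNS label) must be one of the domain controllers
    $sourceHost = if ($source) { ($source -split '\.')[0] } else { '' }
    $dcNames    = @((Get-ADDomainController -Filter *).Name)
    $sourceIsDc = $dcNames -contains $sourceHost

    # Stripchart lines look like "12:43:11, d:+00.0010085s o:-00.0012111s [ * ]".
    # Lines such as "12:43:15, error: 0x80072733" carry no offset and are skipped by the regex.
    $offsets = @()
    if ($sourceIsDc) {
        $offsets = w32tm /stripchart "/computer:$source" "/samples:$Samples" |
            Select-String -Pattern 'o:([+-][0-9.]+)s' |
            ForEach-Object { [math]::Abs([double]$_.Matches[0].Groups[1].Value) }
    }
    $worst = if ($offsets.Count -gt 0) { ($offsets | Measure-Object -Maximum).Maximum } else { $null }

    [pscustomobject]@{
        Type          = $type
        Source        = $source
        SourceIsDC    = $sourceIsDc
        SamplesUsed   = $offsets.Count
        MaxOffsetSec  = $worst
        Ok            = ($type -eq 'NT5DS') -and $sourceIsDc -and ($null -ne $worst) -and ($worst -le $MaxOffsetSeconds)
    }
}

Test-DomainTimeHierarchy | Format-List
```

A result with Ok = False and SourceIsDC = False means the instance is still following its pre-join NTP source rather than the domain hierarchy; Ok = False with SamplesUsed = 0 means every stripchart sample failed, as the 0x80072733 line above shows for a single sample.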

Related information

How do I troubleshoot time issues with my EC2 Windows instance?

Set the time for a Windows instance

Default network time protocol (NTP) settings for Amazon Windows AMIs

AWS OFFICIAL | Updated 6 months ago