FIX: Windows 2019 CIS Benchmark Image Stopping the Azure VM Becoming the NTP Server After Transferring the PDC Emulator

In a Windows domain, time synchronization is hierarchical: the domain controller that holds the PDC emulator role acts as the authoritative NTP server, the other DCs sync time from it, and domain members sync time from those domain controllers.

At times you have to transfer the FSMO roles to a different DC, and quite often that DC is a VM running in Azure.

In most cases, VMs spun up in Azure must adhere to security policies, and a well-known hardening baseline is the CIS Benchmark image (Center for Internet Security). The policies are defined and vetted in the server image and are activated once the server is up and running.

Issue

So, as mentioned above, if you move the PDC role onto such a server, chances are the other DCs will stop syncing time from it and instead fall back to the local CMOS clock or the hypervisor's time. This breaks the time hierarchy and you will run into various issues.

Tip: Make sure UDP port 123 is open between the DCs so NTP traffic can get through.

How to resolve?

Before transferring the PDC role to the Azure VM DC, the quickest way to check whether all DCs are syncing time correctly is to run the following from an elevated command prompt:

W32TM /monitor

This queries every DC and reports the result for each one. In my case, all the DCs were syncing with the current PDC except the Azure VM DC.

dc01.domain.local *** PDC *** [xx.xx.xx.xx]:123
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
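The check above, together with the UDP 123 tip, as an added PowerShell example that is not part of the original post: it parses `w32tm /monitor` output into objects, flags every DC whose NTP line is an error, and then sends one plain SNTP request to UDP/123 on each failing DC so you can tell "no reply at all" (port blocked, or the NtpServer provider disabled) from "replies but unsynchronized". The host names, addresses and the monitor output in the sample are constructed; replace the here-string with `w32tm /monitor` to run it against your domain.

```powershell
# Added example (not from the original post). Sample output below is constructed.

function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        # Header line for each DC, e.g. "dc01.domain.local *** PDC *** [10.0.0.1:123]:"
        if ($line -match '^(?<name>\S+?)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[(?<addr>[^\]]+)\]:') {
            $current = [pscustomobject]@{
                Name      = $Matches['name']
                IsPdc     = [bool]$Matches['pdc']
                Address   = $Matches['addr']
                NtpStatus = 'no NTP line'
                Healthy   = $false
            }
            $results += $current
        }
        # The NTP line is either an offset ("+0.0012345s offset from ...") or "error <CODE> - ..."
        elseif ($current -and $line -match '^\s+NTP:\s+(?<status>.+?)\s*$') {
            $current.NtpStatus = $Matches['status']
            $current.Healthy   = $current.NtpStatus -notmatch '^error'
        }
    }
    return $results
}

function Test-NtpResponse {
    # Minimal SNTP client: one client-mode request to UDP/123, parsed with the RFC 4330 layout.
    param([string]$Server, [int]$TimeoutMs = 1000)
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        $request = [byte[]]::new(48)
        $request[0] = 0x1B                       # LI=0, VN=3, Mode=3 (client)
        [void]$udp.Send($request, $request.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        if ($reply.Length -lt 48) { return $null }
        $stratum = [int]$reply[1]
        # Transmit timestamp, bytes 40..43: whole seconds since 1900-01-01 UTC, big-endian
        $seconds = ([long]$reply[40] -shl 24) -bor ([long]$reply[41] -shl 16) -bor ([long]$reply[42] -shl 8) -bor [long]$reply[43]
        [pscustomobject]@{
            Server  = $Server
            Stratum = $stratum
            # Stratum 0 is an unsynchronized / kiss-o'-death reply; 1..15 is a usable server
            Synced  = ($stratum -ge 1 -and $stratum -le 15)
            Time    = [datetime]::new(1900, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc).AddSeconds($seconds)
        }
    }
    catch [System.Net.Sockets.SocketException] {
        # No reply inside the timeout: UDP/123 blocked, or the NtpServer provider is disabled
        return $null
    }
    finally { $udp.Close() }
}

# Constructed sample of what "w32tm /monitor" prints. Live use: $monitor = w32tm /monitor
$monitor = @'
dc01.domain.local *** PDC *** [10.0.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from local clock
        RefID: 'LOCL' [0x4C4F434C]
        Stratum: 1
azdc01.domain.local[10.1.0.4:123]:
    ICMP: 12ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@ -split "`r?`n"

$dcs = ConvertFrom-W32tmMonitor -Lines $monitor
$dcs | Format-Table Name, IsPdc, Address, Healthy, NtpStatus -AutoSize

# Probe UDP/123 directly on every DC that w32tm could not reach
foreach ($dc in ($dcs | Where-Object { -not $_.Healthy })) {
    $host = $dc.Address -replace ':\d+$', ''
    $probe = Test-NtpResponse -Server $host
    if ($null -eq $probe) {
        "$($dc.Name): no NTP reply on UDP/123 (firewall, or NtpServer provider disabled by policy)"
    }
    elseif (-not $probe.Synced) {
        "$($dc.Name): replies but reports stratum $($probe.Stratum), i.e. not synchronized"
    }
    else {
        "$($dc.Name): replies at stratum $($probe.Stratum), server time $($probe.Time.ToString('u'))"
    }
}
```

The probe cannot distinguish a blocked port from a service that is not listening; but combined with the ICMP delay line from `w32tm /monitor` (host reachable, NTP silent) it points you at the NtpServer provider state on the DC, which is exactly the CIS image case described further down.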

Once you have identified the server that is not responding, you can test it directly.

Go to the server that has the issue and, in an elevated command prompt, run:

W32TM /query /configuration

Ideally, if you have no GPOs configured for the time service, the Enabled and NtpServer entries in the output are tagged (Local).

Once a GPO is applied, those values are overwritten: Enabled changes to 0 and NtpServer is tagged (Policy) instead.

To find out whether these settings are correct:

First, check your GPOs, especially the Default Domain Policy, for any NTP-related settings.

If there are none, run gpedit.msc on the DC to check the local policy.

Go to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers

Make sure the options below are set to “Not Configured”:

  • Configure Windows NTP Client: Not Configured
  • Enable Windows NTP Client: Not Configured
  • Enable Windows NTP Server: Not Configured

Important! If you are using a CIS Benchmark image in Azure, these settings will differ, because the CIS Benchmark automation script sets these policies to comply with the standard. However, for the time service to work properly in a domain, we need the DC to be an NTP server.

Change the policy to “Not Configured” and then run the following on the server:

net stop w32time & net start w32time

W32TM /resync

Once this is done, run the following to check the status:

W32TM /monitor

Now transfer the PDC Emulator role to this server. The other DCs will start syncing time from it and the time hierarchy is restored as expected.
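The policy check that the post walks through in gpedit.msc, followed by the restart, resync and monitor steps, as an added PowerShell example that is not part of the original post. It reads the registry values that the three Time Providers policies write under HKLM\SOFTWARE\Policies\Microsoft\W32Time: a value present there is what `w32tm /query /configuration` tags as (Policy), and "Not Configured" means the value is absent so the (Local) setting under the W32Time service key applies. It stops with a warning when the NtpServer provider is forced off, since restarting the service without clearing the policy changes nothing. Assumptions: it runs in an elevated PowerShell session on the DC being fixed, and the `gpupdate /force` step is my addition so that a policy change takes effect before the service restart; the final role transfer is left as a comment, to be run once the monitor output looks right.

```powershell
# Added example (not from the original post). Run elevated on the DC that fails to sync.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'

function Get-W32TimePolicyState {
    # gpedit.msc setting name -> registry value the policy writes under the Policies hive
    $checks = @(
        @{ Setting = 'Enable Windows NTP Server';    Path = "$policyRoot\TimeProviders\NtpServer"; Name = 'Enabled' },
        @{ Setting = 'Enable Windows NTP Client';    Path = "$policyRoot\TimeProviders\NtpClient"; Name = 'Enabled' },
        @{ Setting = 'Configure Windows NTP Client'; Path = "$policyRoot\Parameters";              Name = 'NtpServer' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # Present => "(Policy)" in w32tm output; absent => "Not Configured", (Local) value applies
        $source = if ($null -ne $value) { 'Policy' } else { 'Not Configured' }
        [pscustomobject]@{
            Setting      = $c.Setting
            Source       = $source
            Value        = $value
            RegistryPath = "$($c.Path)\$($c.Name)"
        }
    }
}

function Test-NtpServerForcedOff {
    # The CIS image case: policy sets Enabled=0 on the NtpServer provider
    $srv = Get-W32TimePolicyState | Where-Object Setting -eq 'Enable Windows NTP Server'
    return ($srv.Source -eq 'Policy' -and [int]$srv.Value -eq 0)
}

# 1. Audit the three policies the post names
$state = Get-W32TimePolicyState
$state | Format-Table Setting, Source, Value -AutoSize

if (Test-NtpServerForcedOff) {
    Write-Warning ('NtpServer provider is forced off by policy. Set "Enable Windows NTP Server" to ' +
                   'Not Configured in the domain GPO or gpedit.msc, run "gpupdate /force", then re-run this script.')
    return
}

# 2. Apply: restart the time service and force a resync, as the post does
Restart-Service -Name w32time
w32tm /resync

# 3. Verify: local provider state, then the domain-wide view
w32tm /query /configuration
w32tm /monitor

# 4. Only once every DC answers in /monitor, transfer the role (post's final step):
#    Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole PDCEmulator
```

Check the domain GPOs before the local policy, as the post says: clearing the value in gpedit.msc has no lasting effect if a domain GPO (or the CIS automation script on its next run) writes it back, and the audit above will show it as (Policy) again after the next `gpupdate`.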
