If you’re of a certain age, you might remember the popular 1970 song by Chicago, “Does Anybody Really Know What Time It Is?” That’s this week’s topic in a nutshell: How do servers in a domain know what time it is? And why would they care in the first place? The answer, in a word, is Kerberos, the authentication mechanism used by Windows 2000 and all later Windows OSs. Kerberos depends on time synchronization between the computer that issues Kerberos tickets (the Key Distribution Center—KDC) and the computers that request them. Interestingly, Kerberos doesn’t depend on the time being accurate. As long as the client and server clocks are within five minutes of each other, it doesn’t matter if the actual time or date matches the real world.

However, Windows tries to keep time both accurate and synchronized by providing a built-in Network Time Protocol (NTP) service, W32Time. The operation of this service, on both the client and server, is detailed in the Microsoft article “Basic Operation of the Windows Time Service” if you’re interested. The basic thing to remember is that there’s a single authoritative time source for each forest: The computer holding the PDC emulator role for the forest is treated as authoritative. Member servers and workstations use the domain controller (DC) that authenticated them for time information, and that DC seeks a time source in the current domain or the parent domain.

The authoritative time source for the domain can synchronize to any time source you like. By default, it uses time.windows.com, but you’re welcome to change it if you need a more precise time source. (You can even bring in your own time hardware, such as an HP Z3801A, and get government-level accuracy for a few hundred dollars).

This synchronization mechanism turns out to be really important when it comes to virtualization. For many administrators, DCs seem like a great place to start applying virtualization technology; if you don’t have a huge load of authentication traffic, starting with DCs seems like a reasonable approach. However, it’s important to realize where your DCs are getting their time data from. The clock on virtualized servers isn’t guaranteed to stay accurate over time. Worse still, the default behavior with both Hyper-V and VMware is for the virtualized DC to synchronize time with the physical host computer. If that host isn’t a domain member or it isn’t getting regular time updates, the time on the DC and clients will inevitably skew, and when the skew exceeds the 5-minute window that Kerberos allows, you’ll start having authentication problems.

Microsoft’s recommendation is simple: Don’t have your virtualized DCs synchronize time with their physical host. Instead, you should configure the PDC emulator to synchronize with an outside source. Active Directory MVP Jorge de Almeida Pinto has a detailed blog post explaining how to configure the time synchronization behavior of your PDC Flexible Single-Master Operation (FSMO) role.