NTP & Time Synchronization N10-009

Slide 1 of 6  |  N10-009 Obj 1.2  |  Time Synchronization
NTP & Time Synchronization
Five minutes of clock skew breaks Kerberos. Time is not a nice-to-have.
Kerberos authentication is failing across the domain. The error: "clock skew too great." Time is 5 minutes off between the DC and workstations. NTP fixes this — but first you need to understand why time matters, how NTP works, and how to configure it correctly.
Slide 2 of 6
Why Time Actually Matters
Time synchronization is infrastructure. Multiple critical systems break without it.
Kerberos Auth
Kerberos tickets have a 5-minute skew tolerance by default. If the DC and client clock differ by more than 5 minutes, authentication fails with KRB_AP_ERR_SKEW. This locks users out of all domain resources.
TLS Certificates
X.509 certificates have a validity window (Not Before / Not After). A client with the wrong clock rejects a valid certificate as expired or not-yet-valid. HTTPS breaks. VPN breaks. Mail encryption breaks.
Log Correlation
Security investigations require correlating logs across multiple systems. A 2-minute clock difference between a firewall and a SIEM makes attack timelines impossible to reconstruct. Evidence becomes ambiguous.
Scheduled Tasks
Cron jobs, Windows Task Scheduler, and distributed cron systems all depend on accurate local time. A backup job scheduled for 2 AM runs at 1:55 or 2:05 instead. Replication windows close before sync completes.
The Domain Controller Scenario
In Active Directory, the DC is the authoritative time source for the domain. Workstations sync from the DC. If the DC itself has drifted — because it lost its upstream NTP source — every machine in the domain drifts together. Kerberos begins failing at exactly the 5-minute mark. The fix is always: fix the DC time source first.
Clock skew too great: the DC clock is 5 minutes off from the upstream NTP server. Workstations sync from the DC, so they are also 5 minutes off from everything external. Kerberos rejects all authentication.
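The log-correlation problem above in working form, as an added example that is not part of the slide deck: each host's measured clock error is removed before events are ordered, and the naive ordering is kept alongside for comparison. The hosts, skew values and log lines are constructed for the illustration; in a real investigation the per-host skew comes from the NTP offset measured when the evidence was collected.

```python
"""Added example, not from the slide deck: correct a multi-host log timeline
for known clock skew before ordering events. Hosts, skews and log lines are
constructed for the illustration."""
from datetime import datetime, timedelta, timezone

# Measured clock error per host: local clock minus true UTC.
# Positive = host clock runs ahead. (constructed values)
SKEW = {
    "fw01": timedelta(seconds=-120),   # firewall 2 minutes slow
    "dc01": timedelta(seconds=330),    # DC 5.5 minutes fast (lost its upstream)
    "siem": timedelta(0),              # SIEM treated as the UTC reference
}

# Constructed log lines: "<host> <local timestamp> <message>"
RAW_LOGS = [
    "dc01 2026-03-29T09:06:50Z 4625 logon failure user=svc-backup",
    "fw01 2026-03-29T08:59:00Z ALLOW 203.0.113.9 -> 10.0.0.5:88",
    "siem 2026-03-29T09:02:30Z ALERT kerberos-brute-force host=dc01",
    "dc01 2026-03-29T09:07:10Z 4768 TGT issued to svc-backup",
]

ISO = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split a constructed log line into (host, local datetime, message)."""
    host, stamp, message = line.split(" ", 2)
    local = datetime.strptime(stamp, ISO).replace(tzinfo=timezone.utc)
    return host, local, message


def naive_order(lines):
    """What an analyst sees when sorting on the timestamps as logged:
    here the SIEM alert appears to fire before the DC events it describes."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[1])
    return [(e[1].strftime(ISO), e[0], e[2]) for e in events]


def corrected_order(lines, skew):
    """Subtract each host's measured skew, then sort on true UTC time."""
    events = []
    for line in lines:
        host, local, message = parse_line(line)
        true_utc = local - skew[host]          # remove the host's clock error
        events.append((true_utc.strftime(ISO), host, message))
    events.sort()
    return events


def max_disagreement(skew):
    """Largest pairwise clock difference in seconds: the number that decides
    whether two hosts' logs can be compared directly at all."""
    values = [s.total_seconds() for s in skew.values()]
    return max(values) - min(values)


if __name__ == "__main__":
    print("As logged:")
    for row in naive_order(RAW_LOGS):
        print("  ", *row)
    print("Skew-corrected (max host disagreement %.0f s):" % max_disagreement(SKEW))
    for row in corrected_order(RAW_LOGS, SKEW):
        print("  ", *row)
```

Run as written, the naive list puts the SIEM alert second and the DC events last; the corrected list restores the real sequence (firewall allow, failed logon, ticket issued, alert), which is the order an incident report has to reflect.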
Slide 3 of 6
NTP Stratum Hierarchy
NTP distributes time through a hierarchy of servers. Stratum number indicates distance from the authoritative source.
Stratum 0
Reference Clock — Atomic / GPS
Atomic clocks (cesium, rubidium), GPS receivers, CDMA radio clocks. Not directly on the network — these devices connect to Stratum 1 servers via serial or PPS. Accuracy in the nanosecond range. Examples: US Naval Observatory, GPS constellation.
Stratum 1
Primary NTP Servers — directly connected to Stratum 0
These are the top of the NTP hierarchy accessible on the network. Accuracy within microseconds of UTC. Public examples: time.nist.gov, pool.ntp.org Stratum 1 members. Enterprise deployments point their DC to a Stratum 1 or Stratum 2 source.
Stratum 2
Secondary NTP Servers — sync from Stratum 1
Most enterprise NTP servers and pool.ntp.org members operate at Stratum 2. Accuracy within a few milliseconds. In an AD domain, the PDC Emulator is commonly Stratum 2 or 3. Multiple Stratum 2 sources provide redundancy.
Stratum 3-15
Downstream clients and servers — each hop adds one stratum
Domain workstations, switches, routers, and printers typically operate at Stratum 3-5. Accuracy degrades slightly with each hop. Stratum 16 means "unsynchronized" — treat as an error. Maximum practical stratum depth is 15.
AD time hierarchy: PDC Emulator syncs from an external Stratum 1/2 source. All other DCs sync from the PDC Emulator. Domain members sync from any DC. One misconfigured PDC Emulator affects every machine in the entire forest.
Slide 4 of 6
NTP, SNTP, PTP, and NTS
Four time protocols — different accuracy targets, use cases, and security postures.
NTP — Network Time Protocol
RFC: RFC 5905 (NTPv4)
Port: UDP 123
Accuracy: Milliseconds over LAN, tens of ms over WAN
Algorithm: Selects best of multiple sources; filters outliers
Security: MD5 symmetric key auth (weak by modern standards)
Use case: Standard enterprise time synchronization
SNTP — Simple NTP
RFC: RFC 4330
Port: UDP 123 (same as NTP)
Accuracy: Less precise — no clock discipline algorithm
Algorithm: Single server query — set and forget
Security: Same as NTP
Use case: Embedded devices, IoT, thin clients where full NTP is unnecessary
PTP — Precision Time Protocol
Standard: IEEE 1588
Port: UDP 319 / 320
Accuracy: Sub-microsecond to nanosecond with hardware timestamping
Algorithm: Hardware-assisted — timestamps at the NIC level
Security: Optional (PTPv2.1 / IEEE 1588-2019)
Use case: Financial trading systems, telecom, industrial control, 5G
NTS — Network Time Security (RFC 8915)
NTS is the modern security layer for NTP. It uses TLS (TCP 4460) for the initial key exchange, then authenticated UDP 123 for the time packets themselves. This protects against on-path attackers injecting false time packets, a real attack that can defeat MFA and certificate validation. NTS is the correct choice for any new NTP deployment. ntpd and chrony both support it.
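The stratum and leap-indicator fields from slide 3 and the NTP header from this slide, as an added example that is not part of the slide deck: it constructs an NTPv4 server reply offline, parses the RFC 5905 header, computes the client-side offset and round-trip delay from the four timestamps, and refuses to treat a stratum-0, stratum-16 or LI=3 reply as a usable source. The packets, timestamps and the upstream address 203.0.113.5 are constructed; nothing is sent on the network.

```python
"""Added example, not from the slide deck: build and check an NTPv4 server
reply offline. Sample packets are constructed here; nothing is sent."""
import struct

# RFC 5905 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit
# timestamps (64-bit: 32 bits seconds since 1900, 32 bits fraction).
NTP_HEADER = "!BBbbII4sQQQQ"          # 48 bytes
NTP_UNIX_DELTA = 2208988800           # seconds from 1900-01-01 to 1970-01-01
KERBEROS_MAX_SKEW = 300.0             # default 5-minute tolerance from slide 2


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (fraction truncated)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_server_reply(stratum, leap, ref_id, t1, t2, t3):
    """Mode-4 (server) reply. t1 = client transmit time (echoed as origin),
    t2 = server receive, t3 = server transmit. Root delay/dispersion are 0."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4     # LI, version 4, mode 4 = server
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp_ts(t2 - 16), to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))


def describe_ref_id(stratum, ref_id):
    """Stratum 0/1 carry a 4-char code (GPS, PPS, or a kiss-o'-death code such
    as RATE); stratum 2 and above carry the IPv4 address of the upstream."""
    if stratum <= 1:
        return ref_id.rstrip(b"\x00").decode("ascii", "replace")
    return ".".join(str(b) for b in ref_id)


def check_reply(packet, t4):
    """Parse a reply received at client time t4 and decide whether it is
    trustworthy as a time source. Returns a dict of findings."""
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, origin_ts, recv_ts, xmit_ts) = struct.unpack(NTP_HEADER, packet)
    leap = li_vn_mode >> 6
    version = (li_vn_mode >> 3) & 0x7
    mode = li_vn_mode & 0x7
    t1, t2, t3 = (from_ntp_ts(x) for x in (origin_ts, recv_ts, xmit_ts))
    offset = ((t2 - t1) + (t3 - t4)) / 2          # RFC 5905 clock offset
    delay = (t4 - t1) - (t3 - t2)                 # RFC 5905 round-trip delay

    problems = []
    if mode != 4:
        problems.append(f"mode {mode} is not a server reply")
    if leap == 3:
        problems.append("LI=3: server reports its own clock unsynchronized")
    if stratum == 0:
        problems.append("stratum 0 on the wire = kiss-o'-death / invalid")
    elif stratum >= 16:
        problems.append(f"stratum {stratum}: unsynchronized, do not use")
    if delay < 0:
        problems.append("negative delay: timestamps inconsistent")

    return {
        "version": version, "mode": mode, "leap": leap, "stratum": stratum,
        "reference": describe_ref_id(stratum, ref_id),
        "offset_s": offset, "delay_s": delay,
        "usable": not problems, "problems": problems,
        "kerberos_would_fail": abs(offset) > KERBEROS_MAX_SKEW,
    }


# Constructed scenario from the slides: the client clock is 301 s slow and the
# network adds about 10 ms each way. t1/t4 are client-clock, t2/t3 server-clock.
T1 = 1_700_000_000.000
T2 = 1_700_000_301.010
T3 = 1_700_000_301.011
T4 = 1_700_000_000.021

# Stratum-2 server whose upstream is 203.0.113.5 (documentation address)
GOOD_REPLY = build_server_reply(2, 0, bytes([203, 0, 113, 5]), T1, T2, T3)
# Server that lost its own upstream: stratum 16, leap indicator 3
DEAD_REPLY = build_server_reply(16, 3, b"\x00\x00\x00\x00", T1, T2, T3)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REPLY), ("unsynced", DEAD_REPLY)):
        print(name, check_reply(pkt, T4))
```

The good reply reports an offset of +301 s with a 20 ms delay: the source is usable, but the client is already past the Kerberos tolerance and must step its clock. The second reply is rejected outright, which is the behaviour you want from any client before it trusts a server that has itself lost synchronization.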
Slide 5 of 6
NTP Configuration
Fix the DC first. Then verify the entire domain chain is synchronized. Know the commands.
Windows — PDC Emulator (Command Prompt, admin)
rem Point PDC Emulator at external NTP source
w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:yes /update

rem Restart the Windows Time service to apply (service name is w32time, not w32tm)
net stop w32time && net start w32time

rem Force immediate sync
w32tm /resync /force

rem Check current source and stratum (sample output follows the command)
w32tm /query /status
Stratum: 3 (secondary reference - syncd by phone)
Source: pool.ntp.org
Last Successful Sync Time: 03/29/2026 09:02:11
Linux — chrony (modern replacement for ntpd)
# Add to /etc/chrony.conf, one line per upstream server
server pool.ntp.org iburst
server time.google.com iburst

# Check sync status (sample output follows the command)
chronyc tracking
Reference ID : 9B211104 (pool.ntp.org)
Stratum : 3
System time : 0.000000012 seconds fast

# List configured sources and their reach
chronyc sources -v
iburst Flag
Sends a burst of 8 packets on first contact instead of 1. Dramatically speeds up initial synchronization when a server first starts. Use it on every NTP server declaration.
DC has clock skew: run w32tm /resync /force on the PDC Emulator first. Then verify with w32tm /query /status. If stratum shows 16, the upstream NTP source is unreachable — fix the network path or switch to a reachable server.
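The verification step on this slide turned into a check that can be run over saved `chronyc tracking` output from many hosts, as an added example that is not part of the slide deck and not chrony's own tooling. The two outputs are constructed samples in chronyc's format (one healthy host, one that lost its upstream); the 0.5 s offset threshold is an assumed operational limit, not a chrony default.

```python
"""Added example, not from the slide deck: parse `chronyc tracking` output
and apply the slide's health checks (usable stratum, actually synchronized,
offset within limits). Both samples below are constructed."""
import re

HEALTHY = """\
Reference ID    : 9B211104 (pool.ntp.org)
Stratum         : 3
Ref time (UTC)  : Sun Mar 29 09:02:11 2026
System time     : 0.000000012 seconds fast of NTP time
Last offset     : +0.000000345 seconds
RMS offset      : 0.000001234 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""

# Host whose outbound UDP 123 was blocked (the slide 6 root cause): no
# reference, stratum 0, chrony reports "Not synchronised".
UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""


def parse_tracking(text):
    """'Key : value' lines -> dict; unknown lines are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def system_offset_seconds(fields):
    """'0.000000012 seconds fast of NTP time' -> +0.000000012 (positive = ahead)."""
    m = re.match(r"([\d.]+) seconds (fast|slow)", fields["System time"])
    value = float(m.group(1))
    return value if m.group(2) == "fast" else -value


def check_tracking(text, max_offset=0.5):
    """Return findings for one host. max_offset is an assumed policy limit."""
    f = parse_tracking(text)
    stratum = int(f["Stratum"])
    offset = system_offset_seconds(f)
    leap = f.get("Leap status", "")
    problems = []
    if stratum == 0 or stratum >= 16:
        problems.append(f"stratum {stratum}: no usable upstream (check the UDP 123 path)")
    if leap.lower().startswith("not sync"):
        problems.append(f"leap status '{leap}'")
    if abs(offset) > max_offset:
        problems.append(f"offset {offset:+.3f} s exceeds {max_offset} s")
    return {"stratum": stratum, "offset_s": offset, "reference": f["Reference ID"],
            "leap_status": leap, "healthy": not problems, "problems": problems}


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("unsynced", UNSYNCED)):
        print(name, check_tracking(sample))
```

Feeding this the output of every DC and the PDC Emulator after a change window is the cheapest way to catch the failure mode on slide 6 before Kerberos does.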
Slide 6 of 6  |  N10-009 Obj 1.2
Clock Skew — Problem Solved
Kerberos authentication is failing because the DC clock drifted more than 5 minutes. You configure the PDC Emulator to sync from pool.ntp.org using w32tm. After forcing a resync, the clock corrects. Workstations pull the updated time from the DC. Within minutes, Kerberos tickets are accepted again and users authenticate normally.

The root cause: the PDC Emulator lost its upstream NTP source when a firewall rule blocked UDP 123 outbound during a security hardening sprint. Time was not in scope for the change review. It always needs to be.
1. Kerberos rejects authentication when clock skew exceeds 5 minutes (default). NTP prevents this from happening.
2. Stratum 0 = atomic/GPS reference. Stratum 1 = primary server. Each hop adds one stratum. Stratum 16 = unsynchronized (error).
3. NTP uses UDP 123. SNTP uses the same port but lacks clock discipline — acceptable only for simple clients.
4. PTP (IEEE 1588) achieves sub-microsecond accuracy with hardware timestamping. Used in finance, telecom, and 5G — not general enterprise.
5. NTS (RFC 8915) adds TLS-authenticated key exchange to NTP. Blocks on-path time injection attacks. Use it on new deployments.