This post is about how to configure a Windows Server 2012 or 2016 domain controller to synchronize its time with a trusted external source. Having a valid and accurate time source is critical for a properly configured domain.
Use your favorite search engine to locate the trusted NTP time servers for your area. I am located in Canada and so I will be using
Log into your domain controller with administrative credentials and launch a command prompt.
Stop the time service:
net stop w32time
Enter the following to configure your NTP time servers:
w32tm /config /syncfromflags:manual /manualpeerlist:"0.ca.pool.ntp.org 1.ca.pool.ntp.org 2.ca.pool.ntp.org 3.ca.pool.ntp.org"
and then hit Enter. Remember to use your time servers in place of *.ca.pool.ntp.org.
Let the domain controller know that these are your trusted servers:
w32tm /config /reliable:yes
Restart the Time Service:
net start w32time
Review the results:
w32tm /query /configuration
Ensure everything is proper and typed correctly and if so, close the command prompt.
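The same steps as a PowerShell script, added here as an example rather than taken from the original post. It checks that each peer resolves before handing the list to w32tm (a stray comma in the peer list yields names that never resolve), warns if the host is not the PDC emulator, and confirms afterwards that w32time reports an NTP peer rather than the local clock. It assumes the ActiveDirectory module is present (it is on a domain controller) and uses the ca.pool.ntp.org names from above as placeholders.

```powershell
# Added example (not from the original post): configure and verify NTP on a DC.
# Replace the peer names with the trusted servers for your region.
$Peers = '0.ca.pool.ntp.org', '1.ca.pool.ntp.org', '2.ca.pool.ntp.org', '3.ca.pool.ntp.org'

# The PDC emulator is the domain's authoritative time source, so external NTP
# normally belongs there; warn if this script is running on another DC.
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    Write-Warning "This host is not the PDC emulator ($pdc); external NTP is normally configured there."
}

# Every peer must resolve before it is handed to w32tm. /manualpeerlist takes a
# space-delimited list; commas would produce names like "0.ca.pool.ntp.org,".
foreach ($p in $Peers) {
    try { $null = Resolve-DnsName -Name $p -ErrorAction Stop }
    catch { throw "NTP peer '$p' does not resolve; fix the peer list before continuing." }
}
$PeerList = $Peers -join ' '

# Apply the configuration (same commands as the post, with /update so the
# running service picks up the change) and force a resync.
Stop-Service -Name w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"$PeerList" /reliable:yes /update
Start-Service -Name w32time
w32tm /resync /rediscover | Out-Null

# Verify: the reported source should be one of our peers, not the local clock.
$status = w32tm /query /status
$sourceLine = ($status | Select-String -Pattern '^Source:' | Select-Object -First 1).Line
if (-not $sourceLine -or $sourceLine -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "w32time is not synchronizing from an NTP peer. Status:`n$($status -join "`n")"
} else {
    Write-Output "Time source OK: $sourceLine"
    w32tm /query /peers
}
```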
You may notice the warning event “NTDS General – The security of this directory server can be significantly enhanced by configuring the server to reject SASL….” in Event Viewer under Active Directory Domain Services, regarding LDAP binds. To get rid of the warning, you can add a Group Policy that configures all domain controllers to reject unsigned and simple LDAP bind requests.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following on a domain controller or a computer that has Remote Server Administration Tools installed.
- Open the Group Policy Management Console
- Expand Forest, Domains objects until you locate the domain object for the set of domain controllers you want to configure.
- Expand the Domain Controllers object, right-click Default Domain Controllers Policy and then click Edit.
- Expand the following objects in the Group Policy Management Editor: Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options.
- In the right-hand pane, double-click the Domain controller: LDAP server signing requirements policy.
- Ensure that the Define this policy setting check box is checked, select Require Signing in the drop-down box, and click OK.
- Review the information in the Confirm Setting Change dialog box and then click the Yes button to continue and save the change.
That should stop the warning events for LDAP signing in event viewer.
If you don’t use the ‘default’ shared folders in Server Essentials and are tired of getting the alert warning daily in your logs, you can remove those shared folders by following these instructions.
- In Explorer, stop sharing the folder.
- Remove the registry entries for the shared folders in HKLM\Software\Microsoft\Windows Server\Storage Service\Folders
- Restart the service "Windows Server Essentials Storage Service".
That should stop the errors.