Sync Issues Can Arise for PCs with Poor VPN Connections

Microsoft this week reminded IT pros that PC connections through virtual private networks (VPNs) can sometimes lead to time synchronization issues, possibly causing reduced functionality for end users.

With the present work-from-home phenomenon, the clock of an Active Directory domain-joined PC can drift away from the domain's time over time. Such a drift can start to happen if there are domain connectivity issues associated with the VPN that an organization uses.

Here's how Microsoft expressed the issue:

What is new in recent times is the pervasive use of VPNs by almost everyone to work from home and the quality/reliability of the VPNs available in each case. These factors have affected the time synchronization on the domain client PCs at home. Over a period, domain clients with poor domain connectivity can experience loss of domain functionality or other functionality due to their system time drifting too far from the current time.

One sensitive aspect is the Kerberos security protocol, used for Windows authentications. It uses timestamps to safeguard against attackers that present captured credentials in so-called "replay attacks." If the time discrepancy between a network and a client is too large, it can lead to authentication failures.
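The timestamp check described above, modeled as an added example (this is not code from the article or from Microsoft). It shows the two ways a request fails: the client's clock has drifted past the tolerated skew, or the same authenticator is presented twice. The 5-minute tolerance is the Windows Kerberos policy default ("Maximum tolerance for computer clock synchronization"); the client names, nonces, clock values and drift rates are constructed for the demonstration.

```python
"""Toy model of a Kerberos-style authenticator check with a replay cache.

Added example, not the article's or Microsoft's code. Times are epoch
seconds. MAX_SKEW mirrors the Windows Kerberos policy default of 5 minutes.
Error names follow RFC 4120 (KRB_AP_ERR_SKEW, KRB_AP_ERR_REPEAT).
"""
import math
from dataclasses import dataclass, field

MAX_SKEW = 5 * 60  # seconds; default Kerberos clock-skew tolerance


@dataclass(frozen=True)
class Authenticator:
    client: str
    timestamp: int  # client's clock when the request was built (epoch seconds)
    nonce: int      # constructed stand-in for the authenticator's unique content


@dataclass
class Server:
    """Service that validates authenticators against its own clock."""
    seen: set = field(default_factory=set)  # replay cache of accepted authenticators

    def _expire(self, server_now: int) -> None:
        # Entries older than MAX_SKEW can be dropped: a replay of them would
        # already be rejected by the skew check, so the cache stays small.
        self.seen = {k for k in self.seen if abs(server_now - k[1]) <= MAX_SKEW}

    def check(self, auth: Authenticator, server_now: int) -> tuple[bool, str]:
        """Return (accepted, reason) for one authenticator at server time server_now."""
        self._expire(server_now)
        skew = abs(server_now - auth.timestamp)
        if skew > MAX_SKEW:
            # A legitimate but badly drifted client lands here (the article's scenario).
            return False, f"clock skew {skew}s exceeds {MAX_SKEW}s (KRB_AP_ERR_SKEW)"
        key = (auth.client, auth.timestamp, auth.nonce)
        if key in self.seen:
            # Same authenticator inside the window: a replay.
            return False, "authenticator already seen (KRB_AP_ERR_REPEAT)"
        self.seen.add(key)
        return True, "accepted"


def days_until_kerberos_failure(drift_seconds_per_day: float) -> int:
    """First whole day on which a client drifting at the given rate exceeds MAX_SKEW.

    Constructed illustration of the article's point: a PC that never
    resyncs (poor VPN) eventually drifts far enough that every ticket
    exchange fails with KRB_AP_ERR_SKEW.
    """
    if drift_seconds_per_day <= 0:
        raise ValueError("drift rate must be positive")
    return math.floor(MAX_SKEW / drift_seconds_per_day) + 1


if __name__ == "__main__":
    svc = Server()
    req = Authenticator("HOMEPC1", 1_000_000, nonce=1)
    print(svc.check(req, 1_000_100))   # in window, first use: accepted
    print(svc.check(req, 1_000_100))   # same authenticator again: replay rejected
    drifted = Authenticator("HOMEPC1", 1_000_000, nonce=2)
    print(svc.check(drifted, 1_000_400))  # 400 s apart: skew rejected
    print(days_until_kerberos_failure(20))  # 20 s/day of drift: fails on day 16
```

The replay cache only needs to remember authenticators from the last five minutes, which is why the skew limit and the cache lifetime are the same number: anything older is refused by the skew check before the cache is consulted.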

Configuration Changes
Microsoft's announcement included a few "suggested configuration changes" to help ensure that clients get synchronized with Coordinated Universal Time (UTC) in some way, which is what the venerable Network Time Protocol (NTP), available via Internet connections, is supposed to do.

While it's possible for PCs to connect to NTP servers to sync their time, Microsoft offered a cautionary note on doing that, saying that "although this involves the use of unsecured NTP protocol, some techniques can be used to minimize potential risks."

Those techniques to assure security in connecting to NTP servers weren't spelled out in the announcement. Presumably, they are implicit in Microsoft's recommended configuration changes.

Microsoft did create a way to securely sync PCs via its "secure time seeding" feature. Secure time seeding is turned on by default in Windows 10 systems and has been available since Microsoft's November 2015 Windows 10 release.

However, secure time seeding is mostly just there to support consumer machines, Microsoft explained:  

Secure time seeding feature was introduced in Windows as a means of correcting very large time errors on consumer PCs. Although this feature was not intended to keep time accurate enough for AD Domains, it can help correct large time errors in certain scenarios and allows SSL/TLS to function. The feature is enabled by default on domain machines also.

It Depends
Microsoft's advice for Active Directory domain-joined PCs consisted of making some possible registry changes to help keep PCs in sync. However, its recommendations were offered with an "it depends" viewpoint.

"The parameters mentioned above may need customization for your specific topology," Microsoft concluded. They will also require validation before rolling into production, the announcement added.

Such advice seemed to get echoed in an article by Microsoft MVP and author Brien Posey. In a somewhat different context, he observed that "in my experience, there is no one single technique that fixes clock sync problems every time."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
