Vulnerability V-243504

This applies to the domain controller with the PDC Emulator role in forest root domain; it is NA for other domain controllers in the forest. Determine the domain controller with the PDC Emulator role in the forest root domain: Windows 2016 or later: Open "Windows PowerShell". Enter "Get-ADDomain -Identity [Forest Root Domain] | FT PDCEmulator", where [Forest Root Domain] is the forest root domain name, such as "example.mil". (This can also be entered without the -Identity parameter if running within the forest root domain.) Windows 2016: Open "Active Directory Users and Computers" from a domain controller in or connected to the forest root (available from various menus or run "dsa.msc"). Select "Action" in the menu, then All Tasks >> Operations Masters. Select the "PDC" tab. On the system with the PDC Emulator role, open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Under the "NtpClient" section: If the value for "Type" is not "NTP", this is a finding. If the value for "NtpServer" is not an external DOD time source, this is a finding. If an alternate time synchronization tool is used and is not enabled or not configured to a synchronize with an external DOD time source, this is a finding. The US Naval Observatory operates stratum 1 time servers, identified at https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.

Configure the forest root PDC Emulator to acquire its time from an external time source. The Windows Time Service can be configured by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configuring the "NtpServer" field to point to an authorized time server.