Tag Archives: domain

Configuring time for Azure IaaS Domain Joined Machines

Synopsis: When you place a virtual machine on the Azure platform, it inherits time controls from the underlying hypervisor, Hyper-V, by default.  For Hyper-V hosts and guests running operating systems prior to Windows Server 2016, the default behavior of these VMs is to synchronize the system clock with the host via the Hyper-V TimeSync service (VMIC).

Windows Server 2016 guests will find the most accurate clock available rather than defaulting to the host. For this reason we advised manually disabling the Hyper-V Time Provider on machines participating in a domain that run Windows Server 2012 R2 and below.  More information on Windows Server 2016 time can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/windows-time-service/windows-2016-accurate-time

To disable the Hyper-V Time Provider, we recommend creating a new Group Policy template and targeting your Azure VMs.

Validate that your machine is synchronized to the Hyper-V Time Provider

Open a command prompt and execute the following command: w32tm /query /status

If the Source shown is VM IC Time Synchronization Provider, the guest OS is synchronized to the VM host.

Create a new group policy to disable the Hyper-V Time Provider (VM IC Time Synchronization)

  1. Create a new Group Policy and target it at an OU that contains the machines synchronized to the Hyper-V Time Provider
  2. Edit the new Group Policy Object
  3. Navigate to Computer Configuration -> Preferences -> Windows Settings -> Registry and add a new item
  4. Navigate to the following key, HKLM:SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider, and select the Enabled value
  5. Change the Value data to 00000000 and click OK
  6. Restart each of the Azure virtual machines, or log in to each machine and execute the following command to restart the Windows Time service: net stop w32time && net start w32time
  7. Validate that the Source now points to your NTP server/domain by running the following command: w32tm /query /status

How to prevent users from adding a machine to the domain in Active Directory

Interestingly enough, by default Microsoft's Active Directory ships with the ability for all Authenticated Users to join up to 10 machines to the domain.  Why 10?  Who knows.  Personally, I do not want my users to be able to add machines to the domain, so the steps below prevent this.

  1. Log on to one of your domain controllers or a machine with ADSI Edit installed
  2. Open ADSI Edit
    1. Start -> Administrative Tools -> ADSI Edit
  3. If you have logged on to one of your DCs, you can leave Name, Connection Point, and Computer at their defaults; otherwise enter the proper information to connect to your DC and click OK.
    1. Screenshot: default connection settings
    2. Screenshot: ADSI Edit - Connection Settings
  4. Expand the context that was added, right-click DC=[domain],DC=[TLD] and click Properties.
    1. Screenshot: ADSI Edit - Properties
  5. Scroll down to ms-DS-MachineAccountQuota and click Edit
    1. Screenshot: ADSI Edit - ms-DS-MachineAccountQuota
  6. Change the value from 10 to 0 and click OK
    1. Screenshot: ADSI Edit - Integer Attribute Editor
  7. Click OK on the DC=[domain],DC=[TLD] dialog box

At this point, only users in the Domain Admins or Enterprise Admins groups will be able to add machines to the domain.
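The same audit and change scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It assumes RSAT (the ActiveDirectory module) is installed and that the caller holds rights to modify the domain naming context; the -Server and -Remediate parameters are this script's own.

```powershell
# Added example: report ms-DS-MachineAccountQuota on the domain object and,
# only when asked, set it to 0. Assumes the ActiveDirectory module is present
# and the caller can write to DC=[domain],DC=[TLD].
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server,     # optional DC to query; defaults to the current domain
    [switch]$Remediate   # without this switch the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# Target a specific DC when one was given, otherwise let the module pick.
$adArgs = @{}
if ($Server) { $adArgs.Server = $Server }

$domain = Get-ADDomain @adArgs
$dn     = $domain.DistinguishedName          # DC=[domain],DC=[TLD]
$attr   = 'ms-DS-MachineAccountQuota'

# The quota is an attribute of the domain naming context object itself.
$obj   = Get-ADObject -Identity $dn -Properties $attr @adArgs
$quota = [int]$obj.$attr

Write-Host ("{0}: {1} = {2}" -f $domain.DNSRoot, $attr, $quota)

if ($quota -eq 0) {
    Write-Host 'Quota is already 0; ordinary authenticated users cannot join machines.'
    return
}

if (-not $Remediate) {
    Write-Warning "Any authenticated user can join up to $quota computers. Re-run with -Remediate to set it to 0."
    return
}

# -WhatIf / -Confirm are honoured here via ShouldProcess.
if ($PSCmdlet.ShouldProcess($dn, "Set $attr from $quota to 0")) {
    Set-ADObject -Identity $dn -Replace @{ $attr = 0 } @adArgs
    $after = (Get-ADObject -Identity $dn -Properties $attr @adArgs).$attr
    Write-Host ("{0} is now {1}" -f $attr, $after)
}
```

Run it without -Remediate first to see the current value on each domain; with -Remediate -WhatIf it shows the change it would make without applying it.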