Reliable Time Monitor False Positives for AD Domain Member Monitoring

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.

I had a chance to work with a customer on importing the new AD MP for SCOM. I like this MP in particular, as it’s much less noisy than the old management pack for AD. That said, one thing I’ve seen in a few environments is a warning from the Reliable Time Server Monitor being unable to locate a time server. I had a chance this week to do some digging into this particular monitor, and there appears to be a flaw in the script data source that calculates this monitor.

Why does it matter?

In short, it’s an authentication thing. Protocols such as Kerberos rely on time stamps for authentication, and in order for those to be accurate, all systems in the domain must be using a shared time source.

What is it doing?

The script is straight forward, it runs the following command:  nltest.exe /dsgetdc: /gtimeserv

Documentation for this command can be found here. Interestingly enough, there are two time server commands available. The /gtimeserv command, which our script is using, looks for a master time server, which from what I can tell has to be designated. The /timeserv command simply looks for a time server. I’m not an AD expert, but I can say that in any AD domain, a master time server is not designated from the get go. It’s possible that an admin should do this with an authoritative internet source, but documentation on that process seems rather light in my quick search of the issue. That said, the output from said commands is the same:

image

It’s worth noting the circled items, as these appear to play a role in our script. The key line in the script is here:

image

I don’t pretend to be a VB expert, but from my untrained eye, the script runs the NLTEST command and then does a filter against the string GTIMESERV. Note that this string does not appear anywhere in the NLTEST results. As such, this will generate an alert in almost any (if not every) environment. My guess would be that the preferred solution would be to designated an internet master time server in your environment, though that’s not always reasonable. In that case, the next best thing would be to modify the data source. I’ve recreated this data source with an override to the original monitor.

You can find that management pack here: