Patching, Replication & Time Sync
Invisible operational hygiene of a domain
Real-world analogy
A domain is like a fleet of ships. Patching is regular maintenance, replication is ships sharing charts, and time sync is the common clock on the horn that lets them coordinate. Skip any of these and you get silent drift until a storm hits.
What is it?
Patching, replication, and time synchronization are the ‘boring’ hygiene that quietly keeps AD and Windows Server environments working. Most catastrophic incidents you read about trace back to one of these being neglected.
Real-world relevance
A branch begins reporting ‘authentication issues’ only in the morning. A sysadmin checks w32tm — branch DC has drifted 12 minutes because its time source was wrong. Fixing NTP on one DC restores logon across the branch. No users, no apps — just time.
Key points
- Patching — boring until it’s not — Unpatched servers are the single most common root cause of major incidents. Enterprise patching flows: test in dev → approve change → stage in test group → roll to production in maintenance window → verify → document. Nothing heroic; all discipline.
- WSUS / Intune update rings / Configuration Manager — WSUS centralizes Microsoft update approval. Intune update rings push patches to Entra-joined devices. Configuration Manager (SCCM/MECM) manages both. Juniors should know what each is and when it’s used.
- Replication in AD — Domain Controllers replicate directory changes to each other. Healthy replication is invisible. Broken replication = stale passwords, phantom accounts, and logon inconsistencies between offices.
- Kerberos time tolerance — Kerberos tickets are time-bound (typically within 5 minutes between client and DC). If a machine’s clock drifts, logon fails with confusing errors — even though the password is correct.
- PDC Emulator & authoritative time — One DC (the PDC Emulator FSMO role holder) is the authoritative time source for the forest. It should sync to a reliable external NTP source. Client → DC → PDCe → external NTP. Break the chain and watches drift.
- Maintenance windows & change control — Patching during business hours is how you get fired. Maintenance windows exist so users and business know when controlled risk is taken. Every patch cycle is a change with a rollback plan and an approver.
- Backups before patches — Always verify recent backups exist before mass patching — especially on DCs and critical app servers. ‘Patch Tuesday surprise’ is real; a rollback path isn’t optional.
- Documentation that survives audits — Which servers were patched, which KBs applied, which ones failed, which reboots happened, who approved. Bank auditors ask for this quarterly. Juniors who write it well get noticed.
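Added here as a worked example (not code from the page): it parses the output of w32tm /monitor, the command listed below for monitoring all DCs, flags any DC whose offset from the PDCe approaches or exceeds the 5-minute Kerberos tolerance, and checks that the PDCe's own source is not its local clock. It assumes the output layout shown in the constructed sample and the default 5-minute skew limit.

```powershell
# Added example, not code from the page: parse 'w32tm /monitor' output, flag DCs whose offset
# from the PDCe nears the Kerberos 5-minute tolerance, and check the PDCe's own upstream source.
# Assumed: the output layout shown in the sample, and the two "no upstream" source strings.
function Get-DcTimeOffsets {
    param([string[]]$MonitorOutput)
    $results = @(); $current = $null
    foreach ($line in $MonitorOutput) {
        # Host header lines start at column 0, e.g. "dc01.corp.example *** PDC ***[10.0.0.1:123]:"
        if ($line -match '^(?<host>\S+?)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[[^\]]+\]:') {
            $current = [pscustomobject]@{ Host = $Matches.host; IsPdc = [bool]$Matches.pdc; OffsetSeconds = $null }
            $results += $current
        } elseif ($current -and $line -match 'NTP:\s*(?<off>[+-]\d+\.\d+)s offset') {
            $current.OffsetSeconds = [double]$Matches.off   # offset relative to the PDCe
        }   # an "NTP: error ..." line leaves OffsetSeconds null (unreachable DC)
    }
    return $results
}

function Test-DcTimeChain {
    param([string[]]$MonitorOutput, [string]$PdceSource, [double]$WarnSeconds = 60)
    $findings = @()
    # A PDCe that is its own reference is the silent failure behind "morning logon issues".
    if ($PdceSource -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "PDCe source is '$PdceSource': the chain to an external NTP source is broken"
    }
    foreach ($dc in Get-DcTimeOffsets $MonitorOutput) {
        if ($null -eq $dc.OffsetSeconds) { $findings += "$($dc.Host): no NTP response"; continue }
        $skew = [math]::Abs($dc.OffsetSeconds)
        if ($skew -ge 300) {
            $findings += "$($dc.Host): ${skew}s skew exceeds the Kerberos tolerance; logons will fail"
        } elseif ($skew -ge $WarnSeconds) {
            $findings += "$($dc.Host): ${skew}s skew, drifting toward the 300s limit"
        }
    }
    return $findings
}

# Constructed sample: dc02 is the branch DC that drifted 12 minutes (720s), as in the scenario above.
$sample = @'
dc01.corp.example *** PDC ***[10.0.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.corp.example
        RefID: 'LOCL' [76.79.67.76]
dc02.corp.example[10.0.0.2:123]:
    ICMP: 1ms delay
    NTP: -720.0312500s offset from dc01.corp.example
        RefID: dc01.corp.example [10.0.0.1]
'@ -split "`r?`n"

Test-DcTimeChain -MonitorOutput $sample -PdceSource 'Local CMOS Clock'
```

Against a live domain, run `$pdce = (Get-ADDomain).PDCEmulator; Test-DcTimeChain (w32tm /monitor) (w32tm /query /source /computer:$pdce)` (Get-ADDomain needs the ActiveDirectory RSAT module).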
Code example
// The hygiene trifecta — commands a junior should recognize
--- Replication health ---
repadmin /replsummary
repadmin /showrepl
dcdiag /v

--- Time sync (Windows) ---
w32tm /query /status
w32tm /query /source
w32tm /monitor
w32tm /resync /force

--- Patching (Intune / WSUS / SCCM) ---
Microsoft Update Catalog -> find specific KBs
Intune > Updates > Update rings, Feature updates
WSUS approvals -> test group -> production group

--- Change hygiene ---
[ ] recent backup verified
[ ] rollback plan written
[ ] approver and maintenance window set
[ ] post-change verification steps
[ ] ticket notes with KBs applied / failed
Line-by-line walkthrough
- 1. Hygiene commands block
- 2. Replication section
- 3. repadmin summary
- 4. repadmin detailed
- 5. dcdiag verbose
- 6. Blank separator
- 7. Time sync section
- 8. Current status
- 9. Current source
- 10. Monitor all DCs
- 11. Force resync
- 12. Blank separator
- 13. Patching section
- 14. Update catalog source
- 15. Intune update rings
- 16. WSUS approval path
- 17. Blank separator
- 18. Change hygiene checklist
- 19. Backup verified
- 20. Rollback plan
- 21. Approver and window
- 22. Post-change verification
- 23. Ticket documentation
Spot the bug
Urgent: DC02 replication broken. Junior decides to force demote DC02 and promote a new one at 3 PM during business hours, with no change ticket.
Which two rules did this break, and what was the safer order?
Show answer
Broke: (1) no change control / maintenance window; (2) no backup verification; (3) destructive action without diagnosis. Safer order: run repadmin /showrepl + dcdiag to understand the failure, verify backups, raise an emergency change with rollback, schedule a window, then act. Demote/promote is a last resort, not a first move.
Explain like I'm 5
Three jobs nobody notices until they break: updating software, keeping the address book in sync between offices, and making sure every clock agrees. Enterprise IT pays you to notice them before anyone else does.
Fun fact
In 2017, the WannaCry ransomware spread globally in hours and crippled hospitals and banks. The root cause: a Microsoft patch (MS17-010) had been available for two months. Patching discipline literally saves lives.
Hands-on challenge
On a Windows machine, run: w32tm /query /status and w32tm /query /source. Identify the current time source. Describe in 2 lines how this chain should work in a domain.
More resources
- Windows Time service (Microsoft Learn)
- AD replication (repadmin) (Microsoft Learn)
- Windows patching in enterprise (John Savill)