Proper time synchronization is a key part of a healthy Active Directory environment. The Primary Domain Controller (PDC) acts as the main time authority, so it must stay accurately synced with an external NTP server to ensure all systems in the network operate correctly. In this article, you will learn how to configure an NTP time source on a Domain Controller.
Step 1. Find PDC Emulator
Locate the server holding the PDC (Primary Domain Controller) role.
netdom query fsmo
Step 2. Check current time source
On the PDC, check what your current timesync source is.
w32tm /query /source
w32tm /query /peers
w32tm /query /status
w32tm /query /configuration
Note: If you are in a child domain, this may need to be done on the PDC of the root domain as well. You can also run the query peers command on the other DCs to tell you what server they are syncing with.
Step 3. Disable VM guest time synchronization
Hypervisors such as Hyper-V, VMware, and others provide a guest time sync service that competes with W32Time and causes clock drift. W32Time must be the sole time authority. Disable the hypervisor time sync before configuring NTP to prevent interference during the initial sync.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider" -Name "Enabled" -Value 0
You must restart the Windows Time service for the changes to take effect.
net stop w32time
net start w32time
Verify that the VMIC Time Provider is disabled.
w32tm /query /configuration
The output for VMICTimeProvider should show Enabled: 0 (Local).
VMICTimeProvider (Local)
DllName: C:\WINDOWS\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)
Step 4. Configure external NTP peers
Once you have identified the server that appears to be the time source across your Active Directory environment, you can configure it to use an external time source. Change the server to the external NTP server of your choice, but make sure to keep the 0x8 flag at the end, as it is required.
w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes
Step 5. Restart Windows Time service
Stop the Windows Time service.
net stop w32time
Start the Windows Time service.
net start w32time
Step 6. Force resynchronization
Resync the time from the new source.
w32tm /resync /rediscover
If the machine was badly out of sync, force the resynchronization.
w32tm /resync /force
Step 7. Verify new time source
Check the time source info to make sure the time is coming from the NTP server.
w32tm /query /source
w32tm /query /peers
w32tm /query /status
w32tm /query /configuration
Step 8. Check offset/drift
You can check your time drift against an external server, which will display the offset in seconds.
w32tm /stripchart /computer:pool.ntp.org
To limit the output to 5 samples and show only the data:
w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly
Step 9. Allow time to propagate through the domain
Other DCs and clients should automatically sync through the AD hierarchy. You can manually trigger sync on other DCs.
w32tm /resync
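The checks from Steps 3, 7 and 8 can be combined into one PowerShell health check that flags a wrong time source, a still-enabled VMIC provider, failed samples, and excessive offset. This is an added example, not part of the original article; the function names, the 1-second threshold and the sample stripchart lines are assumptions constructed for illustration.

```powershell
# Added example: function names, threshold and sample data are assumptions.
function Get-StripchartOffset {
    param([string[]]$Lines)
    # Data lines from "/dataonly" look like "10:15:02, +00.0123456s"
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
}

function Test-PdcTimeHealth {
    param(
        [string]$Source,              # output of: w32tm /query /source
        [string[]]$StripchartLines,   # output of: w32tm /stripchart ... /dataonly
        [int]$VmicEnabled,            # VMICTimeProvider "Enabled" registry value
        [double]$MaxOffsetSeconds = 1 # assumed alert threshold
    )
    $findings = @()
    # Sources that mean the PDC is not following an external NTP peer
    if ($Source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider') {
        $findings += "Time source is '$($Source.Trim())', not an external NTP peer"
    }
    if ($VmicEnabled -ne 0) { $findings += 'VMICTimeProvider is still enabled (Step 3)' }

    $offsets = @(Get-StripchartOffset -Lines $StripchartLines)
    $failed  = @($StripchartLines | Where-Object { $_ -match 'error' }).Count
    if ($offsets.Count -eq 0) {
        $findings += 'No usable samples: NTP server unreachable or UDP 123 blocked'
    } else {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        if ($worst -gt $MaxOffsetSeconds) { $findings += "Offset ${worst}s exceeds ${MaxOffsetSeconds}s" }
    }
    if ($failed -gt 0) { $findings += "$failed sample(s) returned an error" }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample input (not captured from a real server)
$sample = @(
    'Tracking pool.ntp.org [203.0.113.10:123].',
    'Collecting 5 samples.',
    'The current time is 1/1/2025 10:15:00 AM.',
    '10:15:00, +00.0123456s',
    '10:15:02, error: 0x800705B4',
    '10:15:04, -02.4100000s'
)
Test-PdcTimeHealth -Source 'Local CMOS Clock' -StripchartLines $sample -VmicEnabled 1

# Live use on the PDC emulator (commands from the steps above):
# $vmic = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider').Enabled
# Test-PdcTimeHealth -Source (w32tm /query /source) -VmicEnabled $vmic `
#   -StripchartLines (w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly)
```

With the constructed sample, Healthy is False and Findings lists four problems: the local clock source, the enabled VMIC provider, the 2.41-second offset, and one failed sample.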
That’s it!
Conclusion
You learned how to set up an NTP time source on a Domain Controller. The Primary Domain Controller (PDC) must stay in sync with an external NTP server, because it is the main time source for the whole network. If the time is incorrect, users may not be able to sign in, and communication between servers and services can fail.

