Normal operation of an Active Directory domain depends on the Windows Time service (W32Time). Kerberos, the primary AD authentication protocol, rejects tickets and authenticators whose timestamps differ from the verifying server's clock by more than the allowed skew (5 minutes by default), so every domain member needs an accurate clock. Time synchronization in AD follows a strict hierarchy: domain-joined workstations and member servers take their time from the domain controller that authenticated them, all domain controllers in a domain synchronize with the single DC that holds the PDC Emulator FSMO role, and in a multi-domain forest the PDC Emulators of child domains synchronize with DCs of the parent domain, so the forest root PDC Emulator sits at the top of the hierarchy.
The PDC Emulator (Primary Domain Controller emulator), in turn, synchronizes with an external time source: one or more public NTP (Network Time Protocol) servers such as time.windows.com, or your provider's NTP server. Keep in mind that domain members do not use a plain NTP client configuration by default; they follow the domain hierarchy (the NT5DS sync type described below).
In a domain, how does the Windows Time Service work?
The W32Time service is present in every version of Windows and keeps the clocks across the AD forest in sync. A single machine can act as both an NTP client and an NTP server. Domain members use the domain hierarchy by default (the DC that authenticated them) rather than a manually configured list of NTP servers; the wire protocol is still NTP, but the exchange with the DC is authenticated with the computer account, so a rogue NTP server on the network cannot simply feed a domain member a bogus time.
By default, the Windows Time service behaves as follows:
- After a clean Windows installation the service runs as an NTP client (Type NTP) and synchronizes with an external time source, time.windows.com by default;
- When the computer joins a domain the sync type changes to NT5DS: all client computers and member servers in the domain then take their time from a domain controller;
- When a member server is promoted to a domain controller the NTP server is enabled on it, and it uses the DC holding the PDC Emulator role as its time source;
- The PDC Emulator is the authoritative time server of the organization; it in turn synchronizes with an external time source or, if none is configured, runs off the server's local hardware (CMOS) clock, which is not recommended.
This scheme works in the vast majority of environments without administrator intervention. In practice, however, the Windows Time service sometimes stops following the domain hierarchy (a common case is a virtualized DC that takes its time from the hypervisor), and the clocks in the domain drift apart.
If clients and domain controllers in your domain disagree about the time, the domain almost certainly has a time synchronization problem, and the procedure in this article is the fix.
First, choose the NTP servers you want to use. A list of public NTP pool servers is available at http://ntp.org. In this example we use 0.us.pool.ntp.org, 1.us.pool.ntp.org, 2.us.pool.ntp.org and 3.us.pool.ntp.org.
Setting up domain time synchronization with Group Policy takes two steps:
- create a GPO for the domain controller that holds the PDC Emulator role;
- create a GPO for the client computers in the AD domain.
Setting up the NTP Server on the PDC
First, the PDC must be configured as an NTP client of the external source and the NTP server must be enabled on it. Start by checking what the PDC currently uses as its time source. Run the following from an elevated command prompt:
w32tm /query /source
The output shows the current time source. Typical values are:
- Local CMOS Clock: the server uses its own hardware clock and does not synchronize with anything;
- VM IC Time Synchronization Provider: the domain controller with the PDC role is a virtual machine that takes its time from the hypervisor host (Hyper-V integration services);
- Free-running System Clock: the service is running but is not synchronized with any source;
- the name of another DC or of an NTP server: the PDC already synchronizes with that peer.
If the source is the VM IC provider, disable time synchronization with the host first, otherwise the settings below will be overridden by the hypervisor clock:
Set the Enabled value to 0 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider, or turn off the Time synchronization option in the virtual machine's settings on the Hyper-V host (Integration Services section). Restart the Windows Time service afterwards so the provider change takes effect.
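As an added example (not part of the original article), the following PowerShell, run in an elevated session on a domain controller, performs the checks above in one go: it evaluates the same DomainRole = 5 condition that the PDC WMI filter later in the article relies on, prints the current time source, and disables the Hyper-V VMIC provider if it is still active. The registry path and provider name are the ones quoted above; nothing else is assumed.

```powershell
# Added example, not part of the original article. Run elevated on a domain controller.

# DomainRole 5 = Primary Domain Controller: the same test the GPO WMI filter uses,
# so this tells you whether the DC you are on is the one the PDC policy will hit.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ne 5) {
    Write-Warning "This DC does not hold the PDC Emulator role (DomainRole=$role); run this on the PDC"
}

# Current time source, e.g. 'Local CMOS Clock' or 'VM IC Time Synchronization Provider'
$source = (w32tm /query /source) -join ''
"Current time source: $source"

# Hyper-V time provider. Enabled=1 means the guest follows the host clock and will
# ignore the NTP peers configured below.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$enabled = (Get-ItemProperty -Path $vmic -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($enabled -eq 1) {
    Set-ItemProperty -Path $vmic -Name Enabled -Value 0
    Restart-Service -Name w32time          # provider list is read at service start
    w32tm /resync /rediscover              # pick a real source right away
    "VMIC provider disabled; new source: $((w32tm /query /source) -join '')"
} else {
    "VMIC provider is not active (Enabled=$enabled); nothing to change"
}
```

Run it again after the GPO from the next section has applied: the source line should then name one of the external NTP servers rather than the local clock or the hypervisor.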
Configure NTP Settings on the PDC Using GPO
The domain controller holding the PDC Emulator role is the one that must synchronize with the external source. Because the role can be transferred between domain controllers, the GPO must apply only to whichever DC currently holds it, not to a fixed server name. To achieve this, open the Group Policy Management Console (GPMC.msc), select the WMI Filters section and create a new WMI filter named Filter PDC Emulator with the following query in the root\CIMv2 namespace: Select * from Win32_ComputerSystem where DomainRole = 5. DomainRole 5 means "Primary Domain Controller", so the filter evaluates to true only on the current PDC Emulator.
Create a new GPO and link it to the OU named Domain Controllers.
Open the GPO for editing and go to the following section of the Group Policy Editor: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.
Enable the following policy settings:
- Configure Windows NTP Client: Enabled (policy settings are described below);
- Enable Windows NTP Client: Enabled;
- Enable Windows NTP Server: Enabled.
Specify the following settings in the Configure Windows NTP Client policy:
- NtpServer: 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1 (space-separated list; the 0x1 flag tells the client to poll each peer at the fixed SpecialPollInterval instead of the dynamic NTP interval);
- Type: NTP (synchronize with the servers listed in NtpServer rather than with the domain hierarchy);
- CrossSiteSyncFlags: 2;
- ResolvePeerBackoffMinutes: 15;
- ResolvePeerBackoffMaxTimes: 7;
- SpecialPollInterval: 3600 (seconds);
- EventLogFlags: 0.
Note. Do not forget to configure your firewall properly and allow your PDC to access the external NTP servers over the NTP protocol (UDP port 123).
Assign the WMI filter Filter PDC Emulator that you created earlier to this GPO (WMI Filtering section on the GPO's Scope tab).
Tip. You can locate the current PDC server using the command: netdom query fsmo
Next, update the Group Policy settings on the PDC (gpupdate), perform a manual time synchronization with your NTP source (w32tm /resync), and check the current NTP status:
w32tm /query /status
The Source field should now show one of the external NTP servers and the Stratum should be one above that server's (typically 2 or 3).
Tip. If something does not work, restart the Windows Time service and reset its configuration to the defaults (this also discards any manual w32tm /config settings; policy settings are re-applied at the next Group Policy refresh):
net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time
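As an added example (not part of the original article), the PowerShell below applies the same settings as the PDC GPO from the command line, which is handy in a lab or on a DC that does not receive the policy, then performs the refresh, resync and verification steps described above. It uses the pool servers and flags from this article; the stripchart target is one of those pool members. Note that when the GPO does apply, its values live under the Policies registry key and override anything set with w32tm /config.

```powershell
# Added example, not part of the original article. Run elevated on the PDC Emulator.

$ntpServers = '0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1'

# Command-line equivalent of the GPO: Type NTP (syncfromflags:manual), peers from the list,
# and announce this DC as a reliable time source to the rest of the domain (/reliable:yes).
w32tm /config /manualpeerlist:"$ntpServers" /syncfromflags:manual /reliable:yes /update

# Refresh computer policy so the PDC GPO (if linked) is applied, and restart the service
gpupdate /target:computer /force
Restart-Service -Name w32time

# Rediscover peers and resync now instead of waiting for the next poll interval
w32tm /resync /rediscover

# Verification: /status shows Source and Stratum, /peers shows each pool member and its state,
# and the filtered configuration shows where each value came from (Policy vs Local).
w32tm /query /status
w32tm /query /peers
w32tm /query /configuration | Select-String 'Type|NtpServer|AnnounceFlags'

# Reachability test over UDP 123 that is independent of the service configuration.
# A timeout error here (rather than offset samples) means DNS or the firewall blocks the peer.
w32tm /stripchart /computer:0.us.pool.ntp.org /samples:3 /dataonly
```

If the stripchart works but /query /status still reports the local clock, the service is usually still running with the old provider configuration; the stop/unregister/register/start sequence above resets it.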
Configure Client Time Sync Settings Using GPO
By default, domain clients synchronize their time with domain controllers (Type NT5DS, synchronize to the domain hierarchy). Typically this behavior does not need to be changed. However, if clients have time sync problems, you can specify the time settings explicitly through a GPO.
To do this, create a new GPO and assign it to the OU with computers. In the GPO Editor go to the following section Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers and enable the policy Configure Windows NTP Client.
As the NTP server specify the name or IP address of the PDC, for example: lon-dc1.adatum.com,0x9 (0x9 = 0x8 Client mode plus 0x1 SpecialInterval).
Set Type: NT5DS
Note. Possible values for the Type parameter:
- NoSync: the computer is not synchronized with any time source and uses its own hardware (CMOS) clock;
- NTP: the computer synchronizes with the external time servers listed in the NtpServer parameter (the default on a stand-alone computer);
- NT5DS: the computer synchronizes according to the domain hierarchy (the default on domain-joined computers);
- AllSync: the computer uses all available sources, both the domain hierarchy and the NtpServer list.
Note. With Type NT5DS the client locates a domain controller through the domain hierarchy and the NtpServer value is not used; it only takes effect with Type NTP or AllSync. Set Type to NTP on domain clients only if you deliberately want them to talk to the listed server directly, since that gives up the authenticated sync with their logon DC.
As with the PDC, update the Group Policy settings on the clients and check that they received the expected time sync settings and actually synchronize with a domain controller.
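As an added example (not part of the original article), the PowerShell below is the check a practitioner would run on a domain member after the client GPO applies: it reads the sync type and source, measures the offset to the PDC directly over UDP 123, compares it with the Kerberos default 5-minute skew tolerance, and lists recent Time-Service warnings and errors. The PDC name lon-dc1.adatum.com is the article's example and should be replaced with your own; English w32tm output is assumed for the Type parsing.

```powershell
# Added example, not part of the original article. Run on a domain member (any user can
# query; w32tm /resync needs elevation).

$Pdc            = 'lon-dc1.adatum.com'   # article's example PDC; replace with yours
$MaxSkewSeconds = 300                    # Kerberos MaxClockSkew default: 5 minutes

# 1. Sync type and current source. A domain member should report Type NT5DS and a DC as source.
$cfg  = w32tm /query /configuration
$type = ($cfg | Select-String '^\s*Type:\s*(\S+)').Matches[0].Groups[1].Value
$src  = (w32tm /query /source) -join ''
"Type: $type  Source: $src"
if ($type -ne 'NT5DS') { Write-Warning "Client does not follow the domain hierarchy (Type=$type)" }
if ($src -match 'Local CMOS Clock|Free-running') { Write-Warning "Client is not synchronized with any peer" }

# 2. Measure the offset to the PDC directly. With /dataonly each sample is printed as
#    '<time>, <offset>s', e.g. '14:05:01, +00.0123456s'; keep the numeric part of each line.
$samples = w32tm /stripchart "/computer:$Pdc" /samples:3 /dataonly
$offsets = @(foreach ($line in $samples) {
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
})
if ($offsets.Count -eq 0) {
    throw "No NTP reply from $Pdc; check name resolution and UDP 123 on the path"
}

$skew = [math]::Abs($offsets[-1])
if ($skew -gt $MaxSkewSeconds) {
    Write-Warning ("Offset to PDC is {0:N3} s, beyond Kerberos tolerance; forcing a resync" -f $skew)
    w32tm /resync /rediscover
} else {
    "Offset to PDC: {0:N3} s (within Kerberos tolerance)" -f $offsets[-1]
}

# 3. Time-Service warnings/errors from the last 24 hours (no sync for hours, no valid
#    response from a peer, unable to set a domain peer, and similar).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Level        = 2, 3                      # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A client whose offset is already beyond the tolerance will fail Kerberos authentication until it is corrected, which is why the offset is measured with stripchart (plain unauthenticated NTP) rather than by waiting for the next scheduled domain sync.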