NTP (time service) Configuration in Active Directory
Active Directory relies on accurate time on every member server, Domain Controller, and domain-joined workstation. When clocks drift out of tolerance, critical Active Directory services such as replication and Kerberos authentication fail (Kerberos rejects tickets when client and server clocks differ by more than the domain's maximum tolerance, five minutes by default), which can bring the entire Active Directory infrastructure to its knees.
- In Active Directory, clock synchronization is handled by the Windows Time service (W32Time).
- Member machines synchronize with the Domain Controller that authenticates them.
- Within a domain, Domain Controllers synchronize from the PDC Emulator of that domain using the NT5DS (domain hierarchy) type, which simply means: follow the domain hierarchy and find my PDC Emulator. In a multi-domain forest, the PDC Emulator of a child domain synchronizes from a Domain Controller in its parent domain.
- The PDC Emulator of the forest root domain should synchronize with an external time source (a clock device, a router, another standalone server, an internet time server, etc.). Everything else in the forest inherits its time from this one server through the hierarchy.
In order to adhere to the time syncing hierarchy above, perform the following steps on the server holding the PDC Emulator role.
1. First, verify that the Domain Controller you are working on is the PDC Emulator by running the following command:
a. netdom query fsmo
2. From the PDC Emulator server, run the following commands in the order shown.
a. net stop w32time
b. w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1"
(The default external time source for Windows Server is time.windows.com. A better option is to sync from several time servers; the command above uses servers maintained by the NTP Pool Project. The ",0x1" suffix is the SpecialInterval flag, which polls that peer at the configured SpecialPollInterval instead of the interval negotiated with the server. Two caveats: if your Domain Controllers receive the "Configure Windows NTP Client" Group Policy setting, that policy overrides these local settings and must carry the same peer list; and if the PDC Emulator is a virtual machine, make sure the hypervisor's time synchronization integration is not overriding W32Time. On a Hyper-V guest, w32tm /query /source reports "VM IC Time Synchronization Provider" when it is.)
c. net start w32time
d. w32tm /config /reliable:yes /update
e. w32tm /resync
3. If there is more than one Domain Controller in the domain, run the following command on each of the other Domain Controllers (not the PDC Emulator) so that they follow the domain hierarchy, then force a sync as in step 2e. Domain hierarchy is the default for a domain-joined machine, so this mainly undoes any manual time source someone configured earlier:
a. w32tm /config /syncfromflags:domhier /update
4. Verify the time settings on the PDC Emulator by running w32tm /query /status. The Source line should name one of the external peers you configured (for example 0.us.pool.ntp.org,0x1) and the Stratum should be one higher than that of the peer. w32tm /query /source prints just the source; "Local CMOS Clock" or "Free-running System Clock" means the server is not synchronizing over the network at all.
5. Verify the time settings on all other Domain Controllers the same way; there, the Source line should name the PDC Emulator. To compare all Domain Controllers at once, run w32tm /monitor, which lists each Domain Controller with its offset from the PDC Emulator.
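The whole procedure above, as an added PowerShell example that is not part of the original article: run on any Domain Controller, it detects whether that DC holds the PDC Emulator role (the PowerShell equivalent of netdom query fsmo), applies either the manual external peer list or the domain hierarchy setting, and then verifies the reported source and measures the clock offset against the Kerberos tolerance. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed on the DC and that the script runs elevated; the default peer list mirrors the article and the MaxOffsetSeconds value of 300 is the Kerberos default maximum clock skew.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Performs steps 1 to 5
# on the DC it runs on: detect the PDC Emulator role, configure W32Time
# accordingly, then verify the source and the clock offset. Assumes the
# ActiveDirectory module (RSAT-AD-PowerShell) is installed on the DC.
param(
    # External peers for the PDC Emulator; defaults mirror the article.
    [string[]]$ExternalPeers = @('0.us.pool.ntp.org', '1.us.pool.ntp.org',
                                 '2.us.pool.ntp.org', '3.us.pool.ntp.org'),
    # Kerberos rejects tickets once clocks differ by more than MaxClockSkew
    # (5 minutes by default), so treat anything beyond that as a failure.
    [double]$MaxOffsetSeconds = 300
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: determine whether this DC is the PDC Emulator.
$pdc   = (Get-ADDomain).PDCEmulator
$self  = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
$isPdc = ($pdc -ieq $self)
Write-Host "PDC Emulator: $pdc  (this host: $self, isPdc: $isPdc)"

# Steps 2 and 3: choose the time source according to the role.
if ($isPdc) {
    # ",0x1" is the SpecialInterval flag: poll the peer at SpecialPollInterval
    # instead of the interval negotiated with it. /reliable:yes advertises this
    # DC as a reliable time source to the rest of the domain hierarchy.
    $peerList = ($ExternalPeers | ForEach-Object { "$_,0x1" }) -join ' '
    w32tm /config /syncfromflags:manual /manualpeerlist:"$peerList" /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy back to the PDC Emulator.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service -Name w32time        # same effect as "net stop" / "net start"
w32tm /resync /rediscover | Out-Null

# Steps 4 and 5: verify what W32Time is actually synchronizing from.
$source = (w32tm /query /source | Out-String).Trim()
$notNetwork = @('Local CMOS Clock', 'Free-running System Clock',
                'VM IC Time Synchronization Provider')   # Hyper-V guest provider
if ($notNetwork -contains $source) {
    throw "W32Time is not synchronizing over the network (source: $source)"
}
# A non-PDC DC in a child domain may legitimately follow a parent-domain DC
# instead of its own PDC Emulator, so this is a warning rather than an error.
$expected = if ($isPdc) { $ExternalPeers | ForEach-Object { "$_,0x1" } } else { @($pdc) }
if ($expected -notcontains $source) {
    Write-Warning "Unexpected source '$source'; expected one of: $($expected -join ', ')"
}

function Get-TimeOffsetSeconds {
    # Averages the offsets reported by "w32tm /stripchart ... /dataonly", whose
    # sample lines look like "14:02:11, +00.0012345s" (the decimal separator is
    # "," on some locales, hence the [.,] in the pattern).
    param([string]$Computer, [int]$Samples = 3)
    $lines   = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+[.,]\d+)s\s*$') {
            [double]($Matches[1] -replace ',', '.')
        }
    }
    if (@($offsets).Count -eq 0) { throw "No NTP samples from ${Computer}: $($lines -join ' | ')" }
    ($offsets | Measure-Object -Average).Average
}

# The source string may carry the ",0x1" flag suffix; strip it before probing.
$offset = Get-TimeOffsetSeconds -Computer ($source.Split(',')[0])
Write-Host ("Offset to {0}: {1:N4} s" -f $source, $offset)
if ([math]::Abs($offset) -gt $MaxOffsetSeconds) {
    throw "Clock offset exceeds the Kerberos tolerance of $MaxOffsetSeconds s"
}
w32tm /query /status
```

Run it once on the PDC Emulator and once on every other Domain Controller; the role check means the same script is correct on both. A thrown error marks a DC that is either not synchronizing over the network at all or already outside the Kerberos skew window, which is exactly the condition that breaks authentication and replication.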