Time Service Configuration

Sarang Tinguria, Technical Lead
Many people are confused about time service configuration in a Windows domain environment: which registry settings should be configured on a DC? Which server should be my authoritative time server? Which server should I point at the external time source?

This article discusses the steps needed (at least those I could remember). If you have any doubts, concerns or corrections, you can ask me via the comments.

First of all, there is no need to touch any of the time service registry settings. Avoiding registry changes will save you from much of the confusion that the complex time service settings in the registry can create.

You can configure all the required settings from the command line in a few simple steps, illustrated below.

As per the time service design, the server holding the PDC emulator role should act as the SPOC (source for time) for all the domain controllers in the domain.

All the DCs should get their time from the PDC role holder. All the clients should get their time from whichever DC they authenticate against.

Now the question comes up: how do I determine my PDC role holder?
You can get the name of the PDC role holder simply by running
netdom query fsmo 

So now you have to configure the time service on the DC that the above command identified as the PDC role holder. Run the commands below, in order, to configure the time service on the PDC:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp:
net stop w32time & net start w32time
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time & net start w32time

If you need a description of any of the above commands, ask me in the comment box below. Note that the 7th command sets your PDC role holder to sync with the pool.ntp.org server, so make sure that your firewall allows traffic to this destination on UDP port 123.

Now we need to configure the same service on your other domain controllers, which are not the PDC role holder.

Run the set of commands below on the non-PDC role holders to configure time on these DCs. Run them from CMD (Run as administrator if you are using 2008).

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp:
net stop w32time & net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time & net start w32time


Now you will ask yourself: how do I make sure that I am getting time from the source I configured with the commands above? Let's look at the simplest command:
w32tm /monitor

This will output something like the following:

C:\Users\artcileauthorID>w32tm /monitor
DC1.contoso.local *** PDC ***[10.10.10.10:123]:
    ICMP: 2ms delay
    NTP: +0.0000000s offset from DC1.contoso.local
        RefID: 120-88-47-10.infra.hnsdc.com [120.88.47.10]
        Stratum: 3
DC1.contoso.local *** PDC ***[10.10.10.11:123]:
    ICMP: 2ms delay
    NTP: -0.0391449s offset from DC1.contoso.local
        RefID: DC1.contoso.local [10.10.10.10]
        Stratum: 4

In the above example, DC1 is my time source.
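
To check this result across many DCs without reading it by eye, the following added example (not part of the original article) parses the w32tm /monitor output shown above into objects and flags entries with a missing or large offset. The function name ConvertFrom-W32tmMonitor and the 1-second threshold are assumptions made for illustration.

```powershell
# Added example: parse `w32tm /monitor` text into objects and flag suspect entries.
# $sample is the output shown above, embedded so the script runs offline.
$sample = @'
DC1.contoso.local *** PDC ***[10.10.10.10:123]:
    ICMP: 2ms delay
    NTP: +0.0000000s offset from DC1.contoso.local
        RefID: 120-88-47-10.infra.hnsdc.com [120.88.47.10]
        Stratum: 3
DC1.contoso.local *** PDC ***[10.10.10.11:123]:
    ICMP: 2ms delay
    NTP: -0.0391449s offset from DC1.contoso.local
        RefID: DC1.contoso.local [10.10.10.10]
        Stratum: 4
'@

function ConvertFrom-W32tmMonitor {   # hypothetical helper name
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^\s\[]+).*\[(?<ip>[\d.]+):\d+\]:\s*$') {
            if ($entry) { [pscustomobject]$entry }   # emit the previous server block
            $entry = [ordered]@{ Server = $Matches.name; Address = $Matches.ip
                                 OffsetSeconds = $null; RefID = $null; Stratum = $null }
        } elseif (-not $entry) {
            continue                                 # ignore text before the first header
        } elseif ($line -match '^\s+NTP:\s+(?<off>[+-]?\d+\.\d+)s offset') {
            $entry.OffsetSeconds = [double]::Parse($Matches.off, [cultureinfo]::InvariantCulture)
        } elseif ($line -match '^\s+RefID:\s+(?<ref>.+?)\s*$') {
            $entry.RefID = $Matches.ref
        } elseif ($line -match '^\s+Stratum:\s+(?<s>\d+)') {
            $entry.Stratum = [int]$Matches.s
        }
    }
    if ($entry) { [pscustomobject]$entry }           # emit the last server block
}

$MaxOffsetSeconds = 1.0   # assumed alert threshold, not a value from the article
$parsed = ConvertFrom-W32tmMonitor -Lines ($sample -split '\r?\n')
$report = foreach ($dc in $parsed) {
    $problems = @()
    if ($null -eq $dc.OffsetSeconds) { $problems += 'no NTP offset reported' }
    if ($null -ne $dc.OffsetSeconds -and [math]::Abs($dc.OffsetSeconds) -gt $MaxOffsetSeconds) {
        $problems += 'offset over threshold'
    }
    if ($null -eq $dc.Stratum) { $problems += 'no stratum reported' }
    $status = if ($problems) { $problems -join '; ' } else { 'OK' }
    $dc | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
}
$report | Format-Table Server, Address, OffsetSeconds, Stratum, RefID, Status -AutoSize
```

On a live DC, pass the real output instead of the sample: ConvertFrom-W32tmMonitor -Lines (w32tm /monitor).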

=======================================================================

After doing all of the above, run
dcdiag /test:advertising

to check whether your DC is advertising as an authoritative time server, and use the w32tm /monitor command on the DC to confirm that its time source is correct. That's it.

One more thing: if you are following the above method, DO NOT USE GROUP POLICIES TO CONFIGURE TIME on clients.

If the time service is running, clients will select their authenticating DC as their time source.

That was all I could figure out to write here. If you have any questions, queries or corrections, please comment below and I will answer when time permits :)

Comments (5)

Venkat Suresh, Architect

Commented:
Sarang,

I voted Yes for your article. Add this info to your article; it is useful to people who use domain controllers on VMs. In addition to your settings, one needs to add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider Enabled 0; that way we are disabling time sync from the host machine. For more info, check the link below.

Time Synchronization in Hyper-V
Sarang Tinguria, Technical Lead
CERTIFIED EXPERT
Top Expert 2012

Author

Commented:
Hi Zenvenky

Thanks for the information. I have not included any virtualisation scenarios in this article and am hoping to get this updated as soon as time permits.
CERTIFIED EXPERT

Commented:
I really have no clue why you are unregistering the service, reregistering it, reconfiguring it (with /update which forces the changes to take effect - no need to restart thus), forcing it to update again and yet restarting the services again.

Also, it's wise to use more than 1 server. For example

w32tm /config /manualpeerlist:"1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
w32tm /resync

should be sufficient.

I never had issues and I never do more than this anyways :).
Shaun Vermaak, COG Lead Engineer
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
My preferred method is via GPO with a WMI filter for the PDCe role. This way, when you change PDCe, the configuration changes automatically.
https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/
Albert Widjaja, IT Professional
CERTIFIED EXPERT

Commented:
@Shaun I have followed the instructions in https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

Policy settings:
Configure Windows NTP Client Enabled 
NtpServer 0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8 
Type NTP 
CrossSiteSyncFlags 2 
ResolvePeerBackoffMinutes 15 
ResolvePeerBackoffMaxTimes 7 
SpecialPollInterval 3600 
EventLogFlags 0 
Enable Windows NTP Client Enabled  
Enable Windows NTP Server Enabled 

But somehow the other domain controllers, which were set before as the NTP server, are not changing it as the Stratum 2?