Time Service Configuration

Many people are confused about time service configuration in a Windows domain environment: which registry settings should be configured on a DC, which server should be the authoritative time server, and which server should point to the external time source?

This article discusses some of the steps needed (at least those which I could remember); for the rest, you can ask me via comments if you have any doubts, concerns or corrections.

First of all, there is no need to touch any of the Time service registry settings. Avoiding registry changes will save you from much of the confusion that the complex time service settings in the registry can create.

You can configure all the required settings via the command line in a few simple steps, which are illustrated below.

As per the time service design, the server holding the PDC emulator role should act as the SPOC (source of time) for all the domain controllers in the domain.

All the DCs should get their time from the PDC role holder. All the clients should get their time from whichever DC they authenticate against.

Now the question comes up: how do I determine my PDC role holder?
You can get the name of the PDC role holder simply by running
netdom query fsmo 



So now you have to configure the time service on the DC you found to be the PDC role holder with the above command. Use the commands below, in their order, to configure the time service on the PDC.

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp: 
net stop w32time & net start w32time
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time & net start w32time


If you need a description of any of the above commands, ask me a question in the comment box below. Note that the 7th command sets your PDC role holder to sync with the pool.ntp.org server, so make sure that your firewall allows traffic to this destination on UDP port 123.

Now we need to configure the same service on your other domain controllers, which are not the PDC role holder.

Follow the set of commands below on the non-PDC role holders to configure the time on these DCs. Run the commands from CMD (Run as administrator if you are using 2008).

net stop w32time 
w32tm /unregister 
w32tm /register 
net start w32time 
net time /setsntp: 
Net stop w32time & net start w32time 
w32tm /config /syncfromflags:domhier /update 
W32tm /resync /rediscover 
net stop w32time & net start w32time




Now you will ask yourself: how do I make sure that I am getting time from the source I configured with the commands above? Let's look at the simplest command:
w32tm /monitor


This will output something like the following:

C:\Users\artcileauthorID>w32tm /monitor
DC1.contoso.local *** PDC ***[10.10.10.10:123]:
    ICMP: 2ms delay
    NTP: +0.0000000s offset from DC1.contoso.local
        RefID: 120-88-47-10.infra.hnsdc.com [120.88.47.10]
        Stratum: 3
DC1.contoso.local *** PDC ***[10.10.10.11:123]:
    ICMP: 2ms delay
    NTP: -0.0391449s offset from DC1.contoso.local
        RefID: DC1.contoso.local [10.10.10.10]
        Stratum: 4

In the above example, DC1 is my time source.
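
The same check can be scripted. The PowerShell below is an added example, not part of the original article: it parses w32tm /monitor output and flags any DC whose time source does not follow the design described above (PDC role holder syncing from outside the domain, every other DC syncing from the PDC role holder) or whose offset is too large. The DC2 and DC3 entries, the 10.10.10.99 source, the function name Get-TimeHierarchyFinding and the 1-second threshold are constructed for illustration.

```powershell
# Constructed sample in the layout of the w32tm /monitor output shown above.
# On a real DC use:  $lines = w32tm /monitor
$lines = @'
DC1.contoso.local *** PDC ***[10.10.10.10:123]:
    ICMP: 2ms delay
    NTP: +0.0000000s offset from DC1.contoso.local
        RefID: 120-88-47-10.infra.hnsdc.com [120.88.47.10]
        Stratum: 3
DC2.contoso.local[10.10.10.11:123]:
    ICMP: 2ms delay
    NTP: -0.0391449s offset from DC1.contoso.local
        RefID: DC1.contoso.local [10.10.10.10]
        Stratum: 4
DC3.contoso.local[10.10.10.12:123]:
    ICMP: 3ms delay
    NTP: +7.2040113s offset from DC1.contoso.local
        RefID: oldntp.contoso.local [10.10.10.99]
        Stratum: 3
'@ -split '\r?\n'
$MaxOffsetSeconds = 1.0   # assumed alert threshold, not a value from the article

function Get-TimeHierarchyFinding {   # hypothetical helper name
    param([string[]]$Lines, [double]$MaxOffset)
    $dcs = @(); $cur = $null
    foreach ($l in $Lines) {
        # A header line starts a new DC record; indented lines fill it in.
        if ($l -match '^(?<name>\S+?)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[(?<ip>[\d.]+):\d+\]:') {
            $cur = [pscustomobject]@{ Name = $Matches['name']; IsPdc = [bool]$Matches['pdc']
                                      IP = $Matches['ip']; Offset = $null; RefIP = $null }
            $dcs += $cur
        } elseif ($cur -and $l -match 'NTP:\s*(?<off>[+-]?[\d.]+)s offset') {
            $cur.Offset = [double]::Parse($Matches['off'], [cultureinfo]::InvariantCulture)
        } elseif ($cur -and $l -match 'RefID:\s*\S+\s*\[(?<ref>[^\]]+)\]') {
            $cur.RefIP = $Matches['ref']
        }
    }
    $pdc = @($dcs | Where-Object IsPdc)
    if ($pdc.Count -ne 1) { return "Expected exactly one PDC entry, found $($pdc.Count)" }
    foreach ($dc in $dcs) {
        if ($dc.IsPdc -and $dc.RefIP -in $dcs.IP) { "$($dc.Name): PDC syncs from a DC ($($dc.RefIP)), not an external source" }
        if (-not $dc.IsPdc -and $dc.RefIP -ne $pdc[0].IP) { "$($dc.Name): time source is $($dc.RefIP), expected the PDC $($pdc[0].IP)" }
        if ($null -eq $dc.Offset) { "$($dc.Name): no NTP offset parsed"; continue }
        if ([math]::Abs($dc.Offset) -gt $MaxOffset) { "$($dc.Name): offset $($dc.Offset)s exceeds ${MaxOffset}s" }
    }
}

Get-TimeHierarchyFinding -Lines $lines -MaxOffset $MaxOffsetSeconds
```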

=======================================================================

After doing all of the above, run
dcdiag /test:advertising 


to check whether your DC is advertising as an authoritative time server, and use the w32tm /monitor command on the DC to see whether its time source is correct. That's it.

One more thing: if you are following the above method, DO NOT USE GROUP POLICIES TO CONFIGURE TIME on clients.

If the time service is running, clients will select their authenticating DC as their time source.

That was all I could figure out to write here. If you have any questions, queries or corrections, please comment below and I will answer when time permits :)
Author:Life1430
5 Comments
LVL 10

Expert Comment

by:ZenVenky
Sarang,

I voted Yes for your article. Add this info to your article; it is useful to people who use Domain Controllers on VMs. In addition to your settings, one needs to add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider Enabled  0; that way we are disabling time sync from the host machine. For more info check the link below.

Time Synchronization in Hyper-V
1
LVL 18

Author Comment

by:Life1430
Hi Zenvenky

Thanks for the information. I have not included any virtualisation scenarios in this article and am hoping to get this updated as soon as time permits.
0
LVL 4

Expert Comment

by:freaky_NL
I really have no clue why you are unregistering the service, reregistering it, reconfiguring it (with /update which forces the changes to take effect - no need to restart thus), forcing it to update again and yet restarting the services again.

Also, it's wise to use more than 1 server. For example

w32tm /config /manualpeerlist:"1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
w32tm /resync

should be sufficient.

I never had issues and I never do more than this anyways :).
1
LVL 47

Expert Comment

by:Shaun Vermaak
My preferred method is via GPO with a WMI filter for the PDCe role. This way, when you change the PDCe, the configuration changes automatically.
https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/
2
LVL 9

Expert Comment

by:Senior IT System Engineer
@Shaun I have followed the instructions in https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

Policy settings:
Configure Windows NTP Client Enabled 
NtpServer 0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8 
Type NTP 
CrossSiteSyncFlags 2 
ResolvePeerBackoffMinutes 15 
ResolvePeerBackoffMaxTimes 7 
SpecialPollInterval 3600 
EventLogFlags 0 
Enable Windows NTP Client Enabled  
Enable Windows NTP Server Enabled 



But somehow the other domain controllers, which were set before as the NTP server, are not changing it to Stratum 2?
0
