Windows Server PDC Emulator Sync Issue with Manually Configured NTP Server

Rodney BarnhardtServer Administrator
I have over 30 years in the IT industry. During this time I have worked with a variety of products in a variety of industries.
The Need
In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more than five minutes, network login and authentication fails. I am not sure if anyone has ran into this problem or not. There seems to be various reasons for time sync problems, but I found this an odd problem\solution. Recently, as part of the move off of Windows Server 2003 domain controllers, I had to move the FSMO roles from our 2003 DC’s to 2008. The 2003 server was set to sync its time, and therefore the domain, against a Cisco switch. I made a screen capture of the current settings as shown below:

NTP1.jpgAs per a number of Microsoft Knowledge Base articles, I manually configured the new time servers via the command line with the following command:
W32tm /config /manualpeerlist: /syncfromflags:manual /reliable:yes /update
                      Net stop w32time
                      Net start w32time

Open in new window

However, two days later, I receive a call about authentication problems. It seems the time on all of the systems was off by 20 minutes, even the time on the new PDC Emulator. When running the command:
w32tm /query /status

Open in new window

 the server indicated it was performing its synchronization from the local CMOS clock.

ntp2.jpgSince this server was running in a virtual environment, my first thought was to verify it was not syncing against the host, which is was not. Next, I checked the configuration via the command line, which also indicated it was receiving the information from the local CMOS clock. 

ntp3.jpgntp4.jpgThe Solution
Pretty much the entire company had now been down for nearly three hours while we tried to resolve this problem. Myself and my co-workers had probably read every article on setting the NTP time server on a PDC emulator, reviewed various other articles on sync problems, yet nothing we tried seemed to force the server to sync with our NTP server. I decided to open a Microsoft support case. Once connected via a web session, he reviewed the settings on both servers. There was one attributed that he noted needed to be changed. In the registry setting located at HKLM-SYSTEM-CurrentControlSet-Services-W32Time-Parameters there is a setting called “Type”. By default, this is set to NT5DS. He referred me to the Microsoft KB 816042 “How to configure an authoritative time server in Windows Server” ( ). This article explains that the setting NT5DS needs to be change to NTP, which was a setting in the previous 2003 server, but since nothing I had read indicated this needing to be change, I left it with the default value. I changed the registry key, stopped and started the W32time service, then checked the status. Now, the status showed the IP address of the NTP server in the “ReferenceID” line. I have blacked it out in the screen shot below. However, if you refer to the first query screen shot shown previously, you will see it showed the source as “LOCL”. 

ntp5.jpgThe Analysis
The question is why did we not find any reference to changing the default NT5DS. A coworker started to look deeper into that setting. He did locate Microsoft KB 223184, which was for Windows Server 2000 ( ). This provides the following information on this registry entry:

Type : REG_SZ
Used to control how a computer synchronizes.
Nt5DS = synchronize to domain hierarchy [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time 

Also, you may have notices in the first screen shot that besides the IP address for the NTP server there was an entry of “0x8”. This needs to be added to have the server send the request as a client. This is explained in Microsoft KB 875424 ( ). The settings are as follows:

  • 0x1 – use special poll interval SpecialInterval
  • 0x2 – UseAsFallBackOnly
  • 0x4 – send request as SymmetricActive mode
  • 0x8 – send request as Client Mode
Basically, in order to make the PDC emulator sync with a non-Windows, outside source, the registry entry should look like the screen shot below (real address blacked out). This will help avoid any potential domain problems due to authentication and time synchronization. 

ntp6.jpgThank you for reading my article. I hope you find it useful and that it either helps you avoide a potential time synchronization problem or helps you resovle an issue with your environment. If you found it helpful, please indicate so with the button below this article. Any feedback is appreciated. 

Thank you, 
Rodney Barnhardt
Rodney BarnhardtServer Administrator
I have over 30 years in the IT industry. During this time I have worked with a variety of products in a variety of industries.

Comments (4)

Great article. Very informative.
Awesome article Rodney!  The 0x8 was missing on mine.  Put it in and voila!  Thanks!
Thanks for your article.
I've added the 0x8 on the registry configuration. After restarting Windows time in services, the time source changes to "Local CMOS CLOCK" again!
Rodney BarnhardtServer Administrator


Is this by chance a virtual machine? If so, it may be configured to sync with the host. The setting depends on the type of hypervisor, but that can cause problems on a PDC emulator running NTP if it is set that way.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.