Standardizing NTP source for all Windows Server joined to domain


Can someone here please share some steps to standardize the time source on my domain-joined Windows Servers (2003 up to 2012 R2) and also the workstations (XP to 8.1)?

Because when I run the following command to check the NTP source:

net time /querysntp


2008-2012 R2
w32tm /query /source


They all return different values from internal domain controller and also some default

The PDC emulator role is Win2003 called PRODDC02, but somehow the other domain controller, which runs on Win2008R2, doesn't refer to this PDC role. Why is that? Is it because the domain controller Windows Server 2003 is too old?
Senior IT System Engineer, IT Professional, Asked:

Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service, sync a master (or two, three) with an external source (i.e. from and sync the clients and DCs to the master. The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See this article for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VMs like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
Dan McFadden, Systems Engineer, Commented:
First off, I would identify (properly) what DCs are running what FSMO roles.  Running the following command from an elevated (as Domain Administrator) command prompt will tell you:

netdom query /domain:YourDomainName.extension fsmo

The output should look like this:

Schema master                      servername.domainname.ext
Domain naming master       servername.domainname.ext
PDC                                          servername.domainname.ext
RID pool manager                 servername.domainname.ext
Infrastructure master           servername.domainname.ext
The command completed successfully.

Also, how many DCs are 2003 and how many are 2008+?

I would move any role that may be running on the 2003 DC off to your newest DCs, leaving the 2003 DC with no roles.

Next, you have to configure the DC with the PDC Emulator role as an authoritative time server.  Here are a couple of links to time sync best practices and a how-to article:


After this is complete and your PDC Emulator role holder is properly syncing time from a reliable source, you should deploy a GPO to configure the time service on your workstations.  The only server or workstation that should use something other than NT5DS is the PDC Emulator, which should use NTP.

Reference link:

What all this will do, is allow only the PDC DC to sync its time to an external reliable/trusted time source.  All other DCs, non-DC member servers and workstations will sync to any one of the DCs in your domain.

As an external time source, I recommend (and use) the time servers available in the pool that is local to you:


If you have your own NTP appliance, then use that as the primary external time source, and a pool server as a secondary.

Will Szymkowski, Senior Solution Architect, Commented:
This is by design! If you have correctly configured your PDC role for an external time source (via registry) and you run the below command.

netdom query fsmo

Make sure that your PDC is correct. If all of these settings are correct from the PDC role, then having other DCs show up when you run w32tm /query /source is completely normal.

This is the hierarchy for time source.
First - External Source (internet)
Second - PDC Emulator
Third - All other DC's in your environment

Any one of the domain controllers can provide time source to clients. PDC is authoritative but DCs get their time from the PDC emulator as well.

Take a look at the following link which provides you a detailed hierarchy of Time Source service.
 Active Directory Time Source Hierarchy Diagram

Greg Hejl, Principal Consultant, Commented:
After setting up NTP in your AD servers use GPOs to set NTP for all the clients and member servers.
Will Szymkowski, Senior Solution Architect, Commented:
You can create a GPO and set the time providers but all of the DC's already know which domain controller is the authoritative time provider based on the PDC role holder.

If you ever need to seize or transfer the PDC role for any reason you will need to also wait for group policy to update accordingly.

I have set up and used Time Service for years without specifying it in the GPO. All of the DCs act as a time source and get their time source from the PDC in your environment. This allows for more flexibility if you ever have to transfer or seize this role; you will not be in a situation waiting on Group Policy to process. Other DCs will see that a new DC has been promoted the PDC role and as long as you set up an external time source via the registry all the DCs will point to the new PDC as the time server.

Either way will work; this is just my own opinion.

Here is how I view time services in Windows.  It's easy as pie.  As others have stated, ensure that the PDCe FSMO Holder is configured (either via Registry or via Group Policy using a WMI Filter) to obtain its time from an external source (or even from an internal source [it should be implied that the internal source is not another DC] that gets its time from an external source; e.g. - your router or a *nix based proxy).

Don't change anything else, don't fiddle with the clients, servers or other DCs (save to reset their time service to default settings).  Don't set any policies directing clients, servers or other DCs where to get their time from.  By default; *BY DEFAULT* the Windows time service is configured to get its time from:
In a domain - the DC that contains the PDCe FSMO role.
In a workgroup - (which Microsoft admits is not a reliable time source).

The only other consideration has to deal with virtual DC instances: you want to make sure that you disable the time service Integration Service for the guest operating system in the hypervisor configuration (I ran into this issue where a PDCe was configured as a VM and because of this, the time was off by exactly 5 minutes on all of the domain computers).

My current configuration is based on a WMI filter and uses the default time service registry entries coupled with the following GPO settings:

In Group Policy Management -> Linked to the Domain Controllers OU is the Authoritative Time Server Policy.

The Authoritative Time Server policy uses a WMI Filter called PDCe Role.

Here are the settings of the PDCe Role WMI Filter.

And here are the settings for the Authoritative Time Server Policy.

With these in place, the only thing you should need to do is reset the time service settings on all of the DC's (with exception to the PDCe holder) to their default values and everything will fall into place.

Configuring the Windows Time Service for Windows Server
Configuring an Authoritative Time Server with Group Policy Using WMI Filtering
Hyper-V Time Sync

Senior IT System Engineer, IT Professional, Author Commented:
Ok, so after I transfer the FSMO role to the new Win2k8r2 VM, should I force replicate AD from this new PDC emulator?

And then after that, create the GPO with WMI Filter applied to Domain Controllers OU, do I have to force replicate AD again?

Lastly, after the GPO takes effect for the PDC emulator role, I assume that I do not have to do anything on the domain joined servers & workstations.

Is that correct?
It won't hurt anything to do a replication.  Really the only thing you would probably force is a group policy update so that the time policies take effect immediately.  Other than that, I would only recommend doing a reset of the time services on all of the servers (starting with the PDCe) just to ensure a clean slate.

Personally I would do the steps in this order.

1. Reset the time service to default values on the server you are transferring the PDCe FSMO role to.

Run the following from an elevated command prompt to reset the time service:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time


2. Transfer the PDCe FSMO role to the server you want.

3. Setup the group policy with the WMI filter.

4. Force a group policy update on the PDCe FSMO holder.

5. Reset the time service on each additional DC and set it to use the Domain Hierarchy for completeness.

Run the following from an elevated command prompt to reset the time service:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
rem The service must be running before /config /update and /resync can reach it
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover


Other than that, the domain joined computers and servers should just fall in line so long as they have no special registry settings that override the defaults.

Also, make sure that you heed the advice concerning Hyper-V time synchronization.
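
An added example, not part of any poster's answer or configuration: a read-only Windows PowerShell audit that checks each DC against the layout described in this thread (PDCe on NTP, every other DC on NT5DS, no DC taking time from the hypervisor) and shows which DC a PDCe WMI filter would select. The WQL query `DomainRole = 5` is the commonly used PDCe filter and is an assumption here, because the poster's filter settings are not reproduced on this page; the report column names are illustrative.

```powershell
# Added example: read-only audit of time configuration on every DC in the domain.
# Run in Windows PowerShell on a domain-joined machine as a domain administrator.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

# Sources that mean the DC is not following the domain hierarchy.
$badSources = 'Local CMOS Clock', 'Free-running System Clock',
              'VM IC Time Synchronization Provider'
# Assumed WQL for a "PDCe Role" WMI filter: DomainRole 5 = primary domain controller.
$pdcFilter = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'

$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    # w32tm /query needs Server 2008 or later on the target; a 2003 DC is
    # expected to return error text here and will show up with Type "unknown".
    $source = (& w32tm /query "/computer:$name" /source 2>&1 | Out-String).Trim()
    $config = & w32tm /query "/computer:$name" /configuration 2>&1 | Out-String
    # Effective client type: NT5DS = domain hierarchy, NTP = manual peer list.
    $type = if ($config -match '(?m)^\s*Type:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    $matchesFilter = [bool](Get-WmiObject -ComputerName $name -Query $pdcFilter `
                            -ErrorAction SilentlyContinue)

    $isPdc    = ($name -eq $pdc)
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    $findings = @()
    if ($type -ne $expected)           { $findings += "Type is $type, expected $expected" }
    if ($badSources -contains $source) { $findings += 'not synchronised via the hierarchy' }
    if ($matchesFilter -ne $isPdc)     { $findings += 'WMI filter result disagrees with FSMO' }

    New-Object PSObject -Property @{
        DC = $name; IsPDCe = $isPdc; Type = $type; Source = $source
        MatchesFilter = $matchesFilter; Findings = ($findings -join '; ')
    }
}

$report | Select-Object DC, IsPDCe, Type, Source, MatchesFilter, Findings |
    Format-Table -AutoSize -Wrap
```

An empty Findings column on every row means the PDCe is the only DC with a manual peer list and the rest follow the domain hierarchy; running it again after a FSMO transfer confirms the policy moved with the role.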


Greg Hejl, Principal Consultant, Commented:
Well done saige!  I hadn't thought to use a WMI filter to identify the PDC, that's a great idea!  Thanks for sharing!
Senior IT System Engineer, IT Professional, Author Commented:
Ok, so in this case for the PDC emulator WMI filtered Timesync GPO to be created, shall I put it on the root domain and as the priority #2 below the default domain policy?

Is that correct?
Greg Hejl, Principal Consultant, Commented:
Put it on your Domain controller OU.
Senior IT System Engineer, IT Professional, Author Commented:
Many thanks all !