The Windows Time service underpins the normal operation of an Active Directory domain. Kerberos, the primary AD authentication protocol, rejects tickets and authenticators whose timestamps differ from the verifier's clock by more than the allowed skew (5 minutes by default), so every domain member depends on W32Time (Windows Time) keeping its clock close to the domain controllers'. In an AD environment, time synchronization follows a strict hierarchy: domain-joined computers and member servers take their time from the domain controller that authenticated them, and all domain controllers synchronize with the single DC that holds the PDC Emulator FSMO role.
The PDC Emulator (Primary Domain Controller emulator) in turn synchronizes with an external time source, usually one or more public NTP (Network Time Protocol) servers such as time.windows.com or your provider's NTP server. Note that within the domain hierarchy W32Time does not use plain, unauthenticated NTP: a domain member's requests to its DC are answered with packets signed using the computer account's credentials (Microsoft's authenticated NTP extension), so an arbitrary host on the network cannot pose as the domain's time server.
How Does the Windows Time Service Work in Domain?
Every version of Windows includes the W32Time service, and it is what synchronizes time across an AD organization. A computer can act as an NTP client, as an NTP server, or as both. By default, domain members do not take time from arbitrary NTP servers: they follow the domain hierarchy (the NT5DS sync type) and accept only DC responses authenticated as described above.
By default, the Windows Time Service is configured as follows:
- After a clean Windows installation the computer runs an NTP client that synchronizes with an external source (time.windows.com by default);
- When the computer is joined to a domain, the sync type changes: all client computers and member servers then use a domain controller as their time source;
- When a member server is promoted to a domain controller, the NTP server provider is enabled on it, and it uses the DC holding the PDC Emulator role as its own time source;
- The PDC Emulator is the top of the time hierarchy for the whole organization. It must in turn synchronize with an external time source; if none is configured it falls back to the server's hardware (CMOS) clock, which is not recommended;
- This scheme works in most cases and needs no admin intervention. However, on a particular machine the time service may have been reconfigured (for example by hypervisor integration tools or by an earlier manual change) so that it no longer follows the domain hierarchy.
If the time on clients and domain controllers differs, your domain most likely has a time synchronization problem, and this article should help you find and fix it.
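The hierarchy above is easy to state and easy to break silently. The following PowerShell script is an added example, not code from the original article: it asks every domain controller for its effective W32Time settings and flags the deviations described above (a DC on its CMOS clock or on the hypervisor clock, a PDC that is not in NTP mode, another DC that is not following the PDC). It assumes a single-domain forest, the RSAT ActiveDirectory module, and PowerShell remoting to the DCs; the hostnames are whatever your domain returns.

```powershell
# Added example (not part of the original article): audit the W32Time hierarchy
# of every domain controller in a single-domain forest.
# Assumptions: RSAT ActiveDirectory module installed, PowerShell remoting to each
# DC allowed, run as a domain admin.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator          # FQDN of the current PDC Emulator
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # Collect the effective W32Time configuration directly from the DC
    $state = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
        $p    = Get-ItemProperty "$base\Parameters"
        [pscustomobject]@{
            Source    = (w32tm /query /source | Out-String).Trim()
            Type      = $p.Type
            NtpServer = $p.NtpServer
            VmicOn    = (Get-ItemProperty "$base\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue).Enabled
            ServerOn  = (Get-ItemProperty "$base\TimeProviders\NtpServer").Enabled
        }
    }

    $isPdc  = $dc -ieq $pdc
    $issues = [System.Collections.Generic.List[string]]::new()

    # A DC on its hardware clock or on the hypervisor clock is not following any hierarchy
    if ($state.Source -match 'Local CMOS Clock|VM IC Time Synchronization Provider') {
        $issues.Add("source is '$($state.Source)'")
    }
    if ($state.VmicOn -eq 1)  { $issues.Add('VMICTimeProvider is enabled') }
    if ($state.ServerOn -ne 1) { $issues.Add('NtpServer provider is disabled') }

    if ($isPdc) {
        # The PDC must take time from explicit external peers, not from the domain hierarchy
        if ($state.Type -ne 'NTP') { $issues.Add("Type is '$($state.Type)', expected NTP") }
        if (-not $state.NtpServer) { $issues.Add('NtpServer peer list is empty') }
    } else {
        # Every other DC should follow the hierarchy and end up on the PDC
        if ($state.Type -ne 'NT5DS') { $issues.Add("Type is '$($state.Type)', expected NT5DS") }
        if ($state.Source -notlike "$($pdc.Split('.')[0])*") {
            $issues.Add("source is '$($state.Source)', expected $pdc")
        }
    }

    [pscustomobject]@{
        DC     = $dc
        Role   = if ($isPdc) { 'PDC Emulator' } else { 'DC' }
        Source = $state.Source
        Type   = $state.Type
        Status = if ($issues.Count) { $issues -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

Run it from any domain-joined admin workstation; a Status column that is not OK on the PDC row is the first thing to fix, because every other DC inherits that clock. In a multi-domain forest the child-domain PDC legitimately syncs from a parent-domain DC, so the "expected PDC" check would need to be relaxed there.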
First, select the NTP servers you want to use. Public NTP servers (the pool.ntp.org project) are listed at http://ntp.org. In our example we will use 0.us.pool.ntp.org, 1.us.pool.ntp.org, 2.us.pool.ntp.org, and 3.us.pool.ntp.org.
Configuring domain time synchronization using Group Policy consists of 2 steps:
- Create a GPO for the domain controller with PDC role;
- Create a GPO for Windows client computers in the AD Domain.
Configuring NTP Server on PDC
First, configure the PDC and enable the NTP server on it. Open a command prompt and check which time source the PDC currently uses:
w32tm /query /source
If you see in the output:
- Local CMOS Clock: the server is running on its own hardware clock and is not synchronizing with anything;
- VM IC Time Synchronization Provider: your domain controller with the PDC role is a virtual machine that takes its time from the hypervisor host (Hyper-V Integration Services).
Disable time synchronization with the host. Either do it via the registry:
- Set the Enabled parameter to 0 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider and restart the Windows Time service;
or in the settings of the virtual machine (for Hyper-V, open the VM settings and uncheck the Time Synchronization option in the Integration Services section).
If you are running a virtualized domain controller on VMware vSphere/ESXi, you can disable time sync in the virtual machine settings (Edit Settings > VM Options > VMware Tools > Time, uncheck the option Synchronize guest time with host).
Or add the following options to the VM's advanced configuration (the .vmx file):
tools.syncTime = "0"
time.synchronize.continue = "0"
time.synchronize.restore = "0"
time.synchronize.resume.disk = "0"
time.synchronize.shrink = "0"
time.synchronize.tools.startup = "0"
time.synchronize.tools.enable = "0"
time.synchronize.resume.host = "0"
Note. A virtual PDC Emulator must always synchronize with an external source, with time synchronization with the host disabled. Disable host time sync on every other domain-joined VM as well, so that they follow the domain hierarchy rather than the hypervisor's clock.
Make sure the NTP service is enabled on the domain controller. To do this, open the registry editor, go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer and check that the value of the Enabled parameter is 1.
Configure NTP Settings on PDC DC Using GPO
At this step, you need to configure the domain controller holding the PDC Emulator role to synchronize time with an external source. The PDC Emulator role can be transferred between domain controllers, so the GPO must apply only to whichever DC currently holds it. To do this, run the Group Policy Management Console (GPMC.msc), select the WMI Filters section and create a new WMI filter named Filter PDC Emulator with the following WMI query in the root\CIMv2 namespace: Select * from Win32_ComputerSystem where DomainRole = 5 (DomainRole 5 is "Primary Domain Controller").
Create a new GPO and link it to the OU named Domain Controllers.
Select this GPO and switch to the Edit mode. Go to the following section of Group Policy Editor Console: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.
Enable the following policy settings:
- Configure Windows NTP Client: Enabled (policy settings are described below);
- Enable Windows NTP Client: Enabled;
- Enable Windows NTP Server: Enabled.
Specify the following settings in the Configure Windows NTP Client policy:
- NtpServer: 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1 (the ,0x1 flag makes the client poll that peer every SpecialPollInterval seconds; 0x8 forces client mode, and 0x9 combines both);
- Type: NTP;
- CrossSiteSyncFlags: 2;
- ResolvePeerBackoffMinutes: 15;
- ResolvePeerBackoffMaxTimes: 7;
- SpecialPollInterval: 3600;
- EventLogFlags: 0.
Note. Do not forget to configure your firewalls properly: the PDC must be able to reach the external NTP servers outbound on UDP port 123, and it must accept inbound NTP queries from the domain controllers and clients on the same port. Outbound UDP traffic is allowed by the default Windows Defender Firewall policy, but check your perimeter firewall.
You can open the inbound NTP port on Windows Defender Firewall using PowerShell:
New-NetFirewallRule -Name 'NTP_Server_123UDP' -DisplayName 'NTP Server Port' -Description 'Allow Inbound Connections to NTP Server' -Profile Any -Direction Inbound -Action Allow -Protocol UDP -Program Any -LocalAddress Any -LocalPort 123
Assign a WMI filter Filter PDC Emulator that you created earlier to the GPO.
Tip. You can locate the current PDC Emulator with the command:
netdom query fsmo
It remains to update the Group Policy settings on the PDC:
gpupdate /force
Perform a manual time synchronization with your NTP source:
w32tm /resync /rediscover
And check the current NTP settings and the source actually in use:
w32tm /query /status
w32tm /query /source
Run the command:
w32tm /monitor
When run on a domain controller, this command lists every DC in the domain with its reference source (RefID), stratum, and offset from the local clock, so you can see at a glance whether the other DCs follow the PDC and whether any of them has drifted.
Tip. If something does not work, restart the Windows Time service and reset its configuration:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
Keep in mind that /unregister removes all W32Time settings from the registry, so the peer list has to be applied again afterwards (by GPO refresh or manually as below).
Alternatively, you can configure the PDC to use the external time source with the w32tm.exe tool instead of GPO:
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
The flag must be given per peer (in the original form only the last server had ,0x8), and /reliable:yes marks the PDC as a reliable time source for the rest of the domain. The /update switch already tells the service to re-read the settings; if you change the peer list later, notify the service again and force a sync:
w32tm /config /update
w32tm /resync
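The host-sync, NtpServer, firewall and w32tm steps above are one procedure, so here they are as a single script. It is an added example, not the article's own code, meant to be run in an elevated PowerShell session on the PDC Emulator itself. It assumes the ActiveDirectory module is available on the DC, that the DC may be a VM (the VMIC step is harmless on physical hardware), and that the us.pool.ntp.org servers from the article are reachable outbound on UDP/123.

```powershell
# Added example (not from the original article): configure the current PDC
# Emulator from an elevated PowerShell session on that DC, without Group Policy.
# Assumptions: ActiveDirectory module present; outbound UDP/123 to the pool
# servers allowed; the peer names are the article's us.pool.ntp.org example.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ine $pdc.Split('.')[0]) {
    throw "Run this on the PDC Emulator ($pdc), not on $env:COMPUTERNAME"
}

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. The PDC must never take its time from the hypervisor
Set-ItemProperty "$w32\TimeProviders\VMICTimeProvider" -Name Enabled -Value 0 -Type DWord

# 2. Make sure this DC actually answers NTP requests from the domain
Set-ItemProperty "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

# 3. External peers. Per-peer flags: 0x8 = client mode, 0x1 = use SpecialPollInterval,
#    so 0x9 combines both. /reliable:yes advertises this DC as a reliable source.
$peers = '0.us.pool.ntp.org,0x9 1.us.pool.ntp.org,0x9 2.us.pool.ntp.org,0x9 3.us.pool.ntp.org,0x9'
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update

# 4. Poll the peers hourly (this interval is used because of the 0x1 flag above)
Set-ItemProperty "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 3600 -Type DWord

# 5. Inbound UDP/123 so the other DCs and the clients can query this server
if (-not (Get-NetFirewallRule -Name 'NTP_Server_123UDP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'NTP_Server_123UDP' -DisplayName 'NTP Server Port' `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort 123 | Out-Null
}

# 6. Apply and verify: the source must now be one of the pool servers
Restart-Service w32time
w32tm /resync /rediscover
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|VM IC') {
    Write-Warning "PDC is still on '$source'; check outbound UDP/123 and the peer list"
} else {
    "PDC Emulator now syncs from: $source"
}
w32tm /query /peers
```

Immediately after the restart the service may not have resolved the peers yet; if the final check still reports the CMOS clock, repeat w32tm /query /source after a minute before assuming the firewall is at fault. The script deliberately refuses to run on any DC other than the PDC Emulator, for the same reason the GPO above is restricted with a WMI filter.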
Configure Client Time Sync Settings Using GPO
By default, Active Directory domain clients synchronize their time with domain controllers (the NT5DS sync type: synchronize with the domain hierarchy). Typically this behavior does not need to be changed. However, if you have problems with time sync on domain clients, you can try specifying the time server on the clients directly via GPO.
To do this, create a new GPO and assign it to the OU with computers. In the GPO Editor go to the following section Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers and enable the policy Configure Windows NTP Client.
As the NTP server, specify the name or IP address of the PDC together with the peer flag, for example lon-dc01.adatum.com,0x9, and set Type to NTP.
Note. Possible values for the Type parameter:
NoSync: the time service does not synchronize with any source and runs on the server's built-in (CMOS) hardware clock;
NTP: the time service synchronizes with the external time servers listed in the NtpServer registry parameter (the default on a stand-alone computer);
NT5DS: the time service synchronizes according to the domain hierarchy (the default on domain-joined computers);
AllSync: the time service uses all available sources, both the domain hierarchy and the manually configured peers.
Update Group Policy settings on the clients and check received time sync settings as described above.
How to Manually Configure a Windows Client to Synchronize Time with NTP Server?
In this section, we will describe how to manually configure time synchronization on Windows clients. You can use this guide to configure time synchronization on non-domain Windows computers.
First, stop the time service and remove its configuration (this wipes all W32Time settings from the registry):
net stop w32time
w32tm /unregister
Restart the computer and then re-register the time service:
w32tm /register
Start the w32time service:
net start w32time
Configure the Windows client to synchronize with your NTP server (the PDC). The 0x9 flag combines client mode (0x8) with polling at SpecialPollInterval (0x1). Do not add /reliable:yes on a client: that switch is for the PDC and would advertise the client as an authoritative time source.
w32tm /config /manualpeerlist:"lon-dc01.adatum.com,0x9" /syncfromflags:manual /update
Restart the service so it picks up the new peer list:
net stop w32time && net start w32time
Tell the service to re-read its configuration (harmless if you have just restarted it):
w32tm /config /update
Synchronize the time:
w32tm /resync
Check the status (the Source line should now show your server):
w32tm /query /status
Enable automatic startup of the Time Service using PowerShell:
Set-Service -Name w32time -StartupType Automatic
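The client steps above, collected into one script with a check that a practitioner usually wants: the clock offset to the server before and after, measured with w32tm /stripchart, and a warning when the remaining offset exceeds the Kerberos tolerance of 5 minutes. This is an added example, not code from the original article; it uses the article's example server name lon-dc01.adatum.com and assumes that host answers NTP on UDP/123. The article recommends a reboot between /unregister and /register, which the script does not do.

```powershell
# Added example (not from the original article): point a stand-alone Windows
# client at the PDC over NTP and measure the offset before and after.
# Assumption: lon-dc01.adatum.com (the article's example PDC) answers NTP on UDP/123.
$ntpServer = 'lon-dc01.adatum.com'

function Get-NtpOffsetSeconds {
    # Query the server once with w32tm /stripchart and parse the signed offset
    param([string]$Server)
    $lines = w32tm /stripchart /computer:$Server /samples:1 /dataonly 2>&1 | Out-String
    if ($lines -match '([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    throw "No NTP answer from $Server (firewall, or NTP server not enabled on it?):`n$lines"
}

"Offset before: {0:N3} s" -f (Get-NtpOffsetSeconds $ntpServer)

# Reset the service to defaults (/unregister wipes the W32Time settings from the registry)
Stop-Service w32time -ErrorAction SilentlyContinue
w32tm /unregister | Out-Null
w32tm /register   | Out-Null
Set-Service -Name w32time -StartupType Automatic
Start-Service w32time

# Manual peer; 0x9 = client mode + SpecialPollInterval. No /reliable:yes on a client.
w32tm /config "/manualpeerlist:$ntpServer,0x9" /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync

$after = Get-NtpOffsetSeconds $ntpServer
"Offset after:  {0:N3} s" -f $after
if ([math]::Abs($after) -gt 300) {
    Write-Warning 'Clock is still more than 5 minutes off; Kerberos authentication to the domain will fail until it is fixed'
}
w32tm /query /status
```

If the first measurement already throws, fix reachability of UDP/123 on the server before touching the client: no amount of client-side configuration helps while the PDC is not answering.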
Hint. If you only need to set a device's clock quickly from another Windows machine, run:
net time \\your_server_name /set /y
This copies the remote machine's clock once over SMB/RPC rather than via NTP; it does not configure ongoing synchronization, so it is a stopgap, not a replacement for the W32Time setup above.