Configure NTP Time Sync Using Group Policy

The Windows Time service (W32Time) is the basis for the normal functioning of an Active Directory domain, and it is essential for Kerberos authentication in AD to work. In an AD environment, time synchronization follows the domain hierarchy: domain-joined computers and servers get the time from the domain controller they authenticate against, and all domain controllers synchronize their time with the single DC that holds the PDC Emulator FSMO role.

You need to configure your PDC Emulator (Primary Domain Controller) to sync time with a reliable external time source. The external time source is usually one or more public NTP (Network Time Protocol) servers, like time.windows.com or the NTP server of your provider.

How Does Time Sync Work in an AD Domain?

The W32Time service on Windows is used to synchronize time across the AD organization. A computer can be both an NTP client and an NTP server. By default, domain computers synchronize time through the domain hierarchy maintained by the Windows Time service rather than from a manually specified NTP server.

By default, the Windows Time Service in Active Directory is configured as follows:

  • After performing a clean Windows installation, an NTP client is launched on the computer, which is synchronized with an external time source (time.windows.com);
  • When you join a PC to the domain, the time sync setting changes. All client computers and member servers in the domain synchronize their time with AD domain controllers;
  • When a member server is promoted to a domain controller, it can be used as a time source for domain computers. All domain controllers synchronize their time with a domain controller with the PDC emulator role;
  • The PDC emulator is the main time server for the entire organization. It synchronizes with an external time source, or with the server’s hardware clock in CMOS/BIOS (this method of time synchronization is not recommended);
  • This time synchronization scheme (following the AD DS hierarchy) works properly in most cases and doesn’t require admin intervention. However, in some environments the time service in Windows does not follow the domain hierarchy, and manual configuration is needed.

If the time on clients and domain controllers differs, your domain most likely has a time synchronization problem, and this article can help you fix it.

First of all, it is necessary to select an NTP server you want to use. The list of public NTP atomic clock servers is available at http://ntp.org. In our example, we will use 0.us.pool.ntp.org, 1.us.pool.ntp.org, 2.us.pool.ntp.org, and 3.us.pool.ntp.org.

Configuring domain time synchronization using Group Policy consists of 2 steps:

  1. Create a GPO for the domain controller with a PDC role;
  2. Create a GPO for Windows client computers in the AD Domain.

Configuring PDC Domain Controller to Sync Time with External NTP Server

First of all, you need to configure the PDC and enable the NTP service on it. To locate the name of the server with the PDC role in the domain, run the command:

netdom /query fsmo

Connect to the specified DC, open a command prompt, and run:

w32tm /query /source

If you see in the output:

  • Local CMOS Clock — the time source on this server is its local hardware clock;
  • VM IC Time Synchronization Provider — then your domain controller with the PDC role is a virtual machine that synchronizes the time with the host.

Disable time synchronization with the host via the registry:

  • Set the Enabled parameter to 0 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider

or in the settings of the virtual machine (the screenshot below shows how to disable the time synchronization of the VM with the Hyper-V host using the Time Synchronization option in the Integration Services section).


If you are running a virtualized domain controller on VMware vSphere/ESXi, you can disable time sync in the virtual machine settings (Edit Settings > VM Options > VMware Tools > Time, uncheck the option Synchronize guest time with host).

Note. The virtual PDC emulator must always synchronize the time with an external source, and the time synchronization with the host must be disabled. This also applies to any other VMs joined to the domain.

The best approach is to configure the PDC emulator to synchronize the time directly with an external time source.

Check that the external NTP servers you have chosen are accessible from the primary domain controller (outbound port UDP 123 must be open to the target server). Get the current time from an external NTP server using the command:

w32tm /stripchart /computer:0.us.pool.ntp.org

In this example, the specified NTP server is available and you have successfully obtained the current time from it.

You can manually configure the time synchronization of the PDC host with an external NTP source using the w32tm.exe tool:

net stop w32time

w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8"

w32tm /config /reliable:yes

w32tm /config /update

net start w32time

Check your current configuration:

w32tm /query /configuration
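The checks described in this section (PDC role holder, VMIC provider switched off, w32tm source, external peers reachable) can be scripted. The following is an added example, not code from the original article; it assumes an elevated PowerShell prompt on the PDC emulator with the RSAT ActiveDirectory module installed, and the peer names are the article's us.pool.ntp.org set.

```powershell
# Added example (not from the original article): audit the PDC emulator's time source.
function Test-PdcTimeSource {
    param(
        # The external peers the PDC should be using (the article's us.pool.ntp.org set).
        [string[]]$ExpectedPeers = @('0.us.pool.ntp.org', '1.us.pool.ntp.org',
                                     '2.us.pool.ntp.org', '3.us.pool.ntp.org')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Only the current PDC emulator matters; Get-ADDomain needs the RSAT AD module.
    $pdc = (Get-ADDomain).PDCEmulator
    if ($pdc -notlike "$env:COMPUTERNAME.*") {
        $findings.Add("This host is not the PDC emulator ($pdc); run the check there.")
        return $findings
    }

    # 2. DomainRole 5 is what the article's WMI filter (Win32_ComputerSystem) matches.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -ne 5) { $findings.Add("DomainRole is $role, expected 5 (PDC emulator).") }

    # 3. A virtual PDC must not take its time from the hypervisor (Hyper-V VMIC provider).
    $vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    $vmicEnabled = (Get-ItemProperty -Path $vmic -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($vmicEnabled -eq 1) { $findings.Add('VMICTimeProvider is enabled; set Enabled to 0.') }

    # 4. w32tm must not report the local clock or the VM IC provider as its source.
    $source = (& w32tm.exe /query /source) -join ' '
    if ($source -match 'Local CMOS Clock|VM IC Time Synchronization Provider') {
        $findings.Add("Current time source is '$source', not an external NTP server.")
    }

    # 5. Each expected peer must answer on UDP 123 (one stripchart sample each).
    foreach ($peer in $ExpectedPeers) {
        $out = (& w32tm.exe /stripchart /computer:$peer /samples:1 /dataonly 2>&1) -join ' '
        if ($out -match 'error') { $findings.Add("Peer $peer did not answer: $out") }
    }
    return $findings
}

$result = Test-PdcTimeSource
if ($result.Count -eq 0) { 'PDC emulator time source looks healthy.' } else { $result }
```

An empty result means every check passed; each finding names the setting to correct using the steps above.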

Configure External NTP Source on PDC Domain Controller Using GPO

The PDC Emulator role can be transferred between domain controllers (for example, with PowerShell), so we need to make sure that the GPO is applied only to the current holder of the Primary Domain Controller role. To do this, run the Group Policy Management Console (GPMC.msc). Select the WMI Filters section and create a new WMI filter named Filter PDC Emulator with the following WMI query in the root\CIMv2 namespace: Select * from Win32_ComputerSystem where DomainRole = 5.

Create a new GPO and link it to the AD OU named Domain Controllers.

Select this GPO and switch to the Edit mode. Go to the following section of the Group Policy Editor console: Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.

Enable the following policy settings:

  • Configure Windows NTP Client: Enabled (policy settings are described below);
  • Enable Windows NTP Client: Enabled;
  • Enable Windows NTP Server: Enabled.

Specify the following settings in Configure Windows NTP Client policy:

  • NtpServer: us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1;
  • Type: NTP;
  • CrossSiteSyncFlags: 2;
  • ResolvePeerBackoffMinutes: 15;
  • ResolvePeerBackoffMaxTimes: 7;
  • SpecialPollInterval: 3600;
  • EventLogFlags: 0.
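The NtpServer value is a space-separated list of peers, each optionally followed by a comma and a hex flag; several comments below report that writing ".0x1" instead of ",0x1" makes the flag part of the DNS name. The following added example (not from the original article) validates such a list before it goes into the GPO and decodes the flag bits as documented for the Windows Time service (0x1 SpecialInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client); the sample lists at the end are constructed.

```powershell
# Added example (not from the original article): validate an NtpServer / manualpeerlist string.
function Test-NtpPeerList {
    param([Parameter(Mandatory)][string]$PeerList)

    $flagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'
                    4 = 'SymmetricActive'; 8 = 'Client' }
    $errors = [System.Collections.Generic.List[string]]::new()
    $peers  = @()
    $seen   = @{}

    # Peers are separated by spaces; a comma separates a peer from its flag.
    foreach ($entry in ($PeerList.Trim() -split '\s+')) {
        $name, $flagText = $entry -split ',', 2

        # ".0x1" glued to the name: the flag becomes part of the DNS name (DNS lookups fail).
        if ($name -match '\.0x[0-9a-f]+$') {
            $errors.Add("'$entry': '.0x' makes the flag part of the hostname; use ',0x' instead.")
            continue
        }
        if ($seen.ContainsKey($name.ToLower())) { $errors.Add("'$name' is listed more than once.") }
        $seen[$name.ToLower()] = $true

        $flags = 0
        if ($flagText) {
            if ($flagText -notmatch '^0x[0-9a-f]+$') {
                # Also triggered by comma-separated peers such as "a,0x1,b,0x1".
                $errors.Add("'$entry': flag '$flagText' is not a hex value like 0x9 (separate peers with spaces).")
            } else {
                $flags = [Convert]::ToInt32($flagText, 16)
            }
        }
        $set = foreach ($bit in 1, 2, 4, 8) { if ($flags -band $bit) { $flagNames[$bit] } }
        $peers += [pscustomobject]@{ Host = $name; Flags = ('0x{0:x}' -f $flags)
                                     Meaning = ($set -join '+') }
    }
    [pscustomobject]@{ Peers = $peers; Errors = $errors }
}

# Constructed inputs: a list in the article's GPO format, and the broken ".0x1" form.
(Test-NtpPeerList 'us.pool.ntp.org,0x9 1.us.pool.ntp.org,0x9 2.us.pool.ntp.org,0x9').Peers
(Test-NtpPeerList 'us.pool.ntp.org.0x1 1.us.pool.ntp.org,0x1').Errors
```

A peer with no flag is reported as 0x0, which is how the service reads it; the Meaning column shows that 0x9 is Client plus SpecialInterval.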

Note. Do not forget to configure your firewall properly and allow your PDC to access the external NTP servers over the NTP protocol (UDP port 123).

You can open the inbound NTP port on Windows Defender Firewall (so that domain members can query the PDC as an NTP server) using PowerShell:

New-NetFirewallRule -Name 'NTP_Server_123UDP' -DisplayName 'NTP Server Port' -Description 'Allow Inbound Connections to NTP Server' -Profile Any -Direction Inbound -Action Allow -Protocol UDP -Program Any -LocalAddress Any -LocalPort 123

Assign a WMI filter Filter PDC Emulator that you created earlier to the GPO.

Finally, update the Group Policy settings on the PDC using the gpupdate command:

gpupdate /force

Perform a manual time synchronization with your NTP source:

w32tm /resync

And check the current NTP settings:

w32tm /query /status

Run the command:

w32tm /monitor

When run on a domain controller, this command shows the time offset of each domain controller relative to the external time source the PDC is configured to use.

Tip. If something does not work, try to restart the Windows Time service and reset its configuration:

net stop w32time

w32tm.exe /unregister

w32tm.exe /register

net start w32time

Configure Client Time Sync Settings Using GPO

By default in Active Directory, domain clients synchronize their time with domain controllers (Type NT5DS: synchronize time to the domain hierarchy). Typically, this behavior does not need to be reconfigured. However, if there are problems with time sync on your domain clients, you can try to specify the time server directly on the clients using a GPO.

To do this, create a new GPO and assign it to the OU with computers. In the GPO Editor go to the following section Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers and enable the policy Configure Windows NTP Client.

As the NTP server, specify the name of your domain (preferred) or the IP address/FQDN of the PDC:

NTP Server: lon-dc1.adatum.com,0x9

Set Type: NT5DS

CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0

Note. Possible values for the Type parameter:

  • NoSync — the NTP server is not synchronized with any external time source. The system clock built into the server’s CMOS chip is used;

  • NTP — the NTP server is synchronized with external time servers, which are specified in the NtpServer registry parameter (this is the default behavior on a stand-alone computer);

  • NT5DS — the NTP server performs synchronization according to the domain hierarchy (used by default on domain-joined computers);

  • AllSync — the NTP server uses all available sources for time synchronization.

Update Group Policy settings on the clients and check the received time sync settings as described above.
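The "received time sync settings" can be checked on a client by reading the policy registry keys the Configure Windows NTP Client policy writes and comparing them with the values set above. This is an added example, not code from the original article; it assumes the standard W32Time policy keys under HKLM:\SOFTWARE\Policies and uses the article's example PDC name as the expected NtpServer value.

```powershell
# Added example (not from the original article): verify the NTP client GPO landed on a client.
function Test-NtpClientPolicy {
    param(
        [string]$ExpectedType      = 'NT5DS',
        [string]$ExpectedNtpServer = 'lon-dc1.adatum.com,0x9'   # the article's example PDC
    )
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    # Values the "Configure Windows NTP Client" policy writes, per the settings above.
    $expected = @{
        "$policy\Parameters" = @{ Type = $ExpectedType; NtpServer = $ExpectedNtpServer }
        "$policy\TimeProviders\NtpClient" = @{
            Enabled = 1; CrossSiteSyncFlags = 2; ResolvePeerBackoffMinutes = 15
            ResolvePeerBackoffMaxTimes = 7; SpecialPollInterval = 3600; EventLogFlags = 0
        }
    }
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($key in $expected.Keys) {
        $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $actual) {
            $findings.Add("Policy key $key is missing; the GPO has not applied (run gpupdate /force).")
            continue
        }
        foreach ($name in $expected[$key].Keys) {
            $want = $expected[$key][$name]
            $got  = $actual.$name
            # Compare as strings so REG_DWORD and REG_SZ values are handled alike.
            if ("$got" -ne "$want") { $findings.Add("$name is '$got', expected '$want' ($key)") }
        }
    }

    # The "Source:" line of w32tm /query /status shows where the client really gets its time.
    $status = & w32tm.exe /query /status
    $source = ($status | Where-Object { $_ -match '^Source:' }) -replace '^Source:\s*', ''
    if ($ExpectedType -eq 'NT5DS' -and $source -match 'Local CMOS Clock|Free-running') {
        $findings.Add("w32tm source is '$source'; the client has not synced with a DC yet (try w32tm /resync).")
    }
    [pscustomobject]@{ Source = $source; Findings = $findings }
}

Test-NtpClientPolicy
```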

How to Manually Configure a Windows Client to Sync Time with NTP Server?

In this section, we describe how to manually configure time synchronization with a domain controller on Windows clients. You can also use this guide to configure time synchronization on non-domain Windows computers.

First, reset all settings for the time service and remove the service:

w32tm /unregister

Restart the computer and then re-register the time service:

w32tm /register

Start the w32Time service:

net start w32Time

Configure the synchronization of the Windows client with the NTP server (your PDC):

w32tm /config /manualpeerlist:"lon-dc01.adatum.com,0x9" /syncfromflags:manual /reliable:yes /update

Restart the service:

net stop w32time && net start w32time

Update the time configuration settings:

w32tm /config /update

Synchronize the time:

w32tm /resync

Check the status:

w32tm /query /status

Enable automatic startup of the Time Service using PowerShell:

Set-Service -Name w32time -StartupType Automatic

Hint. If you need to quickly synchronize your Windows device with an accurate time server, run:

net time \\your_ntp_server_name /set /y

26 comments

  1. One or more Network Time Protocol (NTP) servers have been incorrectly defined on the PDC emulator. Do you have any suggestions?

    The PDC (DC1) is showing the “state” in Pending. This is not the case for DC2 (which is active).

    Peer: 1.us.pool.ntp.org.0x1,
    State: Pending
    Time Remaining: 42611.2161762s
    Mode: 0 (reserved)
    Stratum: 0 (unspecified)
    PeerPoll Interval: 0 (unspecified)
    HostPoll Interval: 0 (unspecified)

    The event log error is “NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ‘us.pool.ntp.org.0x1.”

    1. C:\Windows\system32>w32tm /stripchart /computer:1.us.pool.ntp.org
      Tracking 1.us.pool.ntp.org [129.6.15.30:123].
      The current time is 4/6/2018 10:52:38 AM.
      10:52:38 error: 0x800705B4
      10:52:41 error: 0x800705B4
      10:52:44 d:-00.0000006s o:+27.2452328s [ |
      @]
      10:52:46 d:-00.0000008s o:+27.2451255s [ |
      @]
      10:52:49 error: 0x800705B4
      10:52:52 error: 0x800705B4
      10:52:55 error: 0x800705B4
      10:52:58 error: 0x800705B4
      10:53:01 error: 0x800705B4
      10:53:04 error: 0x800705B4
      10:53:07 error: 0x800705B4
      10:53:10 d:-00.0000008s o:+27.2458764s [ |

    2. This may be a typo from when this was put on the web, but:
      Peer: 1.us.pool.ntp.org.0x1,

      It’s a comma, not a period between ORG and the 0x1
      The ‘0x1’ is a flag value, and not part of the DNS name. The way it is entered here however, the server is going to think the DNS name is 1.us.pool.ntp.org.0x1 without a flag value.

  2. Thanks. This helped me figure out why and how to get my time sync corrected. I did end up using “pool.ntp.org” for my source but everything else was just what the doctor ordered.

  3. Good article but I was getting this error: “The computer did not resync because no time data was available.”

    Found that the NTP Server list is not the right format. The NTP server list should be: us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1

    It now works perfectly :D

  4. This is an excellent article but you should correct the typos in the NtpServer: us.pool.ntp.org.0x1
    You entered “.0x1” following “.org” but it should be “,0x1”, otherwise this will result in unresponsive DNS queries

  5. So I have been reading a lot of instructions for this setup for the PDC configuration part. This article references 0x1 as a flag but the example in the GPO uses 0x9 as the flag (time.windows.com,0x9) and I see other articles with similar configuration that also reference using the 0x9 flag. Which is the correct flag to use for the PDC that gets its time from NTP internet servers such as the pool.ntp.org servers?

    (Also, this article still needs to correct the comma before the 0x1 flag instead of a period in the NTP server listings).

  6. I am finding this info very helpful in understanding the basic approach to creating domain time syncing. I have not been able to resolve the issues I have though. Does NT5DS reside in a GPO for clients to have it added for membership? My networking staff expect the Forest to be configured to use NT5DS by default with no modifications, and everything suggested to fix the issue revolves around Windows Time at the client. A bit of explanation of my issue: I have some PCs that are specialized in our network that we do not join to the normal set of GPOs, and they are the PCs that don’t time sync. I have found the Windows Time service disabled, but even after enabling it the PCs do not sync. W32TM /query /status returns results that time sync has never occurred. W32TM /query /configuration reveals that the PCs have no DC server designated for time sync. I can’t find a GPO in my forest that has a time sync function. Another weird thing I found is that the problem PCs will not run NETDOM either.

  7. Is it possible to correct the original information so the comments below the article are incorporated back into the original article.

    i.e.:

    NtpServer: us.pool.ntp.org,0x9 1.us.pool.ntp.org,0x9 2.us.pool.ntp.org,0x9 3.us.pool.ntp.org,0x9;
    Type: NTP;
    CrossSiteSyncFlags: 2;
    ResolvePeerBackoffMinutes: 15;
    Resolve Peer BAckoffMaxTimes: 7;
    SpecilalPoolInterval: 3600;
    EventLogFlags: 0.

  8. Does anyone have a method to allow AD clients to sync to an Internet time source when they aren’t connected to the corporate network?

    1. Chris,

      In my experience, it works to apply the policy The IT Bros suggest above for PDC DC, to AD clients. I have a private/internal time server (let’s call it pvtntpserver.mydomain) configured much as this post suggests for PDC DC (but the server isn’t a DC). For AD clients, my NtpServer setting/list looks like: pvtntpserver.mydomain,0x1 0.something.pool.ntp.org,0x1 1.something.pool.ntp.org,0x1 2.something.pool.ntp.org,0x1 3.something.pool.ntp.org,0x1
      Otherwise, my AD client Windows NTP Client Group Policy config is as this post recommends for PDC DC. Of course, make sure the policy is linked to an OU where the policy will apply to your AD clients. This seems to work fine for me.

      1. Just to clarify, for AD clients (Windows desktop/laptop users) you set up the NTP servers through GPO to pvtntpserver.mydomain,0x1 0.something.pool.ntp.org,0x1 .something.pool.ntp.org,0x1 2.something.pool.ntp.org,0x1 3.something.pool.ntp.org,0x1. When they connect to the corp network (using VPN), does this time source change to the PDC as source due to domain hierarchy, or will it stay using the external time source set up in the GPO? Thank you.

  9. Can someone please help me on how to sync to NTP server that we recently setup? We setup NTP server on CentOS7 but have not joined in our domain. Just want to use the server IP to sync.

  10. Hi team,
    In my company, I configured a Group Policy for NTP. All servers and desktops are taking time from my Active Directory server, that’s good. But my AD server is taking the time from its CMOS clock, that’s not good. Actually the AD server should take time from my FortiGate firewall. Can you please help with this issue? Is there anything to do in the AD server Group Policy or in the firewall itself? We are using the firewall as the NTP server.

  11. Hi,

    What happens if the PDC fails?

    Secondary DC gets the PDC role and become the Time Server for the domain?

    Thank you very much for sharing.

    1. If the PDC fails, you have to manually transfer the FSMO roles that it was assigned to another domain controller. DC1 fails, you transfer the roles to DC2. If you are using this GPO with the WMI filter, the filter will apply the GPO to the DC2 server (as it would now hold the PDC emulator role).

  12. Thanks much. Worked great for me with one tweak.

    I sync all internal time to a Cisco device configured as a time server. Windows fetches time from Cisco devices using SNTP. If anyone wants to the same, change “0x1” to “0x8” for the NtpServer list in the NTP Client Policy.

    Peer: myCiscoDevice.myDomain.com,0x8
    State: Active
    Time Remaining: 26.0140877s
    Mode: 3 (Client)
    Stratum: 4 (secondary reference – syncd by (S)NTP)
    PeerPoll Interval: 6 (64s)
    HostPoll Interval: 6 (64s)

    The detailed instructions provided in this post are greatly appreciated!

  13. Very well done. The article is formatted nicely, very clear, very concise. In the days when Internet how-to articles are 90% rubbish, this one shines on many fronts.

  14. This is incorrect
    w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /update

    This is correct
    w32tm.exe /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org,0x8" /syncfromflags:manual /update

    “,0x8” should only be on the line once

    1. Hi
      I asked @ startpage.com: Microsoft w32tm.exe /config /manualpeerlist:"0.pool.ntp.org
      ..and @ https://social.technet.microsoft.com/Forums/windowsserver/en-US/dccf1344-0f6c-4de6-87bc-1a1a65eb1582/synchronizing-time-with-external-source-on-2088-r2?forum=winservergen
      ..got this answer:

      Synchronizing time with external source on 2088 r2

      The answers:

      w32tm /config /syncfromflags:manual /manualpeerlist:"0.ntp.pool.org,0x1 1.ntp.pool.org,0x1 2.ntp.pool.org,0x1"

      ……/manualpeerlist:"X.Y.Z.IP1,0x9 X.Y.Z.IP2,0x9" (notice the space)

      w32tm /config /syncfromflags:manual /manualpeerlist:"0.au.pool.ntp.org,0x1 1.au.pool.ntp.org,0x1 2.au.pool.ntp.org,0x1 3.au.pool.ntp.org,0x1"

      HTH

  15. To get this to work correctly I had to reconfigure the order of objects being applied to sit above my default domain controller policy to work on the PDC, otherwise it was being ignored. In case others come across the same issue.

  16. And certainly, the firewall rule should be Outbound, not Inbound (as it is in the PowerShell command listed). We do not have traffic on UDP 123 initiated from outside and do not need to create an Inbound rule.
