How to Sync Domain Controller Time with NTP Server?

In this article, we will take a look at how to configure a domain controller with the FSMO role PDC Emulator (Primary Domain Controller) to synchronize time with the external time source (NTP server) with your NTP configuration.

Table of Contents

Why is time synchronization important with Active Directory Domain Controllers?

Time synchronization in a network environment is more than a convenience; it’s an absolute necessity, especially when it comes to domain controllers within an Active Directory Domain Services (AD DS) infrastructure.

sync domain controller time with ntp server

Active Directory Sites and Services where AD replication is configured

Why, though? Imagine having multiple domain controllers spread across your domain hierarchy, each with a different system time. This lack of sync would result in many problems, including authentication failures and inconsistencies in event logs, which are essential for monitoring and security purposes. Inconsistencies can be problematic when tracing an event across multiple domains or even within a single domain with multiple domain controllers.

Windows Time Service

The Windows Time service, integral to both member servers and domain controllers, provides the necessary time synchronization service across your network. This service follows a hierarchical structure, where the primary domain controller (PDC) emulator in the forest root domain stands at the apex.

PDC Emulator plays a key role

The PDC emulator performs a crucial role. The DC that holds the PDC role is configured to synchronize time with an external NTP server, serving as the authoritative time server for the entire AD infrastructure. Other domain controllers and member servers synchronize time with the PDC emulator.

This configuration ensures a reliable time source for all devices within the network. It also enables the Windows NTP client on each domain controller to synchronize time accurately with the PDC emulator.

Time can deviate

However, this internal time synchronization can deviate over time, requiring the DC to synchronize time with an external source. Therefore, configuring DC for sync time with an external NTP server is crucial. External NTP servers, such as public NTP servers, follow the NTP protocol, providing high accuracy and reliability.

What is Network Time Protocol (NTP)?

The Network Time Protocol, commonly referred to as NTP, is a protocol designed for time synchronization among computer systems over packet-switched, variable-latency data networks. Born out of the necessity for reliable and accurate timekeeping in the digital world, NTP has become a cornerstone protocol in today’s internet infrastructure.

External NTP servers, such as public NTP servers available on the internet, usually operate at Stratum 1 or Stratum 2. These servers provide a reliable and accurate time source for other devices to synchronize with, leveraging the NTP protocol.

The beauty of NTP lies in its ability to provide time synchronization with remarkable precision over the public internet, where latency and network jitter can vary significantly. It does this through a complex algorithm that estimates network delay and adjusts time accordingly, even compensating for the time it takes for time requests to travel from the client to the server and back.

In the context of a Windows Server environment, configuring DC for sync time with external NTP server becomes a vital part of ensuring accurate and reliable time across the domain. Domain controllers, including the primary domain controller, are usually configured to synchronize time with these external NTP servers.

How time synchronization works in Active Directory?

First of all, we remind you how time synchronization works in the Active Directory forest:

All domain computers or member servers synchronize time with the nearest domain controller (in the client AD site) running in your Active Directory Domain Services environment or with the DC with the PDC role (if AD sites are not configured);
All DCs synchronize time with a domain controller PDC role holder;
PDC synchronizes time with itself by default, or you can configure it to synchronize with an external time source on the Internet (NTP server).

Configuring time synchronization using w32tm config

You can configure time synchronization on the PDC manually or using a GPO.

The w32tm.exe utility is used to configure time synchronization manually.

Open an elevated command prompt (administrative command prompt) on the PDC and run the command:

w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /update

/Syncfromflags:manual—enables synchronization of the NetTime service with an external source
/manualpeerlist:”0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8″—lists external NTP servers for synchronization for configured NTP servers. The 0x8 parameter means that synchronization is performed in the NTP client mode in accordance with the interval suggested by the NTP server.

The following values are allowed for synchronization parameters with external NTP servers:

0x1 — SpecialInterval, use of a special polling interval;
0x2 — UseAsFallbackOnly mode;
0x4 — SymmetricActive, symmetric active mode;
0x8 — Client, send request in client mode.

Now you need to advertise the PDC-Emulator as a reliable source of time for domain client:

w32tm /config /reliable:yes

Now you need to restart the W32Time service on the PDC:

net stop w32time && net start w32time

To synchronize the time immediately run the command:

w32tm /resync

Tip. The list of current NTP sources is stored in the registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters in the NtpServer parameter.

Configuring time synchronization using Group Policy

To configure an external NTP server on a PDC use Group Policy. When using such a policy, you do not have to reconfigure time synchronization settings to DCs when transferring the PDC role to another server.

Open the Group Policy Management Console (GPMC.msc) and create a new policy PDC_NTP_sync;
Assign this policy to the OU Domain Controllers;
Create a WMI filter with the following code and link it to your policy (this WMI filter allows you to find a domain controller with the role of PDC and apply policy only to it): Select * from Win32_ComputerSystem where DomainRole = 5.
Switch to the policy editing mode and go to the section Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers. Enable the policy Enable Windows NTP Client and edit the Configure Windows NTP Client policy.
Specify the following policy settings:
```
Enabled 

NtpServer: 0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 

Type: NTP 

CrossSiteSyncFlags: 2 

ResolvePeerBackoffMinutes: 15 

ResolvePeerBackoffMaxTimes: 7 

SpecialPollInterval: 1024 

EventLogFlags: 0
```
It remains to run the following commands on DC to force synchronizing. Open elevated command prompt and type:
```
w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time
```
To check the current NTP time sources and their statuses, run the command:
```
w32tm /query /peers
```

To reset the time service settings and clear the list of external NTP servers, run the following commands:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

Note that by default, the domain clients synchronize time with DC using the Windows Time Service (Windows Time), rather than using the NTP protocol.

If your PDC is a virtual machine, we recommend you to check the article Time Configuration for a Virtualized Domain Controllers.

FAQs

1. What happens when a domain controller’s time isn’t synchronized?

When a domain controller isn’t synchronizing time correctly, it can lead to a cascade of issues. These can range from authentication failures, due to Kerberos ticket mismatches, to confusing or inaccurate event logs. It’s essential to configure DC to synchronize time properly to maintain network integrity.

2. How does the PDC emulator role affect time synchronization in a multiple-domain controller environment?

In a multiple-domain controller environment, the PDC emulator plays a vital role as the master timekeeper. All other network domain controllers and member servers synchronize their time with the PDC emulator, ensuring a uniform and reliable time source throughout the infrastructure.

3. Can I manually configure my PDC to sync with multiple external NTP servers?

Multiple external NTP servers can be specified when configuring your PDC for time synchronization. This is done for redundancy, ensuring time synchronization continues uninterrupted even if one server goes offline. In the ‘w32tm’ config command, the /manualpeerlist parameter can list multiple NTP servers, separated by spaces.

4. What does the ‘/syncfromflags:manual’ command do in time synchronization?

The /syncfromflags:manual command enables the NetTime service on your PDC to synchronize with an external source rather than following the domain hierarchy. It allows the domain controller to maintain accurate system time even when other controllers in the hierarchy may be unavailable or inaccurate.

5. What’s the purpose of the ‘w32tm /config /reliable:yes’ command?

The ‘w32tm /config /reliable:yes’ command is used to designate the PDC emulator as a reliable time source for the network. This setting is crucial because it establishes the PDC emulator as the master time server from which all other servers and clients in the network synchronize their time.

Wrapping up

In essence, configuring a Domain Controller (DC) to synchronize time with an external NTP server is a fundamental yet crucial aspect of managing an Active Directory Domain Services (AD DS) environment. Understanding the importance of time synchronization and the role played by the PDC emulator allows us to see why this configuration is essential.

Active Directory’s hierarchical nature, particularly the PDC emulator’s role, ensures that time is consistent across the domain hierarchy, from multiple domain controllers to individual member servers. However, to maintain the highest accuracy and reliability, the PDC emulator should be configured to sync with an external time source.

Network Time Protocol (NTP) is indispensable for accurate and reliable time synchronization, offering a robust solution for maintaining system time across various networks. By configuring the DC to sync with external NTP servers, we harness the power of the NTP protocol to keep our AD environment running smoothly.

Windows

3 comments

David Puckett October 28, 2021 - 9:38 am

This is incorrect
w32tm.exe /config /manualpeerlist:”0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8″ /syncfromflags:manual /update

This is correct
w32tm.exe /config /manualpeerlist:”0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org,0x8″ /syncfromflags:manual /update

“,0x8” should only be on the line once

Randy Harris December 7, 2022 - 12:04 pm

Terrific info, thanks very much!

Steve November 15, 2023 - 12:35 pm

What happens when the PDC moves to a different DC… then the old PC is still going external for the NTP Time source as opposed to the new ( Role Moved ) PDC.

How can the NTP Settings revert back to the default model ( instead of being tattooed to stay going to the external time source ) of all DCs looking to the PDC and the PDC going to atomic clock.