In this article, we will take a look at how to configure a domain controller with the FSMO role PDC Emulator (Primary Domain Controller) to synchronize time with the external time source (NTP server) with your NTP configuration.
Why is time synchronization important with Active Directory Domain Controllers?
Time synchronization in a network environment is more than a convenience; it’s an absolute necessity, especially when it comes to domain controllers within an Active Directory Domain Services (AD DS) infrastructure.
Why, though? Imagine having multiple domain controllers spread across your domain hierarchy, each with a different system time. This lack of sync would result in many problems, including authentication failures and inconsistencies in event logs, which are essential for monitoring and security purposes. Inconsistencies can be problematic when tracing an event across multiple domains or even within a single domain with multiple domain controllers.
Windows Time Service
The Windows Time service, integral to both member servers and domain controllers, provides the necessary time synchronization service across your network. This service follows a hierarchical structure, where the primary domain controller (PDC) emulator in the forest root domain stands at the apex.
PDC Emulator plays a key role
The PDC emulator performs a crucial role. The DC that holds the PDC role is configured to synchronize time with an external NTP server, serving as the authoritative time server for the entire AD infrastructure. Other domain controllers and member servers synchronize time with the PDC emulator.
This configuration ensures a reliable time source for all devices within the network. It also enables the Windows NTP client on each domain controller to synchronize time accurately with the PDC emulator.
Time can deviate
However, this internal time synchronization can deviate over time, requiring the DC to synchronize time with an external source. Therefore, configuring DC for sync time with an external NTP server is crucial. External NTP servers, such as public NTP servers, follow the NTP protocol, providing high accuracy and reliability.
What is Network Time Protocol (NTP)?
The Network Time Protocol, commonly referred to as NTP, is a protocol designed for time synchronization among computer systems over packet-switched, variable-latency data networks. Born out of the necessity for reliable and accurate timekeeping in the digital world, NTP has become a cornerstone protocol in today’s internet infrastructure.
External NTP servers, such as public NTP servers available on the internet, usually operate at Stratum 1 or Stratum 2. These servers provide a reliable and accurate time source for other devices to synchronize with, leveraging the NTP protocol.
The beauty of NTP lies in its ability to provide time synchronization with remarkable precision over the public internet, where latency and network jitter can vary significantly. It does this through a complex algorithm that estimates network delay and adjusts time accordingly, even compensating for the time it takes for time requests to travel from the client to the server and back.
In the context of a Windows Server environment, configuring DC for sync time with external NTP server becomes a vital part of ensuring accurate and reliable time across the domain. Domain controllers, including the primary domain controller, are usually configured to synchronize time with these external NTP servers.
How time synchronization works in Active Directory?
First of all, we remind you how time synchronization works in the Active Directory forest:
- All domain computers or member servers synchronize time with the nearest domain controller (in the client AD site) running in your Active Directory Domain Services environment or with the DC with the PDC role (if AD sites are not configured);
- All DCs synchronize time with a domain controller PDC role holder;
- PDC synchronizes time with itself by default, or you can configure it to synchronize with an external time source on the Internet (NTP server).
Configuring time synchronization using w32tm config
You can configure time synchronization on the PDC manually or using a GPO.
The w32tm.exe utility is used to configure time synchronization manually.
Open an elevated command prompt (administrative command prompt) on the PDC and run the command:
w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /update
- /Syncfromflags:manual—enables synchronization of the NetTime service with an external source
- /manualpeerlist:”0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8″—lists external NTP servers for synchronization for configured NTP servers. The 0x8 parameter means that synchronization is performed in the NTP client mode in accordance with the interval suggested by the NTP server.
The following values are allowed for synchronization parameters with external NTP servers:
- 0x1 — SpecialInterval, use of a special polling interval;
- 0x2 — UseAsFallbackOnly mode;
- 0x4 — SymmetricActive, symmetric active mode;
- 0x8 — Client, send request in client mode.
Now you need to advertise the PDC-Emulator as a reliable source of time for domain client:
w32tm /config /reliable:yes
Now you need to restart the W32Time service on the PDC:
net stop w32time && net start w32time
To synchronize the time immediately run the command:
Tip. The list of current NTP sources is stored in the registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters in the NtpServer parameter.
Configuring time synchronization using Group Policy
To configure an external NTP server on a PDC use Group Policy. When using such a policy, you do not have to reconfigure time synchronization settings to DCs when transferring the PDC role to another server.
- Open the Group Policy Management Console (GPMC.msc) and create a new policy PDC_NTP_sync;
- Assign this policy to the OU Domain Controllers;
- Create a WMI filter with the following code and link it to your policy (this WMI filter allows you to find a domain controller with the role of PDC and apply policy only to it): Select * from Win32_ComputerSystem where DomainRole = 5.
- Switch to the policy editing mode and go to the section Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers. Enable the policy Enable Windows NTP Client and edit the Configure Windows NTP Client policy.
- Specify the following policy settings:
Enabled NtpServer: 0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 Type: NTP CrossSiteSyncFlags: 2 ResolvePeerBackoffMinutes: 15 ResolvePeerBackoffMaxTimes: 7 SpecialPollInterval: 1024 EventLogFlags: 0
- It remains to run the following commands on DC to force synchronizing. Open elevated command prompt and type:
w32tm /config /syncfromflags:domhier /update net stop w32time && net start w32time
To check the current NTP time sources and their statuses, run the command:
w32tm /query /peers
To reset the time service settings and clear the list of external NTP servers, run the following commands:
net stop w32time w32tm /unregister w32tm /register net start w32time
Note that by default, the domain clients synchronize time with DC using the Windows Time Service (Windows Time), rather than using the NTP protocol.
If your PDC is a virtual machine, we recommend you to check the article Time Configuration for a Virtualized Domain Controllers.
1. What happens when a domain controller’s time isn’t synchronized?
When a domain controller isn’t synchronizing time correctly, it can lead to a cascade of issues. These can range from authentication failures, due to Kerberos ticket mismatches, to confusing or inaccurate event logs. It’s essential to configure DC to synchronize time properly to maintain network integrity.
2. How does the PDC emulator role affect time synchronization in a multiple-domain controller environment?
In a multiple-domain controller environment, the PDC emulator plays a vital role as the master timekeeper. All other network domain controllers and member servers synchronize their time with the PDC emulator, ensuring a uniform and reliable time source throughout the infrastructure.
3. Can I manually configure my PDC to sync with multiple external NTP servers?
Multiple external NTP servers can be specified when configuring your PDC for time synchronization. This is done for redundancy, ensuring time synchronization continues uninterrupted even if one server goes offline. In the ‘w32tm’ config command, the /manualpeerlist parameter can list multiple NTP servers, separated by spaces.
4. What does the ‘/syncfromflags:manual’ command do in time synchronization?
The /syncfromflags:manual command enables the NetTime service on your PDC to synchronize with an external source rather than following the domain hierarchy. It allows the domain controller to maintain accurate system time even when other controllers in the hierarchy may be unavailable or inaccurate.
5. What’s the purpose of the ‘w32tm /config /reliable:yes’ command?
The ‘w32tm /config /reliable:yes’ command is used to designate the PDC emulator as a reliable time source for the network. This setting is crucial because it establishes the PDC emulator as the master time server from which all other servers and clients in the network synchronize their time.
In essence, configuring a Domain Controller (DC) to synchronize time with an external NTP server is a fundamental yet crucial aspect of managing an Active Directory Domain Services (AD DS) environment. Understanding the importance of time synchronization and the role played by the PDC emulator allows us to see why this configuration is essential.
Active Directory’s hierarchical nature, particularly the PDC emulator’s role, ensures that time is consistent across the domain hierarchy, from multiple domain controllers to individual member servers. However, to maintain the highest accuracy and reliability, the PDC emulator should be configured to sync with an external time source.
Network Time Protocol (NTP) is indispensable for accurate and reliable time synchronization, offering a robust solution for maintaining system time across various networks. By configuring the DC to sync with external NTP servers, we harness the power of the NTP protocol to keep our AD environment running smoothly.