In this article, we will look at how to configure the domain controller holding the PDC Emulator (Primary Domain Controller) FSMO role to synchronize time with an external time source (NTP server).
First, a reminder of how time synchronization works in an Active Directory forest:
- All domain computers or member servers synchronize time with the nearest domain controller (in the client AD site), or with the DC with the PDC role (if AD sites are not configured);
- All DCs synchronize time with a domain controller PDC role holder;
- PDC synchronizes time with itself by default, or you can configure it to synchronize with an external time source on the Internet (NTP server).
You can configure time synchronization on the PDC manually or using a GPO.
The w32tm.exe utility is used to manually configure time synchronization.
Open an elevated command prompt on the PDC and run the command:
w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /update
- /syncfromflags:manual — enables synchronization of the Windows Time (W32Time) service with an external source;
- /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" — lists the external NTP servers to synchronize with. The 0x8 flag after each server means that synchronization is performed in NTP client mode, polling at the interval suggested by the NTP server.
The following values are allowed for synchronization parameters with external NTP servers:
- 0x1 — SpecialInterval, use of a special polling interval;
- 0x2 — UseAsFallbackOnly mode;
- 0x4 — SymmetricActive, symmetric active mode;
- 0x8 — Client, send request in client mode.
Now you need to advertise the PDC Emulator as a reliable time source for domain clients:
w32tm /config /reliable:yes
Now you need to restart the W32Time service on the PDC:
net stop w32time && net start w32time
To synchronize the time immediately, run the command:
Tip. The list of current NTP sources is stored in the NtpServer value under the registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
You can also configure the external NTP server on the PDC using Group Policy. With such a policy, you do not have to reconfigure the time synchronization settings on the DCs when transferring the PDC role to another server.
- Open the Group Policy Management Console (GPMC.msc) and create a new policy PDC_NTP_sync;
- Assign this policy to the OU Domain Controllers;
- Create a WMI filter with the following query and link it to your policy (this WMI filter finds the domain controller holding the PDC role, so the policy applies only to it):
Select * from Win32_ComputerSystem where DomainRole = 5
- Switch to the policy editing mode and go to the section Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers. Enable the policy Enable Windows NTP Client and edit the Configure Windows NTP Client policy.
- Specify the following policy settings:
NtpServer: 0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8
- Finally, run the following commands on the DC:
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
To check the current NTP time sources and their statuses, run the command:
w32tm /query /peers
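Beyond w32tm /query /peers, it is worth verifying that each DC's W32Time configuration matches its role: the PDC should sync from manual NTP peers, every other DC from the domain hierarchy. The PowerShell script below is an added example, not part of the original article; it reuses the article's DomainRole = 5 test and registry key, assumes it runs elevated on a domain controller, and parses the NtpServer value with the 0x1/0x2/0x4/0x8 flag meanings listed above.

```powershell
# Added example: audit the local DC's W32Time settings against the layout described above.
# Assumption: run in an elevated PowerShell session on a domain controller.
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# Flag bits used in the NtpServer / manualpeerlist format (same meanings as the article's list).
$PeerFlagNames = @{ 0x1 = 'SpecialInterval'; 0x2 = 'UseAsFallbackOnly'
                    0x4 = 'SymmetricActive'; 0x8 = 'Client' }

# Parse "host,0xN host,0xN ..." into one object per peer with its decoded modes.
function ConvertFrom-NtpPeerList {
    param([string]$PeerList)
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $server, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [int]$flagText } else { 0 }   # [int]'0x8' -> 8
        [pscustomobject]@{
            Server = $server
            Flags  = $flags
            Modes  = @($PeerFlagNames.Keys | Where-Object { $flags -band $_ } |
                       ForEach-Object { $PeerFlagNames[$_] })
        }
    }
}

# DomainRole 5 = primary domain controller, the same test as the article's WMI filter.
function Test-IsPdcEmulator {
    (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -eq 5
}

# Read the effective W32Time parameters and report role/configuration mismatches.
function Get-W32TimeAudit {
    $params   = Get-ItemProperty -Path $W32TimeParams
    $isPdc    = Test-IsPdcEmulator
    $peers    = @(ConvertFrom-NtpPeerList -PeerList $params.NtpServer)
    $findings = @()
    # Type NTP = manual peer list (/syncfromflags:manual); NT5DS = domain hierarchy (domhier).
    if ($isPdc -and $params.Type -ne 'NTP') {
        $findings += 'PDC emulator does not sync from its manual peer list (Type should be NTP).'
    }
    if (-not $isPdc -and $params.Type -eq 'NTP') {
        $findings += 'Non-PDC DC syncs from external peers instead of the domain hierarchy (NT5DS).'
    }
    if ($isPdc -and -not ($peers | Where-Object { $_.Modes -contains 'Client' })) {
        $findings += 'No peer is configured in client mode (0x8) as in the article''s peer list.'
    }
    [pscustomobject]@{ IsPdc = $isPdc; Type = $params.Type; Peers = $peers; Findings = $findings }
}

Get-W32TimeAudit | Format-List
```

An empty Findings list means the DC's Type and peer flags agree with its role; a non-empty one points at the w32tm /config command above that needs to be re-run.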
To reset the time service settings and clear the list of external NTP servers, run the following commands:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
Note that by default, domain clients synchronize time with the DC using the Windows Time service (W32Time) rather than the NTP protocol.
If your PDC is a virtual machine, we recommend reading the article Time Configuration for Virtualized Domain Controllers.