Configuring DC for Sync Time with External NTP Server


In this article, we will look at how to configure a domain controller holding the PDC Emulator (Primary Domain Controller) FSMO role to synchronize time with an external time source (NTP server).
First, a reminder of how time synchronization works in an Active Directory forest:

  • All domain computers and member servers synchronize time with the nearest domain controller (in the client's AD site), or with the DC holding the PDC role (if AD sites are not configured);
  • All DCs synchronize time with the domain controller that holds the PDC role;
  • The PDC synchronizes time with itself by default, or you can configure it to synchronize with an external time source on the Internet (NTP server).

You can configure time synchronization on the PDC manually or using a GPO.

The w32tm.exe utility is used to manually configure time synchronization.

Open an elevated command prompt on the PDC and run the command:

w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /update

  • /syncfromflags:manual enables synchronization of the NetTime service with an external source;
  • /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" lists the external NTP servers to synchronize with. The 0x8 parameter means that synchronization is performed in NTP client mode, at the interval suggested by the NTP server.

The following values are allowed for synchronization parameters with external NTP servers:

  • 0x1 — SpecialInterval, use of a special polling interval;
  • 0x2 — UseAsFallbackOnly mode;
  • 0x4 — SymmetricActive, symmetric active mode;
  • 0x8 — Client, send request in client mode.

Now you need to advertise the PDC Emulator as a reliable time source for domain clients:

w32tm /config /reliable:yes

Now you need to restart the W32Time service on the PDC:

net stop w32time && net start w32time

To synchronize the time immediately, run the command:

w32tm /resync

Tip. The list of current NTP sources is stored in the registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters in the NtpServer parameter.
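
The flag values listed above can be checked against what is actually stored in the NtpServer registry value. The following PowerShell script is an added example, not part of the original article; the function name ConvertFrom-NtpPeerList and the variable names are hypothetical, and the fallback peer list is the one configured in this article.

```powershell
# Added example (not from the article): decode a W32Time NtpServer peer list.
# Flag meanings are the four values listed in this article.
$FlagTable = @(
    @{ Bit = 0x1; Name = 'SpecialInterval' },
    @{ Bit = 0x2; Name = 'UseAsFallbackOnly' },
    @{ Bit = 0x4; Name = 'SymmetricActive' },
    @{ Bit = 0x8; Name = 'Client' }
)

function ConvertFrom-NtpPeerList {
    param([Parameter(Mandatory)][string]$PeerList)

    # Peers are space-separated; each entry is "host,0xFLAGS" (flags optional).
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $peer, $rawFlags = $entry -split ',', 2
        # Convert.ToInt32 with base 16 accepts the "0x" prefix.
        $value = if ($rawFlags) { [Convert]::ToInt32($rawFlags, 16) } else { 0 }
        $names = @($FlagTable |
            Where-Object { $value -band $_.Bit } |
            ForEach-Object { $_.Name })
        [pscustomobject]@{
            Peer        = $peer
            RawFlags    = $rawFlags
            Flags       = $names -join ', '
            # Bits outside the four documented values, shown for review.
            UnknownBits = '0x{0:X}' -f ($value -band (-bnot 0xF))
        }
    }
}

# Constructed sample input: the peer list configured earlier in this article.
$sample = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

# Prefer the live value from the registry key named in the tip; fall back to
# the sample when the key is unavailable (for example, when not on Windows).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
try   { $peerList = (Get-ItemProperty -Path $key -Name NtpServer -ErrorAction Stop).NtpServer }
catch { $peerList = $null }
if (-not $peerList) { $peerList = $sample }

ConvertFrom-NtpPeerList -PeerList $peerList | Format-Table -AutoSize
```

A peer whose Flags column is empty, or whose UnknownBits is not 0x0, does not match any of the values documented above and is worth reviewing.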


You can also configure an external NTP server on the PDC using Group Policy. With such a policy, you do not have to reconfigure time synchronization settings on the DCs when transferring the PDC role to another server.

  1. Open the Group Policy Management Console (GPMC.msc) and create a new policy PDC_NTP_sync;
  2. Assign this policy to the OU Domain Controllers;
  3. Create a WMI filter with the following code and link it to your policy (this WMI filter allows you to find a domain controller with the role of PDC and apply policy only to it): Select * from Win32_ComputerSystem where DomainRole = 5

  4. Switch to the policy editing mode and go to the section Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers. Enable the policy Enable Windows NTP Client and edit the Configure Windows NTP Client policy.
  5. Specify the following policy settings:
    Enabled
    NtpServer: 0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8
    Type: NTP
    CrossSiteSyncFlags: 2
    ResolvePeerBackoffMinutes: 15
    ResolvePeerBackoffMaxTimes: 7
    SpecialPollInterval: 1024
    EventLogFlags: 0
  6. Finally, run the following commands on the DC:
    w32tm /config /syncfromflags:domhier /update

    net stop w32time && net start w32time

To check the current NTP time sources and their statuses, run the command:

w32tm /query /peers

To reset the time service settings and clear the list of external NTP servers, run the following commands:

net stop w32time 
w32tm /unregister 
w32tm /register 
net start w32time

Note that by default, domain clients synchronize time with the DC using the Windows Time Service (Windows Time), rather than using the NTP protocol.

If your PDC is a virtual machine, we recommend that you check the article Time Configuration for a Virtualized Domain Controllers.
