To function properly in a domain, a Windows computer's time must be synchronized with the domain. This is primarily important for Kerberos authentication to work. Windows constantly synchronizes its time with NTP servers; domain controllers act as NTP servers for computers joined to an Active Directory domain.
On a Windows computer that is not part of an Active Directory domain, the time is synchronized by default with one of two Internet time sources:
- time.windows.com
- time.nist.gov
You can find the list of Internet time servers that your computer synchronizes with in Control Panel > Date and Time > Internet Time tab > Change Settings. In the example shown, this computer is set to synchronize automatically with ‘time.windows.com’ and the Synchronize with an Internet time server option is enabled.
The list of these Internet time servers is stored in the Windows registry under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers key.
On computers joined to an Active Directory domain, time synchronization works differently.
Features of time synchronization in Active Directory domains:
- All domain computers and servers must use NT5DS domain time;
- Domain workstations and Windows member servers synchronize time with the nearest domain controller;
- Domain controllers synchronize their time with the domain controller that owns the PDC emulator FSMO role;
- The PDC emulator in the child domain must synchronize time with any domain controller in the parent AD domain;
- The PDC emulator in the parent domain must synchronize time with an external NTP source.
Hint. Learn more about time syncing in an Active Directory domain using GPO.
The Windows Time service (W32Time) is responsible for time synchronization. First, make sure this service is running on the Windows client computer using the Get-Service cmdlet:
Get-Service W32Time | Select-Object name,status
You can check which NTP server (time source) your computer is currently synchronizing with by using the command:
w32tm /query /source
More information on the status of time synchronization on the client device:
w32tm /query /status
In an AD domain, you can list the domain controllers with which time synchronization can be performed:
w32tm /monitor
For computers in an Active Directory domain, you can use the following commands to enable time synchronization with a DC:
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
The Windows Time service parameters are stored under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key. The synchronization mode is set using the Type parameter. If you change the Type value to NoSync, you completely disable time synchronization in Windows.
Windows Time Synchronization in an Active Directory Domain
On all computers joined to the Active Directory domain, the closest domain controller is used as the default time source. In this case, the Type parameter must be set to NT5DS. If NTP is specified here, your computer synchronizes time with an external time source (possibly on the Internet). In that case, the time source for your computer (the NTP server) is specified in the NtpServer registry parameter.
To enable automatic time synchronization of a Windows client with a domain controller, you must set the Type parameter to NT5DS.
If the NT5DS time synchronization type is used, the time source specified in the NtpServer parameter is ignored and Windows synchronizes the time with the nearest domain controller (in accordance with the Active Directory sites and subnets).
You can manually change this parameter by using the Registry Editor (regedit.exe) or with PowerShell:
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Parameters -Name "Type" -Value "NT5DS"
Restart the Windows Time service:
Restart-Service -Name w32time
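As an added example (not code from the original article), the following PowerShell function audits the settings discussed above in one pass: it reads the Type and NtpServer values from the W32Time Parameters key, checks the service state and domain membership, and flags the misconfigurations the text describes (NoSync, NT5DS on a standalone machine, NTP on a domain member, or no network source in use). The function name and the findings wording are my own.

```powershell
# Added example: audit the local Windows Time client configuration.
function Test-W32TimeClientConfig {
    [CmdletBinding()]
    param()

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $svc       = Get-Service -Name W32Time -ErrorAction Stop
    $params    = Get-ItemProperty -Path $paramsKey
    $isMember  = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # w32tm reports the source actually in use; it needs a running service.
    $source = ''
    if ($svc.Status -eq 'Running') {
        $source = ((& w32tm /query /source 2>$null) -join '').Trim()
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($svc.Status -ne 'Running') { $findings.Add('W32Time service is not running') }

    switch ($params.Type) {
        'NoSync' { $findings.Add('Type=NoSync: time synchronization is completely disabled') }
        'NT5DS'  { if (-not $isMember) { $findings.Add('Type=NT5DS on a non-domain computer: no DC to sync from') } }
        'NTP'    { if ($isMember) { $findings.Add("Type=NTP on a domain member: DC hierarchy ignored, using '$($params.NtpServer)'") } }
        default  { $findings.Add("Type '$($params.Type)' is none of NT5DS, NTP or NoSync; review manually") }
    }

    # "Local CMOS Clock" / "Free-running System Clock" mean no network time source is in use.
    if ($source -match 'CMOS|Free-running') {
        $findings.Add("Current source is '$source', not a network time source")
    }

    [pscustomobject]@{
        ServiceStatus = $svc.Status
        PartOfDomain  = $isMember
        Type          = $params.Type
        NtpServer     = $params.NtpServer
        CurrentSource = $source
        Healthy       = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

# Run from an elevated PowerShell session so w32tm can query the service.
Test-W32TimeClientConfig | Format-List
```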
In some cases, for the Windows client to synchronize the time with the AD domain controller, you need to reset the Windows Time service configuration. To do this, open a command prompt as an administrator and run the following commands:
- The first command unregisters the w32time service and removes the settings from the registry:
w32tm /unregister
- The following command registers the service and restores the default time settings:
w32tm /register
- Restart the service:
net stop w32time && net start w32time
- Update settings:
w32tm /config /update
- Synchronize the time:
w32tm /resync
- Check your current sync settings:
w32tm /query /status
The screenshot below shows that Windows is now synchronizing with DC (Source).
Configuring NTP Client on Windows Using GPO
In most cases, time synchronization with the domain on Windows clients doesn't require any administrator intervention. However, if you find that time synchronization on clients in your domain is not working properly, you can centrally configure the NTP client settings on Windows devices using Group Policy.
- Use the gpedit.msc console if you want to change group policy settings on a single computer (this is the best solution if you need to solve synchronization problems on a single computer or test new NTP client settings). If you are setting up a GPO for multiple computers in a domain, use the Group Policy Management Console (gpmc.msc);
- Expand the following node in the left pane of the GPO editor Computer Configuration > Administrative Templates > System > Windows Time Service;
- Open the Enable Windows NTP Client policy in the right pane and enable it;
- Then select the Configure NTP Client option. Change its state to Enabled;
- You need to set the following settings in the Options panel:
NTPServer: your domain name (preferred) or the FQDN of the domain controller that holds the PDC Emulator role (you can find it with the command: netdom.exe query fsmo)
Type: NT5DS
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 64
EventLogFlags: 0
- Restart your computer to apply the new GPO client time settings.
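To verify on a client that the GPO above has actually applied, the added PowerShell function below (not part of the original article) compares the NTP client policy values with the recommended ones from the list. It assumes the standard policy registry locations used by the Windows Time Service administrative template (HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters and ...\TimeProviders\NtpClient); the function name and the placeholder domain name are mine.

```powershell
# Added example: check the policy-based NTP client settings against the recommended values.
function Test-NtpClientPolicy {
    param(
        # Expected NtpServer value; the article recommends the domain name. Placeholder below.
        [string]$ExpectedNtpServer = 'corp.example'
    )
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    $ntpClient  = "$policyRoot\TimeProviders\NtpClient"
    $parameters = "$policyRoot\Parameters"

    # One entry per setting from the list above, plus the "Enable Windows NTP Client" flag.
    $expected = @(
        @{ Key = $ntpClient;  Name = 'Enabled';                   Value = 1 }
        @{ Key = $parameters; Name = 'NtpServer';                 Value = $ExpectedNtpServer }
        @{ Key = $parameters; Name = 'Type';                      Value = 'NT5DS' }
        @{ Key = $ntpClient;  Name = 'CrossSiteSyncFlags';        Value = 2 }
        @{ Key = $ntpClient;  Name = 'ResolvePeerBackoffMinutes'; Value = 15 }
        @{ Key = $ntpClient;  Name = 'ResolvePeerBackoffMaxTimes';Value = 7 }
        @{ Key = $ntpClient;  Name = 'SpecialPollInterval';       Value = 64 }
        @{ Key = $ntpClient;  Name = 'EventLogFlags';             Value = 0 }
    )

    foreach ($e in $expected) {
        # A missing policy key or value means the GPO has not applied (or is not configured).
        $actual = $null
        if (Test-Path -Path $e.Key) {
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        $status = 'Mismatch'
        if ($null -eq $actual)                  { $status = 'NotApplied' }
        elseif ("$actual" -eq "$($e.Value)")    { $status = 'OK' }

        [pscustomobject]@{
            Setting  = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

# Typical use after gpupdate /force and a restart; then confirm the effective source with w32tm /query /source.
Test-NtpClientPolicy -ExpectedNtpServer 'corp.example' | Format-Table -AutoSize
```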