How to Sync Client Time with Domain Controller on Windows?

For a Windows computer to function properly in a domain, its time must be synchronized with the domain. This is primarily important for Kerberos authentication to work. Windows constantly synchronizes the time with NTP servers. For computers joined to an Active Directory domain, the domain controllers act as the NTP servers.


The Windows Time Service (W32Time) is responsible for time synchronization. First of all, make sure this service is running:

Get-Service W32Time | Select-Object name,status


To see which NTP server (NTP source) your computer is currently synchronizing its time with, run:

w32tm /query /source

To get more information on the status of time synchronization on the client device, run:

w32tm /query /status

In an AD domain, you can list the domain controllers with which time synchronization can be performed:

w32tm /monitor

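For computers in an Active Directory domain, you can use the following commands to enable time synchronization with a DC. Run them from an elevated command prompt; the && operator in the second command is not supported by Windows PowerShell 5.1: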

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

The Windows Time service parameters are stored under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key. The synchronization mode is set using the Type parameter. If you change the Type value to NoSync, you completely disable time synchronization in Windows.

On all computers joined to the Active Directory domain, the closest domain controller is used as the default time source. In this case, the Type parameter must be set to NT5DS. If NTP is specified here, the computer synchronizes its time with an external time source (possibly on the Internet). In that case, the time source for the computer (the NTP server) is specified in the NtpServer registry parameter.

To enable automatic time synchronization of a Windows client with a domain controller, you must set the Type parameter to NT5DS.


If the NT5DS time synchronization type is used, the time source specified in the NtpServer parameter is ignored and Windows synchronizes the time with the nearest domain controller (in accordance with the Active Directory sites).

You can manually change this parameter by using the Registry Editor (regedit.exe) or with PowerShell:

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Parameters -Name "Type" -Value "NT5DS"

Restart the Windows Time service:

Restart-Service -Name w32time
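
The checks described above can be combined into one audit for domain member computers. The following PowerShell function is an added example, not code from the original article; the function name Test-DomainTimeSync and its output property names are assumptions. It reads the service state, the Type and NtpServer registry values and the current source, and reports any setting that does not match the NT5DS configuration:

```powershell
# Added example: audits the W32Time settings discussed above on a domain member.
# The function name and output property names are illustrative, not part of Windows.
function Test-DomainTimeSync {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    $inDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $service  = Get-Service -Name W32Time
    $params   = Get-ItemProperty -Path $key

    # Ask w32tm for the current source only if the service can answer.
    $source = $null
    if ($service.Status -eq 'Running') {
        $source = "$(& w32tm.exe /query /source 2>&1 | Select-Object -First 1)".Trim()
    }

    $findings = @()
    if ($service.Status -ne 'Running') {
        $findings += "W32Time service is $($service.Status)"
    }
    if ($params.Type -eq 'NoSync') {
        $findings += 'Type is NoSync: time synchronization is disabled'
    }
    elseif ($inDomain -and $params.Type -eq 'NTP') {
        $findings += "Type is NTP: time comes from NtpServer '$($params.NtpServer)', not from a DC"
    }
    elseif ($inDomain -and $params.Type -ne 'NT5DS') {
        $findings += "Type is '$($params.Type)', expected NT5DS on a domain member"
    }
    # These source names mean the clock is not following any time server
    # (English-language output; localized systems print translated text).
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "Source is '$source': no time server is in use"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DomainJoined = $inDomain
        ServiceState = $service.Status
        Type         = $params.Type
        NtpServer    = $params.NtpServer
        Source       = $source
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-DomainTimeSync | Format-List
```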

In some cases, in order for the Windows client to synchronize the time with the AD domain controller, you need to reset the Windows Time service configuration. To do this, open a command prompt as an administrator and run the following commands:

  • The first command unregisters the w32time service and removes the settings from the registry:
    w32tm /unregister
  • The following command registers the service and restores the default time settings:
    w32tm /register
  • Restart the service:
    net stop w32time && net start w32time
  • Update settings:
    w32tm /config /update
  • Synchronize the time:
    w32tm /resync
  • Check your current sync settings:
    w32tm /query /status

In the output, the Source field should now show the domain controller that Windows is synchronizing with.

Cyril Kardashevsky