For properly functioning in a domain, a Windows computer’s time must be synchronized with the domain. This is primarily important for Kerberos authentication to work. Windows constantly synchronizes the time with the NTP servers. On computers joining an Active Directory domain, domain controllers act as NTP servers.
Hint. Learn more about time syncing in an Active Directory domain using GPO.
The Windows Time Service (W32Time) is responsible for time synchronization. First of all, make sure this service is running:
Get-Service W32Time | Select-Object name,status
You can check with which NTP server (NTP source) your computer is currently synchronizing the time by using the command:
w32tm /query /source
More information on the status of time synchronization on the client device:
w32tm /query /status
In an AD domain, you can list the domain controllers with which time synchronization can be performed:
For computers in an Active Directory domain, you can use the following commands to enable time synchronization with a DC:
w32tm /config /syncfromflags:domhier /update net stop w32time && net start w32time
The Windows Time service parameters are stored under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key. The synchronization mode is set using the Type parameter. If you change the Type value to NoSync, you completely disable time synchronization in Windows.
On all computers joined to the Active Directory domain the closest domain controller is used as the default time source. In this case, the Type parameter must be set to NT5DS. If NTP is specified here, then your computer synchronizes time with an external source time (possibly on the Internet). In this case, the time source for your computer (NTP server) will be specified in the NtpServer registry parameter.
To enable automatic time synchronization of a Windows client with a domain controller, you must set the Type parameter to NT5DS.
If the NT5DS time synchronization type is used, the time source specified in the NtpServer parameter is ignored and Windows synchronizes the time with the nearest domain controller (in accordance with the Active Directory sites).
You can manually change this parameter by using the Registry Editor (regedit.exe) or with PowerShell:
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Parameters -Name "Type" -Value "NT5DS"
Restart Windows Times Service:
Restart-Service -Name w32time
In some cases, in order for the Windows client to synchronize the time with the AD domain controller, you need to reset the Windows Time service configuration. To do this, open a command prompt as an administrator and run the following commands:
- The first command unregisters the w32time service and removes the settings from the registry:
- The following command registers the service and restores the default time settings:
- Restart the service:
net stop w32time && net start w32time
- Update settings:
w32tm /config /update
- Synchronize the time:
- Check your current sync settings:
w32tm /query /status
The screenshot below shows that Windows is now synchronizing with DC (Source).