This post shows, in a few steps, how to configure the Windows Time service in an Active Directory environment, on both domain controllers and domain computers, so that it works reliably and synchronises with an external time server.
Active Directory will not work correctly if the clock is not synchronised across all domain controllers and member machines.
One of the services that relies on correct time is Kerberos: by default, a computer whose clock is more than 5 minutes out of sync with the domain controller cannot authenticate to the domain, because the tickets and authenticators it presents fall outside the allowed clock skew. Another example is replication: Active Directory uses timestamps to resolve replication conflicts, so skewed clocks can make the wrong change win.
How Does it Work?
Active Directory relies on the Windows Time service (W32Time) for clock synchronisation, and it arranges machines in a hierarchy:
- All member machines synchronise with the domain controller that authenticates them.
- In a domain, all other domain controllers synchronise from the PDC Emulator of that domain.
- The PDC Emulator of a child domain synchronises with a domain controller of the parent domain (ideally the parent's PDC Emulator) using NTP.
- The PDC Emulator of the root domain in a forest synchronises with an external time server, which could be a router, another standalone server, an internet time server, etc. This is the only machine that needs to talk to a time source outside the forest.
You will get a better understanding of this flow by looking at the following diagram:
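Beyond the diagram, you can see which source each of your own DCs is actually following. The script below is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) and rights to run w32tm against every DC remotely, and it flags any DC whose mode or source does not match the hierarchy above.

```powershell
# Added example, not from the original post: list every DC in the domain with the time source and
# W32Time mode it is actually using, and flag the ones that do not match the hierarchy described above.
# Assumes the ActiveDirectory module (RSAT) and rights to run w32tm against each DC remotely.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator      # FQDN of the PDC emulator, the root of this domain's hierarchy

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    # /query /source reports the peer the machine is currently taking time from
    $source = "$(w32tm /query /source /computer:$name 2>&1 | Select-Object -First 1)".Trim()
    # /query /configuration includes a "Type: NTP (Local)" or "Type: NT5DS (Local)" line
    $match  = w32tm /query /configuration /computer:$name 2>&1 |
              Select-String -Pattern '^\s*Type:\s*(\S+)' | Select-Object -First 1
    $type   = if ($match) { $match.Matches[0].Groups[1].Value } else { 'unknown' }

    $isPdc    = ($name -ieq $pdc)
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }   # manual external peers on the PDC, domain hierarchy elsewhere
    # A DC reporting its own CMOS clock or a free-running clock is not synchronised with anything
    $healthy  = ($type -eq $expected) -and ($source -notmatch 'Local CMOS Clock|Free-running')

    [pscustomobject]@{
        DC       = $name
        IsPDC    = $isPdc
        Type     = $type
        Expected = $expected
        Source   = $source
        Healthy  = $healthy
    }
}
```

Run it from a management workstation or any DC; a row with Healthy = False is the DC to look at first, and a PDC whose Source is another DC rather than an external address means the manual peer list was never applied there.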
From your PDC, open a command prompt as administrator and type:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
Confirm if your server is properly configured:
w32tm /query /status
pool.ntp.org is used here as the external time server; replace it with the address of whatever time source you intend to use.
Next, run the following command on all the other DCs (those that do not hold the PDC Emulator role), so that they take their time from the domain hierarchy instead of a manual peer list:
w32tm /config /syncfromflags:domhier /update
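The two configurations above can be applied from one script that works out which role the local DC holds. This is an added example, not code from the original post: it assumes an elevated PowerShell session on the DC, the ActiveDirectory module (RSAT), and uses several pool.ntp.org names with the W32Time client flag instead of the single bare name shown above.

```powershell
# Added example, not from the original post: apply the right W32Time configuration to the DC you are on.
# Run in an elevated PowerShell on each domain controller. Assumes the ActiveDirectory module (RSAT).
# The external peers are pool.ntp.org names as in the post; substitute your own source if you have one.
Import-Module ActiveDirectory

$dc    = Get-ADDomainController -Identity $env:COMPUTERNAME
$isPdc = $dc.OperationMasterRoles -contains 'PDCEmulator'

if ($isPdc) {
    # The ",0x8" suffix is the W32Time client flag: send client-mode requests, which public NTP servers
    # answer, instead of the symmetric-active packets many of them silently drop. Several distinct pool
    # names give the service more than one sample source to compare against each other.
    $peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy and must not claim to be a reliable source itself,
    # otherwise other DCs in the domain may select it instead of the PDC emulator
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service w32time
w32tm /resync /rediscover        # pick up the new peer(s) now rather than at the next poll
w32tm /query /source             # PDC: one of the external peers; other DCs: a domain controller
w32tm /query /status
```

After the script runs, /query /source on the PDC should name one of the external peers and /query /status should show a stratum one higher than that peer's; on the other DCs the source should be a DC of the domain.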
On your internal and perimeter firewalls, allow NTP (UDP port 123) outbound from the PDC Emulator to the external time server and the replies back in. Inside the network, members and the other DCs only need UDP 123 to the domain controllers. Only the PDC Emulator needs to reach the internet for time, and NTP from the internet inbound to your DCs should stay blocked.
Don’t forget: if your PDC Emulator is a virtual machine on a Hyper-V host, disable time synchronisation with the host in the VM settings, otherwise the host clock keeps overriding the time the VM gets from its NTP peers. To do that, follow the instructions below:
- Open Hyper-V Manager.
- Select the guest DC.
- Click Settings.
- Click Integration Services.
- Clear the Time synchronization option.
- Exit Hyper-V Manager.
- Restart the server.
I screwed up my configuration, now what?
Don’t worry, you can restore time service to its default value:
net stop w32time
If you are seeing W32Time Event ID 47 (no valid response from the manually configured peer), or if w32tm /query /source reports “Local CMOS Clock”, try the following:
- Run the configuration steps above again.
- Make sure you can reach your external NTP server. Pinging it is a first check, but NTP itself uses UDP 123 and some servers drop ICMP, so a w32tm /stripchart against the server is the better test.
- Restart your server and try again.
- Make sure no other NTP settings are being applied to the domain through Group Policy; a W32Time policy overrides anything set with w32tm /config.
- Make sure the clock is not too far from the real time (the rule of thumb used here is 1000 seconds). W32Time refuses to apply a correction larger than its configured maximum phase correction, so if the clock is badly off, set it by hand first and then resync.
- Make sure your server is set to the right time zone.
- You can also check for time advertisement on the PDC by running w32tm /resync /rediscover /nowait and then looking for Event ID 139 (the time service has started advertising as a time source).
- You can check the registry to see whether the domain controller is using NTP (should be the case on the PDC) or NT5DS (on non-PDC DCs): find the value of Type under:
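The checks in that list can be scripted on the DC you are troubleshooting. The script below is an added example, not code from the original post: it reads the standard W32Time registry keys (the Parameters key holds Type and NtpServer; the Config key holds the phase-correction limits; W32Time Group Policy settings live under HKLM\SOFTWARE\Policies\Microsoft\W32Time), pulls the relevant events, measures the offset to each configured peer without touching the clock, and ends with a reset helper that completes the “restore to default” step with the unregister/register sequence.

```powershell
# Added example, not from the original post: script the troubleshooting checks on the local DC.
# Assumes an elevated PowerShell on the DC. The registry paths are the standard W32Time keys.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'

# 1. Which mode is this DC in? NTP = manual peer list (PDC emulator); NT5DS = domain hierarchy (other DCs)
$type  = (Get-ItemProperty -Path $params -Name Type).Type
$peers = (Get-ItemProperty -Path $params -Name NtpServer).NtpServer
"Type: $type   NtpServer: $peers"

# 2. Group Policy settings for W32Time live under a separate key and override w32tm /config
if (Test-Path $policy) {
    "Warning: W32Time policy settings exist under $policy and override the local configuration"
}

# 3. Recent W32Time events: 47 = no valid response from a manually configured peer,
#    139 = the time service has started advertising as a time source
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 47, 139 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Measure the offset to each configured peer without changing the clock and compare it with the
#    largest correction W32Time will apply (MaxPosPhaseCorrection / MaxNegPhaseCorrection, seconds).
#    REG_DWORD values come back as Int32, so 0xFFFFFFFF ("unlimited") reads as -1; mask it back.
$maxPos = (Get-ItemProperty -Path $config -Name MaxPosPhaseCorrection).MaxPosPhaseCorrection -band 0xFFFFFFFF
$maxNeg = (Get-ItemProperty -Path $config -Name MaxNegPhaseCorrection).MaxNegPhaseCorrection -band 0xFFFFFFFF
foreach ($entry in ($peers -split '\s+' | Where-Object { $_ })) {
    $peerHost = ($entry -split ',')[0]                     # drop a ",0x8"-style flag suffix
    $lines = w32tm /stripchart /computer:$peerHost /samples:3 /dataonly 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '([+-]\d+\.\d+)s') {            # /dataonly lines look like "12:00:01, +00.0123456s"
            $offset = [double]$Matches[1]
            $limit  = if ($offset -ge 0) { $maxPos } else { $maxNeg }
            $flag   = if ([math]::Abs($offset) -gt $limit) { 'too large to be corrected automatically' } else { 'ok' }
            "${peerHost}: offset ${offset}s ($flag)"
        }
    }
}

# 5. Force rediscovery and show the source now in use; "Local CMOS Clock" means nothing above worked
w32tm /resync /rediscover
w32tm /query /source

# 6. Last resort: put the service back to its defaults, then re-run the configuration steps from the post
function Reset-W32TimeDefaults {
    net stop w32time
    w32tm /unregister        # removes the service registration and its registry configuration
    w32tm /register          # recreates both with default values
    net start w32time
}
```

Step 4 is the one to read first when the source is stuck on the local CMOS clock: an offset flagged as too large means W32Time is logging an error rather than stepping the clock, so set the time by hand, then run the resync in step 5. Reset-W32TimeDefaults is defined but not called; run it only when you have decided to start over.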
Renan Rodrigues | LinkedIn