Active Directory Time Synchronization

Proper time synchronization in a Windows Active Directory Domain is critical for proper operation of the core Kerberos authentication protocol. It is also essential for accurate event log entries.

Within a domain, all domain controllers will automatically function as time servers, and all clients joined to the domain will automatically receive time from the domain controllers. Do *not* change the group policies related to time unless you want to break time synchronization within your domain.

The one *critical* missing link for AD time synchronization is to set your PDC Emulator domain controller to receive time from an outside authoritative source so that your domain will not drift away from the real time.

The “Windows Time Service” is controlled by the command-line program w32tm.

```powershell
# NOTE: PowerShell comments with "#" and line-continuation with "`"
# Compare your local system time with a
#   central time server (e.g. time.windows.com)
w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly

# On the PDC Emulator ONLY!
# NOTE: the ,0x8 sets each peer for SNTP client-mode connections
# (we're a simple client of each real time server)
# The peer list is one space-separated string, so keep it on a single
# line: a line break inside the quotes would become part of the value.
w32tm /config /manualpeerlist:"time.nist.gov,0x8 time.windows.com,0x8" `
  /syncfromflags:manual /reliable:yes /update

# On all OTHER Domain Controllers (synchronize only among DCs
#   - authoritative time from PDC)
# NOTE: DomHier shows up in the configuration as Type = NT5DS
w32tm /config /syncfromflags:DOMHIER /reliable:NO /update

# Force system to update time from remote source
w32tm /resync

# View remote time peers, use stripchart command to
#   compare local and peer time
w32tm /query /peers
w32tm /stripchart /computer:PEER-NAME /samples:5 /dataonly

# View Windows Time Service configuration and parameters (settings)
# NOTE: Config value for AnnounceFlags:
#   5=reliable:YES, 10=reliable:NO
w32tm /dumpreg /subkey:Parameters
w32tm /dumpreg /subkey:Config
w32tm /query /configuration

# Control Windows Time Service (stop, start, check status)
sc.exe stop W32Time
sc.exe start W32Time
sc.exe query W32Time
```
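To check that each domain controller actually ended up in the state the commands above are meant to produce, the following added example (not from the original post) audits the values that `/dumpreg` shows against the DC's role. `Test-DcTimeConfig` is a hypothetical helper name, the sample values are constructed, and the check assumes that a manual peer list is stored as `Type = NTP`.

```powershell
# Added example: audit W32Time settings against the roles described above.
# Test-DcTimeConfig is a hypothetical helper, not part of w32tm or Windows.
function Test-DcTimeConfig {
    param(
        [Parameter(Mandatory)] [bool]   $IsPdcEmulator,
        [Parameter(Mandatory)] [string] $Type,          # Parameters\Type
        [Parameter(Mandatory)] [int]    $AnnounceFlags, # Config\AnnounceFlags
        [string] $NtpServer = ''                        # Parameters\NtpServer
    )
    $findings = @()
    if ($IsPdcEmulator) {
        # PDC Emulator: manual external peers, advertised as reliable (5)
        if ($Type -ne 'NTP') { $findings += "Type is '$Type', expected NTP (manual peer list)" }
        if ($AnnounceFlags -ne 5) { $findings += "AnnounceFlags is $AnnounceFlags, expected 5 (reliable:YES)" }
        $peers = @($NtpServer -split '\s+' | Where-Object { $_ })
        if ($peers.Count -eq 0) { $findings += 'No external peers in NtpServer' }
        foreach ($peer in $peers) {
            $name, $flags = $peer -split ',', 2
            # Each peer should carry the 0x8 flag used in /manualpeerlist above
            $hasClientFlag = ($flags -match '^0x[0-9a-fA-F]+$') -and
                             (([Convert]::ToInt32($flags, 16) -band 0x8) -ne 0)
            if (-not $hasClientFlag) { $findings += "Peer '$name' is missing the 0x8 flag" }
        }
    } else {
        # Every other DC: follow the domain hierarchy, not advertised as reliable (10)
        if ($Type -ne 'NT5DS') { $findings += "Type is '$Type', expected NT5DS (DomHier)" }
        if ($AnnounceFlags -ne 10) { $findings += "AnnounceFlags is $AnnounceFlags, expected 10 (reliable:NO)" }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample values (not captured from a real domain)
$samples = @(
    @{ IsPdcEmulator = $true;  Type = 'NTP';   AnnounceFlags = 5;  NtpServer = 'time.nist.gov,0x8 time.windows.com,0x8' },
    @{ IsPdcEmulator = $true;  Type = 'NT5DS'; AnnounceFlags = 10; NtpServer = '' },
    @{ IsPdcEmulator = $false; Type = 'NT5DS'; AnnounceFlags = 5 }
)
foreach ($s in $samples) { Test-DcTimeConfig @s | Format-List }

# On a live DC the inputs come from the registry keys that /dumpreg shows:
# $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
# $c = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
# Test-DcTimeConfig -IsPdcEmulator $true -Type $p.Type -AnnounceFlags $c.AnnounceFlags -NtpServer $p.NtpServer
```

The second sample models a PDC Emulator that was never pointed at an outside source, which is the missing link described earlier; the third models a non-PDC domain controller that still advertises itself as reliable.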


About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).