Proper time synchronization in a Windows Active Directory Domain is critical for proper operation of the core Kerberos authentication protocol. It is also essential for accurate event log entries.
Within a domain, all domain controllers will automatically function as time servers, and all clients joined to the domain will automatically receive time from the domain controllers. Do *not* change the group policies related to time unless you want to break time synchronization within your domain.
The one *critical* missing link for AD time synchronization is to set your PDC Emulator domain controller to receive time from an outside authoritative source so that your domain will not drift away from the real time.
The “Windows Time Service” is controlled by the command-line program w32tm.
# NOTE: PowerShell comments with "#" and line-continuation with "`" # Compare your local system time with a # central time server (i.e. time.windows.com) w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly # On the PDC Emulator ONLY! # NOTE: the ,0x8 sets each peer for SNTP connections # (we're a simple client of each real time server) w32tm /config /manualpeerlist:"time.nist.gov,0x8 ` time.windows.com,0x8" /syncfromflags:manual ` /reliable:yes /update # On All OTHER Domain Controllers (synchronize only among dc's # - authoritative time from PDC) # NOTE: DomHier shows up in the configuration as Type = NT5DS w32tm /config /syncfromflags:DOMHIER /reliable:NO /update # Force system to update time from remote source w32tm /resync # View remote time peers, use stripchart command to # compare local and peer time w32tm /query /peers w32tm /stripchart /computer:PEER-NAME /samples:5 /dataonly # View Windows Time Service configuration and parameters (settings) # NOTE: Config value for AnnounceFlags: # 5=reliable:YES, 10=reliable:NO w32tm /dumpreg /subkey:Parameters w32tm /dumpreg /subkey:Config w32tm /query /configuration # Control Windows Time Service (stop, start, check status) sc.exe stop W32Time sc.exe start W32Time sc.exe query W32Time
- Windows Time service on the PDC emulator (TechNet)
- Determining FSMO Role Holders (Petri) *to find your PDC Emulator DC*