Configure a time server for Active Directory domain controllers

Windows Server admins should establish one authoritative time source for their organization. Rick Vanover explains how to configure the authoritative time source.

Time management is one of the more critical aspects of system administration. Administrators frequently rely on Active Directory to synchronize the clocks of member servers and workstations with the domain. But where does Active Directory get its own time? That depends on several factors: a default installation may sync directly with Microsoft's time servers, and a virtual machine may take its time from the hypervisor host.

The best way to keep time consistently accurate is to establish one authoritative time source for your organization: the time server (or servers) that every system on your network trusts as having the correct time. The source can be an Internet time server or a public NTP pool, or it can be something you fully administer internally. Whatever you choose, the authoritative time source for an organization should be decided ahead of time.

From there, you can configure Active Directory domain controllers with the PDC emulator role in a domain to use this list of servers explicitly for their time. Read this TechNet article to learn how the time service operates within a forest. The main takeaway is that the w32tm command sets the list of peers from which a domain's time is sourced. The command snippet below sets the time peer to an Internet NTP server:

w32tm /config /manualpeerlist:"nist.expertsmi.com" /syncfromflags:manual /reliable:yes /update

If you want to specify several servers, list them inside the quotes separated by spaces. Run once on a domain controller, the command writes the setting to the registry, where it persists. Figure A shows this on a sample domain controller.

I recommend applying this configuration to all domain controllers and possibly even making it a Group Policy object as a startup script for the \Domain Controllers organizational unit within Active Directory.
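As an added example (not the article's own script), the following PowerShell startup script applies the w32tm configuration above on any domain controller, but only points the PDC emulator at external peers; every other DC is set to follow the domain hierarchy so the domain keeps a single authoritative source. The peer hostnames are placeholders, and the script assumes an elevated session with the ActiveDirectory module (RSAT-AD-PowerShell) installed.

```powershell
# Added example: configure the Windows Time service on a domain controller.
# $Peers holds placeholder hostnames; replace them with your organization's
# authoritative time source(s), space-separated inside one string.
Import-Module ActiveDirectory

$Peers = 'ntp1.example.internal ntp2.example.internal'   # placeholders

# Only one DC per domain holds the PDC emulator role; that is the one that
# should sync from outside the domain and advertise itself as reliable.
$pdc   = (Get-ADDomain).PDCEmulator
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($local -ieq $pdc) {
    Write-Host "PDC emulator: syncing from manual peer list: $Peers"
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
} else {
    Write-Host "Not the PDC emulator: syncing from the domain hierarchy"
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

# Make the service pick up the change, force a resync, then verify which
# source is actually in use and whether the clock is synchronized.
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status
```

The last two commands are the check worth keeping in a runbook: if /query /source reports "Local CMOS Clock" or "Free-running System Clock", the peer list did not take effect.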

This tip applies to current Windows Server technologies, though not much has changed over the years with regard to this topic. See what I mean by reading this Mike Mullins tip posted in February 2006: Synchronize time throughout your entire Windows network.

What do you use for an authoritative time source: an Internet NTP server or something hosted in-house? Let us know in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

11 comments
Piyush.Agrawal

Time sync uses UTC, so time zones remain intact. You really should sync with the PDC emulator which, in turn, synchronises from an NTP server (preferably not time.microsoft.com, which is out of sync half the time). In addition, computers sync with their authenticating DC, not with the PDC emulator. The PDC emulator is the authoritative time source for the domain and is the server that other DCs will sync with, but member servers and client computers will sync with their authenticating DC. Piyush, Lepide.com

Maurice Butler

You also need a policy on all machines to limit how far your time will jump on an update. If you get a bad time value that jumps your time 300+ years into the future, then corrects by jumping back, your domain will be bricked. Please give a fully researched story; we are still finding oddities over a year later after recovering from this. See http://support.microsoft.com/kb/884776
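The limit the comment above asks for is the W32Time phase-correction cap. As an added example (not from the comment or the article), this PowerShell snippet sets the maximum positive and negative correction the service will apply in one step; the 48-hour value is an illustrative choice, not a recommendation from the page, and the same settings can be pushed by Group Policy under Windows Time Service > Global Configuration Settings.

```powershell
# Added example: cap how far the Windows Time service may step the clock in a
# single correction, so one bad sample cannot move the clock by years.
# 0xFFFFFFFF in these values means "no limit"; the number below is illustrative.
$cfg        = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$maxSeconds = 172800   # 48 hours, expressed in seconds

Set-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection -Value $maxSeconds -Type DWord
Set-ItemProperty -Path $cfg -Name MaxNegPhaseCorrection -Value $maxSeconds -Type DWord

# Tell the running service to re-read its configuration, then confirm the values.
w32tm /config /update
Get-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection, MaxNegPhaseCorrection
```

With the cap in place, a sample further off than the limit is rejected and logged by W32Time rather than applied, which is the point at which to check the upstream source rather than the clients.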

DGermantr@Real-World-Systems.com

ntp2.usno.navy.mil is a StratumOneTimeServers restricted time server and should NOT be contacted. Use pool.ntp.org. Please see NTP.org for more details.

ToR24

Using "w32tm /monitor" displays how time sources in a domain are configured. I have been using time-B and time-C.timefreq.bldrdoc.gov for so many years, and have become so complacent in their reliability that I've neglected them completely. I have two time servers using the two different locations, and everything else pointing to them, so that I could, in theory, compare, isolate and recover from any external server failure. The command along with "w32tm /tz" is especially useful on workstations purportedly in a domain, when users claim their clock is wrong.

cbutler

Hey Rick, I noticed two snippets: "From there, you can configure Active Directory domain controllers with the PDC emulator role in a domain to use this list of servers explicitly for their time" and "I recommend applying this configuration to all domain controllers and possibly even making it a Group Policy object as a startup script for the \Domain Controllers organizational unit within Active Directory." Unless I am losing my memory, isn't there only one DC in any child (or root) domain that carries the PDC FSMO role for that domain? So if one has two or more DCs for any given domain in a forest, shouldn't this be specific to the PDC role holder only? http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm Also, if you set the PDC role holder DC in the forest root to be reliable and pointing at an external pool of NTP servers or a hardware clock solution for the enterprise, isn't that the only one you need to worry about? All DCs, whether peers in the forest root or in child domains, will reference the authoritative and reliable DC in the root, and AD will make sure that behavior is replicated to them. All workstations in the child domains will choose a domain-local DC to synchronize their time to. http://support.microsoft.com/kb/816042 A discussion on the subject: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/1a83420e-7a43-46b8-8df4-e0354480a4b0

davidsont

I have always found it best to use the domain controller as the only network source for time synchronization in a Windows AD environment. Using Group Policy you can tell all computers/servers on the network to use one source for time, which should be the domain controller. On that box I have always used the source ntp2.usno.navy.mil and rarely get an exception in the Event Viewer for NET Time. It usually means some type of network connectivity issue with the Internet if I see any exceptions. It has always worked well for me for more than the past decade. Share some new technology with me if you have something.

davidsont

Thanks for the heads up. I have been using the ntp2.usno.navy.mil address since the late nineties and it has always worked well. Apparently about 7 years ago they changed their access policies and I never had a reason to check it. I like the pool.ntp.org address you provided much better, too. It has a pool of over 2000 time servers and picks the one closest to your geographic location that is available for your time request. So much technology and so many changes .. love it .. it keeps your interest and provides job security! It reminds me of the IPv4 to IPv6 migration but without the advertisements! That was a geeky joke, maybe not the best. Try this one - "data is just a bunch of ones and zeros .... and an occasional two" Thanks again for sharing more current information with me/us.

NassimJD

According to Microsoft, time synchronization is the job of the PDC emulator: http://technet.microsoft.com/en-us/library/cc756161(WS.10).aspx. The PDC emulator role is one per domain. Other DCs go after it as a source of time. It should be set to use the NTP protocol, and all other PCs in the domain (including member servers) should be set to use the NT5DS protocol to sync from the domain hierarchy. This is what should be pushed by a GPO: client targeting of a time source, and not the DCs'. As for the question, I would go for an in-house fabric if one exists; if not, I would go for an external reliable time source. Here in Brazil we use the ntp.br servers.