Configure a time server for Active Directory domain controllers

Windows Server admins should establish one authoritative time source for their organization. Rick Vanover explains how to configure the authoritative time source.

Time management is one of the more critical aspects of system administration. Administrators frequently rely on Active Directory to synchronize the clocks of client servers and workstations with the domain. But where does Active Directory get its time configuration? Well, that depends on various factors. Default installations may go directly to Microsoft, and virtual machines may be set to take their time from the host servers.

The best way to ensure the time is accurate on a consistent basis is to establish one authoritative time source for your organization. An authoritative time source is the time server (or servers) that all systems on your network trust as having the accurate time. The source can be an Internet time server or pool, or it can be something you fully administer internally. Regardless, a designated authoritative time source for a given organization should be determined ahead of time.

From there, you can configure the Active Directory domain controllers that hold the PDC emulator role in a domain to use this list of servers explicitly for their time. Read this TechNet article to learn how the time service operates within a forest. The main takeaway is that the w32tm command sets the list of peers from which a domain sources its time. The command snippet below sets the time peer to an Internet NTP server:

w32tm /config /manualpeerlist:"" /syncfromflags:manual /reliable:yes /update

If you want to put in a pool of servers, separate the entries with a space. When run on a domain controller, the command executes once and the setting is reflected in the registry. Figure A shows this on a sample domain controller.

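The following PowerShell sketch is an added example, not code from the original article: it applies the same w32tm command with a space-separated peer list and then confirms that the registry reflects it. The peer names are placeholders, and the script assumes an elevated session on the domain controller that holds the PDC emulator role.

```powershell
# Added example. Replace the placeholder peers with your authoritative time source.
$peers = @('ntp1.example.com', 'ntp2.example.com')   # placeholders, not from the article

# Multiple peers go into one quoted argument, separated by a space.
$peerList = $peers -join ' '
w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# The configuration is persisted under the W32Time service parameters key.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params = Get-ItemProperty -Path $key

# /syncfromflags:manual is stored as Type = NTP. A value of NT5DS means the
# server still follows the domain hierarchy and ignores the manual peer list.
if ($params.Type -ne 'NTP') {
    throw "Unexpected Type '$($params.Type)': the manual peer list is not in use"
}

# NtpServer entries may carry flags after a comma (for example ",0x8");
# strip them before comparing against the intended list.
$configured = $params.NtpServer -split '\s+' |
    Where-Object { $_ } |
    ForEach-Object { ($_ -split ',')[0] }
$missing = $peers | Where-Object { $_ -notin $configured }
if ($missing) { throw "Peers missing from registry: $($missing -join ', ')" }

# Force a resync, then show which source the time service actually selected.
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status
```

If the source reported by the last two commands is not one of the configured peers, the registry holds the setting but the service has not been able to reach or accept those servers.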

I recommend applying this configuration to all domain controllers and possibly even making it a Group Policy object as a startup script for the \Domain Controllers organizational unit within Active Directory.

This tip applies to current Windows Server technologies, though not much has changed over the years with regard to this topic. See what I mean by reading this Mike Mullins tip posted in February 2006: Synchronize time throughout your entire Windows network.

What do you use for an authoritative time source: an Internet NTP server or something hosted in-house? Let us know in the discussion.

About Rick Vanover

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
