
May 13, 2025

Configure NTP Time Source for Active Directory Domain

Time synchronization in an Active Directory domain is critical to the proper functioning of domain services and security mechanisms. If a correct and reliable time sync scheme is not configured in the domain, it can lead to problems with authentication, the use of cryptographic protocols, and certificate validation when interacting with both internal and external systems. For example, Kerberos authentication requires that the time difference between the client and the server be less than five minutes. In this guide, we’ll explore how time synchronization works in an Active Directory domain and how to configure a domain controller to sync its time with an accurate external NTP time source.

Contents:
  • How Time Synchronization Works in an Active Directory Domain
  • Manually Configure the PDC to Sync Time with External NTP Server
  • Configuring NTP Time Source for PDC with Group Policy
  • Time Sync Settings on Client Computers in AD

How Time Synchronization Works in an Active Directory Domain

The Active Directory time synchronization scheme is based on a strict domain hierarchy:

  • The main time source in the AD is the domain controller with the PDC emulator FSMO role.
  • Other domain controllers synchronize their time with the PDC.
  • Member servers and workstations sync time with the nearest DC in accordance with the AD topology (by default, Windows computers synchronize their time with the external time source time.windows.com, but after joining a domain, time synchronization follows the AD domain hierarchy).

ad time sync schema

Source: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773013(v=ws.10)?redirectedfrom=MSDN

To ensure accurate time on all domain computers, you must configure the PDC to synchronize its time with a reliable external time source using the NTP protocol.

To find out the name of the domain controller that is running the PDC Emulator FSMO role, run the PowerShell command:

Get-ADDomain | Select-Object PDCEmulator


Manually Configure the PDC to Sync Time with External NTP Server

By default, the Primary Domain Controller (PDC) Emulator synchronizes time with the local CMOS hardware clock of the host machine. Run the following command on it to check:

w32tm /query /source


Local CMOS Clock indicates that the local clock is used as the time source. In this case, the Event Viewer log on the PDC contains Event ID 12 from Time-Service:

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.


If the DC is running on a virtual machine that is configured to synchronize its time with the host (hypervisor), this command returns:

VM IC Time Synchronization Provider

Therefore, on all domain controllers, you should disable time sync in the virtual machine settings or prevent the DC from syncing time with the host by setting the appropriate registry option:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\VMICTimeProvider /v Enabled /t REG_DWORD /d 0 /f

Let’s reconfigure the Windows Time settings on the PDC to use an external NTP server as the time source. As a time source, you can use the NTP server closest to your location from the https://www.ntppool.org project pool.

For the UK, this can be NTP servers from uk.pool.ntp.org: 0.uk.pool.ntp.org, 1.uk.pool.ntp.org, and 2.uk.pool.ntp.org

Make sure that these NTP servers are accessible from the PDC (and that port 123/UDP is not blocked by firewalls).

w32tm /stripchart /computer:1.uk.pool.ntp.org


If you receive a response from the NTP server, you can use these external hosts as a time source for the Primary DC. Run the commands:

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8 2.uk.pool.ntp.org,0x8"
w32tm /config /reliable:yes
net start w32time
w32tm /config /update


Resync the PDC’s time with the NTP servers:

w32tm /resync

Check that the external NTP server time is now used as the time source on the PDC (check the TimeProviders section):

w32tm /query /configuration

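An added audit script (not part of the original article) that checks the state described above on the domain controller it runs on: whether this DC holds the PDC Emulator role (the same DomainRole = 5 test the GPO WMI filter uses), whether it still takes time from the local CMOS clock or the hypervisor, and whether the expected external peers are configured. The peer names are the uk.pool.ntp.org hosts from the article; change $ExpectedPeers for your region.

```powershell
# Added example, not the article's own code. Run in an elevated PowerShell on a DC.
$ExpectedPeers = '0.uk.pool.ntp.org', '1.uk.pool.ntp.org', '2.uk.pool.ntp.org'

# DomainRole 5 = Primary Domain Controller (the value the WMI filter in the next section matches)
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$isPdc = ($cs.DomainRole -eq 5)

# w32tm /query /source prints a single line naming the current time source
$source = ((w32tm /query /source) -join '').Trim()

# Hyper-V time provider: should be disabled on DCs (Enabled = 0)
$vmic = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' `
                         -Name Enabled -ErrorAction SilentlyContinue

# Type (NTP / NT5DS) and the NtpServer peer list live under W32Time\Parameters
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$peers  = @()
if ($params.NtpServer) {
    # strip the ",0x8" flag suffix from each "host,0x8" entry
    $peers = ($params.NtpServer -split ' ') | ForEach-Object { ($_ -split ',')[0] }
}

$findings = @()
if ($isPdc) {
    if ($source -match 'Local CMOS Clock') { $findings += 'PDC is using the local CMOS clock (see Event ID 12).' }
    if ($source -match 'VM IC Time Synchronization Provider') { $findings += 'PDC is taking time from the hypervisor.' }
    if ($params.Type -ne 'NTP') { $findings += "Type is '$($params.Type)', expected 'NTP' on the PDC." }
    $missing = $ExpectedPeers | Where-Object { $peers -notcontains $_ }
    if ($missing) { $findings += "Missing external peers: $($missing -join ', ')" }
} else {
    # every other DC should follow the domain hierarchy
    if ($params.Type -ne 'NT5DS') { $findings += "Type is '$($params.Type)', expected 'NT5DS' on a non-PDC DC." }
}
if ($vmic -and $vmic.Enabled -ne 0) { $findings += 'VMICTimeProvider is still enabled.' }

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    IsPdc    = $isPdc
    Source   = $source
    Peers    = ($peers -join ', ')
    Findings = if ($findings) { $findings -join ' ' } else { 'OK' }
}
```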

Configuring NTP Time Source for PDC with Group Policy

Because the PDC Emulator role can be transferred (seized) to another domain controller, you can configure a Group Policy that automatically applies external NTP synchronization settings to whichever DC currently holds the PDC role.

To do this, open the Group Policy Management Console (GPMC.msc) and create a new WMI Group Policy filter. Navigate to the WMI Filters section and create a filter named PDC Emulator with the WMI query:

Select * from Win32_ComputerSystem where DomainRole = 5


Create a new GPO, open it, and go to Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers.

Configure the following three GPO options:

  • Configure Windows NTP Client: Enabled (the policy settings are described below)
  • Enable Windows NTP Client: Enabled
  • Enable Windows NTP Server: Enabled

Set the following parameters in the Configure Windows NTP Client policy settings:

  • NtpServer: 0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8 2.uk.pool.ntp.org,0x8 3.uk.pool.ntp.org,0x8
  • Type: NTP
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 1024
  • EventLogFlags: 0


Assign the PDC Emulator filter you created earlier to the GPO.


Now link this GPO to the Domain Controllers organizational unit.

Time Sync Settings on Client Computers in AD

In a domain, you only have to manually configure time synchronization on the domain controller with the PDC role. It should sync time with external NTP. No special policies or settings are required for time synchronization on the remaining domain controllers or client computers (workstations). In fact, making such changes can be counterproductive. Time sync in the domain should work fine according to the AD hierarchy (NT5DS).

On the remaining (additional) domain controllers and other clients, time synchronization should be performed according to the domain hierarchy. Verify this:

w32tm /query /configuration

If the configuration is correct, the time source type in the TimeProviders section should be NT5DS (Net Time 5 Directory Service).


The time service settings on the client are stored in the HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key.

If this is not the case, you can reset the client’s time synchronization settings and force it to use the default domain hierarchy time sync scheme:

net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync

Verify that the closest domain controller (LogonServer) is now used as the time source on the client:

w32tm /query /source

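An added example (not from the original article) that goes one step beyond the per-client check above: it measures the clock offset of every domain controller (or every enabled computer, with -Scope AllComputers) against the PDC Emulator using w32tm /stripchart, and flags any host whose skew exceeds the five-minute Kerberos tolerance mentioned in the introduction. It assumes the ActiveDirectory RSAT module is installed; the -Scope parameter and the Get-NtpOffsetSeconds function are this script’s own names.

```powershell
# Added example, not the article's own code. Run from any domain-joined admin workstation.
param([ValidateSet('DomainControllers', 'AllComputers')][string]$Scope = 'DomainControllers')

$KerberosMaxSkewSec = 300                       # default Kerberos maximum clock skew (5 minutes)
$pdc = (Get-ADDomain).PDCEmulator

$targets = if ($Scope -eq 'DomainControllers') {
    (Get-ADDomainController -Filter *).HostName
} else {
    (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName
}

function Get-NtpOffsetSeconds {
    # Average NTP offset of $Computer relative to this machine's clock, or $null if unreachable.
    param([string]$Computer)
    # With /dataonly, w32tm prints one "HH:mm:ss, +00.0123456s" line per sample;
    # unreachable hosts print "HH:mm:ss, error: 0x..." lines instead, which the regex skips.
    $out = w32tm /stripchart "/computer:$Computer" /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }         # host down, name unresolved, or UDP/123 blocked
    ($offsets | Measure-Object -Average).Average
}

# Offset of the PDC itself; subtracting it from each target's offset gives target-vs-PDC skew,
# so the result does not depend on how accurate this workstation's own clock is.
$pdcOffset = Get-NtpOffsetSeconds -Computer $pdc
if ($null -eq $pdcOffset) { throw "Cannot query NTP on PDC Emulator $pdc" }

foreach ($t in $targets) {
    $o    = Get-NtpOffsetSeconds -Computer $t
    $skew = if ($null -ne $o) { [math]::Round($o - $pdcOffset, 3) } else { $null }
    [pscustomobject]@{
        Computer       = $t
        SkewFromPdcSec = $skew
        Status         = if ($null -eq $skew) { 'Unreachable' }
                         elseif ([math]::Abs($skew) -gt $KerberosMaxSkewSec) { 'KERBEROS-RISK' }
                         else { 'OK' }
    }
}
```

Hosts reported as Unreachable usually have UDP/123 blocked or the Windows Time service stopped; those reported as KERBEROS-RISK are the ones to reset with the commands above.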
