
Nov 13 2017

Configure DC to synchronize time with external NTP server

As you probably know, in a domain environment one domain controller is special compared to the others. Besides its other duties, this domain controller keeps time in sync across the entire domain/forest: all the workstations, servers and the remaining domain controllers ultimately sync their clocks from it. In short, it is the authoritative time source for every machine in the domain. If you are thinking of the PDC Emulator, that is the one; it is the FSMO role that handles time.

Now the thing is that this domain controller also needs to synchronize its own clock, but with an external source or NTP server. An external source can be either a time server out on the internet or a hardware appliance, the latter being typical in a high-security environment where outside communication is restricted. The commands in this article configure either option, since the only difference is the time server address. If you have multiple domains, configure the PDC Emulator of the domain at the root of the forest; the PDC Emulators of the child domains sync from it through the domain hierarchy. Accurate time is a security dependency, not just a convenience: Kerberos rejects authentication requests when the client and DC clocks differ by more than the configured tolerance (five minutes by default), and any incident timeline you build from logs is only as good as the clocks that stamped them.

Right now, if we run a domain controller diagnostic (dcdiag /v) on the PDC, one of the tests warns that no reliable time source is configured on it:

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

View of the Time service warning message during Domain Controller diagnostic

Also, if we open Event Viewer we will find event ID 12 from source Time-Service in the System log, with the same message as above.

View of the Time service warning message in Event Viewer

There are two ways to configure this: using the command line or using a GPO.


Configure a time source by command line

Right now, the PDC gets its time from the local CMOS clock. We can see this if we issue the command below (w32tm /query /status), which queries the time service status and gives us some useful information, including the current source.

Query Time service status using the command line

To configure the PDC Emulator with an external NTP server (or a hardware appliance, for that matter), just run the command line below. Of course, you will need to replace the NTP servers with ones that exist in your region, or, if you are using a hardware appliance, with its FQDN or IP address. You can look up the public NTP servers for your region on the ntp.org web site. Two practical caveats: the PDC needs UDP port 123 outbound to those servers (and only the PDC should need it), and plain NTP is unauthenticated, so in an environment where time accuracy matters for security an appliance or an internal server you control is preferable to an arbitrary internet pool.

Setting new NTP server using the command line

As a last step, restart the Windows Time service on the PDC Emulator so that it picks up the new peer list immediately.

Restarting the Windows Time service

Now, if we query the time service status again, we can see that the source is one of the configured NTP servers and no longer the local CMOS clock, which means our configuration worked.

Query the Time service status on the PDC
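The whole command-line procedure from this section, as an added example that is not from the original post. It assumes an elevated PowerShell session on the PDC Emulator with the ActiveDirectory module available; the server names in the peer list are placeholders that you replace with the pool servers for your region or with the FQDN/IP of your appliance. Beyond what the screenshots show, it first confirms that the host actually holds the PDC Emulator role and ends with a reachability test of one peer.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the forest-root PDC Emulator.

# Placeholder peers (assumption): replace with your region's pool servers or
# your appliance's FQDN/IP. Each entry is "<server>,<flags>", entries space-separated.
$NtpServers = '0.pool.ntp.org,0x9 1.pool.ntp.org,0x9 2.pool.ntp.org,0x9'

# 1. Refuse to run on anything that is not the forest-root PDC Emulator; marking
#    another DC as /reliable would give the domain a second, conflicting time source.
$pdc = (Get-ADDomain (Get-ADForest).RootDomain).PDCEmulator
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    throw "This host is not the forest-root PDC Emulator ($pdc); configure that server instead."
}

# 2. Show the current source; an unconfigured root PDC reports 'Local CMOS Clock'.
w32tm /query /source

# 3. Point the time service at the external peers, mark this DC as a reliable time
#    source for the domain hierarchy and push the settings to the running service.
w32tm /config /manualpeerlist:"$NtpServers" /syncfromflags:manual /reliable:yes /update

# 4. Restart the Windows Time service so the new peer list is used right away.
Restart-Service w32time

# 5. Force an immediate sync and re-check: the source should now be one of the peers.
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status

# 6. Check reachability and offset of one peer without changing any configuration.
#    A timeout here usually means UDP 123 outbound is blocked from the PDC.
w32tm /stripchart /computer:0.pool.ntp.org /samples:3 /dataonly
```

The /reliable:yes switch is what makes the other domain controllers treat this DC as a valid time source; /syncfromflags:manual tells it to use the manual peer list instead of the domain hierarchy, which has no machine above the root PDC anyway.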


Configure a time source using Group Policy

Yes, we can do this using Group Policy as well. The advantage is that every time the PDC Emulator role is transferred to another domain controller, that domain controller is automatically configured with the external time source, instead of someone having to remember to run the commands again.

In the forest root domain, open the Group Policy Management console (on the PDC Emulator or on any machine with the management tools). Right-click the Domain Controllers OU and choose Create a GPO in this domain, and Link it here.

Creating a new GPO to configure the Time service with a new NTP server

Name the GPO according to your company naming convention, then right-click it and choose Edit.

Editing the new created GPO

Once the Group Policy Management Editor console opens, drill down to Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.

From the right-hand side, open the Configure Windows NTP Client policy setting, enable it, then move down to the Options section. In the NtpServer box type your public NTP servers, each followed by the 0x9 flag and separated by spaces (for example 0.pool.ntp.org,0x9 1.pool.ntp.org,0x9), or the IP/FQDN of your hardware appliance. From the Type drop-down box select NTP, then click OK to save the changes.



There are several flags that can be set on a time server, and there is a good TechNet article that describes each of them. 0x9 is a combination of two of them: 0x1 (SpecialInterval) makes the client poll at the fixed SpecialPollInterval value instead of the interval negotiated with the peer, and 0x8 (Client) requests a plain client association. The other two are 0x2 (UseAsFallbackOnly), which makes a peer be used only when the others are unavailable, and 0x4 (SymmetricActive), which is meant for peering between servers rather than for a client.

Configuring the NTP Client policy setting

Still in the Time Providers folder, open the Enable Windows NTP Client policy setting and enable it. Click OK, then close the Group Policy Management Editor console.

Enabling the Windows NTP Client policy setting

Now, if we leave the policy like this, it will apply to all the domain controllers in the environment, which is not what we want: every DC would bypass the domain hierarchy and sync from the external servers instead of from the PDC Emulator. To make the policy apply only to the PDC Emulator, we need to create a WMI filter and link it to the GPO we just created.

In the Group Policy Management console, right-click the WMI Filters folder and choose New.

Creating a new WMI Filter to link it to the new GPO

Name the WMI filter, then click the Add button. A new window opens; in the Query box of this window, type the query that matches only the machine holding the PDC Emulator role:

Configure the WMI Filter to select just the PDC Emulator

Now go back to the GPO and link the WMI filter to it. Answer Yes to the message that pops up.

Linking the WMI Filter to the GPO

Confirm the linking of the WMI Filter to the GPO

After the GPO applies (run gpupdate /force on the PDC or wait for the next policy refresh), we can see that time is now syncing from an external source.

Query the Time service on the PDC after GPO configuration
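The same Group Policy configuration built with the GroupPolicy module rather than through the console, plus a check of which domain controllers the WMI filter would actually select. This is an added example and not from the original post; the GPO name and peer list are placeholders (assumptions), and the registry keys are the ones behind the two policy settings used in the walkthrough. It assumes an elevated session with the GroupPolicy and ActiveDirectory modules and WinRM access to the DCs; attaching the WMI filter to the GPO is still done in the console, since the module has no cmdlet for that.

```powershell
# Added example, not from the original post. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT) in an elevated session in the forest root domain.
Import-Module GroupPolicy, ActiveDirectory

$GpoName    = 'PDC Emulator - External NTP'                 # placeholder name (assumption)
$NtpServers = '0.pool.ntp.org,0x9 1.pool.ntp.org,0x9'       # placeholder peers (assumption)

# Registry keys behind the two policy settings in the GUI walkthrough.
$Params = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$Client = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Configure Windows NTP Client": NtpServer and Type live under Parameters, the
# remaining options (shown here with the GUI defaults) under TimeProviders\NtpClient.
Set-GPRegistryValue -Name $GpoName -Key $Params -ValueName NtpServer -Type String -Value $NtpServers | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Params -ValueName Type      -Type String -Value 'NTP'       | Out-Null
$clientOptions = @{
    CrossSiteSyncFlags         = 2
    ResolvePeerBackoffMinutes  = 15
    ResolvePeerBackoffMaxTimes = 7
    SpecialPollInterval        = 3600   # seconds; used because the peers carry the 0x1 flag
    EventLogFlags              = 0
    Enabled                    = 1      # "Enable Windows NTP Client"
}
foreach ($name in $clientOptions.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Client -ValueName $name -Type DWord -Value $clientOptions[$name] | Out-Null
}

# Link the GPO to the Domain Controllers OU of the forest root domain.
$root = (Get-ADForest).RootDomain
$dcOu = "OU=Domain Controllers,$((Get-ADDomain $root).DistinguishedName)"
New-GPLink -Name $GpoName -Target $dcOu -ErrorAction SilentlyContinue | Out-Null

# The WMI filter query to attach to the GPO in the console. Win32_ComputerSystem
# reports DomainRole 5 for the PDC Emulator and 4 for every other domain controller.
$Wql = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'

# Evaluate the same query on every DC of the root domain: exactly one should match,
# and after a role transfer the match moves with the role.
foreach ($dc in Get-ADDomainController -Filter * -Server $root) {
    $hit = Get-CimInstance -ComputerName $dc.HostName -Query $Wql -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $dc.HostName; MatchesFilter = [bool]$hit }
}
```

The last loop is the check worth keeping around: if two DCs report MatchesFilter = True the role is in an inconsistent state, and if none do the filter is being evaluated against the wrong domain.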

And what about the clients, you might ask? No need to worry about them: once joined to the domain, they use the domain hierarchy (the NT5DS type), so members sync from a domain controller in their domain, those domain controllers sync from the PDC Emulator, and child-domain PDC Emulators sync from the root domain. You can check this on any domain-joined machine with the w32tm /query /status command line; the source shown should be a domain controller.

Query the Time service from a domain joined client


Other useful commands

The commands used so far are enough to configure an NTP server for the domain most of the time, but there are situations when you need to troubleshoot or get more information from the time service.

For example, if you want to force a synchronization instead of waiting for the next scheduled one, you can use the command below:

Check the NTP configuration:

Query the Time service full configuration

Reset the configuration to default in case something went wrong:
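The troubleshooting commands this section refers to, wrapped into small PowerShell functions so they can be run selectively, plus a domain-wide clock-skew check that the original post does not include. This is an added example and not from the original post; the function names are my own, and the parsing of w32tm /monitor output assumes its usual layout (an unindented line per DC followed by an indented "NTP: ... offset" line).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.

function Sync-TimeNow {
    # Force an immediate resync (and peer rediscovery) instead of waiting for the next poll.
    w32tm /resync /rediscover
}

function Show-TimeConfig {
    # Dump the effective configuration (local registry and policy) and the peer list.
    w32tm /query /configuration
    w32tm /query /peers
}

function Reset-TimeServiceDefaults {
    # Unregistering and re-registering the service wipes every W32Time setting back
    # to the defaults. On the PDC that also removes the manual peer list and the
    # /reliable flag, so the configuration commands must be run again afterwards.
    Stop-Service w32time
    w32tm /unregister
    w32tm /register
    Start-Service w32time
}

function Test-DomainClockSkew {
    # Compare every DC's clock with this machine's and flag anything beyond the
    # Kerberos default tolerance of 5 minutes (assumption: default domain policy).
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [int]$MaxSkewSeconds = 300
    )
    # Assumed output shape (typical w32tm /monitor layout):
    #   dc1.corp.example[10.0.0.1:123]:
    #       ICMP: 0ms delay
    #       NTP: +0.0012345s offset from local clock
    $current = $null
    foreach ($line in (w32tm /monitor /domain:$Domain)) {
        if ($line -match '^([^\s\[]+)\S*\[') { $current = $Matches[1]; continue }
        if ($line -match 'NTP:\s*([+-]?[\d.]+)s\s+offset') {
            $offset = [double]$Matches[1]
            [pscustomobject]@{
                DC            = $current
                OffsetSeconds = $offset
                Healthy       = [math]::Abs($offset) -le $MaxSkewSeconds
            }
        }
    }
}
```

Test-DomainClockSkew is the one to run when users report Kerberos errors after a DC was rebuilt or a role was moved: a DC with Healthy = False will fail authentication against the others long before anyone notices its clock.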


Summary

Setting up an external NTP source for the domain is not strictly a must; the domain keeps working without it, because every member still syncs from the PDC Emulator, but the PDC then free-runs on its CMOS clock and the whole domain drifts away from real time together. That drift shows up as soon as you compare against an outside clock: certificate validity periods, federation with cloud services, and correlating your logs with another party's. So it is recommended, and as you can see it is not a difficult operation; at the very least it gets rid of the diagnostic messages in Event Viewer. If you are wondering which of the two methods to use, I will always go with the command line option. I don't know, I just like it better.
