Configure DC to synchronize time with external NTP server
As you probably know, in a domain environment there is a domain controller that is special compared to the others. Besides its other functions, this domain controller also keeps the time in sync in the entire domain/forest; meaning all the workstations, servers, and the rest of the domain controllers will sync their time with this one. In short, this domain controller becomes a reliable time source for all the machines in the domain. If you are thinking about the PDC Emulator, that's the one, the one that handles time.
Now the thing is that this domain controller also needs to synchronize its clock, but this time with an external source or NTP server. An external source can be either a time server out on the internet or a hardware appliance if it's a highly secure environment and outside communication is restricted. You can use the command lines in this article to configure both options since the only difference is the time server address. In case you have multiple domains, configure the PDC Emulator for the domain at the root of the forest.
Right now if we do a domain controller diagnostic (dcdiag /v), we will see a message that there is no reliable time source configured on the PDC.
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Also, if we open Event Viewer we will have an event ID 12 with the same message as above.
There are two ways to configure this, using the command line or using a GPO.
Configure a time source by command line
Right now, the PDC gets its time from the local CMOS clock. We can see this if we issue the below command, which queries the system time status and gives us some useful information.
w32tm /query /status
To configure the PDC Emulator with an external NTP server, or a hardware appliance for that matter, just use the below command line and execute it. Of course, you will need to replace the NTP servers with the ones that exist in your region, or, if you are using a hardware appliance, with its FQDN or IP address. You can search the public NTP servers for your region on the ntp.org web site.
Before running the command line, PING the public NTP servers in your region to make sure they are alive. This way you reduce time-outs and a lot of warnings in the PDC Emulator Event Viewer.
Also, port 123 on UDP needs to be opened in your firewall between the PDC Emulator and the NTP server.
w32tm.exe /config /manualpeerlist:"0.ro.pool.ntp.org 1.ro.pool.ntp.org 2.ro.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
As a last step, restart the PDC Emulator time service.
net stop w32time && net start w32time
Now if we query the system time status we can see that it’s updating using an external time source and not using the CMOS clock anymore, which is good, it means our configuration worked.
Configure a time source using Group Policy
Yes, we can do this using Group Policy also, and this way, every time we move the PDC Emulator role to another domain controller it will be automatically set up as a reliable time source for the domain.
On the root forest/domain PDC Emulator open the Group Policy Management console. Right-click the Domain Controllers container and choose Create a GPO in this domain, and Link it here.
Name the GPO based on your company naming convention, then right-click it and choose Edit.
Once the Group Policy Management Editor console opens, drill down to Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.
From the right-hand side open the Configure Windows NTP Client policy setting, enable it, then move down to the Options section. In the NtpServer box type your public NTP servers followed by the 0x9 flag, or the IP/FQDN of your hardware appliance. From the Type drop-down box select NTP, then click OK to save the changes.
There are multiple flags that can be set up for a time server and there is a great Technet article that describes every one of them. Basically if we put the 0x9 flag, it designates the NTP Server as being the primary.
0.ro.pool.ntp.org,0x9 1.ro.pool.ntp.org,0x9 2.ro.pool.ntp.org,0x9
Still in the Time Providers folder, open the Enable Windows NTP client policy setting and enable it. Click OK then close the Group Policy Management Editor console.
Now if we leave the policy like this it will apply to all the domain controllers in the environment which is not good. In order to make the policy apply just to the PDC Emulator we need to create a WMI filter and link it to the GPO we just created.
In the Group Policy Management console, right-click the WMI Filters folder and choose New.
Name the WMI Filter then click the Add button. A new window will open, and in the Query box of this new window type the following:
Select * from Win32_ComputerSystem where DomainRole = 5
Now go back to the GPO and link the WMI Filter to it. Answer Yes on the message that pops-up.
After the GPO applies we can see that time is now syncing from an external source.
And what about the clients? you might ask. No need to worry about them, because they know they need to sync their time from the PDC once they are joined to the domain. You can check it out by using the w32tm /query /status command line.
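The same configuration as a script, added here as an example and not part of the original article: it applies the command-line steps above only when the machine holds the PDC Emulator role, using the same Win32_ComputerSystem DomainRole = 5 test the WMI filter relies on, and then verifies that the source is no longer the CMOS clock. The peer list is a placeholder to replace with your regional pool servers or appliance.

```powershell
# Added example (not the article's own code): configure the Windows Time service on the
# PDC Emulator only, then verify the time source. Peers below are constructed placeholders.
$Peers = '0.pool.ntp.org,0x9 1.pool.ntp.org,0x9 2.pool.ntp.org,0x9'

# Same test as the article's WMI filter: DomainRole 5 = PDC Emulator, 4 = other DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ne 5) {
    Write-Warning "DomainRole is $role, not 5 (PDC Emulator); leaving domain hierarchy sync in place."
    return
}

# Same settings the article applies by hand: manual peer list, flagged as a reliable source.
# The whole argument is quoted so PowerShell hands w32tm one token despite the spaces.
$cfg = w32tm.exe /config "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:YES /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed: $($cfg -join ' ')" }

Restart-Service -Name w32time -Force        # equivalent of net stop/start w32time
w32tm.exe /resync /nowait | Out-Null        # do not wait for the next poll interval

# Verify: Source must no longer be the local CMOS clock
Start-Sleep -Seconds 5
$status = w32tm.exe /query /status
$source = ($status | Select-String -Pattern '^Source:').Line
if ($source -match 'Local CMOS Clock') {
    Write-Warning 'Still using the CMOS clock: check UDP/123 to the peers and hypervisor time sync.'
} else {
    Write-Output "Time source: $source"
}
```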
Other useful commands
The commands used until now are enough to help you configure an NTP server for the domain, for most of the time; but there are situations when you need to troubleshoot or get more information from the time service.
For example, if you want to force a time synchronization and not wait for the next re-synchronization, you can use the below command:
w32tm /resync /nowait
Check the NTP configuration:
w32tm /query /configuration
w32tm /query /source
Reset the configuration to default in case something went wrong:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
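A troubleshooting script for the situation the article warns about (a server that answers PING but serves no NTP), added here as an example and not taken from the article: it queries each peer with w32tm /stripchart, which sends real NTP requests over UDP/123, and then reports what the local service is actually synchronizing from. The server names are placeholders.

```powershell
# Added example (not the article's own code): check NTP reachability over UDP/123 rather
# than ICMP, then report the local time source. Peer names are constructed placeholders.
$Peers = @('0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org')

foreach ($peer in $Peers) {
    # /stripchart sends NTP requests; a timeout here means UDP/123 is blocked or the
    # server is not serving time, even if it answers PING
    $out = w32tm.exe /stripchart "/computer:$peer" /samples:3 /period:1 /dataonly 2>&1
    # sample lines look like "10:08:20, +00.0012345s"; error lines carry an HRESULT instead
    $samples = @($out | Where-Object { "$_" -match ',\s*[+-]\d+\.\d+s$' })
    if ($samples.Count -gt 0) {
        $offset = ("$($samples[-1])" -split ',')[-1].Trim()
        Write-Output ('{0,-22} reachable, last offset {1}' -f $peer, $offset)
    } else {
        Write-Warning ('{0} returned no NTP samples: {1}' -f $peer, (($out | ForEach-Object { "$_" }) -join ' '))
    }
}

# Source "Local CMOS Clock" means the configuration did not take effect or a
# hypervisor is still overriding the guest clock
$status  = w32tm.exe /query /status
$source  = ($status | Select-String -Pattern '^Source:').Line
$stratum = ($status | Select-String -Pattern '^Stratum:').Line
Write-Output $source
Write-Output $stratum
if ($source -match 'Local CMOS Clock') {
    Write-Warning 'Still on the CMOS clock: review w32tm /query /configuration and host time sync.'
}
```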
Setting up an NTP server for the domain is not a must, your domain will work just fine without it, but it is recommended. As you can see it’s not a difficult operation and at least it will help you get rid of the diagnostic messages from Event Viewer. If you are wondering which one to use between the two, I will always go with the command line option. I don’t know, I like it better.
21 thoughts on “Configure DC to synchronize time with external NTP server”
unfortunately it doesn’t work for me.
My DC is in a VM running ESXi 7, with VM Tools synchronization disabled.
my domain is Fu *****. com (same as the website and the public domain) The controller and the rest of the PC respond with an internal IP.
The DC has Internet, port 123 or open NTP ports.
I check with NTP tools to time.google.com, several ntp servers from pool.ntp.org (0, 1, 2, ar, etc) I check. I ping all the servers, I arrive by IP or by FQDN, my DNS resolves the addresses.
w32tm /query /status
Jump flag: 0 (no warning)
Layer: 1 (primary reference – clock radio synchronized)
Accuracy: -23 (119.209ns per tick)
Root delay: 0.0000000s
Root spread: 10.0000000s
Reference ID: 0x4C4F434C (source name: “LOCL”)
Last correct time sync: 3/29/2021 3:56:40 PM
Origin: Local CMOS Clock
Polling interval: 6 (64s)
or free-time windows server
regedit is according to:
and about 10 or 20 similar pages.
Still not working
First of all, if you PING a server and it replies, it does not mean that the service you want is available. ICMP (PING) and NTP use different ports. All you are checking with PING is that the server is running.
Second, you are using a VM. Every VM has time synchronization with the host through VMware Tools (seen in the Origin: Local CMOS Clock). Disable time sync for the VM by editing its settings and it will work. For more info take a look at VMware KB 1189.
tools.syncTime = "0"
time.synchronize.continue = "0"
time.synchronize.restore = "0"
time.synchronize.resume.disk = "0"
time.synchronize.shrink = "0"
time.synchronize.tools.startup = "0"
time.synchronize.tools.enable = "0"
time.synchronize.resume.host = "0"
I have previously configured VMware KB 1189. VMware Tools sync is always set to off.
It does not work either by GPO, not even by PowerShell commands, nor by editing regedit.
Will it be my domain? Due to policy, I cannot change my domain to local.domain.com or corp.domain.com; it must be the same as my public domain, domain.com, verifying that my DNS in my LAN network points where it corresponds.
Will it be my DNS?
I don’t know what other option to apply.
I cannot answer these questions since I don’t know your network and how it is configured. You will have to give me more details about the layout and everything.
If you want to take it even further, I am also an IT consultant. Go to the Contact page and write me a message with your details so we can talk.
I fixed the problem. Turns out I was using an unreliable timer server. Once I set everything up to use time.windows.com, everything changed over. Thank you for the technical info. I couldn’t have done this without it.
Glad you could find the issue and thank you for sharing it.
I am running 2019 server standard on a bare bones machine and no matter what I try, (both methods to the Tee from above), I am still running the NTP server off the CMOS clock. Any advice?
Congrats, Thank you for your help!!! GPO in DC solved my problem.
Glad I could help
Hi ! I followed your guide and it works great ! Thanks for the post.
I just want to ask one – two additional things about time sync and Kerberos.
In every forum I have read it is said that if the time difference between DC and Client machine is greater than 5 minutes the user that uses the client machine should not be able to login (due to Kerberos). I am trying to simulate that using your tutorial and Hyper-V virtualization Technology.
I have set up an environment of 3 VM machines running Windows Server 2008 R2 Enterprise: DC1 – Domain Controller (PDC), DC2 – Domain Controller and PC1 – Client. After I set up the environment I change the time/date of the client PC1 using the local Admin account, but after that I am still able to log in to PC1 using a Domain User account. My question is: Why does this happen? How can I simulate a time difference between client and domain controller using VM machines?
P.S. I apologize that my question is not fully related to the topic
Thanks for your appreciation and I’m glad I could help out.
To make the time synchronization work between the DC and the workstations when running on a hypervisor, make sure you remove the synchronization service option for every VM. Right-click the VM, the DC for example and choose Settings > Integration Services. Remove the check box from the Time synchronization option. Do this for every VM you have on this lab.
Now your VMs should take the time from the DC and be influenced by the Hyper-V synchronization service.
Let me know how it works.
Thanks for your excellent guide, it was the first what mentioned Event Viewer Code 12 at all!
Following your steps I was able to manage time sync on my test VM PDC. And respecting your work, I will leave the .ro NTP servers in the config. 😉 Cheers!
Thank you. Trying to make the articles as clear as possible.
Does not function on my PDC, This is what I did:
C:\Windows\system32>w32tm.exe /config /manualpeerlist:"0.nl.pool.ntp.org 1.nl.pool.ntp.org 2.nl.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
The command completed successfully.
C:\Windows\system32>net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.
The Windows Time service is starting.
The Windows Time service was started successfully.
C:\Windows\system32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference – syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 5-11-2018 10:08:20
Source: Local CMOS Clock
Poll Interval: 6 (64s)
Do you have an active internet connection?
Is the Domain Controller a VM? If it is a VM make sure you stop the time synchronization service.
thanks for the guide, excellent.
Thank you. Doing what I can to help the community.
I am very fed up with this issue. I did all the recommended steps. Still I am getting Local CMOS Clock time.
If you are running your machines as virtual ones, make sure you disable time synchronization with the host.
Hyper-V has a built-in option and for VMware you will have to edit the .VMX file of the VM(s).
Running the VMs virtual (Hyper-V), I have followed your steps to the letter, even checked if that option to sync from Hyper-V was (or was not) set; it's unchecked, still getting that sync from LOCAL.
Try stopping the Hyper-V service inside the guest OS and see if that will do the trick. The guest OS is still getting its time from the host somehow.