Configure DC to synchronize time with external NTP server

As you probably know, in a domain environment there is one domain controller that is special compared to the others. Besides its other functions, this domain controller keeps the time in sync across the entire domain/forest: all the workstations, servers, and the rest of the domain controllers ultimately take their time from it. In short, this domain controller is the authoritative time source for every machine in the domain. If you are thinking of the PDC Emulator, that's the one, the one that handles time.

Now the thing is that this domain controller also needs to synchronize its own clock, this time with an external source, i.e. an NTP server. An external source can be either a time server out on the internet or a hardware appliance, if it is a highly secure environment where outside communication is restricted. You can use the command lines in this article for both options, since the only difference is the time server address. If you have multiple domains, configure the PDC Emulator of the forest root domain; the PDC Emulators of the child domains follow it through the domain hierarchy.

Right now, if we run a domain controller diagnostic (dcdiag /v), we see a warning that there is no reliable time source configured on the PDC:

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

View of the Time service warning message during Domain Controller diagnostic

Also, if we open Event Viewer we find an event with ID 12 from the Time-Service source in the System log, carrying the same message as above.

View of the Time service warning message in Event Viewer

There are two ways to configure this: using the command line or using a GPO.

 

Configure a time source by command line

Right now, the PDC gets its time from the local CMOS clock. We can see this by issuing the command below, which queries the time service status and gives us some useful information (look at the Source and Stratum lines).

w32tm /query /status

Query Time service status using the command line

To configure the PDC Emulator with an external NTP server (or a hardware appliance, for that matter), run the command line below. Of course, you will need to replace the NTP servers with ones in your region or, if you are using a hardware appliance, with its FQDN or IP address. You can find the public NTP servers for your region on the ntp.org web site. Keep in mind that NTP from a public pool is unauthenticated, so stick to a short list of servers you trust, or use an internal appliance where that matters.

Before running the command line, make sure the NTP servers in your region actually answer. A PING only proves that the host is up; NTP talks over UDP port 123, and that is what you need to verify. A better test is the command below, which sends real NTP requests and prints the measured offset for each sample (or a timeout error if the server does not answer). This way you reduce time-outs and a lot of warnings in the PDC Emulator's Event Viewer.

w32tm /stripchart /computer:0.ro.pool.ntp.org /samples:3 /dataonly

Also, UDP port 123 needs to be open on your firewall, outbound from the PDC Emulator to the NTP server, with the replies allowed back. Tools that test a TCP port (telnet, Test-NetConnection -Port) cannot verify this.

w32tm.exe /config /manualpeerlist:"0.ro.pool.ntp.org 1.ro.pool.ntp.org 2.ro.pool.ntp.org" /syncfromflags:manual /reliable:YES /update

Setting new NTP server using the command line

As a last step, restart the Windows Time service on the PDC Emulator.

net stop w32time && net start w32time

Restarting the Windows Time service

Now if we query the time service status again we can see that it is synchronizing from the external time source and not from the CMOS clock anymore, which means our configuration worked. If the Source line still shows Local CMOS Clock right after the restart, give it a minute or force a synchronization with w32tm /resync; the first poll does not happen instantly.

Query the Time service status on the PDC
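The whole command-line procedure above, as an added example that is not part of the original post: a PowerShell script that probes the peers over NTP rather than ICMP, configures only the ones that answer, restarts the service, forces a synchronization and checks that the source is no longer the CMOS clock. It assumes an elevated session on the PDC Emulator; the peer names are the article's Romanian pool servers and are placeholders for your region's servers or your appliance.

```powershell
# Added example, not from the original post. Run elevated on the PDC Emulator.
# Peers are assumptions: use your region's pool servers or your appliance's FQDN/IP.
$Peers = @('0.ro.pool.ntp.org', '1.ro.pool.ntp.org', '2.ro.pool.ntp.org')

# Send real NTP requests (UDP 123) to a peer and return the measured offsets in
# seconds. A ping reply proves nothing about NTP; /stripchart does.
# Good samples look like "10:15:32, +00.0012345s"; a blocked or dead peer prints
# "10:15:32, error: 0x800705B4" (timeout) instead, which the regex skips.
function Get-NtpOffset {
    param([string]$Server, [int]$Samples = 3)
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
}

$Reachable = @(foreach ($p in $Peers) {
    $offsets = @(Get-NtpOffset -Server $p)
    if ($offsets.Count -gt 0) {
        Write-Host ('{0,-22} answers, last offset {1:N4}s' -f $p, $offsets[-1])
        $p
    } else {
        Write-Warning "$p gave no NTP reply: check DNS and outbound UDP 123 on the firewall"
    }
})
if ($Reachable.Count -eq 0) { throw 'No peer answered over NTP; fix connectivity before changing the configuration.' }

# Each peer gets the 0x8 (client mode) flag. The flag is a bitmask:
# 0x1 UseSpecialPollInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client.
# The 0x9 used in the article's GPO section is 0x8 + 0x1.
$PeerList = ($Reachable | ForEach-Object { "$_,0x8" }) -join ' '

& w32tm.exe /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:YES /update
Restart-Service -Name w32time

# Block until the first synchronization attempt completes (no /nowait), then
# look at what the service actually chose as its source.
& w32tm.exe /resync | Out-Null
$Source = (& w32tm.exe /query /source).Trim()
if ($Source -eq 'Local CMOS Clock' -or $Source -like 'Free-running*') {
    Write-Warning "Still on '$Source'. On a VM, check host time sync (Hyper-V integration service / VMware Tools) first."
} else {
    Write-Host "Synchronizing from $Source"
    & w32tm.exe /query /status | Select-String 'Stratum|Source|Last Successful'
}

# How far a single bad or spoofed peer could move this clock in one step, in
# seconds. NTP from a public pool is unauthenticated, so know this number.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' |
    Select-Object MaxPosPhaseCorrection, MaxNegPhaseCorrection
```

The script deliberately refuses to change the configuration when no peer answered, so a typo in the peer list or a blocked firewall leaves the PDC on its previous settings instead of on a peer list that will only generate event-log noise.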

 

Configure a time source using Group Policy

Yes, we can do this using Group Policy too, and this way, every time we move the PDC Emulator role to another domain controller, that domain controller is automatically set up as the reliable time source for the domain, because the WMI filter we add below targets whichever DC currently holds the role.

On the PDC Emulator of the forest root domain, open the Group Policy Management console. Right-click the Domain Controllers OU and choose Create a GPO in this domain, and Link it here.

Creating a new GPO to configure the Time service with a new NTP server

Name the GPO according to your company naming convention, then right-click it and choose Edit.

Editing the new created GPO

Once the Group Policy Management Editor console opens, drill down to Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.

From the right-hand side open the Configure Windows NTP Client policy setting and enable it, then move down to the Options section. In the NtpServer box type your public NTP servers, each followed by the ,0x9 flag, or the IP/FQDN of your hardware appliance. From the Type drop-down box select NTP, then click OK to save the changes.

There are multiple flags that can be set for a time server, and there is a great Technet article that describes every one of them. The flag is a bitmask: 0x1 means UseSpecialPollInterval (poll at the SpecialPollInterval from the policy instead of the adaptive interval), 0x2 UseAsFallbackOnly, 0x4 SymmetricActive and 0x8 Client. So 0x9 = 0x8 + 0x1: query the server in client mode at the special poll interval. It does not mark a server as primary; all servers in the list are used unless one of them carries 0x2.

0.ro.pool.ntp.org,0x9 1.ro.pool.ntp.org,0x9 2.ro.pool.ntp.org,0x9

Configuring the NTP Client policy setting

Still in the Time Providers folder, open the Enable Windows NTP Client policy setting and enable it. Click OK, then close the Group Policy Management Editor console.

Enabling the Windows NTP Client policy setting

If we leave the policy like this it will apply to all the domain controllers in the environment, which is not what we want: the other DCs should keep following the domain hierarchy and take their time from the PDC Emulator, not from the internet. To make the policy apply only to the PDC Emulator we need to create a WMI filter and link it to the GPO we just created.

In the Group Policy Management console, right-click the WMI Filters folder and choose New.

Creating a new WMI Filter to link it to the new GPO

Name the WMI Filter then click the Add button. A new window opens; in the Query box of this new window type the following (DomainRole 5 in Win32_ComputerSystem is Primary Domain Controller, i.e. the DC holding the PDC Emulator role; every other DC reports 4):

Select * from Win32_ComputerSystem where DomainRole = 5

Configure the WMI Filter to select just the PDC Emulator

Now go back to the GPO and link the WMI filter to it. Answer Yes to the message that pops up.

Linking the WMI Filter to the GPO

Confirm the linking of the WMI Filter to the GPO

After the GPO applies (run gpupdate /force on the PDC Emulator if you do not want to wait for the refresh), we can see that time is now syncing from the external source.

Query the Time service on the PDC after GPO configuration
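The Group Policy procedure above done from PowerShell, as an added example that is not part of the original post. It creates and links a GPO carrying the same two Administrative Template settings, then checks every domain controller for the result: the external peers must show up on the PDC Emulator only, and the PDC must no longer report the CMOS clock. The WMI filter itself is still created and linked in the GPMC as the article shows, since the GroupPolicy module has no cmdlet for it. Assumed: the RSAT GroupPolicy and ActiveDirectory modules, Domain Admin rights on a DC in the forest root domain, WinRM to the other DCs, and the GPO name and peer list, which are placeholders.

```powershell
# Added example, not from the original post. Assumes RSAT GroupPolicy and
# ActiveDirectory modules, Domain Admin rights, and WinRM to the other DCs.
Import-Module GroupPolicy, ActiveDirectory

$Domain   = Get-ADDomain
$GpoName  = 'Time - PDC Emulator external NTP'      # assumption: your naming convention
$NtpPeers = '0.ro.pool.ntp.org,0x9 1.ro.pool.ntp.org,0x9 2.ro.pool.ntp.org,0x9'
$DcOu     = "OU=Domain Controllers,$($Domain.DistinguishedName)"

Write-Host "PDC Emulator role is currently held by $($Domain.PDCEmulator)"

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo  = New-GPO -Name $GpoName
    $null = New-GPLink -Name $GpoName -Target $DcOu
}

# Registry policy values behind "Configure Windows NTP Client" (Parameters\NtpServer
# and Type, plus the NtpClient provider values at the template's defaults) and
# "Enable Windows NTP Client" (NtpClient\Enabled).
$Params = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$Client = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$null = Set-GPRegistryValue -Name $GpoName -Key $Params -ValueName NtpServer -Type String -Value $NtpPeers
$null = Set-GPRegistryValue -Name $GpoName -Key $Params -ValueName Type      -Type String -Value 'NTP'
$ClientValues = @{
    Enabled = 1; SpecialPollInterval = 3600; CrossSiteSyncFlags = 2
    ResolvePeerBackoffMinutes = 15; ResolvePeerBackoffMaxTimes = 7; EventLogFlags = 0
}
foreach ($v in $ClientValues.GetEnumerator()) {
    $null = Set-GPRegistryValue -Name $GpoName -Key $Client -ValueName $v.Key -Type DWord -Value $v.Value
}
Write-Host "GPO '$GpoName' linked to $DcOu. Now create the WMI filter (DomainRole = 5) in the GPMC and link it."

# Let the PDC pick the policy up, then verify every DC. DomainRole is the value
# the WMI filter tests: 5 = Primary Domain Controller (the PDC Emulator),
# every other DC reports 4.
Invoke-Command -ComputerName $Domain.PDCEmulator -ScriptBlock { gpupdate /target:computer /force | Out-Null }

$Report = Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC         = $env:COMPUTERNAME
            DomainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
            PolicyNtp  = $policy.NtpServer
            Source     = (& w32tm.exe /query /source).Trim()
        }
    }
}
$Report | Format-Table DC, DomainRole, Source, PolicyNtp -AutoSize

foreach ($r in $Report) {
    if ($r.DomainRole -ne 5 -and $r.PolicyNtp) {
        Write-Warning "$($r.DC) is not the PDC Emulator but received the external NTP policy: check the WMI filter link"
    }
    if ($r.DomainRole -eq 5 -and $r.Source -match 'Local CMOS|Free-running') {
        Write-Warning "$($r.DC) holds the PDC Emulator role but still uses '$($r.Source)'"
    }
}
```

Run the verification part again after a role transfer: the old PDC should lose the policy values and go back to the domain hierarchy, and the new one should pick them up at the next refresh.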

And what about the clients? you might ask. No need to worry about them: once joined to the domain they use the domain hierarchy (sync type NT5DS), so each member takes its time from a domain controller, and the domain controllers in turn take theirs from the PDC Emulator. You can check it with the w32tm /query /status command; on a member the Source line shows the name of a DC.

Query the Time service from a domain joined client

 

Other useful commands

The commands used so far are enough to configure an NTP source for the domain most of the time, but there are situations when you need to troubleshoot or get more information from the time service.

For example, if you want to force a synchronization instead of waiting for the next poll, use the command below (drop /nowait if you want the command to block until the synchronization completes, which is handy in scripts):

w32tm /resync /nowait

Check the NTP configuration and the source currently in use (the configuration output also tells you whether the NtpServer value came from w32tm /config, shown as Local, or from a GPO, shown as Policy):

w32tm /query /configuration
w32tm /query /source

Query the Time service full configuration

Reset the configuration to default in case something went wrong. Note that after re-registering, a domain controller is back on the default settings (domain hierarchy), so you will need to re-apply the manual peer list or wait for the GPO to apply again:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
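A troubleshooting script for this section, as an added example that is not part of the original post. It reads the configured peers, measures the offset against each one with w32tm /stripchart, lists the recent Windows Time events, and runs the two checks that come up in the comment thread for virtual machines that silently take their time from the hypervisor (the Hyper-V time synchronization integration service and VMware Tools time sync). The reset sequence from the article is wrapped in a function that you call on purpose, because on a domain controller it drops the configuration back to the defaults. Assumed: an elevated session on the DC being examined; the VMware Tools path is the default install location.

```powershell
# Added example, not from the original post. Run elevated on the DC being examined.

# 1. Peers from the live configuration. The line looks like
#    "NtpServer: 0.ro.pool.ntp.org,0x8 1.ro.pool.ntp.org,0x8 (Local)" or "(Policy)",
#    the suffix telling you whether w32tm /config or a GPO set the value.
$NtpLine = (& w32tm.exe /query /configuration) | Where-Object { $_ -match '^\s*NtpServer:' } | Select-Object -First 1
$Origin  = if ($NtpLine -match '\((\w+)\)\s*$') { $Matches[1] } else { 'unknown' }
$Peers   = ($NtpLine -replace '^\s*NtpServer:\s*', '' -replace '\s*\(\w+\)\s*$', '') -split '\s+' |
           Where-Object { $_ } | ForEach-Object { ($_ -split ',')[0] }
Write-Host "Configured peers ($Origin): $($Peers -join ', ')"

# 2. Measured offset per peer. /stripchart sends real NTP requests; a good sample
#    reads "10:15:32, +00.0012345s", a timeout reads "10:15:32, error: 0x800705B4".
foreach ($peer in $Peers) {
    $samples = @(& w32tm.exe /stripchart /computer:$peer /samples:3 /dataonly 2>&1 |
                 ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } })
    if ($samples.Count -gt 0) {
        Write-Host ('{0,-24} average offset {1:N4}s' -f $peer, ($samples | Measure-Object -Average).Average)
    } else {
        Write-Warning "$($peer): no NTP reply (DNS, outbound UDP 123, or a dead peer)"
    }
}

# 3. Recent Time-Service events. 12 = no reliable source (the article's warning),
#    29 = cannot reach any peer, 47 = a manual peer stopped answering,
#    35 / 37 = synchronizing with a source and receiving valid time data.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 4. Hypervisor checks from the comment thread. A guest whose Source keeps reading
#    "Local CMOS Clock" after everything above is usually being set by the host.
$vmic = Get-Service -Name vmictimesync -ErrorAction SilentlyContinue
if ($vmic -and $vmic.Status -eq 'Running') {
    $prov = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -ErrorAction SilentlyContinue
    Write-Host "Hyper-V guest: vmictimesync is running, VMICTimeProvider Enabled=$($prov.Enabled)"
    Write-Host "  -> clear 'Time synchronization' under the VM's Integration Services on the host, or set Enabled=0 and restart w32time"
}
$toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'   # assumed default path
if (Test-Path $toolbox) { Write-Host "VMware guest: Tools time sync is $(& $toolbox timesync status)" }

# 5. The article's reset sequence, as a function so it only runs on purpose.
#    After /register a DC is back on default settings (domain hierarchy), so
#    re-apply the manual peer list or wait for the GPO afterwards.
function Reset-W32Time {
    Stop-Service -Name w32time
    & w32tm.exe /unregister | Out-Null
    & w32tm.exe /register   | Out-Null
    Start-Service -Name w32time
}
```

Step 2 is the one to look at first when the event log fills with ID 47: if every peer times out from the DC but answers from another machine, the problem is the firewall path from the DC, not the peers.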

 

Summary

Setting up an external NTP source for the domain is not strictly a must, your domain will work without it, but it is recommended: Kerberos rejects tickets when the clock skew between a client and the DC exceeds the allowed tolerance (5 minutes by default), and the timestamps in your security logs are only as trustworthy as the time source behind them. As you can see it is not a difficult operation, and at the very least it gets rid of the diagnostic messages in Event Viewer. If you are wondering which one to use between the two, I will always go with the command line option. I don't know, I like it better.

21 thoughts on “Configure DC to synchronize time with external NTP server”

  • 30/03/2021 at 14:56

    Unfortunately it doesn't work for me.

    My DC is a VM running on ESXi 7, with VMware Tools time synchronization disabled.

    My domain is Fu*****.com (the same as the website and the public domain). The controller and the rest of the PCs respond with an internal IP.

    The DC has Internet access, and port 123, the NTP port, is open.
    I checked with NTP tools against time.google.com and several NTP servers from pool.ntp.org (0, 1, 2, ar, etc.). I ping all the servers, I reach them by IP or by FQDN, my DNS resolves the addresses.

    w32tm /query /status
    Leap Indicator: 0 (no warning)
    Stratum: 1 (primary reference – syncd by radio clock)
    Precision: -23 (119.209ns per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name: "LOCL")
    Last Successful Sync Time: 3/29/2021 3:56:40 PM
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)

    or free-time windows server

    The registry is set according to:

    https://www.elcegu.com/windows-server-2012-r2-configuracion-del-ntp-client-en-el-directorio-activo-usando-gpo/

    http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo

    https://michlstechblog.info/blog/windows-enable-ntp-client-and-server/

    and about 10 or 20 similar pages.
    Still not working.

    https://tutorialesit.com/windows-server-como-configurar-un-servidor-horario-en-nuestro-dominio/

    https://docs.microsoft.com/es-es/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

    https://www.elcegu.com/windows-server-2012-r2-configuracion-del-ntp-client-en-el-directorio-activo-usando-gpo/

    http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo

    https://michlstechblog.info/blog/windows-enable-ntp-client-and-server/

    • 30/03/2021 at 19:00

      Hi Marcelo,
      First of all, if you PING a server and it replies, it does not mean that the service you want is available. ICMP (PING) and NTP use different protocols. All you are checking with PING is that the server is running.
      Second, you are using a VM. Every VM has time synchronization with the host through VMware Tools (seen in the Source: Local CMOS Clock). Disable time sync for the VM by editing its settings and it will work. For more info take a look at VMware KB 1189.

      tools.syncTime = "0"
      time.synchronize.continue = "0"
      time.synchronize.restore = "0"
      time.synchronize.resume.disk = "0"
      time.synchronize.shrink = "0"
      time.synchronize.tools.startup = "0"
      time.synchronize.tools.enable = "0"
      time.synchronize.resume.host = "0"

    • 01/04/2021 at 14:33

      Hello Adrian,
      I have previously applied VMware KB 1189. VMware Tools sync is always set to off.
      It does not work by GPO either, nor by PowerShell commands, nor by editing the registry.

      Could it be my domain? Due to policy, I cannot change my domain to local.domain.com or corp.domain.com; it must be the same as my public domain, domain.com, and I have verified that the DNS on my LAN network points where it should.
      Could it be my DNS?

      I don’t know what other option to apply.

      Thanks

      • 01/04/2021 at 19:59

        I cannot answer these questions since I don’t know your network and how it is configured. You will have to give me more details about the layout and everything.

        If you want to take it even further, I am also an IT consultant. Go to the Contact page and write me a message with your details so we can talk.

  • 07/02/2021 at 23:07

    I fixed the problem. Turns out I was using an unreliable time server. Once I set everything up to use time.windows.com, everything changed over. Thank you for the technical info. I couldn't have done this without it.

  • 07/02/2021 at 22:12

    I am running Server 2019 Standard on a bare-bones machine and no matter what I try (both methods above, to the letter), I am still running the NTP server off the CMOS clock. Any advice?

  • 03/02/2021 at 22:35

    Congrats, Thank you for your help!!! GPO in DC solved my problem.

  • 25/09/2020 at 15:01

    Hi! I followed your guide and it works great! Thanks for the post.
    I just want to ask one or two additional things about time sync and Kerberos.
    In every forum I have read it is said that if the time difference between the DC and the client machine is greater than 5 minutes, the user of the client machine should not be able to log in (due to Kerberos). I am trying to simulate that using your tutorial and Hyper-V virtualization technology.
    I have set up an environment of 3 VMs running Windows Server 2008 R2 Enterprise: DC1 – domain controller (PDC), DC2 – domain controller, and PC1 – client. After I set up the environment I change the time/date of the client PC1 using the local Admin account, but after that I am still able to log in to PC1 using a domain user account. My question is: why does this happen? How can I simulate a time difference between the client and the domain controller using VMs?

    P.S. I apologize that my question is not fully related to the topic

    • 25/09/2020 at 19:18

      Hi Nikolov,
      Thanks for your appreciation and I’m glad I could help out.

      To make the time synchronization work between the DC and the workstations when running on a hypervisor, make sure you remove the synchronization service option for every VM. Right-click the VM, the DC for example and choose Settings > Integration Services. Remove the check box from the Time synchronization option. Do this for every VM you have on this lab.
      Now your VMs should take the time from the DC and be influenced by the Hyper-V synchronization service.

      Let me know how it works.

  • 03/11/2019 at 13:36

    Thanks for your excellent guide, it was the first one that mentioned Event Viewer event 12 at all!
    Following your steps I was able to manage time sync on my test VM PDC. And out of respect for your work, I will leave the .ro NTP servers in the config. 😉 Cheers!

  • 05/11/2018 at 11:11

    Does not function on my PDC. This is what I did:
    C:\Windows\system32>w32tm.exe /config /manualpeerlist:"0.nl.pool.ntp.org 1.nl.pool.ntp.org 2.nl.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
    The command completed successfully.

    C:\Windows\system32>net stop w32time && net start w32time
    The Windows Time service is stopping.
    The Windows Time service was stopped successfully.

    The Windows Time service is starting.
    The Windows Time service was started successfully.

    C:\Windows\system32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference – syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name: “LOCL”)
    Last Successful Sync Time: 5-11-2018 10:08:20
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)

    C:\Windows\system32>

    • 05/12/2018 at 09:17

      Hi,
      Do you have an active internet connection?
      Is the Domain Controller a VM? If it is a VM make sure you stop the time synchronization service.

  • 12/10/2018 at 10:40

    Thanks for the guide, excellent.

      • 08/10/2020 at 14:17

        Dear Team,

        I am very fed up with this issue. I did all the recommended steps. Still I am getting the Local CMOS Clock time.

        • 08/10/2020 at 14:29

          Hi Shihas,
          If you are running your machines as virtual ones, make sure you disable time synchronization with the host.
          Hyper-V has a built-in option, and for VMware you will have to edit the .VMX file of the VM(s).

          • 30/12/2020 at 20:33

            Running the VMs on Hyper-V, I have followed your steps to the letter, even checked whether the option to sync from Hyper-V was (or was not) set; it is unchecked, and I am still getting that sync from LOCAL.

          • 08/01/2021 at 18:27

            Hi Michael,
            Try stopping the Hyper-V service inside the guest OS and see if that does the trick. The guest OS is still getting its time from the host somehow.
