Active Directory depends on all domain controllers and member computers having synchronized clocks. Kerberos, the authentication protocol in Active Directory, embeds timestamps in its tickets and authenticators and rejects messages whose timestamp is too far from the receiver's clock; that is what stops a captured packet from being replayed. The default tolerance (the MaxClockSkew setting in the Kerberos policy) is plus or minus 5 minutes. If the time difference exceeds this setting, clients cannot authenticate and, because replication traffic is itself Kerberos-authenticated, domain controllers may fail to replicate.
The Windows Time service (w32time) uses NTP (Network Time Protocol) for time synchronization. Inside a domain it also uses the domain hierarchy to decide which machine to synchronize from.
Time synchronization in an Active Directory Domain Services hierarchy
- The forest root domain’s PDC emulator synchronizes its clock with a reliable outside time source (outside NTP servers).
- Each child domain’s PDC emulator synchronizes its clock with a reliable time source in its domain or the parent domain.
- Each domain controller synchronizes its clock with the PDC emulator of its domain or the parent domain.
- Each client computer synchronizes its clock with the domain controller that authenticates it.
You should not need to configure the w32time service on any server or computer other than your forest root domain's PDC emulator. If that role is later transferred to another domain controller, the new holder needs the same external time source configuration, and the old one should be switched back to synchronizing from the domain hierarchy (w32tm /config /syncfromflags:domhier /update).
Get the NTP server configuration using PowerShell
Use the w32tm command-line tool. It is not a PowerShell cmdlet, but it runs fine from an elevated PowerShell (or cmd) prompt.
w32tm /query /configuration
In the output, look at the NtpServer value in the NtpClient part of the [TimeProviders] section, and at the Type value (NT5DS means the machine syncs from the domain hierarchy, NTP means it uses a manual peer list). In this example the NTP servers were not configured yet.
Now configure them using w32tm. The peer list is space-separated, and the comma is reserved for per-peer flags (0x8 means "client mode", so the PDC emulator only polls the peer and never accepts symmetric-active packets from it). Use straight quotes; smart quotes pasted from a web page will break the command.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Now you can force synchronization (/rediscover makes the service re-detect its network configuration and sources, /nowait returns without waiting for the resync to complete).
w32tm /resync /rediscover /nowait
To troubleshoot sync issues, use w32tm /query /source (which peer the machine is actually using), w32tm /query /status (stratum, last successful sync time and phase offset), w32tm /stripchart /computer:<peer> (live offset against a given server) and w32tm /monitor (offsets of all domain controllers in the domain).
You can also stop and start the time service.
Net stop w32time
Net start w32time
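The whole procedure from the section above as one script, as an added example that is not part of the original post. It refuses to run on anything but the PDC emulator (the one machine that should carry this configuration), applies the manual peer list with the correct space-delimited syntax, and then verifies the result so that the offset can be compared against the 5-minute Kerberos tolerance. The peer hostnames are placeholders, not real servers; the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example (not code from the original post). Run in an elevated PowerShell
# session on the forest root PDC emulator.
# Assumption: the peer names below are placeholders; replace them with 3-5 servers
# you have chosen (for example stratum-2 servers from the public list at ntp.org).
$Peers = @('ntp1.example.org', 'ntp2.example.org', 'ntp3.example.org')

# w32tm's manual peer list is space-delimited; a comma separates a peer from its
# flags. 0x8 = client mode: poll the peer, never accept symmetric-active packets.
$PeerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '

# 1. Guard: only the PDC emulator should point at external sources. Get-ADDomain
#    comes from the ActiveDirectory RSAT module (assumed installed).
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ne $me) {
    throw "This host ($me) is not the PDC emulator ($pdc). Configure time sources there."
}

# 2. Apply the peer list and advertise this DC as a reliable source for the domain.
w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# 3. Restart the service so the new configuration is loaded, then force a resync.
Restart-Service w32time
w32tm /resync /rediscover /nowait

# 4. Verify: the source should now be one of the configured peers, Type should be
#    NTP rather than NT5DS, and the Phase Offset in the status output should be far
#    inside the 5-minute Kerberos skew limit.
Start-Sleep -Seconds 15
w32tm /query /source
w32tm /query /configuration | Select-String -Pattern 'NtpServer|Type'
w32tm /query /status /verbose

# 5. Check each peer directly: reachability plus live offset (3 samples each).
foreach ($p in $Peers) {
    w32tm /stripchart /computer:$p /samples:3 /dataonly
}
```

The role check matters more than it looks: if the PDC emulator role is transferred later, this script will stop on the old holder, which is exactly when you want to be reminded that the new holder needs the configuration and the old one should go back to /syncfromflags:domhier.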
Cheers
Don't use pool.ntp.org as the time source for a Windows domain. The Windows time service is picky about the stratum of your external sources, and the servers in the NTP pool can have varying strata. Instead you should pick 3-5 stratum 2 NTP servers from the public list at NTP.org and use them.
Good point. Thx.