Time synchronization in Active Directory domain


Active Directory is highly dependent on all domain controllers and computers having synchronized clocks. Kerberos, the authentication protocol in Active Directory, uses system clocks to verify the authenticity of Kerberos packets. The supported tolerance is plus or minus 5 minutes. If the time variance exceeds this setting, clients may be unable to authenticate and the domain controllers unable to replicate.

Windows time service is based on the use of NTP (Network Time Protocol) for time synchronization.

Time synchronization in an Active Directory Domain Services hierarchy

  • The forest root domain’s PDC emulator synchronizes its clock with a reliable outside time source (outside NTP servers).
  • Each child domain’s PDC emulator synchronizes its clock with a reliable time source in its domain or the parent domain.
  • Each domain controller synchronizes its clock with the PDC emulator of its domain or the parent domain.
  • Each client computer synchronizes its clock with the domain controller to which it authenticates.


You should not need to configure the w32time service on any server or computer other than your root domain’s PDC emulator.

Get NTP server configuration using PowerShell

Use the w32tm command-line tool.

W32tm /query /configuration


As you can see, the NTP servers are not configured yet.

Now configure them using w32tm.

W32tm /config /update /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org" /syncfromflags:manual /reliable:yes


Now you can force a synchronization.

W32tm /resync /rediscover /nowait


Use w32tm /monitor to troubleshoot sync issues.
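As an added example (not the post's own code), here is a PowerShell script that audits the hierarchy described above: it measures each DC's clock skew against the PDC emulator with w32tm /stripchart, reads each DC's actual sync source, and flags skew beyond the 5-minute Kerberos tolerance or a non-PDC DC that is syncing from an external source instead of the domain. It assumes the ActiveDirectory RSAT module is installed and that the machine you run it on can query every DC over NTP (UDP 123).

```powershell
# Added example, not from the original post. Audits every DC in the current domain.
# Assumes the ActiveDirectory RSAT module and NTP reachability to each DC.
Import-Module ActiveDirectory

$KerberosToleranceSeconds = 300   # Kerberos default clock skew tolerance (5 minutes)

function Get-ClockOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # "w32tm /stripchart ... /dataonly" prints lines like "13:48:26, +00.0012345s";
    # the number is the target's offset from the local clock, so average the samples.
    $lines = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>$null
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if ($null -eq $offsets) { return $null }   # unreachable, or UDP/123 filtered
    ($offsets | Measure-Object -Average).Average
}

function Test-DomainTimeHierarchy {
    $domain    = Get-ADDomain
    $pdc       = $domain.PDCEmulator
    $dcNames   = (Get-ADDomainController -Filter * -Server $domain.DNSRoot).HostName
    $pdcOffset = Get-ClockOffsetSeconds -Computer $pdc
    if ($null -eq $pdcOffset) { throw "PDC emulator $pdc did not answer NTP queries" }

    foreach ($dc in $dcNames) {
        $offset = Get-ClockOffsetSeconds -Computer $dc
        # /query /source shows the peer this DC is actually synchronizing from
        $source = (& w32tm /query /source /computer:$dc 2>$null) -join ''
        $issues = @(); $skew = $null
        if ($null -eq $offset) { $issues += 'no NTP response' }
        else {
            $skew = [math]::Round($offset - $pdcOffset, 3)   # + ahead of PDC, - behind
            if ([math]::Abs($skew) -gt $KerberosToleranceSeconds) { $issues += 'skew exceeds Kerberos tolerance' }
        }
        if ($source -match 'Local CMOS Clock|Free-running') { $issues += 'not syncing from any peer' }
        # Only the PDC emulator should use an external source; other DCs should follow a DC.
        if ($dc -ine $pdc -and $source -and ($dcNames -notcontains ($source -split ',')[0])) {
            $issues += "non-PDC DC syncing from '$source'"
        }
        [pscustomobject]@{
            DomainController = $dc
            IsPdcEmulator    = ($dc -ieq $pdc)
            SkewFromPdcSec   = $skew
            TimeSource       = $source
            Issues           = ($issues -join '; ')
        }
    }
}

Test-DomainTimeHierarchy | Format-Table -AutoSize
```

Any row whose Issues column is non-empty is a DC to look at with w32tm /monitor and w32tm /query /status before Kerberos failures or replication errors start showing up.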

You can also stop and start the time service.

Net stop w32time

Net start w32time

Cheers

2 Comments on "Time synchronization in Active Directory domain"

  1. Myron A. Semack | 17/06/2016 at 1:15 pm | Reply

    Don’t use pool.ntp.org as the time source for a Windows domain. The Windows time service is picky about the stratum of your external sources, and the servers in the NTP pool can have varying stratums. Instead you should pick 3-5 stratum 2 NTP servers from the public list at NTP.org and use them.
