How to Configure Time in a Windows Active Directory Environment

Purpose

This article explains how to configure time properly in a Windows Active Directory (AD) environment.
It is divided up by the roles of the Domain Controllers (DCs) in a Windows AD environment.

PDC Emulator

Run the following commands from an admin command prompt to set the PDC emulator to sync its time with an external time source.

w32tm /config /manualpeerlist:"pool.ntp.org,0x1" /syncfromflags:MANUAL
w32tm /config /update
w32tm /resync

w32tm /resync /rediscover
w32tm /query /source

VM PDC Emulator

Run these additional commands if your PDC emulator is running on a virtual machine. These commands allow the VM PDC to check for time more frequently. This is needed because hypervisors adjust the length between the "time ticks" that Windows uses to determine when it needs to check for time, which causes the clock to jump ahead.

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxAllowedPhaseOffset /t reg_dword /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t reg_dword /d 120 /f
net stop w32time && net start w32time

In Hyper-V, open the VM's Settings, go to Integration Services, and uncheck Time synchronization.

All Other DCs

Run the following commands from an admin command prompt.

reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /t reg_sz /d NT5DS
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time && net start w32time
w32tm /resync /rediscover /nowait
w32tm /query /source
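
A read-only check of the settings made in the three sections above, as an added example that is not part of the original article. The function names are hypothetical, and the VM test assumes a Hyper-V guest, which reports its model as "Virtual Machine".

```powershell
# Added example: audits the local DC against the values this article sets.
# Registry paths and expected values come from the commands above; nothing is changed.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-W32Value([string]$SubKey, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    (Get-ItemProperty -Path "$w32\$SubKey" -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-Setting([string]$Label, $Actual, $Expected) {
    [pscustomobject]@{
        Setting  = $Label
        Actual   = if ($null -eq $Actual) { '<not set>' } else { $Actual }
        Expected = $Expected
        Ok       = ($Actual -eq $Expected)
    }
}

function Test-DcTimeConfig {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -lt 4) { Write-Warning "$($cs.Name) is not a domain controller."; return }
    $isPdc = $cs.DomainRole -eq 5                # 5 = PDC emulator, 4 = any other DC
    $isVm  = $cs.Model -eq 'Virtual Machine'     # assumption: Hyper-V guest

    if ($isPdc) {
        # /syncfromflags:MANUAL stores Type=NTP and the peer list in NtpServer.
        Test-Setting 'Parameters\Type'      (Get-W32Value 'Parameters' 'Type')      'NTP'
        Test-Setting 'Parameters\NtpServer' (Get-W32Value 'Parameters' 'NtpServer') 'pool.ntp.org,0x1'
        if ($isVm) {
            Test-Setting 'Config\MaxAllowedPhaseOffset' (Get-W32Value 'Config' 'MaxAllowedPhaseOffset') 1
            Test-Setting 'VMICTimeProvider\Enabled' (Get-W32Value 'TimeProviders\VMICTimeProvider' 'Enabled') 0
            Test-Setting 'NtpClient\SpecialPollInterval' (Get-W32Value 'TimeProviders\NtpClient' 'SpecialPollInterval') 120
        }
    } else {
        # /syncfromflags:DOMHIER stores Type=NT5DS (follow the domain hierarchy).
        Test-Setting 'Parameters\Type' (Get-W32Value 'Parameters' 'Type') 'NT5DS'
    }

    # Effective source as reported by the service itself (same query the article uses).
    $source = (w32tm /query /source | Out-String).Trim()
    # Commonly seen fallback sources that mean the DC is not using its intended peer.
    $fallback = $source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider'
    Test-Setting 'w32tm /query /source is a network peer' (-not $fallback) $true
    Write-Host "Current source: $source"
}

Test-DcTimeConfig | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on each DC; any row with Ok = False points at the command in this article that still needs to be applied on that machine.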

GPO to Keep the PDC Syncing with an External Time Source

Create a WMI-filtered GPO for the PDC so that, per Microsoft best practice, the PDC always gets its time from an external time server, even if the role moves to a new DC.

WMI Filter = Select * from Win32_ComputerSystem where DomainRole = 5
Create a new GPO with the following Settings linked to the Domain Controllers OU.
Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers
Configure Windows NTP Client = Enabled
NtpServer = pool.ntp.org,0x1
Type = NTP

Enable Windows NTP Client = Enabled