Tech Info's

Microsoft Windows, RedHat and VMware Virtualization Platform


Configuring Time Source on Active Directory

Posted by Prashanth P on November 16, 2011


Time source configuration is very important and critical for Active Directory. The clocks of all domain machines have to agree as closely as possible, which is achieved by setting up the hierarchy in which domain time is distributed.

It is important to know that Domain Controllers use UTC (Coordinated Universal Time) with NTP, as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will not see the UTC time itself, because the time zone information stored in the computer’s registry is added to the system time just before it is displayed to the user.

One Domain Controller, the DC holding the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master of the domain. By default it uses its own BIOS clock, but it should be configured to use another time source such as an NTP hardware device, a router, a layer 3 switch or an external time server that is able to act as a time provider.

All other Domain Controllers synchronize with this machine, and all domain member servers and domain workstations synchronize with an available DC. Therefore UDP port 123 (NTP) has to be open on all machines. In a domain, time synchronization takes place when the Windows Time Service starts during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

Correct time is also required by Kerberos V5 authentication: to prevent “replay attacks,” Kerberos V5 uses time stamps as part of its protocol definition. For the time stamps to work properly, the clocks of the client and the Domain Controller need to be as closely in sync as possible. The default maximum time tolerance is 5 minutes; it is defined by a Group Policy setting and should not be changed.

If you do need to change the default tolerance, use the following GPO setting:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> “Maximum tolerance for computer clock synchronization”

Configurations on Windows Server 2003 or higher OS

To check the time source configuration, execute the following command:

c:\>w32tm /dumpreg /subkey:parameters /computer:DC_Name

Note: DC_Name is the name of the Domain Controller.
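As an added example (not part of the original post), the following PowerShell script reads the same Parameters values that `w32tm /dumpreg /subkey:parameters` prints and measures this machine's offset from the PDC Emulator with `w32tm /stripchart`, reporting whether the skew stays inside the 5-minute Kerberos tolerance discussed above. It assumes a domain-joined Windows machine with `w32tm.exe` available and UDP 123 open to the PDC Emulator; the function names and the warning threshold are this example's own.

```powershell
# Added example, not the original post's commands. Function names are this example's own.
# Default value of "Maximum tolerance for computer clock synchronization" (5 minutes).
$KerberosToleranceSeconds = 300

function Get-W32TimeParameters {
    # The same data that "w32tm /dumpreg /subkey:parameters" prints, read from the registry.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Type      = $p.Type        # NT5DS = domain hierarchy, NTP = manual peer list, NoSync = none
        NtpServer = $p.NtpServer   # manual peer list; only meaningful when Type is NTP
    }
}

function Get-PdcEmulator {
    # .NET lookup of the PDC Emulator; works without the RSAT ActiveDirectory module.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
}

function Get-OffsetFromPdc {
    param([string]$Pdc = (Get-PdcEmulator), [int]$Samples = 3)
    # "/stripchart /dataonly" prints lines like "10:52:27, +00.0233410s"; average the offsets.
    $raw = & w32tm.exe /stripchart /computer:$Pdc /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $raw) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { throw "No offset samples returned from $Pdc : $($raw -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

function Test-KerberosClockSkew {
    # Flag hosts whose offset from the PDC Emulator approaches the Kerberos tolerance.
    param([int]$WarnAtPercent = 50)
    $cfg    = Get-W32TimeParameters
    $pdc    = Get-PdcEmulator
    $offset = Get-OffsetFromPdc -Pdc $pdc
    $abs    = [math]::Abs($offset)
    $status = if ($abs -ge $KerberosToleranceSeconds) { 'FAIL' }
              elseif ($abs -ge $KerberosToleranceSeconds * $WarnAtPercent / 100) { 'WARN' }
              else { 'OK' }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Type          = $cfg.Type
        NtpServer     = $cfg.NtpServer
        PdcEmulator   = $pdc
        OffsetSeconds = [math]::Round($offset, 3)
        Status        = $status
    }
}

Test-KerberosClockSkew | Format-List
```

A host reporting WARN or FAIL will start failing Kerberos authentication once the offset crosses the tolerance, so this check is worth running from a scheduled task on member servers rather than only when logons break.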

1. To configure the Domain Controller holding the PDC Emulator FSMO role to use another time source, run

C:\>w32tm /config /manualpeerlist:DC_Name /syncfromflags:manual /reliable:yes /update

Replace “DC_Name” with the time source as described above, either as an IP address or a DNS name. If more than one is needed, separate them with a space and don’t forget the quotes: “time.domain.com time1.domain.com”

2. To configure a domain computer for automatic domain time synchronization, run

C:\>w32tm /config /syncfromflags:domhier /update

After that you have to run

C:\>net stop w32time

C:\>net start w32time

3. To reconfigure the previous PDC Emulator after transferring or seizing the FSMO role to another Domain Controller, run

C:\>w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run

C:\>net stop w32time

C:\>net start w32time

4. If you have to reconfigure a Windows 2000 Server Domain Controller after transferring or seizing the PDC Emulator role to another Domain Controller, the steps are different.

You have to set the “Type” value to “Nt5Ds” (without the quotes) under this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Note: If you have problems with the time service configuration because too many changes were made in the registry, or you would like to start fresh on a computer, you can reset the time service to its default state in the following way. Make sure to use an elevated command prompt so that you have full administrative permissions.

Then execute the following commands:

C:\>net stop w32time

C:\>w32tm /unregister

C:\>w32tm /register

C:\>net start w32time

Repeat the Steps mentioned in “Configurations on Windows Server 2003 or higher OS” as per the requirement.
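Steps 1 to 3 above and the reset sequence in the note share one pattern: run w32tm, restart the Windows Time service, and confirm the result. The following PowerShell script is an added example, not the original post's own commands, that wraps that pattern with exit-code checking and a read-back of the Type value from the W32Time Parameters key (NT5DS for the domain hierarchy, NTP for a manual peer list), so a failed w32tm call is not silently ignored. It assumes an elevated PowerShell prompt on a domain-joined Windows Server 2003 or newer machine; the function names are this example's own, and the peer names reuse the post's placeholder list.

```powershell
# Added example, not the original post's commands. Function names are this example's own.
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Invoke-W32tm {
    # Run w32tm.exe and fail loudly on a non-zero exit code instead of ignoring it.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & w32tm.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "w32tm $($Arguments -join ' ') failed (exit $LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

function Restart-W32Time {
    # Same effect as "net stop w32time" followed by "net start w32time".
    Restart-Service -Name w32time -Force
    (Get-Service -Name w32time).WaitForStatus('Running', [timespan]::FromSeconds(30))
}

function Get-W32TimeType {
    # NT5DS = domain hierarchy, NTP = manual peer list, NoSync = not synchronizing.
    (Get-ItemProperty -Path $W32TimeParams).Type
}

function Assert-W32TimeType {
    param([Parameter(Mandatory)][string]$Expected)
    $actual = Get-W32TimeType
    if ($actual -ne $Expected) { throw "Expected Type=$Expected in W32Time Parameters, found $actual" }
}

function Set-PdcEmulatorTimeSource {
    # Step 1: the PDC Emulator syncs from external peers and advertises itself as reliable.
    param([Parameter(Mandatory)][string[]]$Peers)
    # Several peers go into one space-separated argument; PowerShell adds the quotes for w32tm.
    $peerList = $Peers -join ' '
    Invoke-W32tm -Arguments @('/config', "/manualpeerlist:$peerList",
                              '/syncfromflags:manual', '/reliable:yes', '/update') | Out-Null
    Restart-W32Time
    Assert-W32TimeType -Expected 'NTP'
}

function Set-DomainHierarchyTimeSource {
    # Step 2 for members and other DCs; step 3 (with -WasPdcEmulator) for a former PDC Emulator,
    # which must stop advertising itself as a reliable time source.
    param([switch]$WasPdcEmulator)
    $w32Args = @('/config', '/syncfromflags:domhier')
    if ($WasPdcEmulator) { $w32Args += '/reliable:no' }
    $w32Args += '/update'
    Invoke-W32tm -Arguments $w32Args | Out-Null
    Restart-W32Time
    Assert-W32TimeType -Expected 'NT5DS'
}

function Reset-W32Time {
    # The reset sequence from the note: stop, unregister, register, start.
    Stop-Service -Name w32time -Force
    Invoke-W32tm -Arguments @('/unregister') | Out-Null
    Invoke-W32tm -Arguments @('/register')   | Out-Null
    Start-Service -Name w32time
}

function Test-IsPdcEmulator {
    # Compare this host's FQDN with the PDC Emulator's; works without the RSAT AD module.
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $pdc -ieq $local
}

# Usage: the PDC Emulator takes the external peers, everything else follows the domain hierarchy.
if (Test-IsPdcEmulator) {
    Set-PdcEmulatorTimeSource -Peers 'time.domain.com', 'time1.domain.com'
} else {
    Set-DomainHierarchyTimeSource
}
# Final check of the effective source (available on Windows Vista / Server 2008 and later).
Invoke-W32tm -Arguments @('/query', '/source')
```

Run `Reset-W32Time` first only when the note above applies, then re-run the role-based configuration; the `Assert-W32TimeType` read-back is what tells you the `/update` actually took effect rather than leaving the machine on `NoSync` or its BIOS clock.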
