Syncing Time within An Active Directory Domain Checklist

Kent Chen — Mon, 24 Jun 2019 23:37:10 +0000

A computer that had 30 seconds ahead of the domain controller got me to do this sanity check to see if the time is synchronized across the whole network. Why? Because having time off all over the place will cause all sorts of weird issues. It’s just that important.

Here is a checklist of things you need to know when it comes to syncing time in a Windows domain based network.

Firs of all, where to check to know what the exact time is right now?

Time.is is that place that tells you not only what the time is now but checks if your computer clock is off.

How to sync time for Domain Controller

Since my domain controller is virtualized, I don’t actually need to do anything on AD level. All I need is to make sure the host that all VMs rely on has an accurate time all the time. Basically, I can enable the NTP Client on the host and have it sync to specified NTP servers.

If setting up NTP on the host level isn’t an option, maybe because the host doesn’t have the access to the internet, here is what you can also do.

Open an elevated Command Prompted window on the domain controller and run the following command:

net stop w32time
w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1"
w32tm /config /reliable:yes
net start w32time

Now, running w32tm /resync should be completed successfully.

How to sync time on domain workstations

The quickest way to sync your computer with the domain time is to run the following command in an elevated Command Prompt window.

net time /domain

You can schedule it or put it as part of your login script so it runs frequently enough to keep the time synced with AD all the time. But obviously, it’s not ideal because it’s better done in Group Policy level if you are in an AD environment.

Open the Group Policy assigned to an OU that includes all the workstations on your network and then navigate to the following location:

Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers

Enable the Configure Windows NTP Client policy and set yourdc.yourdomain,0x1 as the NtpServer.

And enable the “Enable Windows NTP Client” policy afterwards.

To test it out, you can either reboot a workstation or run GPUpdate /Force to update the policy on the local computer and run the following to display the status of the time service.

w32tm /query /status

That’s about it. Here are a few w32tm command options that you use to find more information:

w32tm /query /configuration – check NTP configuration

w32tm /query /source – display time source

w32tm /query /peers – display the list of all configured NTP servers and their status

The post Syncing Time within An Active Directory Domain Checklist first appeared on KC's Blog.

Configuring AD Server to Sync Time with External NTP Server

Kent Chen — Tue, 22 Mar 2016 00:38:55 +0000

If you got this message regarding your AD server that has PDC emulator role doesn’t have a proper NtpClient set up, like below:

Here is how you can get this sorted out:

Log on to the AD server (with PDC role) with administrator account and open elevated command prompt, and run the following commands:

net stop w32time
w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1"
w32tm /config /reliable:yes
net start w32time

If all went well, running w32tm /resync should get a successful message.

If not, go to Event Viewer to find out more details why it failed.

To force all domain computers to sync the time with the DC you just set up, run the following commands in the elevated command prompt window.

net stop w32time
w32tm /config /syncfromflags:domhier /update
net start w32time

That’s probably all you need to get your AD server to act as the NTP server in your domain.

Here are a few more useful w32tm commands that come handy: