How to Configure Authoritative Time Server in Active Directory Domain

How to configure an authoritative time server in a domain.

One of the most important configurations required in your Active Directory forest is the configuration of the Windows Time Service. Below is the time synchronization hierarchy.

[Figure: Time Synchronization in an AD DS Hierarchy]

To configure the authoritative time server role, follow the steps below.

1. If you have a firewall in the network, ensure that UDP port 123 is not blocked.

2. First identify the PDC role holder. Open a command prompt and run netdom query fsmo to verify which Domain Controller holds the PDC role.

3. Run the following commands on the PDC server:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net stop w32time & net start w32time
w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time & net start w32time

Note: You can change the NTP Server to pool.ntp.org, time.nist.gov, etc. as required.

4. You can run w32tm /query /source to check the time server on the PDC server.

5. On the other Domain Controllers (non-PDC), run the following commands:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net stop w32time & net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time & net start w32time

6. You can run w32tm /query /source to check the time server on a non-PDC DC.

7. For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184

8. If the Domain Controller is a virtual machine on Hyper-V, you need to disable time synchronization between the host system and the guest operating system acting as a domain controller. Don't disable the Hyper-V time synchronization service; leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

9. If the Domain Controller is a virtual machine on VMware, follow the link below to disable time sync from the host server to the DC (virtual machine): http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

10. If any Group Policy is configured for Windows time sync, remove it, as it will cause a conflict.

11. If any third-party time sync software is installed and configured on the DC, remove it, as it will also cause time sync issues.
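
A read-only check of what the steps above leave in the registry, as an added PowerShell example that is not part of the original post: it flags a sync type that does not match the DC's role, an empty peer list on the PDC, an enabled VMICTimeProvider on a Hyper-V guest, and a W32Time policy key. The function names and the Hyper-V model string test are assumptions of this example.

```powershell
# Added example: read-only audit of the W32Time settings set in the steps above.
function Test-TimeConfig {
    param([hashtable]$Settings, [bool]$IsPdc)
    $findings = @()
    # /syncfromflags:manual stores Type=NTP, /syncfromflags:domhier stores Type=NT5DS
    $wantType = if ($IsPdc) { 'NTP' } else { 'NT5DS' }
    if ($Settings.Type -ne $wantType) {
        $findings += "Type is '$($Settings.Type)', expected '$wantType'"
    }
    if ($IsPdc -and [string]::IsNullOrWhiteSpace($Settings.NtpServer)) {
        $findings += 'PDC has an empty manual peer list (NtpServer)'
    }
    if ($Settings.IsHyperVGuest -and $Settings.VmicEnabled -ne 0) {
        $findings += 'VMICTimeProvider is still enabled on a Hyper-V guest DC'
    }
    if ($Settings.PolicyPresent) {
        $findings += 'A W32Time policy key exists and can override local settings'
    }
    return ,$findings
}

function Get-TimeConfig {   # reads the local registry; run elevated on the DC
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $p   = Get-ItemProperty "$svc\Parameters"
    $v   = Get-ItemProperty "$svc\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
    @{
        Type          = $p.Type
        NtpServer     = $p.NtpServer
        VmicEnabled   = $v.Enabled
        # Assumption: a Hyper-V guest reports this model string
        IsHyperVGuest = ((Get-CimInstance Win32_ComputerSystem).Model -eq 'Virtual Machine')
        PolicyPresent = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    }
}

function Test-LocalDc {     # compares this DC with the domain's PDC role holder
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Test-TimeConfig -Settings (Get-TimeConfig) -IsPdc ($pdc -eq $me)
}

# Constructed sample: a non-PDC Hyper-V guest DC left on a manual peer.
$sample = @{ Type = 'NTP'; NtpServer = 'time.windows.com'; VmicEnabled = 1
             IsHyperVGuest = $true; PolicyPresent = $false }
Test-TimeConfig -Settings $sample -IsPdc $false
```

On a domain controller, call Test-LocalDc from an elevated prompt; an empty result means none of the four conditions was found.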

For more on the Windows Time service, refer to the links below.

How the Windows Time Service Works:
https://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc779145(v=ws.10).aspx

AD DS: The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source:
https://technet.microsoft.com/en-us/library/dd723673(v=ws.10).aspx

How to configure an authoritative time server in Windows Server:
https://support.microsoft.com/en-us/kb/816042
https://technet.microsoft.com/en-us/library/cc784800(v=ws.10).aspx

 
