Fix Domain Controller Time: Configure NTP Server Properly

Domain Controller Time Sync

Time synchronization is critical for domain controllers. When domain controller time is incorrect, it can cause authentication failures, Kerberos errors, and trust relationship issues. This guide shows you how to properly configure your domain controller to sync with a public NTP server using a simple one-liner command.

TL;DR

  • One-liner fix: w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update && net stop w32time && net start w32time
  • Why it matters: Incorrect time causes authentication failures and Kerberos errors
  • Best practice: Configure the PDC emulator to sync with external time source, other DCs sync from it
  • Verify: Use w32tm /query /status to check time source
  • Test: Use w32tm /resync to force immediate sync

Why Domain Controller Time Matters

Active Directory relies heavily on accurate time synchronization. Here's why:

  • Kerberos authentication: Kerberos has a 5-minute clock skew tolerance. If time is off by more than 5 minutes, authentication fails
  • Trust relationships: Domain trusts require accurate time to function properly
  • Event logs: Incorrect time makes troubleshooting difficult when events are out of order
  • Replication: Active Directory replication uses timestamps that require accurate time
  • Certificate validation: SSL/TLS certificates check validity based on system time

The One-Liner Fix

Run this command on your domain controller (preferably the PDC emulator) to configure it to sync with a public NTP server and restart the service:

w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update && net stop w32time && net start w32time

What This Command Does

Let's break down each part of the command:

  • /config: Configures the Windows Time service
  • /manualpeerlist:"time.windows.com,0x1": Sets the NTP server to time.windows.com. The 0x1 flag means "use NTP mode"
  • /syncfromflags:manual: Tells the service to sync from the manually configured peer list
  • /reliable:yes: Marks this DC as a reliable time source for other domain controllers
  • /update: Applies the configuration immediately

Alternative Public NTP Servers

You can use other public NTP servers if needed:

  • time.windows.com (Microsoft's time server)
  • pool.ntp.org (NTP Pool Project)
  • time.nist.gov (NIST time server)
  • time.google.com (Google's time server)

To use multiple servers for redundancy, separate them with spaces:

w32tm /config /manualpeerlist:"time.windows.com,0x1 time.nist.gov,0x1" /syncfromflags:manual /reliable:yes /update

Verifying the Configuration

After running the command, verify it's working:

Check Time Source

w32tm /query /status

Look for the "Source" line. It should show your configured NTP server (e.g., "time.windows.com").

Check Time Configuration

w32tm /query /configuration

This shows all Windows Time service configuration settings.

Force Immediate Sync

w32tm /resync

This forces an immediate time synchronization. You may need to run it with administrator privileges.

Best Practices for Domain Controller Time

  • PDC Emulator role: Configure the PDC emulator (the DC holding the PDC emulator FSMO role) to sync with an external time source
  • Other domain controllers: Other DCs should sync from the PDC emulator, not directly from external sources
  • Domain-joined computers: Client computers sync from their authenticating domain controller
  • Firewall rules: Ensure UDP port 123 is open for NTP traffic if syncing from external sources
  • Regular monitoring: Monitor time drift and set up alerts if time gets out of sync

Configuring Other Domain Controllers

For domain controllers that are NOT the PDC emulator, configure them to sync from the PDC emulator:

w32tm /config /syncfromflags:domhier /update

Then restart the service:

net stop w32time && net start w32time

This tells the DC to sync from the domain hierarchy (the PDC emulator).
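The one-liner for the PDC emulator, the domhier command for every other DC, and the "Source" check from the verification section can be folded into a single script that picks the right configuration by FSMO role. This is an added example, not code from the original post: it assumes an elevated PowerShell prompt on a domain controller, reuses the page's peer list as the default for $ExternalPeers (a parameter introduced here), uses Restart-Service in place of the cmd.exe net stop/start pair, and assumes w32tm prints its output in English.

```powershell
# Added example, not part of the original post: apply the page's two w32tm
# configurations from one script, choosing by FSMO role, then verify the source.
# Assumptions: run from an elevated PowerShell prompt on a domain controller;
# $ExternalPeers is the peer list the PDC emulator should use (the page's
# servers are reused here); w32tm output is assumed to be in English.

param(
    [string]$ExternalPeers = "time.windows.com,0x1 time.nist.gov,0x1"
)

# Find the PDC emulator via .NET, so the script works without the RSAT AD module.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdcFqdn = $domain.PdcRoleOwner.Name
$myFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isPdc   = ($pdcFqdn -ieq $myFqdn)

if ($isPdc) {
    Write-Host "$myFqdn holds the PDC emulator role: syncing from external peers '$ExternalPeers'."
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
}
else {
    Write-Host "$myFqdn is not the PDC emulator ($pdcFqdn): syncing from the domain hierarchy."
    w32tm /config /syncfromflags:domhier /update
}
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Same effect as 'net stop w32time && net start w32time'.
Restart-Service -Name w32time
Start-Sleep -Seconds 5          # give the service a moment to contact its peer
w32tm /resync | Out-Null        # may need a second attempt if no time data is available yet

# Read the active source back from 'w32tm /query /status'.
$source = $null
foreach ($line in (w32tm /query /status)) {
    if ($line -match '^Source:\s*(.+)$') { $source = $Matches[1].Trim() }
}

if (-not $source) {
    throw "Could not read a Source line from w32tm /query /status."
}
elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
    # Either value means the clock is free-running and NOT synchronized to a peer.
    Write-Warning "Source is '$source': the DC is not synchronized yet. Re-run 'w32tm /resync' and check the System event log for W32Time errors."
    exit 1
}
elseif ($isPdc -and ($ExternalPeers -notmatch [regex]::Escape(($source -split ',')[0]))) {
    Write-Warning "Source is '$source', which is not one of the configured external peers."
    exit 1
}
else {
    Write-Host "Active time source: $source"
    exit 0
}
```

Run it once on every DC; the PDC emulator ends up with the manual peer list and the rest with domhier, so nobody accidentally points a non-PDC DC at an external source. The Source check matters because the service will happily report "Local CMOS Clock" after a restart whose peer could not be reached, which looks healthy at a glance but is exactly the state that leads to Kerberos skew failures later.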

Troubleshooting Time Sync Issues

Time is Still Wrong

  • Check if the Windows Time service is running: sc query w32time
  • Verify firewall allows UDP port 123
  • Check event logs for time service errors
  • Ensure the DC has internet access to reach the NTP server

Authentication Still Failing

  • Wait a few minutes after fixing time for Kerberos to recover
  • Check time on both the DC and the client computer
  • Verify time difference is less than 5 minutes
  • Restart the Kerberos Key Distribution Center service if needed

Check Time Difference

w32tm /stripchart /computer:time.windows.com /dataonly /samples:5

This shows the time difference between your server and the NTP server.
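The stripchart output is easy to parse, which makes it a good basis for the "regular monitoring" item in the best-practices list above. The following added example (not from the original post) runs the same stripchart command, extracts the offset samples, and exits non-zero when the worst offset passes a warning threshold or the 5-minute Kerberos limit; $Peer, $Samples, $WarnSeconds, $FailSeconds and the 0/1/2 exit codes are choices made here, and the parser assumes English w32tm output with "." as the decimal separator.

```powershell
# Added example, not part of the original post: turn the page's stripchart
# check into a drift monitor that exits non-zero when the offset from an NTP
# peer approaches the 5-minute Kerberos skew limit.
# Assumptions: $Peer, $Samples, $WarnSeconds and $FailSeconds are chosen here;
# w32tm output is in English with '.' as the decimal separator; exit codes
# 0/1/2 are this script's convention, not w32tm's.

param(
    [string]$Peer        = "time.windows.com",
    [int]$Samples        = 5,
    [double]$WarnSeconds = 60,    # alert long before Kerberos starts failing
    [double]$FailSeconds = 300    # the default Kerberos clock-skew tolerance
)

$raw = w32tm /stripchart /computer:$Peer /dataonly /samples:$Samples

# Data lines look like "14:02:11, +00.0031240s": local time, then the offset of
# the local clock relative to the peer. An unreachable peer produces "error:"
# lines instead, which the pattern deliberately does not match.
$offsets = @(foreach ($line in $raw) {
    if ($line -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
})

if ($offsets.Count -eq 0) {
    Write-Error "No offset samples from $Peer. Check name resolution, UDP 123 and the w32time service."
    exit 2
}

$absMax = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
$avg    = ($offsets | Measure-Object -Average).Average

"{0}: {1} samples, average offset {2:0.000}s, worst offset {3:0.000}s" -f $Peer, $offsets.Count, $avg, $absMax

if ($absMax -ge $FailSeconds) {
    Write-Error "Offset exceeds the Kerberos skew limit ($FailSeconds s): authentication will fail. Run 'w32tm /resync' and review the W32Time configuration."
    exit 2
}
elseif ($absMax -ge $WarnSeconds) {
    Write-Warning "Offset above $WarnSeconds s: the clock is drifting; investigate before it reaches $FailSeconds s."
    exit 1
}
exit 0
```

Schedule it against the PDC emulator's external peer on the PDC itself, and against the PDC emulator (via -Peer) on the other DCs, so that each check measures the hop that DC actually depends on. The warning threshold is set far below 300 seconds on purpose: by the time the offset reaches the Kerberos limit, users are already seeing logon failures.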

Conclusion

Proper time synchronization is essential for Active Directory to function correctly. Using the one-liner command to configure your PDC emulator to sync with a public NTP server ensures accurate time across your domain. Remember to configure other domain controllers to sync from the PDC emulator, not directly from external sources.

Need Help with This Process?

If you need help configuring time synchronization on your domain controllers, or if this is out of your scope to complete, we're here to help. Contact us through our contact page at nhmohio.com and we'll be happy to assist with domain controller time configuration, Active Directory maintenance, and other infrastructure projects.