WindowsTime

Uploaded by

rock.s.fernandes

How to Sync Client Time with Domain Controller on Windows?


SEPTEMBER 15, 2022 | CYRIL KARDASHEVSKY | ACTIVE DIRECTORY, WINDOWS

To function properly in a domain, a Windows computer's time must be synchronized
with the domain. This is primarily important for Kerberos authentication to work.
Windows constantly synchronizes the time with NTP servers. Domain controllers act
as NTP servers for computers joined to an Active Directory domain.

On a Windows computer that is not part of an Active Directory domain, the
computer time is synchronized by default with one of two Internet time sources:

• time.windows.com
• time.nist.gov

You can find the list of Internet servers that your computer synchronizes time with in
the Control Panel > Date and Time > Internet time tab > Change Settings. As you can
see, this computer is set to automatically synchronize with ‘time.windows.com’ and
the Synchronize with an Internet time server option is enabled.
The list of these Internet time servers is stored in the Windows registry under
the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers key.

On computers joined to an Active Directory domain, time synchronization works
differently.

Features of time synchronization in Active Directory domains:

• All domain computers and servers must use NT5DS domain time;
• Domain workstations and Windows member servers synchronize time with the
  nearest domain controller;
• Domain controllers synchronize their time with the domain controller that owns
  the PDC emulator FSMO role;
• The PDC emulator in the child domain must synchronize time with any domain
  controller in the parent AD domain;
• The PDC emulator in the parent domain must synchronize time with an external
  NTP source.

Hint. Learn more about time syncing in an Active Directory domain using GPO.

The Windows Time Service (W32Time) is responsible for time synchronization. First of
all, make sure this service is running on the Windows client computer using the
Get-Service cmdlet:

Get-Service W32Time | Select-Object name,status

You can check with which NTP server (NTP source) your computer is currently
synchronizing the time by using the command:

w32tm /query /source

More information on the status of time synchronization on the client device:

w32tm /query /status

In an AD domain, you can list the domain controllers with which time synchronization
can be performed:

w32tm /monitor

For computers in an Active Directory domain, you can use the following commands to
enable time synchronization with a DC:

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

The Windows Time service parameters are stored under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key.
The synchronization mode is set using the Type parameter. If you change the Type value
to NoSync, you completely disable time synchronization in Windows.

Windows Time Synchronization in an Active Directory Domain

On all computers joined to the Active Directory domain, the closest domain controller is
used as the default time source. In this case, the Type parameter must be set
to NT5DS. If NTP is specified here, then your computer synchronizes time with an
external time source (possibly on the Internet). In this case, the time source for your
computer (NTP server) will be specified in the NtpServer registry parameter.

To enable automatic time synchronization of a Windows client with a domain controller,
you must set the Type parameter to NT5DS.

If the NT5DS time synchronization type is used, the time source specified in the
NtpServer parameter is ignored and Windows synchronizes the time with the nearest
domain controller (in accordance with the Active Directory sites).

You can manually change this parameter by using the Registry Editor (regedit.exe) or
with PowerShell:

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Parameters -Name "Type" -Value "NT5DS"

Restart the Windows Time service:

Restart-Service -Name w32time
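
A read-only check of the settings discussed above, added here as an example and not taken from the original article. The function name is hypothetical; the AllSync value and the two local-clock source strings are not mentioned on the page and are included as known W32Time behaviour.

```powershell
# Added example: read-only audit of the W32Time client settings.
function Get-W32TimeClientAudit {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $params = Get-ItemProperty -Path $key
    $svc    = Get-Service -Name W32Time
    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    # Ask the service which source it is using right now.
    $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()

    $findings = @()
    if ($svc.Status -ne 'Running') {
        $findings += 'W32Time service is not running'
    }
    switch ($params.Type) {
        'NT5DS' {
            if (-not $joined) { $findings += 'Type is NT5DS but the computer is not domain-joined' }
        }
        'NTP' {
            if ($joined) { $findings += "Type is NTP: NtpServer '$($params.NtpServer)' is used instead of a domain controller" }
        }
        'AllSync' {
            # Not covered on the page: domain hierarchy and NtpServer are both used.
            if ($joined) { $findings += "Type is AllSync: NtpServer '$($params.NtpServer)' is used alongside the domain hierarchy" }
        }
        'NoSync' { $findings += 'Type is NoSync: time synchronization is disabled' }
        default  { $findings += "Unexpected Type value '$($params.Type)'" }
    }
    # w32tm reports one of these names when the clock has no upstream source.
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "No upstream time source (w32tm reports '$source')"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Service   = $svc.Status
        Type      = $params.Type
        NtpServer = $params.NtpServer
        Source    = $source
        Findings  = $findings
    }
}

Get-W32TimeClientAudit | Format-List
```

An empty Findings list on a domain member means the service is running, Type is NT5DS and the client has an upstream source.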

In some cases, for the Windows client to synchronize the time with the AD domain
controller, you need to reset the Windows Time service configuration. To do this, open a
command prompt as an administrator and run the following commands:

• The first command unregisters the w32time service and removes the settings
  from the registry:

w32tm /unregister

• The following command registers the service and restores the default time
  settings:

w32tm /register

• Restart the service:

net stop w32time && net start w32time

• Update settings:

w32tm /config /update

• Synchronize the time:

w32tm /resync

• Check your current sync settings:

w32tm /query /status

The screenshot below shows that Windows is now synchronizing with the DC (Source).
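
To confirm after the reset that the client clock is actually close enough to the domain controller for Kerberos, the offset can be measured directly. This is an added example, not part of the original article; the function name is hypothetical, and it assumes that LOGONSERVER names a reachable DC and that the domain keeps the default Kerberos clock tolerance of 5 minutes (a value the page does not state).

```powershell
# Added example: measure this client's clock offset against a domain controller.
function Get-ClockOffsetSeconds {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$Samples = 3
    )
    # With /dataonly, each sample is printed as "HH:mm:ss, +00.0012345s".
    $out = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly 2>&1
    $offsets = @(foreach ($line in $out) {
        # Lines such as "HH:mm:ss, error: 0x..." do not match and are skipped.
        if ("$line" -match ',\s*([+-]\d+[.,]\d+)s\s*$') {
            [double]::Parse($Matches[1].Replace(',', '.'), [cultureinfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) { throw "No usable time samples from $Computer" }
    # The worst sample is what matters for authentication.
    ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
}

# Assumption: LOGONSERVER holds the DC that authenticated this session (\\NAME).
$dc = $env:LOGONSERVER -replace '^\\\\', ''
if (-not $dc) { throw 'LOGONSERVER is empty; pass a domain controller name instead' }

# Assumption: default Kerberos clock tolerance of 5 minutes.
$toleranceSeconds = 300
$offset = Get-ClockOffsetSeconds -Computer $dc

[pscustomobject]@{
    DomainController = $dc
    MaxOffsetSeconds = [math]::Round($offset, 3)
    WithinTolerance  = ($offset -lt $toleranceSeconds)
}
```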

Configuring NTP Client on Windows Using GPO

In most cases, time synchronization of a Windows client with the domain doesn’t require any
administrator intervention. However, if you find that time synchronization on clients in
your domain is not working properly, you can centrally configure client NTP settings on
Windows devices using Group Policy.

1. Use the gpedit.msc console if you want to change Group Policy settings on a
   single computer (this is the best solution if you need to solve synchronization
   problems on a single computer or test new NTP client settings). If you are setting
   up a GPO for multiple computers in a domain, use the Group Policy Management
   Console (gpmc.msc);
2. Expand the following node in the left pane of the GPO editor: Computer
   Configuration > Administrative Templates > System > Windows Time
   Service;
3. Open the Enable Windows NTP Client policy in the right pane and enable it;
4. Then select the Configure NTP Client option. Change its state to Enabled;
5. You need to set the following settings in the Options panel:
   NTPServer: your domain name (preferred) or the FQDN of the
   domain controller with the PDC Emulator role (you can find it with the
   command: netdom.exe query fsmo)
   Type: NT5DS
   CrossSiteSyncFlags: 2
   ResolvePeerBackoffMinutes: 15
   ResolvePeerBackoffMaxTimes: 7
   SpecialPollInterval: 64
   EventLogFlags: 0
6. Restart your computer to apply the new GPO client time settings.
