How to Configure Active Directory PDC to Sync with an External Time Server (NTP).
If you want to learn how to configure your Active Directory Primary Domain Controller to synchronize time with an external time server (NTP), then this guide is for you.
If the machines on your network are domain-joined, the PDC Emulator in your forest root domain is the time provider, and all other domain controllers and member machines sync their time from it. This means, however, that if the PDC emulator has the wrong time, a variety of problems can occur, such as authentication failures, because Active Directory, Kerberos, and certificates all depend on accurate time.
For this reason, and because commonly the PDC emulator gets its time from its local BIOS clock (also known as CMOS Clock), it is good practice to configure it to get its time from an external time source, i.e. from an authorized time server (aka "NTP Server").
Therefore, if your PDC server is displaying the wrong date/time, go ahead and configure the Windows Time Service (W32Time) on it to get the correct time from a trusted external NTP server and avoid problems on your network.
How to Configure the PDC emulator to receive time from an NTP server.
Step 1. Find your PDC Emulator on your Network.
1. If you have more than one domain controller on your network, log in to any of them and run the command below in PowerShell to find out which is the PDC Emulator:
- netdom query fsmo
2. After finding the PDC Emulator, log in to that domain controller and follow one of the methods below to configure NTP Servers.
Method 1. Configure NTP Server on PDC through Registry.
The first method to specify an NTP server on the PDC Emulator for time synchronization is by using the registry.
1. Press the Windows + R keys, type "regedit" in the 'Run' box and press Enter to open the registry editor.
2. In Registry Editor navigate to this path from the left:
- HKLM\System\CurrentControlSet\Services\W32Time\Parameters.
3. In the right pane, do the following:
a. Open the Type REG_SZ value and change the value data from "NT5DS" to "NTP". Then click OK.*
* Info:
- NT5DS: This value forces the PDC to sync time from its Local (internal) CMOS clock (aka "BIOS Clock").
- NTP: This value forces the PDC to synchronize the time from an external time source that you specify (see below).
b. Now open NtpServer REG_SZ value and in the value data, specify the NTP server to sync time followed by ",0x8". For example, "time.windows.com,0x8" or "0.pool.ntp.org,0x8". When done, click OK. *
* Note: Multiple NTP servers must be space-delimited, for example "time.windows.com,0x8 0.pool.ntp.org,0x8".
4. Close the Registry Editor and then open an administrative Command prompt or PowerShell and run the following command to update the configuration of the Windows Time service.*
- w32tm /config /update
* Info: The "w32tm /config /update" command forces the Windows Time service (W32Time) to immediately apply configuration changes made to the registry without having to restart the service.
5. Finally, give the following command to resync time from the specified NTP Server immediately:*
- w32tm /resync /force
* Info: After executing the "w32tm /resync /force" command, the time on the PDC should be synchronized from the specified NTP Server. If this does not happen or you receive the error "The computer did not resync because no time data was available", follow the troubleshooting steps at the end of this tutorial.
Method 2. Specify NTP Servers through PowerShell or Command Prompt.
The next method to configure a PDC emulator to get the time from an external time source, instead of its local BIOS clock, is by using PowerShell.
1. Open PowerShell or Command Prompt as Administrator.
2. Then, issue the following command to specify the NTP server from which you want the PDC to synchronize time, followed by ",0x8":*
- w32tm.exe /config /syncfromflags:manual /manualpeerlist:"NTPserverAddress,0x8" /reliable:yes /update
* Note: Replace "NTPserverAddress" with the name or IP address of the NTP Server.
Example 1: To synchronize the PDC from the NTP server "0.pool.ntp.org", issue this command:
- w32tm.exe /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org,0x8" /reliable:yes /update
Example 2: To synchronize the PDC from multiple NTP servers, e.g. from "0.pool.ntp.org" and "time.windows.com", issue this command:
- w32tm.exe /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org,0x8 time.windows.com,0x8" /reliable:yes /update
3. Next, issue the below command to apply the configuration changes.
- w32tm /config /update
4. Finally, give the following command to resync time immediately:
- w32tm /resync /force
5. After executing the last command, the time on the PDC should be synchronized with the external time source (NTP Server) and the message "Command completed successfully" should appear. If this does not happen or you receive the error "The computer did not resync because no time data was available", follow the troubleshooting steps at the end of this tutorial.
Method 3. Set the NTP Server via Group Policy.
1. Open Group Policy Management and create a new GPO or edit the "Default Domain Controllers Policy".
2. Navigate to Computer Settings -> Administrative Templates -> System -> Windows Time Service -> Time Providers.
3a. In the right pane, open the Configure Windows NTP Client.
3b. In the Configure Windows NTP Client policy, do the following and then click OK:
- Set the state to Enabled
- Specify your own NTP Server or leave the default (time.windows.com,0x9)
- Change the type to NTP
4a. Then open the Enable Windows NTP Client policy, set it to Enabled and click OK.
5. Close Group Policy Management and run "gpupdate /force" to update the configuration.
6. Then give the following command to verify that the NTP server you specified is the time source of your PDC emulator.
- w32tm /query /source
7. Finally, give the following command to check if the time is successfully synced from the specified NTP Server and you're done!
- w32tm /resync /force
Troubleshooting Steps.
If, after following the above instructions, your PDC emulator is not synchronizing its time from the external NTP server, do the following:
1. Open Windows Services (services.msc) and make sure that the Windows Time service is running and that the startup type is set to "Automatic".
2. Check that the Name/IP address of the specified NTP Server is correct, by issuing this command:*
- w32tm /query /source
* Note: The above command should show one of your NTP servers. If the result says "Local CMOS Clock", that means that the NTP Server's name is wrong (e.g. misspelled), or that the specified server is not acting as an NTP Server. In this case, re-check your configuration or specify another NTP Server and then try to sync the time again.
4. Verify that the UDP port 123 is not blocked in the Firewall.
5. Verify the Time Service configuration, by executing the command below:
- w32tm /query /configuration
6. Clear all the Time Service settings with the specified external NTP servers by running the following commands, and then reconfigure the NTP servers on the PDC emulator.
- w32tm /unregister
- net stop w32time
- w32tm /register
- net start w32time
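The troubleshooting checks above can be run in one pass. The following PowerShell script is an added example, not part of the original guide: it checks the service state, the registry values from Method 1, the active time source, and whether each configured peer answers over NTP. The variable names are illustrative, and the 300-second threshold is an assumption based on the default Kerberos clock-skew tolerance of 5 minutes.

```powershell
# Added example (not from the original guide). Run elevated on the PDC emulator.
$paramKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$maxSkewSeconds = 300   # assumption: default Kerberos clock-skew tolerance (5 minutes)
$findings       = @()

# Troubleshooting step 1: service must be running with startup type Automatic.
$svc = Get-Service -Name W32Time
if ($svc.Status -ne 'Running')      { $findings += "W32Time status is $($svc.Status)" }
if ($svc.StartType -ne 'Automatic') { $findings += "W32Time startup type is $($svc.StartType)" }

# Method 1 values: Type must be NTP; NtpServer is a space-delimited "host,flags" list.
$params = Get-ItemProperty -Path $paramKey
if ($params.Type -ne 'NTP') { $findings += "Type is '$($params.Type)', expected 'NTP'" }
$peers = @()
foreach ($entry in ("$($params.NtpServer)" -split '\s+' | Where-Object { $_ })) {
    $name, $flags = $entry -split ',', 2
    if (-not $flags) { $findings += "Peer '$name' has no flags suffix such as ,0x8" }
    $peers += $name
}
if (-not $peers) { $findings += 'NtpServer is empty' }

# Troubleshooting step 2: the active source must not be the local clock.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock') { $findings += 'Active source is Local CMOS Clock' }

# Troubleshooting step 4: query each peer over NTP (UDP 123) and measure the offset.
foreach ($peer in $peers) {
    $out  = w32tm /stripchart "/computer:$peer" /samples:3 /dataonly 2>&1 | Out-String
    # Data lines look like "12:00:01, +00.0123456s"; failed samples carry "error:" instead.
    $offs = @([regex]::Matches($out, '([+-]\d+\.\d+)s') |
              ForEach-Object { [math]::Abs([double]$_.Groups[1].Value) })
    if ($offs.Count -eq 0) {
        $findings += "No NTP reply from $peer (UDP 123 blocked or wrong name?)"
        continue
    }
    $worst = ($offs | Measure-Object -Maximum).Maximum
    if ($worst -gt $maxSkewSeconds) { $findings += "$peer offset is $worst s, above $maxSkewSeconds s" }
}

# Report: one warning per failed check, or a single confirmation line.
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { "W32Time checks passed; source: $source" }
```

The script only reads state and changes nothing. If the NTP server was set through Group Policy (Method 3), compare its result with the output of "w32tm /query /configuration", since the script reads only the registry key used in Method 1.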
Frequently Asked Questions
What is the role of the PDC Emulator in time synchronization?
The PDC Emulator in your forest root domain serves as the primary time provider for all domain controllers and member machines in the network. If the PDC Emulator's time is incorrect, authentication failures and other issues can occur since Active Directory and related services rely on accurate time.
Why should the PDC Emulator synchronize with an external time server?
Synchronizing the PDC Emulator with an external time server is recommended to ensure accurate time across your network. The PDC Emulator typically derives its time from the local BIOS clock, which might not always be accurate. Using an NTP server helps prevent issues related to time discrepancies.
How do I find out which domain controller is the PDC Emulator?
To find the PDC Emulator, log in to any domain controller on your network and run the command `netdom query fsmo` in PowerShell. This command will display the Flexible Single Master Operations (FSMO) roles, including the PDC Emulator role.
What command should I use to update the Windows Time service configuration after changing the registry?
After making changes in the registry to define an NTP server, run the command `w32tm /config /update` in an administrative Command Prompt or PowerShell to apply the configuration changes made to the Windows Time service.

