Configure Domain NTP Sync

As we all know, time sync on domain-joined computers is essential.
The following details the configuration of the Domain Controllers to sync with a trusted time source via NTP.

I always recommend configuring the PDC Emulator to sync with a known good NTP source, then configuring all other DCs to sync from the domain hierarchy (domhier).
This configuration ensures that all of the DCs have the same time source, which in turn flows to all client PCs.

If the DC is configured with the Hyper-V time provider (as is the case with Azure VMs), this should be disabled before configuring NTP sync.
To disable the Hyper-V time provider, enter the following from an administrative command prompt:
    reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

Configuration of NTP on the Domain Controllers:

  1. Locate the PDC Emulator:
    netdom query pdc
  2. Open an administrative command prompt on the PDC Emulator.
  3. Configure the peers for the PDC Emulator to sync with (in my case au.pool.ntp.org):
    w32tm /config /manualpeerlist:"au.pool.ntp.org,0x1;1.au.pool.ntp.org,0x1" /syncfromflags:MANUAL
  4. Flag this DC as a reliable time source:
    w32tm /config /reliable:yes
  5. Restart the w32time service; this should start the sync with the configured peers:
    net stop w32time && net start w32time
  6. Check the event logs for time sync events. Note that event ID 47 in the System log could indicate a firewall blocking the connection on UDP port 123.
  7. On all other DCs, run the following commands:
    w32tm /config /syncfromflags:domhier /update
    net stop w32time && net start w32time

If required, here are some other helpful commands:
  • Force a full sync: w32tm /resync /nowait
  • List the NTP service status: w32tm /query /status
  • List the configured NTP peers: w32tm /query /peers
  • List the configured time source: w32tm /query /source
  • Check the NTP configuration: w32tm /query /configuration
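
To confirm the result of the steps above across every DC, the following PowerShell script (an added example, not part of the original post) reports each DC's sync type, Hyper-V time provider state, time source, and clock skew against the PDC Emulator. It assumes English w32tm output, rights to query w32tm remotely on every DC, a single domain, and an illustrative 1-second threshold; the function and variable names are hypothetical.

```powershell
# Added example, not from the original post. Assumes English w32tm output,
# remote w32tm query rights on every DC, and a threshold chosen for illustration.
$MaxSkewSeconds = 1.0   # assumption: acceptable skew between a DC and the PDC Emulator

function Get-W32tmText([string[]]$Arguments) {
    # Run w32tm and return its output (stdout and stderr) as one string.
    (& w32tm.exe @Arguments 2>&1 | Out-String).Trim()
}

function Get-DcOffset([string]$Computer) {
    # One /stripchart sample: offset of $Computer relative to the local clock, in seconds.
    $text = Get-W32tmText @('/stripchart', "/computer:$Computer", '/samples:1', '/dataonly')
    if ($text -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
}

$domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc       = $domain.PdcRoleOwner.Name
$pdcOffset = Get-DcOffset $pdc

foreach ($dc in $domain.DomainControllers) {
    $name   = $dc.Name
    $config = Get-W32tmText @('/query', "/computer:$name", '/configuration')

    # NtpClient "Type": NTP = manual peer list, NT5DS = domain hierarchy.
    $type = if ($config -match 'Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    # VMICTimeProvider "Enabled" should be 0 once the Hyper-V provider is disabled.
    $vmic = if ($config -match '(?s)VMICTimeProvider.*?Enabled:\s*(\d)') { $Matches[1] } else { 'n/a' }

    $expected = if ($name -eq $pdc) { 'NTP' } else { 'NT5DS' }
    $offset   = Get-DcOffset $name
    $skew     = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Abs($offset - $pdcOffset) } else { $null }

    [pscustomobject]@{
        DC          = $name
        Role        = if ($name -eq $pdc) { 'PDC Emulator' } else { 'DC' }
        Type        = $type
        TypeOk      = ($type -eq $expected)
        VmicEnabled = $vmic
        Source      = Get-W32tmText @('/query', "/computer:$name", '/source')
        SkewVsPdc   = $skew
        SkewOk      = ($null -ne $skew -and $skew -le $MaxSkewSeconds)
    }
}
```

A row with TypeOk or SkewOk set to False, or VmicEnabled set to 1, points at a DC where the corresponding step above was missed or has not yet taken effect.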

At any time you can reset the w32time service configuration as follows:
  1. Stop the w32time service:
    net stop w32time
  2. Unregister the w32time service:
    w32tm /unregister
  3. Re-register the w32time service:
    w32tm /register
  4. Start the w32time service:
    net start w32time