How to configure an “Authoritative Time Server” in an AD domain.

If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you need to sync the PDC Emulator role owner DC in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts.

Verify the name of the DC that holds the PDC role by running the command “netdom query fsmo”.

IMPORTANT UPDATE:
If the PDC role owner is on Hyper-V, then it is recommended to partially disable the Hyper-V Time Service on the PDC role owner DC only.

To partially disable the Hyper-V time synchronization provider, leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

CONFIGURATION SECTION:
Run the following commands on the PDC role holder DC in the forest root domain:
W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

net stop w32time & net start w32time & W32tm /resync /rediscover

Run the following commands on the former PDC and/or any non-PDC role holder DC:
w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

You can use any of the reliable external time servers listed at the link below: http://support.microsoft.com/kb/262680

Commonly used external time servers: “time.windows.com,0x1”, “pool.ntp.org,0x1”, etc.

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:  w32tm /resync /rediscover

Quick note and parameter explanation:
On Domain Controllers (except the PDC) and domain members, the TYPE entry in the registry should be NT5DS: http://support.microsoft.com/kb/223184

The server and the client communicate with each other using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that UDP port 123 is open on the firewall.

/manualpeerlist:peers
Sets the manual peer list to <peers>, which is a space-delimited list of DNS names or IP addresses of the reliable external time servers.

/syncfromflags:manual
Sets which sources the NTP client should sync from.

/update:
Notifies the time service that the configuration has changed, so that the new settings take effect.
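
A read-only check of the settings configured above, as an added example that is not part of the original post. The -IsPdc and -Peer parameters are names chosen for this example, and the string matches assume English-language w32tm output.

```powershell
# Added example: read-only check of the W32Time settings described above.
# Run from an elevated PowerShell prompt on the domain controller being checked.
param(
    [switch]$IsPdc,                        # set on the forest root PDC emulator only
    [string]$Peer = 'time.windows.com'     # external peer used for the UDP 123 probe
)

$w32      = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params   = Get-ItemProperty -Path "$w32\Parameters"
$config   = Get-ItemProperty -Path "$w32\Config"
$findings = @()

# /syncfromflags:manual stores Type = NTP; /syncfromflags:domhier stores Type = NT5DS.
$expectedType = if ($IsPdc) { 'NTP' } else { 'NT5DS' }
if ($params.Type -ne $expectedType) {
    $findings += "Parameters\Type is '$($params.Type)', expected '$expectedType'"
}

if ($IsPdc) {
    # /manualpeerlist is stored in Parameters\NtpServer.
    if (-not $params.NtpServer) { $findings += 'Parameters\NtpServer (manual peer list) is empty' }

    # AnnounceFlags bit 0x4 marks this DC as an always-reliable time source.
    if (-not ($config.AnnounceFlags -band 0x4)) {
        $findings += "Config\AnnounceFlags is $($config.AnnounceFlags); reliable bit 0x4 is not set"
    }

    # Only matters when this DC is a Hyper-V guest: Enabled should be 0.
    $vmic = Get-ItemProperty -Path "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
    if ($vmic -and $vmic.Enabled -ne 0) {
        $findings += 'VMICTimeProvider is enabled (relevant if this DC is a Hyper-V guest)'
    }

    # Three samples against the external peer; an "error" line means no NTP reply came back.
    $probe = & w32tm /stripchart /computer:$Peer /samples:3 /dataonly
    if ($probe -match 'error') { $findings += "No NTP reply from $Peer; check UDP port 123 on the firewall" }
}

# A DC that has fallen back to its own clock or to the Hyper-V host is not following the design above.
$source = (& w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider') {
    $findings += "Current time source is '$source'"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "W32Time configuration matches the expected '$expectedType' role." }
```

Run it with -IsPdc on the forest root PDC emulator and without the switch on every other DC; it changes nothing and only reports deviations.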

Time Configuration using Group Policy:
The authoritative Windows Time server, that is, the Windows Time Service on the PDC emulator role holder DC, cannot be changed with a GPO, and doing so is not recommended in any case. However, you may use Group Policy to make all the domain clients sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:

Configure Global Configuration Settings at the following path:
Computer Configuration\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings at the following path:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers


5 thoughts on “How to configure an “Authoritative Time Server” in an AD domain.”

  1. buy website traffic reviews

    I blog quite often and I seriously appreciate your content.
    The article has really piqued my interest. I am going to
    bookmark your site and keep checking for new details about once a week.
    I subscribed to your RSS feed as well.

  2. short urls

    It's like you read my mind! You seem to know a lot about
    this, like you wrote the book on it or something. I think that you could do with a few pics to drive the message
    home a little bit, but other than that, this is a great blog.
    A fantastic read. I will certainly be back.

  3. Silent Hunter

    I have only 2 DCs in the same location; DC time is 9 min. ahead of the original time. How do I change the DC time so that it automatically takes effect on client PCs?

  4. Stevie

    Hi! I’ve been reading your blog for some time now and finally got the courage to go ahead and give you a shout out from Kingwood Tx! Just wanted to mention keep up the fantastic work!
