How to configure NTP server in Active Directory, Step by step
Updated: Mar 30, 2019
If you want your Active Directory environment, including domain controllers and domain computers, to have a reliable time service that synchronizes correctly with an external time server, this post shows how to set that up in a few simple steps.
Active Directory cannot work correctly if clocks are not synchronized across domain controllers and member machines.
Several services depend on correct time. Kerberos is one: by default, a computer whose clock is more than 5 minutes out of sync with the domain will not authenticate. Replication is another: Active Directory uses time stamps to resolve replication conflicts.
How Does it Work?
In Active Directory, clock synchronization is handled by the Windows Time service (W32Time);
All member machines synchronize with a domain controller;
Within a domain, all domain controllers synchronize from the PDC Emulator of that domain;
The PDC Emulator of a child domain should synchronize, using NTP, with a domain controller of the parent domain;
The PDC Emulator of the forest root domain should synchronize with an external time server, which could be a router, another standalone server, an internet time server, etc.
You can have a better idea about this flow in the following picture:
That said, let's set up the time service.
From your PDC, open a command prompt as administrator and type:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
Confirm that your server is properly configured:
w32tm /query /status
Note that pool.ntp.org is used here as the external time server; replace it with the address of the server you want to use.
Next, run the following command on all other DCs (those that do not hold the PDC role):
w32tm /config /syncfromflags:domhier /update
Configure your internal and perimeter firewalls to allow outgoing and incoming NTP traffic (UDP port 123) to and from your server.
Don't forget: if your PDC is a virtual machine hosted on a Hyper-V server, you have to disable time synchronization in the VM settings. To do that, follow the instructions below:
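The PDC and non-PDC steps above, as an added PowerShell script that is not part of the original post: it checks whether the local DC holds the PDC Emulator role, applies the matching w32tm configuration from the post, restarts the service and then verifies that the reported source is no longer the local CMOS clock. It assumes an elevated session on a domain controller with the ActiveDirectory module installed; $ExternalPeer is a placeholder for your own time source.

```powershell
# Added example (not from the original post): apply the post's w32tm settings
# according to the DC's role, then verify the result.
# Assumptions: runs elevated on a DC; ActiveDirectory RSAT module present;
# $ExternalPeer is a placeholder for your real external time source.
$ExternalPeer = 'pool.ntp.org'

Import-Module ActiveDirectory

# Does this host hold the PDC Emulator role for its domain?
$domain    = Get-ADDomain
$localFqdn = "$env:COMPUTERNAME.$($domain.DNSRoot)"
$isPdc     = ($domain.PDCEmulator -ieq $localFqdn)

if ($isPdc) {
    # PDC: sync from the external source and advertise as a reliable time source.
    w32tm /config "/manualpeerlist:$ExternalPeer" /syncfromflags:manual /reliable:yes /update
} else {
    # Any other DC: follow the domain hierarchy, which ends at the PDC.
    w32tm /config /syncfromflags:domhier /update
}

# Equivalent of "net stop w32time" / "net start w32time".
Restart-Service -Name w32time
Start-Sleep -Seconds 5
w32tm /resync /rediscover /nowait

# Verify: the reported source must not be the local clock.
$source = (w32tm /query /source) -join ''
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "Time source is '$source'; w32time is not synchronizing yet."
} else {
    Write-Host "Role: $(if ($isPdc) {'PDC'} else {'non-PDC'}); time source: $source"
}
w32tm /query /status
```

Run it once on each DC; the role check means the same script can be pushed to all of them without picking the PDC by hand.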
1 - Open Hyper-V Manager.
2 - Select the virtual guest DC.
3 - Click Settings.
4 - Click Integration services.
5 - Clear the Time Synchronization option.
6 - Exit Hyper-V Manager.
7 - Restart the server.
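The same Hyper-V change, as an added PowerShell snippet run on the Hyper-V host (not from the original post); it uses the Hyper-V module's Get-VMIntegrationService and Disable-VMIntegrationService cmdlets. $VmName is a placeholder for the name of your virtual DC.

```powershell
# Added example (not from the original post): disable the Time Synchronization
# integration service for the guest DC, and confirm the result.
# Assumption: runs on the Hyper-V host; $VmName is a placeholder for your DC VM.
$VmName = 'DC01'

$timeSync = Get-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
if ($timeSync.Enabled) {
    Disable-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
    Write-Host "Disabled Hyper-V time synchronization for $VmName. Restart the guest (step 7)."
} else {
    Write-Host "Hyper-V time synchronization is already disabled for $VmName."
}

# Show all integration services so the change is visible next to the others.
Get-VMIntegrationService -VMName $VmName | Select-Object Name, Enabled
```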
I screwed up my configuration, now what?
Don't worry, you can restore the time service to its default values:
net stop w32time
If you are seeing Event ID 47 errors, or if your configuration reports the time source as "Local CMOS Clock", try the following:
1 - Repeat the procedure above;
2 - Make sure you can reach your external NTP server; try to ping it;
3 - Restart your server and try again;
4 - Make sure no other NTP settings are applied to your domain through GPO;
5 - Make sure your current time is not more than 1000 seconds away from the real time;
6 - Make sure your server is set to the right time zone;
7 - You can also check for time advertisement on the PDC by running w32tm.exe /resync /rediscover /nowait, then looking for Event ID 139;
8 - You can check the registry to confirm that the domain controller is using NTP (expected on the PDC) or NT5DS (on non-PDCs): find the value of Type under:
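To gather the evidence this checklist asks for in one pass, here is an added PowerShell script that is not part of the original post. It reads the effective W32Time settings (including the Type value) from the standard W32Time Parameters key, checks whether a time GPO is applied, measures the offset against the external peer with w32tm /stripchart (which exchanges real NTP packets on UDP 123, unlike ping), and pulls the recent Event ID 47 and 139 entries. It changes nothing. It assumes an elevated session on the DC; $ExternalPeer is a placeholder.

```powershell
# Added example (not from the original post): collect the checklist's signals
# on one DC without changing its configuration.
# Assumptions: elevated PowerShell on the DC; $ExternalPeer is a placeholder.
$ExternalPeer = 'pool.ntp.org'

# Items 4, 6 and 8: effective W32Time settings and whether a GPO overrides them.
# These are the standard W32Time registry locations on Windows Server.
$params    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
[pscustomobject]@{
    CurrentSource = (w32tm /query /source) -join ''
    Type          = $params.Type           # expect NTP on the PDC, NT5DS elsewhere
    NtpServer     = $params.NtpServer
    ManagedByGpo  = Test-Path $policyKey   # present only when a time GPO applies
    TimeZone      = (Get-TimeZone).Id
}

# Items 2 and 5: talk NTP to the external peer and measure the clock offset.
$samples = w32tm /stripchart "/computer:$ExternalPeer" /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    # Data lines look like "12:00:00, +00.0012345s"; capture the signed offset.
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No NTP reply from $ExternalPeer; check DNS and outbound UDP 123."
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt 1000) {
        Write-Warning ("Clock is {0:N1}s off, beyond the 1000 s limit in item 5; set the time by hand first." -f $worst)
    } else {
        Write-Host ("Largest offset vs {0}: {1:N3}s" -f $ExternalPeer, $worst)
    }
}

# Items 1 and 7: recent Time-Service events. 47 = no valid response from the
# configured peer; 139 = the service is advertising as a time source.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Id           = 47, 139
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If Type shows NT5DS on the PDC or NTP on a non-PDC, the role-specific w32tm /config command from the setup section was run on the wrong machine; if ManagedByGpo is True, the GPO wins over anything set locally with w32tm.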
For any doubts or suggestions, please leave a comment below.