It’s important that Windows time is set correctly – Kerberos, for example, rejects tickets when the clocks of client, DC and service differ by more than the default five-minute tolerance – but how Windows time works seems to be a poorly understood area.
In this article, I’ll try to clear up the concepts and explain what is, in my opinion, the best way to implement time services throughout your domain(s).
Background
- A domain-joined Windows machine, by default, sets its time through the domain hierarchy. The root of that hierarchy is the domain controller which holds the FSMO role “PDC emulator” (PDCe)
- In a multi-domain environment, the PDCe in the forest root domain is the overall master; the PDCe of each child domain syncs from the PDCe of its parent
- UDP port 123 (NTP) is used for all time-sync traffic
- All other DCs will, by default, sync from the PDCe of their own domain. There is no need to set anything here unless something has gone wrong.
- Member servers and workstations will, by default, sync from a domain controller in their own domain, which in turn follows the hierarchy up to the PDCe. There is no need to set anything here unless something has gone wrong.
- Windows Server 2016 and later offer (optionally) more accurate time than previous versions – https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time
Setting up NTP on the PDCe
I strongly recommend utilising group policy to set up NTP on your PDC emulator, not the command line. Using a group policy makes the settings a) obvious and b) easily transportable to new DCs as you migrate or upgrade in the future. Note that policy-delivered settings are written under HKLM\SOFTWARE\Policies\Microsoft\W32Time and override anything set locally with w32tm /config, so once the GPO applies, the command line can no longer silently change them.
- Create a new GPO, I name mine “Domain Controller – Set NTP on PDCe”
- Narrow it down to your PDCe by either
- Removing “Authenticated Users” from the security filtering and adding the computer account of your current PDCe (this will need to be manually updated if/when the PDCe role moves)
- Utilising a WMI filter with the query “Select * from Win32_ComputerSystem where DomainRole = 5” (DomainRole 5 is “Primary Domain Controller”, i.e. the PDCe holder, so this auto-updates when the PDCe moves)
- Set the following within the group policy
- Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
- Enable Windows NTP Client: Enabled
- Enable Windows NTP Server: Enabled
- Configure Windows NTP Client: Enabled
- NtpServer: <YourExternalNTPServer1>,0x1 <YourExternalNTPServer2>,0x1 (the 0x1 flag is SpecialInterval, which makes the client poll at the SpecialPollInterval set below; for Adelaide based clients, I used ntp.internode.on.net and ntp.adelaide.edu.au – a local ISP and a local University – but these could be any publicly available NTP servers)
- Type: NTP
- CrossSiteSyncFlags: 2
- ResolvePeerBackoffMinutes: 15
- ResolvePeerBackoffMaxTimes: 7
- SpecialPollInterval: 3600
- EventLogFlags: 0
Commands to check status and troubleshoot
- w32tm /monitor – this exceedingly useful command will show you the status of all DCs in the domain, where each is configured to get its time from, and its offset from the authoritative time source
- w32tm /query /source and w32tm /query /configuration – show, for the local machine, the peer it is currently syncing from and the effective (policy or local) settings
- If a domain controller is having issues, reset it to the domain hierarchy and restart the service:
- w32tm /config /syncfromflags:domhier /update
- net stop w32time
- net start w32time
- w32tm /resync
- w32tm /query /status
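As an added example (not code from the original article), the following PowerShell measures a DC’s clock offset from the PDC emulator with w32tm /stripchart and, if it exceeds a threshold, applies the domain-hierarchy reset listed above. It assumes the ActiveDirectory module is installed, that it runs elevated on the affected DC, and the one-second alert threshold is an assumed value.

```powershell
# Added example, not part of the original article: measure this DC's clock
# offset from the PDC emulator and optionally reset it to the domain hierarchy.
# Assumes the ActiveDirectory module is available and the script runs elevated.

function Get-OffsetFromPdce {
    param(
        [string]$Pdce = (Get-ADDomain).PDCEmulator,  # requires the ActiveDirectory module
        [int]$Samples = 5
    )
    # /dataonly prints one line per sample such as "10:23:45, +00.0012345s";
    # header lines ("Tracking ...", "Collecting ...") and error lines do not match.
    $raw = & w32tm.exe /stripchart /computer:$Pdce /samples:$Samples /dataonly
    $offsets = @(foreach ($line in $raw) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { throw "No samples returned from $Pdce; is UDP 123 reachable?" }
    [pscustomobject]@{
        Pdce          = $Pdce
        Samples       = $offsets.Count
        MeanOffsetS   = [math]::Round(($offsets | Measure-Object -Average).Average, 4)
        MaxAbsOffsetS = [math]::Round(($offsets | ForEach-Object { [math]::Abs($_) } |
                                        Measure-Object -Maximum).Maximum, 4)
    }
}

function Repair-W32TimeDomainHierarchy {
    # The same steps listed in the article, followed by a forced resync and a read-back.
    & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
    Restart-Service -Name w32time -Force
    & w32tm.exe /resync | Out-Null
    & w32tm.exe /query /source
    & w32tm.exe /query /status
}

# Assumed threshold: far below Kerberos' default 5-minute clock-skew tolerance,
# so drift is caught long before authentication starts failing.
$MaxOffsetSeconds = 1.0

$result = Get-OffsetFromPdce
$result | Format-List

if ($result.MaxAbsOffsetS -gt $MaxOffsetSeconds) {
    Write-Warning "Offset from $($result.Pdce) exceeds $MaxOffsetSeconds s; resetting to domain hierarchy."
    Repair-W32TimeDomainHierarchy
}
```

Run it with no arguments on the suspect DC; Get-OffsetFromPdce can also be given -Pdce explicitly when you want to compare against a different reference, and Repair-W32TimeDomainHierarchy is only invoked when the measured offset is actually out of range.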
Using policy to set clients to look at AD for time
This is the default behaviour of Windows, and you should not need to set this; however, in some environments I’ve found we have had to.
- Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers
- Configure Windows NTP Client: Enabled
- NtpServer: <YourDC1>,0x1 <YourDC2>,0x1 (note that while Type is NTDS5 this list is not consulted – the client follows the domain hierarchy – and it only takes effect if Type is changed to NTP)
- Type: NTDS5
- CrossSiteSyncFlags: 2
- ResolvePeerBackoffMinutes: 15
- ResolvePeerBackoffMaxTimes: 7
- SpecialPollInterval: 3600
- EventLogFlags: 0
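As an added example (not code from the original article), the following PowerShell reads back the values that the two group policies described above – the PDCe policy and the client policy – deliver to a machine, and compares them with the expected profile for its role. The registry paths are the ones the Windows Time Service ADMX templates write to; the external NTP hostnames are an assumption, substitute your own.

```powershell
# Added example, not part of the original article: audit the policy-delivered
# W32Time settings on this host against the expected PDCe or client profile.
# The external NTP server list is an assumption; replace it with your own.

function Get-W32TimePolicyProfile {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    # Group-policy values live under the Policies hive and override anything set
    # locally with w32tm /config (HKLM:\SYSTEM\CurrentControlSet\Services\W32Time).
    $p = Get-ItemProperty -Path "$root\Parameters"              -ErrorAction SilentlyContinue
    $c = Get-ItemProperty -Path "$root\TimeProviders\NtpClient" -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path "$root\TimeProviders\NtpServer" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainRole                 = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole  # 5 = PDC emulator
        Type                       = $p.Type
        NtpServer                  = $p.NtpServer
        NtpClientEnabled           = $c.Enabled
        NtpServerEnabled           = $s.Enabled
        CrossSiteSyncFlags         = $c.CrossSiteSyncFlags
        ResolvePeerBackoffMinutes  = $c.ResolvePeerBackoffMinutes
        ResolvePeerBackoffMaxTimes = $c.ResolvePeerBackoffMaxTimes
        SpecialPollInterval        = $c.SpecialPollInterval
        EventLogFlags              = $c.EventLogFlags
    }
}

function Test-W32TimePolicyProfile {
    param([pscustomobject]$Actual, [hashtable]$Expected)
    foreach ($key in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $key
            Expected = $Expected[$key]
            Actual   = $Actual.$key
            Ok       = ($Actual.$key -eq $Expected[$key])
        }
    }
}

# Settings common to both policies in the article.
$common = @{
    NtpClientEnabled = 1; CrossSiteSyncFlags = 2; ResolvePeerBackoffMinutes = 15
    ResolvePeerBackoffMaxTimes = 7; SpecialPollInterval = 3600; EventLogFlags = 0
}
$pdceProfile = $common + @{
    Type = 'NTP'; NtpServerEnabled = 1
    NtpServer = 'ntp.internode.on.net,0x1 ntp.adelaide.edu.au,0x1'   # assumed external sources
}
$clientProfile = $common + @{ Type = 'NTDS5' }   # NtpServer is not consulted when Type is NTDS5

$actual   = Get-W32TimePolicyProfile
$expected = if ($actual.DomainRole -eq 5) { $pdceProfile } else { $clientProfile }
$report   = Test-W32TimePolicyProfile -Actual $actual -Expected $expected
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'W32Time policy does not match the expected profile; run gpupdate /force and check w32tm /query /configuration.'
}
```

The role check uses the same DomainRole = 5 test as the WMI filter on the PDCe GPO, so the script picks the right profile automatically; a row with Actual empty means the policy has not applied at all, while a mismatched value usually means an overlapping GPO or a leftover w32tm /config setting.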
References
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time
https://theitbros.com/configure-ntp-time-sync-group-policy/