Tips and Resources

Sync clocks on domain joined computers

Guide for syncing the clocks of Windows domain controllers, member servers and client workstations.

Keeping system clocks in sync is critical on Windows networks: Kerberos authentication fails by default when a computer's clock is more than five minutes out from the domain controller's. Follow the guide below to set up the time sync hierarchy for your network.

Domain Controllers

The first step in syncing clocks across your domain is to sync the domain controller that holds the Primary Domain Controller (PDC) emulator role with an external NTP provider. NTP providers are servers on the Internet that serve accurate time. You can use https://www.ntppool.org/zone/@ to find a pool zone near you. For example in Australia, I'm using:

0.au.pool.ntp.org, 1.au.pool.ntp.org, 2.au.pool.ntp.org, 3.au.pool.ntp.org

Once you've got the hostname(s) of the NTP servers you'd like to use, you can set your PDC to sync to the external time provider using either Group Policy or manually from the command line.

PDC External time sync - Group Policy

Open Group Policy Management and navigate to the Domain Controllers organisational unit (OU). Right Click this OU and choose Create a GPO in this domain, and Link it here... Enter gpPDC NTP Time Sync as the GPO name and click OK.

Right click the gpPDC NTP Time Sync GPO and choose Edit... Navigate to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers

Double click Configure Windows NTP Client. Click Enabled. Enter your desired NTP server hostnames into the NtpServer field. The list is space separated; include ,0x8 after each hostname so the service polls that peer in client mode. Change the Type to NTP. Leave the other fields at their default values and click OK. Then, under Windows Time Service > Global Configuration Settings, enable the policy and set AnnounceFlags to 5 so the PDC advertises itself as a reliable time source; this is the Group Policy equivalent of the /reliable:yes switch used in the command line section below.

Double click Enable Windows NTP Client. Click Enabled, Click OK.

Double click Enable Windows NTP Server. Click Enabled, Click OK.

The next step is to create a WMI filter so this group policy applies only to the PDC emulator. Filtering on the role rather than on a hostname means the policy follows the role if it is ever transferred to another domain controller. In Group Policy Management scroll the left pane to the bottom and right click WMI Filters. Click New...

Name this filter PDC Emulator. Enter Filter to select only the domain controller holding the PDC Emulator role in the Description field. Click Add. Leave the Namespace field at its default value. In the Query field, enter Select * from Win32_ComputerSystem where DomainRole = 5 (DomainRole 5 is the Primary Domain Controller). Click OK. Click Save.

Click on the gpPDC NTP Time Sync group policy, Click the Scope tab and change the WMI Filtering drop down box to PDC Emulator. Close Group Policy Management. 

PDC External time sync - Command Line

To configure the PDC from the command line instead of using group policy, open an elevated command prompt on the PDC and enter the following commands. Swap out the hostname(s) in the second command for the NTP servers you are using, but keep ,0x8 after each hostname: that flag makes the service poll the peer in client mode.

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8 2.au.pool.ntp.org,0x8 3.au.pool.ntp.org,0x8"
w32tm /config /reliable:yes
net start w32time
w32tm /config /update
w32tm /resync
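The same configuration as a PowerShell script, added here as an example (it is not part of the original post). It applies the DomainRole = 5 check from the WMI filter before touching anything, so it refuses to run on a domain controller that does not hold the PDC emulator role, and it confirms afterwards that the service is actually syncing from an external peer. It assumes an elevated PowerShell session on a domain controller; the pool hostnames in $Peers are the Australian ones used above and should be replaced with your own.

```powershell
# Added example: configure the PDC emulator to sync from external NTP servers.
# Assumes an elevated session on a domain controller. $Peers is a placeholder list.
$Peers = @('0.au.pool.ntp.org', '1.au.pool.ntp.org', '2.au.pool.ntp.org', '3.au.pool.ntp.org')

# Same test as the GPO's WMI filter: DomainRole 5 = Primary Domain Controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ne 5) {
    throw "This host has DomainRole $role; only the PDC emulator should sync from an external source."
}

# ',0x8' on each peer forces client mode; w32tm expects a space separated list.
$peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '

# manual = use the manual peer list only; reliable:yes = advertise as a reliable time
# source (AnnounceFlags 5); /update pushes the change to the running service.
& w32tm.exe /config /syncfromflags:manual /manualpeerlist:"$peerList" /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Restart so the new peers are used immediately, then force a sync.
Restart-Service -Name w32time
& w32tm.exe /resync /rediscover
if ($LASTEXITCODE -ne 0) { throw "w32tm /resync failed with exit code $LASTEXITCODE" }

# Verify the service reports an external peer rather than the local clock.
$source = (& w32tm.exe /query /source).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    throw "Time source is still '$source'; check that UDP port 123 to the peers is open."
}
"PDC emulator now syncing from: $source"
```

If the resync fails with no time data available, the usual causes are an outbound firewall blocking UDP port 123 or the pool hostnames not resolving from the DC; the final check catches the case where the configuration applied but the service silently fell back to the local clock.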

Other Domain Controllers, Member servers & Client PCs - Group Policy

By default, other domain controllers and domain members follow the domain hierarchy: member servers and workstations sync from the domain controller that authenticated them, and those domain controllers in turn sync from the PDC emulator. If a machine has been switched to a manual time source (a common leftover from a VM template or an earlier fix), you can force it back onto the domain hierarchy by configuring the NTP client using Group Policy.

Open Group Policy Management and navigate to the organisational unit (OU) that contains the devices you wish to configure. Right Click this OU and choose Create a GPO in this domain, and Link it here... Enter gpClient NTP Time Sync as the GPO name and click OK.

Right click the gpClient NTP Time Sync GPO and choose Edit... Navigate to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.

Double click Configure Windows NTP Client. Click Enabled. Set Type to NT5DS; this tells the client to locate a domain controller through the domain hierarchy, and the NtpServer value is ignored while this type is in effect. You can leave NtpServer at its default or enter the PDC hostname with ,0x9 after it, for example adserver.network,0x9. Leave the other fields at their default values and click OK.

Other Domain Controllers, Member servers & Client PCs  - Command Line

You can also force a particular computer back onto the domain hierarchy from the command line. Log in to the computer, open an elevated command prompt and enter:

w32tm /config /syncfromflags:domhier /update

Troubleshooting

Verify applied W32tm service settings

You can check that the time service has the settings you wish applied by running the following command from the command prompt on the computer in question:

w32tm /query /configuration

Among other things, the output shows the configured NtpServer and the Type. The server holding the PDC emulator role should show your external NTP servers for NtpServer and NTP for Type. Member servers and client workstations should show NT5DS for Type; whatever NtpServer shows on those machines is ignored because the domain hierarchy is used instead. The word in brackets after each value (Local or Policy) tells you whether it came from the local registry or from Group Policy, which is a quick way to confirm the GPO actually applied.

A simpler command to check the configured source for time sync is:

w32tm /query /source

This command outputs a single line showing the peer the computer is currently syncing from: the PDC emulator should show one of the external NTP servers, other domain controllers should show the PDC emulator, and member servers and workstations should show a domain controller. If it shows Local CMOS Clock or Free-running System Clock, the machine is not syncing from any network source.

Verify NtpServer reachability & sync

Run this command on a computer to check that it is able to sync its clock with the configured server:

w32tm /resync

This forces the computer to re-sync with its time source and prints either a completed successfully message or an error describing why it failed (the usual one is that no time data was available, which normally means the source is unreachable or UDP port 123 is blocked). For more detail, w32tm /query /status shows the stratum, the last successful sync time and the source actually in use.
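The checks in this troubleshooting section are run one machine at a time. The following PowerShell script, added here as an example and not part of the original post, runs them across a list of computers in one go: it reads the Type and the current source on each machine, measures each machine's clock offset against the PDC emulator with w32tm /stripchart, and flags anything outside the Kerberos five minute tolerance. It assumes WinRM is enabled on the targets and that you run it as a domain administrator; the names in $Computers are placeholders to replace with your own.

```powershell
# Added example: audit time sync across several domain computers at once.
# Assumes WinRM access to each target. $Computers is a placeholder list.
$Computers = @('dc02', 'fileserver01', 'workstation01')

# Locate the PDC emulator from the current domain without needing the AD module.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

$results = Invoke-Command -ComputerName $Computers -ArgumentList $pdc -ScriptBlock {
    param($pdc)

    # Type line of 'w32tm /query /configuration' looks like "Type: NT5DS (Policy)".
    $typeLine = (& w32tm.exe /query /configuration) |
        Where-Object { $_ -match '^\s*Type:' } | Select-Object -First 1
    $type = if ($typeLine -match 'Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }

    # Current peer, e.g. "0.au.pool.ntp.org,0x8" or "dc01.example.local".
    $source = (& w32tm.exe /query /source).Trim()

    # Offset from the PDC over three samples. Sample lines from /stripchart /dataonly
    # look like "10:00:02, +00.0011234s"; an unreachable PDC yields no sample lines.
    $samples = foreach ($line in (& w32tm.exe /stripchart /computer:$pdc /samples:3 /dataonly)) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    $offset = if ($samples) { @($samples)[-1] } else { $null }

    [pscustomobject]@{
        Type          = $type
        Source        = $source
        OffsetSeconds = $offset
    }
}

$results |
    Select-Object PSComputerName, Type, Source, OffsetSeconds,
        @{ Name = 'Status'; Expression = {
            if ($null -eq $_.OffsetSeconds)                      { 'PDC unreachable' }
            elseif ($_.Source -match 'Local CMOS|Free-running')   { 'FAIL: not syncing from any source' }
            elseif ([math]::Abs($_.OffsetSeconds) -gt 300)        { 'FAIL: outside Kerberos 5 minute tolerance' }
            elseif ([math]::Abs($_.OffsetSeconds) -gt 1)          { 'WARN: more than 1 second of drift' }
            else                                                  { 'OK' }
        } } |
    Format-Table -AutoSize
```

Expected output is Type NT5DS on every row except the PDC emulator itself, a Source pointing at a domain controller, and an offset well under a second. A row showing Type NTP on a member server or a non-PDC domain controller means that machine is bypassing the domain hierarchy and should be reset with the domhier command above. The stripchart parsing assumes a period as the decimal separator, which is what w32tm prints on English locales.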

References

https://theitbros.com/configure-ntp-time-sync-group-policy/

https://community.spiceworks.com/how_to/138831-use-gpo-to-maintain-pdc-emulator-s-time-service

https://www.ntppool.org/zone/@

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/configuring-an-authoritative-time-server-with-group-policy-using/ba-p/395806

https://www.msnoob.com/configure-ntp-server-setting-on-windows-server.html