How to sync your Active Directory (AD) time with a reliable time source


1. Choose a Reliable Time Source

You can use NTP (Network Time Protocol) servers from a reliable provider such as:

  • Microsoft NTP servers: time.windows.com
  • NIST (U.S. Government): time.nist.gov
  • Singapore NTP servers: sg.pool.ntp.org 

2. Configure the PDC Emulator to Sync with an External NTP Server

The PDC Emulator (Primary Domain Controller Emulator) is responsible for time synchronization in an AD domain.

Step 1: Identify Your PDC Emulator

Run this command on any Domain Controller (DC) to check which DC holds the PDC Emulator role:

powershell
netdom query fsmo

The PDC Emulator should be listed under PDC Role.

Step 2: Configure the PDC Emulator to Use an External NTP Server

Run the following command on the PDC Emulator:

powershell
w32tm /config /manualpeerlist:"sg.pool.ntp.org time.windows.com time.nist.gov" /syncfromflags:manual /reliable:yes /update

Then, restart the time service:

powershell
net stop w32time
net start w32time

Step 3: Force Sync and Verify

Force the sync:

powershell
w32tm /resync

Check the status:

powershell
w32tm /query /status

3. Ensure Other Domain Members Sync with the PDC

By default, all DCs and clients sync their time from the PDC Emulator. If necessary, you can manually configure them using:

powershell
w32tm /config /syncfromflags:domhier /update
w32tm /resync

4. Verify Time Synchronization Across Domain

Run this on any domain-joined machine to check its time source:

powershell
w32tm /query /source

On the PDC Emulator, verify peers:

powershell
w32tm /query /peers

5. Monitor

  • Use Event Viewer > System Logs to check for time sync errors (w32time logs).
  • If clients have time drift issues, run:
    powershell
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    w32tm /resync

6. Troubleshooting

1️⃣ Reconfigure NTP Settings Again

Run the following command on the PDC Emulator to force it to use external NTP servers:

powershell
w32tm /config /manualpeerlist:"sg.pool.ntp.org time.windows.com time.nist.gov" /syncfromflags:manual /reliable:yes /update

Restart the Windows Time Service:

powershell
net stop w32time
net start w32time

2️⃣ Force Synchronization

Manually force a sync with the NTP servers:

powershell
w32tm /resync /force

Check the status again:

powershell
w32tm /query /status

If it still says “Local CMOS Clock”, proceed to the next step.


3️⃣ Reset the Windows Time Configuration

If the above doesn’t work, reset the time service to default settings and reconfigure NTP:

powershell
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Then, reapply the NTP settings:

powershell
w32tm /config /manualpeerlist:"sg.pool.ntp.org time.windows.com time.nist.gov" /syncfromflags:manual /reliable:yes /update

Restart the service again:

powershell
net stop w32time
net start w32time

Check if the time source is now correct:

powershell
w32tm /query /status

4️⃣ Check Firewall & Connectivity

Ensure that your PDC Emulator can reach the NTP servers by testing network connectivity:

powershell
ping sg.pool.ntp.org

or

powershell
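Test-NetConnection -ComputerName sg.pool.ntp.org -Port 123

  • If the ping or port test fails, your firewall may be blocking UDP port 123. Note that Test-NetConnection -Port opens a TCP connection while NTP uses UDP, so a failed port test on its own does not prove that NTP is blocked. Allow it in your firewall (the rule below opens inbound UDP 123 on this server; outbound traffic to the external NTP servers must also be permitted by any upstream firewall):
    powershell
    New-NetFirewallRule -DisplayName "Allow NTP" -Direction Inbound -Protocol UDP -LocalPort 123 -Action Allow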
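
To test the UDP path that NTP actually uses, the following sends one SNTP client request to each server named in this post and reports whether a reply arrived, the server's stratum and the measured clock offset. It is an added example, not part of the original post; the function names Test-NtpServer and ConvertFrom-NtpTimestamp are hypothetical.

```powershell
# Added example (not from the original post): query NTP servers over UDP 123.
function ConvertFrom-NtpTimestamp {
    param([byte[]]$Bytes, [int]$Index)
    # Big-endian: 32-bit seconds since 1900-01-01 UTC, then a 32-bit fraction.
    $sec = 0.0; $frac = 0.0
    for ($i = 0; $i -lt 4; $i++) {
        $sec  = $sec  * 256 + $Bytes[$Index + $i]
        $frac = $frac * 256 + $Bytes[$Index + 4 + $i]
    }
    $epoch = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $epoch.AddSeconds($sec + $frac / 4294967296)
}

function Test-NtpServer {
    param([Parameter(Mandatory)][string]$Server, [int]$TimeoutMs = 3000)
    $result = [ordered]@{ Server = $Server; Replied = $false; Stratum = $null
                          OffsetSeconds = $null; Detail = '' }
    $request = New-Object byte[] 48
    $request[0] = 0x1B                      # LI=0, VN=3, Mode=3 (client)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $t1 = [datetime]::UtcNow            # local send time
        [void]$udp.Send($request, $request.Length)
        $reply = $udp.Receive([ref]$remote)
        $t4 = [datetime]::UtcNow            # local receive time
        $result.Replied = $true
        # Accept only a full-length server reply (Mode=4) with a real stratum.
        if ($reply.Length -lt 48 -or ($reply[0] -band 7) -ne 4 -or $reply[1] -eq 0) {
            $result.Detail = 'Reply is not a usable NTP server response'
        } else {
            $t2 = ConvertFrom-NtpTimestamp $reply 32   # server receive time
            $t3 = ConvertFrom-NtpTimestamp $reply 40   # server transmit time
            $offset = (($t2 - $t1) + ($t3 - $t4)).TotalSeconds / 2
            $result.Stratum = $reply[1]
            $result.OffsetSeconds = [math]::Round($offset, 3)
            $result.Detail = 'OK'
        }
    } catch {
        # DNS failure, timeout, or ICMP unreachable: no NTP reply was received.
        $result.Detail = $_.Exception.Message
    } finally {
        $udp.Close()
    }
    [pscustomobject]$result
}

'sg.pool.ntp.org', 'time.windows.com', 'time.nist.gov' |
    ForEach-Object { Test-NtpServer $_ } | Format-Table -AutoSize
```

Run it on the PDC Emulator: a timeout for every server points to UDP 123 being blocked on the path rather than to the w32time configuration.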

5️⃣ Check Current Time Server Configuration

Run:

powershell
w32tm /query /configuration

Look for:

  • NtpServer → Should list sg.pool.ntp.org, time.windows.com, etc.
  • Type → Should be NTP

If it still shows CMOS Clock, try restarting the server.


6️⃣ Restart the PDC Emulator

If none of the above steps work, restart the PDC Emulator server and check the status again.

powershell
w32tm /query /status

This should now show the correct external time source.

