I have seen various queries related to the Windows Time service configuration in an Active Directory forest and domain architecture, so I decided to pen down an article that might help answer them. First, let's try to understand what the time server role is, how it works, why it is important to configure it correctly in the Active Directory forest/domain, and what issues you face if it is not configured on, or assigned to, the right DC.
The time server role is assigned to the DC holding the PDC Emulator role in the domain. Now consider a different scenario, where multiple domains exist in the same forest: how would you assign the time server role, and which domain's DC should synchronize its time from the external or reliable source?
To answer the above: by default there is exactly one PDC Emulator in each domain. The reason to assign the time server role only to the DC holding the PDC role is that the DC with this FSMO role acts like the king of the kingdom, with the ability to authorize changes in order to resolve or avoid conflicts. When new objects are created or existing objects are modified in AD (Active Directory), the change is first validated by the PDC FSMO role holder, and after authorization it is allowed to replicate to all other DCs in the forest/domain. User logon to the domain, Kerberos ticket issuance, AD/DNS replication, creation/change/modification of objects in AD and so on all depend on time being in sync with the PDC. If there is a time mismatch between the DCs in the domain, authentication will fail, changes will not replicate to other DCs, resource access will fail and you could face several other issues. By default, the domain allows a maximum clock skew of 5 minutes, which means systems in the domain, DCs included, may differ by up to 5 minutes but not more. Beyond that, users will not be able to log on to domain-joined systems and will get authentication failure errors.
If there is a single domain in the forest, it is easy: configure the time server role on the PDC Emulator. In the multi-domain scenarios, where a Parent-Child or Tree-Root domain architecture is involved, configure the DC holding the PDC FSMO role in the Parent/Root domain as the time server, syncing its time from the external or reliable source, and let all other domains follow the Parent/Root DC in the time hierarchy. By default, the DC holding the PDC role syncs its time from the reliable/external source and all other domain-joined clients follow the PDC FSMO role holder DC to sync their time. The protocol used by the time server is NTP/SNTP.
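The following PowerShell script is an added example (not code from the original article) that turns the 5-minute Kerberos tolerance described above into a check: it discovers the PDC Emulator of the current domain, samples the local clock offset against it with w32tm /stripchart, and reports whether the host is still inside the default skew window. It assumes a domain-joined Windows host with w32tm.exe available; the function and parameter names are this example's own.

```powershell
# Added example (not part of the original article): measure this machine's clock
# offset from the domain's PDC Emulator and compare it with the default Kerberos
# tolerance of 5 minutes described above.
# Assumptions: run on a domain-joined Windows host; w32tm.exe is on the path;
# the PDC Emulator is discovered through .NET DirectoryServices (no RSAT needed).

function Get-PdcEmulator {
    # DNS name of the DC holding the PDC Emulator role for the current domain
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    return $domain.PdcRoleOwner.Name
}

function Get-ClockOffsetSeconds {
    param(
        [Parameter(Mandatory = $true)] [string] $Computer,
        [int] $Samples = 5
    )
    # "w32tm /stripchart /dataonly" prints one "HH:mm:ss, +00.0001234s" line per
    # sample; a failed sample prints "HH:mm:ss, error: 0x........" instead.
    $lines   = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double] $Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No NTP samples from $Computer (UDP 123 blocked or host unreachable?): $($lines -join ' ')"
    }
    # Median, so one delayed packet does not distort the result
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function Test-KerberosClockSkew {
    param(
        [string] $Pdc = (Get-PdcEmulator),
        # Default for the Kerberos policy "Maximum tolerance for computer clock synchronization"
        [int] $MaxSkewSeconds = 300
    )
    $offset = Get-ClockOffsetSeconds -Computer $Pdc
    $result = [pscustomobject]@{
        Pdc            = $Pdc
        OffsetSeconds  = [math]::Round($offset, 3)
        MaxSkewSeconds = $MaxSkewSeconds
        WithinSkew     = ([math]::Abs($offset) -lt $MaxSkewSeconds)
        LocalSource    = ((& w32tm.exe /query /source) -join '')
    }
    if (-not $result.WithinSkew) {
        Write-Warning ("Clock is {0:N1}s away from {1}; Kerberos authentication will fail until the clock is resynced." -f $offset, $Pdc)
    }
    return $result
}

Test-KerberosClockSkew | Format-List
```

Run it on a member server or on any DC other than the PDC; LocalSource shows which peer the local w32time is actually following, which is the first thing to look at when the offset is large.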
In some cases you might have to completely reset the time service because its registry settings have been messed up, whether on a DC or on a member machine. The simplest fix is to unregister the time service on the problem domain-joined machine (DC or member) and re-register it using the commands below. It has worked for me most of the time and it might work for you too.
- Type cmd in the Run window
- Type net stop w32time to stop the time service
- Type w32tm /unregister to remove the time service and its registry configuration
- Type w32tm /register to register the time service and its default registry configuration back
- Type net start w32time to start the time service again
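The script below is an added example (not from the original article) that runs the reset procedure above from an elevated PowerShell prompt with the checks an administrator would want: it backs up the current W32Time registry key first, verifies each w32tm call's exit code, confirms the key was recreated by /register and that the service is running, and finally shows which time source the machine is using. It assumes the standard W32Time service key path; function names are this example's own.

```powershell
# Added example (not part of the original article): the unregister / re-register
# reset described above, scripted with checks. Run from an elevated PowerShell
# prompt on the affected DC or member machine.
# Assumption: the W32Time service lives under the standard registry key below.

$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) prompt.'
    }
}

function Invoke-W32tm {
    # Run w32tm.exe and fail loudly on a non-zero exit code
    param([string[]] $Arguments)
    $out = & w32tm.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "w32tm $($Arguments -join ' ') failed: $($out -join ' ')" }
    return $out
}

function Reset-W32Time {
    Assert-Elevated

    # Keep a copy of the current settings so the broken configuration can still be reviewed
    $backup = Join-Path $env:TEMP ('W32Time-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export $W32TimeKey; continuing without a backup" }

    # Step 1: net stop w32time
    Stop-Service -Name w32time -Force -ErrorAction SilentlyContinue

    # Step 2: w32tm /unregister removes the service and its registry settings
    Invoke-W32tm -Arguments '/unregister' | Out-Null
    if (Test-Path $W32TimeKey) { Write-Warning "$W32TimeKey still present after /unregister (deletion may be pending)" }

    # Step 3: w32tm /register recreates the service with default settings
    Invoke-W32tm -Arguments '/register' | Out-Null
    if (-not (Test-Path "$W32TimeKey\Config")) { throw "/register did not recreate $W32TimeKey\Config" }

    # Step 4: net start w32time, then confirm the service really is running
    Start-Service -Name w32time
    $svc = Get-Service -Name w32time
    if ($svc.Status -ne 'Running') { throw "w32time is $($svc.Status), expected Running" }

    # Step 5: ask for a resync; a failure here only means no peer has answered yet
    & w32tm.exe /resync /nowait 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'Resync not yet possible; check w32tm /query /status after a few minutes' }

    return [pscustomobject]@{
        Service = $svc.Status
        Source  = (Invoke-W32tm -Arguments '/query', '/source') -join ''
        Backup  = $backup
    }
}

Reset-W32Time | Format-List
```

Because /register restores default settings, a machine that follows the domain hierarchy is back to normal after this; on the PDC Emulator itself the manual peer list has to be reapplied afterwards with the w32tm /config command from the "Configure the Windows Time service on the PDC emulator" section below.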
Port Assignments for the Windows Time Service
| Service name | UDP | TCP |
| NTP          | 123 | NA  |
| SNTP         | 123 | NA  |
August 2011 cumulative time zone update for Windows operating systems
http://support.microsoft.com/kb/2570791
References
Configure the Windows Time service on the PDC emulator in the Forest Root Domain
Run the command given below on the DC holding the PDC Emulator role in the forest root domain to sync its time from the external or reliable source. In a Tree-Root or Parent-Child forest, allow only the Root/Parent PDC to sync its time from the external or reliable source; the other domains (tree or child) should follow the Root/Parent PDC in the time hierarchy. The external source can be an Internet NTP server and the reliable source can be a router or hardware clock.
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
Replace peers with the DNS name or IP address of the time source; to list more than one, separate them with spaces and enclose the list in quotation marks.
http://technet.microsoft.com/en-us/library/cc786897%28WS.10%29.aspx
Change the Windows Time service configuration on the previous PDC emulator or the domain client machines
Run the command below to reconfigure the DC that previously held the PDC role so that it syncs time from the new PDC Emulator after the role has been moved. The same command can be used on any domain member client/server to reconfigure the time service to follow the domain hierarchy.
w32tm /config /syncfromflags:domhier /reliable:no /update
Then stop and start the time service, using the services.msc console or simply by running net stop w32time && net start w32time at the command prompt.
http://technet.microsoft.com/en-us/library/cc738042%28v=ws.10%29.aspx
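The script below is an added example (not from the original article) that applies the two w32tm configurations from the preceding sections according to the role of the local machine: manual peers with /reliable:yes when the host is the PDC Emulator, /syncfromflags:domhier with /reliable:no on a former PDC, a member or a child-domain PDC. It then restarts the service and verifies the result with w32tm /query. It assumes an elevated prompt on a domain-joined host; the peer names are constructed placeholders and the function names are this example's own.

```powershell
# Added example (not part of the original article): apply the PDC or member
# w32tm configuration shown above according to the local machine's role, then verify.
# Assumptions: run elevated on a domain-joined machine; PDC Emulator discovery uses
# .NET DirectoryServices; the default peer names below are constructed placeholders.

function Get-LocalFqdn {
    return [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
}

function Test-IsPdcEmulator {
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    return ($pdc -ieq (Get-LocalFqdn))
}

function Invoke-W32tm {
    # Run w32tm.exe and fail loudly on a non-zero exit code
    param([string[]] $Arguments)
    $out = & w32tm.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "w32tm $($Arguments -join ' ') failed: $($out -join ' ')" }
    return $out
}

function Set-W32TimeRole {
    param(
        # NTP sources for the forest-root PDC Emulator; ",0x8" selects client mode (placeholders)
        [string[]] $Peers = @('ntp1.example.invalid,0x8', 'ntp2.example.invalid,0x8'),
        # Follow the domain hierarchy even on a PDC, e.g. the PDC of a child or tree domain
        [switch] $ForceMember
    )
    if ((Test-IsPdcEmulator) -and -not $ForceMember) {
        # Forest-root PDC: sync from the external/reliable sources and advertise as reliable
        $peerList = $Peers -join ' '
        Invoke-W32tm -Arguments '/config', "/manualpeerlist:$peerList", '/syncfromflags:manual', '/reliable:yes', '/update' | Out-Null
        $role = 'PDC Emulator (manual peers, reliable)'
    } else {
        # Former PDC, member, or child-domain DC: follow the domain hierarchy
        Invoke-W32tm -Arguments '/config', '/syncfromflags:domhier', '/reliable:no', '/update' | Out-Null
        $role = 'Member (domain hierarchy)'
    }

    # Equivalent of "net stop w32time && net start w32time"
    Restart-Service -Name w32time -Force
    & w32tm.exe /resync /nowait 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'Resync not yet possible; re-check w32tm /query /status shortly' }

    # /query /source shows the peer actually in use; /query /status the stratum and last sync time
    return [pscustomobject]@{
        Computer = Get-LocalFqdn
        Role     = $role
        Source   = (Invoke-W32tm -Arguments '/query', '/source') -join ''
        Status   = (Invoke-W32tm -Arguments '/query', '/status') -join "`n"
    }
}

Set-W32TimeRole | Format-List
```

On a freshly configured PDC the Source field should name one of the peers you passed; on every other machine it should name a DC. If a member still reports "Local CMOS Clock" after the restart, the domain hierarchy is not being found, and the Windows Time debug logging referenced below is the next step.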
How to configure authoritative time server
http://support.microsoft.com/kb/816042
Configuring a time source for the forest
http://technet.microsoft.com/en-us/library/cc784800%28WS.10%29.aspx
Keeping the Domain On Time
http://blogs.msdn.com/b/w32time/archive/2007/09/04/keeping-the-domain-on-time.aspx
Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263%28WS.10%29.aspx
How to turn on debug logging in the Windows Time Service
http://support.microsoft.com/kb/816043
A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680
Windows Time Service Technical Reference
http://technet.microsoft.com/en-us/library/cc773061%28WS.10%29.aspx
Windows Time and the W32TM service
http://blogs.technet.com/b/industry_insiders/archive/2006/08/29/w32-tm-service.aspx
High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx
NET TIME and w32time
http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx
Windows Time Service
http://blogs.msdn.com/b/w32time/