1

I have 5 Windows Server 2012 servers and around 100 computers in our domain.

Recently I noticed that the time on the servers and computers is around 30 seconds fast.

Where do servers and computers on the domain get their time settings from? Is that set on a domain controller or elsewhere (I have 2 domain controllers).

On a Linux server I would use

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

to keep the time in sync but to be honest I've never ever had a problem with time on a Windows domain so I've never had to look at it.

Where would I set it so that all servers and computers automatically use {0-3}.pool.ntp.org (or whatever the recommended would be)?

SMW

3 Answers

2

Also consider that sometimes, virtualized systems that run Windows OS joined to a domain have the wrong setting to synchronize time with the host. This is not a best practice because the VM continues to change its time setting, first synchronizing from the PDC Emulator, as Daniel said, on the Windows side, then from the host on the hypervisor side. This could generate many kinds of problems.

John
  • Hi. Yes, the servers are virtualized? 1 physical host... – SMW Mar 17 '15 at 09:58
  • Good hint! Time synchronisation between host and guest in Hyper-V or VMWare should be deactivated for domain controllers in every case (https://technet.microsoft.com/en-gb/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx) – Daniel Mar 17 '15 at 10:10
1

This article explains it very well: “It’s Simple!” – Time Configuration in Active Directory

Summarized, clients get their time from the PDC emulator. And the PDC emulator gets its time from the BIOS clock, unless you configure an external time server, which is strongly advised.

You can set the clock on the PDC with this command:

w32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org /syncfromflags:manual /reliable:yes /update

Once done, restart the W32Time service.

(Alternatively, there are hardware devices that sync your BIOS clock, but I cannot remember what they are called.)

Daniel
  • Thanks for the answer. What's the PDC emulator? I've never heard that term before. Is it a domain controller? – SMW Mar 17 '15 at 09:21
  • "What's the PDC emulator?" Please research that yourself. – Daniel Mar 17 '15 at 09:22
  • [Identify the PDC emulator](https://technet.microsoft.com/en-us/library/cc782961%28v=ws.10%29.aspx) or "dsquery server -hasfsmo pdc" – Daniel Mar 17 '15 at 09:25
  • I ran that command (command was wrong, needed "" not ,) and restarted the time service. Time on that server is now right, but I rebooted a computer and the time is still wrong. What else do I need to do? – SMW Mar 17 '15 at 10:10
  • Domain members sync their time with their authenticating DC, which is not necessarily the PDCe. The PDCe always gets its time from its RTC. It syncs its time with an external time source, if configured to do so. It does not `get` its time from the external time source. – joeqwerty Mar 17 '15 at 15:35
  • In other words, you have **either** other domain controllers that are configured to get their time from NOT the PDC, **or** the clients are configured to get their time NOT from the PDC. Run `w32tm /query /source` on all DCs. They all should show you the PDC as a source, except for the PDC of course. Run that command on any client and check if it's the PDC and not an external time server. – Daniel Mar 17 '15 at 15:49
1

To clarify: All computers get their time from their RTC (real time clock), unless they're virtual machines, in which case the host hypervisor injects its time into the VM at startup (because virtual machines don't have an RTC). Thereafter they sync their time either with the host hypervisor (if configured to do so), or in the case of a domain member, with the domain hierarchy. They don't get their time from the domain hierarchy, they sync their time with the domain hierarchy. Domain controllers that don't hold the PDCe role sync their time with the PDCe. All other domain members sync their time with their authenticating domain controller, which is not necessarily the PDCe. Host hypervisor time synchronization should be disabled for all domain-joined virtual machines. At no time should any domain member be configured to sync with an external time source. Only the domain controller that holds the PDCe role should be configured to sync with a reliable external time source, if desired. Time is relative. There's no requirement that the domain time be synchronized with a reliable external time source, although it's considered best practice to do so.

joeqwerty
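
The check suggested in the comments above (`w32tm /query /source` on every DC and on clients), combined with the hierarchy described in this answer, as an added example that is not code from any of the posters. It assumes the RSAT ActiveDirectory module, PowerShell remoting, English `w32tm` output, and that sources are reported as FQDNs; `CLIENT01.example.local` is a hypothetical member name.

```powershell
# Added example: audit W32Time sources against the hierarchy described in this thread.
# Assumes RSAT's ActiveDirectory module, PowerShell remoting, and English w32tm output.
Import-Module ActiveDirectory

$pdc     = (Get-ADDomain).PDCEmulator                   # FQDN of the PDC emulator
$dcs     = @((Get-ADDomainController -Filter *).HostName)
$members = @('CLIENT01.example.local')                  # hypothetical member sample

function Get-TimeSource([string]$ComputerName) {
    try {
        $out = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop `
                              -ScriptBlock { w32tm /query /source }
        ($out | Out-String).Trim()
    } catch { 'UNREACHABLE' }
}

function Test-TimeSource([string]$ComputerName, [string]$Source) {
    $peer = ($Source -split ',')[0].Trim()              # drop flags such as ",0x8"
    if ($Source -eq 'UNREACHABLE') { return 'could not query' }
    if ($Source -match 'VM IC Time Synchronization Provider') {
        return 'FAIL: syncing with the hypervisor; disable host time sync for this guest'
    }
    $local = $Source -match 'Local CMOS Clock|Free-running System Clock'
    if ($ComputerName -eq $pdc) {
        if ($local) { return 'WARN: PDCe has no external source, running on its own clock' }
        return 'OK: PDCe syncs with a configured peer'
    }
    if ($local) { return 'FAIL: not syncing with the domain hierarchy' }
    if ($dcs -contains $ComputerName) {
        # Assumption: the source is reported as the PDCe's FQDN.
        if ($peer -eq $pdc) { return 'OK: DC syncs with the PDCe' }
        return 'FAIL: DC source is not the PDCe'
    }
    if ($dcs -contains $peer) { return 'OK: member syncs with a DC' }
    return 'FAIL: member source is not a domain controller'
}

foreach ($name in @($dcs) + $members) {
    $source = Get-TimeSource $name
    [pscustomobject]@{
        Computer = $name
        Source   = $source
        Verdict  = Test-TimeSource $name $source
    }
}
```

A member or non-PDCe DC that fails the check can be pointed back at the domain hierarchy with `w32tm /config /syncfromflags:domhier /update` followed by `w32tm /resync /rediscover`.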