Domain-wide Time Synchronization: Part 2

Categories: Active Directory, Networking, Windows Server

Ok, sorry for the delay, but I want to dive right in. Let’s break down the steps from part 1:

1 – Configure NTP time source for PDC domain controller

For this step, you want to configure the PDC to check in with a reliable Internet time server. A couple of ones that I prefer to use are hosted by the US Naval Observatory (tock.usno.navy.mil) and NIST (time.nist.gov).

UPDATE:  Only use OPEN ACCESS public pooled NTP servers; anything else may not be reliable and will only make you part of the problem.

I recommend using the following open access public pooled servers when configuring your primary NTP time source:

  • pool.ntp.org (use ALL of the nodes listed below)
    • 0.pool.ntp.org
    • 1.pool.ntp.org
    • 2.pool.ntp.org
    • 3.pool.ntp.org
  • time.nist.gov (use ONLY this node)

Both are load balanced and will direct to NTP servers in your local region.

To configure the necessary settings, you’ll need to make a bunch of registry changes, which you can find here or here. But, since I’m always looking for an easier way, I found this handy utility that will make the necessary changes for you, after entering a few settings. There is also a Microsoft “Easy Fix” app you can download to make the changes on this site (scroll down to “Configuring the Windows Time service to use an external time source“). Check the event logs afterward to verify that everything worked ok.

2 – OPTIONAL Configure poll interval on member servers (15 minutes; my preference)

On domain controllers and member servers, I change the “poll interval” to 15 minutes (900 seconds).

Edit the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval = "900" (DWORD)

3 – Ensure that all member servers and workstations are configured for the NTP time source type of “NT5DS”

Note:  If the computer is a member server or workstation within a domain, by default, it follows the AD DS hierarchy and synchronizes its time with a domain controller in its local domain that is currently running the Windows Time service.

From a command prompt, dump the Parameters subkey and check that the Type value reads NT5DS:

w32tm /dumpreg /subkey:Parameters

4 – Test and verify time sync

Verify NTP servers:

Net time /querysntp

Compare time difference on PDC to other machines:

w32tm /stripchart /computer:[computer name] /samples:1
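
A read-only audit of the settings from steps 1 to 3, as an added PowerShell example that is not part of the original post. The function name Test-TimeConfig, the peer allow-list (taken from the pool list above) and the expectation that the PDC emulator reports Type NTP are assumptions.

```powershell
# Added example, not from the original post. Assumed expectations:
#   PDC emulator  -> Type = NTP, peers drawn from the pool list in step 1
#   everyone else -> Type = NT5DS (follow the domain hierarchy)
#   poll interval -> the post's optional 900 seconds
$AllowedPeers = '0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org',
                '3.pool.ntp.org', 'time.nist.gov'

function Test-TimeConfig {
    param([int]$DomainRole, [string]$Type, [string]$NtpServer, [int]$SpecialPollInterval)
    $findings = @()
    if ($DomainRole -eq 5) {                       # 5 = DC holding the PDC emulator role
        if ($Type -ne 'NTP') { $findings += "PDC: Type is '$Type', expected NTP" }
        foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
            $peer, $flags = $entry -split ',', 2   # entries look like host,0x1
            if ($peer -notin $AllowedPeers) { $findings += "PDC: unexpected peer '$peer'" }
            # SpecialPollInterval is only honoured for peers carrying the 0x1 flag
            if (-not $flags -or -not ([Convert]::ToInt32($flags, 16) -band 0x1)) {
                $findings += "PDC: peer '$peer' lacks flag 0x1, SpecialPollInterval not applied"
            }
        }
    }
    elseif ($DomainRole -in 1, 3, 4) {             # member workstation, member server, other DC
        if ($Type -ne 'NT5DS') { $findings += "Member: Type is '$Type', expected NT5DS" }
    }
    else { $findings += 'Machine is not joined to a domain' }
    if ($SpecialPollInterval -ne 900) {
        $findings += "SpecialPollInterval is $SpecialPollInterval, post suggests 900 (optional)"
    }
    return , $findings
}

# Read the live values (no changes are written) and report deviations.
$w32  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$p    = Get-ItemProperty "$w32\Parameters"
$c    = Get-ItemProperty "$w32\TimeProviders\NtpClient"
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$result = Test-TimeConfig -DomainRole $role -Type $p.Type -NtpServer $p.NtpServer `
                          -SpecialPollInterval $c.SpecialPollInterval
if ($result) { $result } else { 'Time configuration matches the expected settings' }

# Constructed sample: a PDC pointed at one pool peer and one unlisted host without flags
Test-TimeConfig -DomainRole 5 -Type 'NTP' -SpecialPollInterval 900 `
                -NtpServer '0.pool.ntp.org,0x1 ntp.example.invalid'
```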

 

For more info, check out the following:

Windows Time Service Tools and Settings
How the Windows Time Service Works

How to configure an authoritative time server in Windows Server

Network Time Foundation’s NTP Support Wiki

NIST Internet time service

NTP Pool Project
