“It’s Simple!” – Time Configuration in Active Directory

First, let me say that I am really pleased to start this series which I wanted to call “It’s Simple!” aiming to simplify things a little bit and make them easier to assimilate.

Now back to our topic, shall we?

So you said Time Configuration, right? Why should we care in the first place?

It’s simple! Active Directory can’t work correctly (or at all) if the clocks of its domain controllers and member machines are not synchronized.

For example, in Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate (this tolerance is configurable by GPO: Maximum tolerance for computer clock synchronization, under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy).

Another example is replication: Active Directory uses time stamps to resolve replication conflicts.

Now, let’s see how time should be configured in Active Directory:

  1. In Active Directory, we use the Windows Time service (W32Time) for clock synchronization,
  2. All member machines synchronize with any domain controller,
  3. In a domain, all domain controllers synchronize from the PDC Emulator of that domain, using NT5DS (which simply means: follow the domain hierarchy and get me my PDC emulator),
  4. The PDC Emulator of a domain should synchronize with any domain controller of the parent domain, using NTP,
  5. The PDC Emulator of the root domain in a forest should synchronize with an external time server (it could be a clock device, a router, another standalone server, an internet time server…)



But how do I configure time in my Active Directory?

Well, it’s simple! Normally it is set correctly out of the box, as long as we don’t modify it on purpose.

Otherwise, we do provide some tools for that: the w32tm.exe command-line utility and GPO.

  • Using w32tm.exe


    • Run the following command on the PDC emulator:  

      w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update

      (where timeserver is a space-delimited list of your time source servers, enclosed in double quotes if it contains more than one)

      Once done, restart W32Time service.


    • Run the following command on all other DCs (that are not PDC):  

      w32tm /config /syncfromflags:domhier /update

      Once done, restart W32Time service.


  • Using GPO with WMI filter


    Using a GPO is always better, to automate as much as possible (and of course in case we have to transfer the PDC role to another DC):

    • Create a GPO and link it to the Domain Controllers container
    • Set a WMI filter to target the PDC emulator, using the following syntax:

       Select * from Win32_ComputerSystem where DomainRole = 5


    • Open the GPO for editing and go to: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, then enable Configure Windows NTP Client (with Type set to NTP) and Enable Windows NTP Client



      Quick note: NtpServer contains a space-delimited list of time source servers in the format: Name-or-IP,server-flag


    • All non-PDC domain controllers should be set to NT5DS (domain hierarchy).


  • Creating a global settings GPO


    • Create a GPO and link it to Domain Controllers organizational unit,
    • Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Global Configuration Settings
    • Depending on the use, you may leave the default values.


  • Checking 
    • You can check in the registry whether the domain controller is using NTP (which should be the case on the PDC) or NT5DS (on non-PDCs):

      Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

    • You can also check for time advertisement on the PDC by running the command w32tm.exe /resync /rediscover /nowait, then checking for Event ID 139
    • To check the source time server: w32tm /query /status
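As an added example (not code from the original post), the following PowerShell audits a domain controller against the hierarchy and checks above: it evaluates the same DomainRole predicate the WMI filter uses, reads the effective Type and NtpServer values (from the GPO policy key when present, otherwise from the W32Time Parameters key) and, on a non-PDC, measures the offset to the PDC emulator with w32tm /stripchart. It assumes it runs locally on a DC as an administrator; the policy registry path and the stripchart output format are assumptions not stated on the page.

```powershell
# Added example (not from the original post): audit one domain controller's
# W32Time setup against the hierarchy described above (PDC -> NTP, others -> NT5DS).
# Assumptions: run locally on a DC as an administrator, w32tm.exe in PATH, and the
# /stripchart data-line format "HH:mm:ss, +00.0001234s" (the regex below tolerates variants).

# Same predicate as the GPO WMI filter: DomainRole 5 = PDC emulator, 4 = other DC.
$cs = Get-CimInstance -Query 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 4 OR DomainRole = 5'
if (-not $cs) { throw 'Not a domain controller (DomainRole is neither 4 nor 5); nothing to audit.' }
$isPdc    = ($cs.DomainRole -eq 5)
$expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }

# GPO-delivered settings land under the Policies hive (assumed path) and override the
# service's own Parameters key, so read whichever one is actually in effect.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$effective = if (Test-Path $policyKey) { $policyKey } else { $paramKey }
$cfg       = Get-ItemProperty -Path $effective

# Locate the PDC emulator of this domain (answers "how do I find the PDC's FQDN?").
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# On a non-PDC, measure this DC's offset against the PDC and compare it with the
# default Kerberos tolerance of 5 minutes (300 s) mentioned above.
$maxOffset = $null
if (-not $isPdc) {
    $samples = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
    $offsets = foreach ($line in $samples) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$matches[1] }
    }
    if ($offsets) {
        $maxOffset = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    }
}

[pscustomobject]@{
    Computer           = $cs.Name
    Role               = if ($isPdc) { 'PDC emulator' } else { 'Domain controller' }
    ConfigReadFrom     = $effective
    Type               = $cfg.Type
    ExpectedType       = $expected
    TypeMatches        = ($cfg.Type -eq $expected)
    NtpServer          = $cfg.NtpServer
    # The PDC must not list itself as a peer (RFC 1305 note above); flag it if it does.
    PdcPointsToItself  = ($isPdc -and ($cfg.NtpServer -match [regex]::Escape($cs.Name)))
    CurrentSource      = (w32tm /query /source | Out-String).Trim()
    OffsetToPdcSec     = $maxOffset
    WithinKerberosSkew = if ($null -eq $maxOffset) { 'n/a' } else { $maxOffset -lt 300 }
} | Format-List
```

Run it on each DC after applying the GPO or w32tm settings; TypeMatches should be True everywhere, and PdcPointsToItself should be False on the PDC.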

Side notes:

  • Please note that we recommend using the w32tm command-line utility instead of the “net time” command (why?),
  • We recommend using w32tm or GPO to configure the time service instead of editing the registry directly,
  • The PDC should not synchronize with itself (RFC 1305),
  • More details on the WMI filter here and GPO time settings here.
  • About NtpServer value syntax and server flags here and here.


Hope it’s simple now!

Imed Boukhaf from NEPA team.

Comments (31)

  1. Anonymous says:

    Is there any way to find/ping the PDC emulator’s FQDN?

  2. Anonymous says:

    Love the blog. one thing missing is the owner of this thread. Got Some comments that I want to share offline 🙂

  3. Anonymous says:

    Misprint in w32tm.exe /resync /rediscover /no_wait
    Right is w32tm.exe /resync /rediscover /nowait

  4. johnredd says:

    The location of the registry is different when you configure NTP using group policy. For that matter any setting using Group Policy.

    In this case: After applying the Global settings the path should be checked in the below REG path.


  5. Frei says:

    Thanks a lot JR, PDC was ignoring any w32tm configuration changes, policies were "not configured".

    The only assumption i could come to, was that something is overriding all of the changes, and found it in the registry you specified.

  6. Martin says:


    I understand the concept of DCs talking to the PDC, talking to external NTP,
    but… is there a technical reason not to sync all DCs directly with external NTP servers?
    “All non-PDC domain controllers should be set to NT5DS (domain hierarchy)”

    Or, is it better to create a new GPO, and then add the “DomainRole = 5” filter?
    How do I make sure my DCs sync from my PDC? I am asking because I have DCs out of sync by 2 minutes…

  7. David says:

    @Martin, To ensure your other DC’s are configured to point to the DC with the PDC emulator role, you can create another GPO with the default NT5DS settings and apply a WMI filter that will filter for DC without the PDC emulator role “Select * from Win32_ComputerSystem where DomainRole = 4”.

  8. nick says:

    It’s simple? Here are some problems I’ve run into as someone who is not a guru in Active Directory or Group Policy Objects but who can follow along your directions:

    1. “Open the GPO for edition” — what does that mean? What edition?
    2. I’ve assumed this means open the GPO that I created by clicking around since you don’t explain how this gets created, however under Computer Configuration I don’t see “Administrative Templates” available. Oh, wait… it’s actually “Computer Configuration\Policies\Administrative Templates”
    3. I assume by “then Configure Windows NTP Client + Enable Windows NTP Client” that you mean to “Edit the ‘Configure Windows NTP Client’ policy setting, change the radio button to ‘Enabled’ and change the ‘Type’ option to NTP, leaving all other settings at their defaults.” You also mean by “Enable Windows NTP Client” that you should “Edit the ‘Enable Windows NTP Client’ policy and change the radio button to ‘Enabled’.”
    4. You say “we do provide some tools for that: w32tm.exe command-line utility and GPO”. You then go on to list three sub-bullets for “w32tm.exe”, “GPO”, and “Creating a global settings GPO” plus a fourth one for “Checking” which should be a way of verifying the above? Presumably these are meant to be either-or, but why do you mention only two options but list three? Maybe “Creating a global settings GPO” is not optional?
    5. Under “Creating a global settings GPO”, you say “Depending on the use, you may leave the default values”. But depending on what use? How does it depend? I’m going to assume that this was a third alternative which is not necessary since I’ve already setup a GPO. Besides which, the instructions here are also incorrect. The “Global Configuration Settings” policy is not under “…\System\Windows Time Service\Time Providers” it’s directly under “…\System\Windows Time Service”.

    Next time, it would be quite helpful to explain the steps as if the person you are explaining it to does not already possess the body of knowledge that you have. You make far too many assumptions and you’re also sloppy in your descriptions, giving the incorrect details from faulty memory instead of double-checking so that you provide correct information. All in all, it makes for a very “Not Simple!” guide to try and follow.

  9. Damián Fiorito says:

    It’s very clear for me and works great. Now, we have a policy for both domain controllers primary and secondary (in my case), the question is, how can i synchronize my computers in the domain (windows 7, 8, xp etc) with this dc’s? With a logon script with net time or with another gpo pointing to the dc’s?
    I would appreciate your help.

    PS: obviously these tasks require a basic knowledge of server administration; this post was the most clear regarding time synchronization.
    Damián Fiorito

  10. Neer Patel says:

    A little more detail… maybe with examples of what you’d enter in the fields would help a lot!

  11. Cem Onur says:

    This was a very poorly written technical documentation. It reads like it’s been written during a coffee break. No quality control, jumps from topic to topic, no clear path of information flow. It is in severe need of editing and quality control. Even the sentences are incoherent and sound like thought streams, not instructions. We need this information, but we need it in such a way that we can read, and implement, step by step.

    Thank you

  12. Yer Scroogled says:

    This “article” is useless because the person who “wrote” it just copied it from a TechNet article. He probably doesn’t even understand what he’s doing and that’s why it sucks!! If you want to see the actual article and get all the information that is missing then check this link out:

    Come on man, if you’re going to copy someone at least reference their work at the bottom!

    Hey Nick, I doubt that he has any body of knowledge at all.

  13. Mat says:

    Really dodgy article. No background of understanding. Poor communication. "It’s simple"?! What a load of rubbish, the author doesn’t even specify how to configure clients in a domain to look to their domain controller server for time rather than an external time source!

    Vastly lacking in detail for the more technical, and sadly very unclear for even basic configuration requirements in an AD domain.

  14. Trix says:

    I have to agree with the concerns about the quality of this article. The layout is non-existent and the general quality is poor. You can have a friendly style, but still make it readable.

    I do think it accurately includes the basics, but it doesn’t make it very clear what you’re doing at a particular step, and why.

    Sure, you probably don’t need to mention all the scenarios, and I actually think the references at the end are fine, but they should have much better descriptive detail.

    As for Mat’s query about how to configure the clients, you shouldn’t need to do so specifically if they are joined to the domain and using the default configuration. But it might help to state that in black and white (and maybe link to some info about how to reset to the defaults for domain clients).

  15. Daniel Miranda Ulate says:

    Excellent, it worked flawlessly.

  16. Andy says:

    You may find this article about synchronizing windows using NTP more informative:

  17. Other article references are bad and outdated says:

    Wow, hard to believe all of the foul comments being posted about this FREE article. It is much more up to date and to the point than the other articles, both of which require editing the registry directly, something you would be hard-pressed to get approved in change control versus PowerShell commands IMHO. And, no, it isn’t a repeat of someone else’s work unless you mean it summarizes and presents freely available Microsoft documentation in a different format, which pretty much sums up every blog post on the

    Grow up, people.

  18. Josh Dauwalter says:

    This guide was great. Got a client’s servers times all sync’d up from the DC with this.

  19. Name says:

    "Open the GPO for edition and go to:" makes no sense

  20. Arptro says:

    Usually TechNet articles are the gospel. They should have reviewed and removed this one. I think this GPO is going to lead to multiple sources of time if you move the PDC emulator role.

  21. DARIUS says:

    Actually what would have been good is an idea of what you should receive when you run "w32tm /query /Status"
    So that you know if you got it right.

    Cause there is no "check that you set it up correct like this" section of the article

  22. When I applied this WMI Filter in Windows Server 2012 R2 I received an error message about the namespace, however the policy still worked. I would suggest ignoring the error and manually verifying that the policy worked by looking in the registry on your DCs. Many other people have also had this problem as indicated in this other post:


  23. w32tm /monitor is another great way of testing settings. The RefID field shows where each DC is pulling time from; everything other than your PDC should show the DNS name of the PDC as its source. FYI, if you are using pool.ntp.org as your upstream time, the PDC RefID entry will show the specific member of the pool you most recently pulled time from instead of the pool.ntp.org DNS names.

  24. kjstech says:

    would I also use this same group policy element in a GPO attached to an OU where client computers reside to point the time synchronization to our domain controller?
    For example, I had a PC yesterday where the time was 2 minutes ahead. Ran net time \\dc1 and saw the proper domain time. Ran net time \\computername and I saw time that was 2 minutes ahead. I tried the command w32tm /config /syncfromflags:domhier /update and it said that Windows Time Service was not running. I tried net time \\dc1 /set /y and it was access denied. I think I was able to remotely start the w32tm service via an MMC snap-in, and remotely execute that w32tm sync command via psexec as an admin, and I believe that worked.

    But instead of doing this per PC as people call, I’d rather have it automated. The only change we made recently was a GPO to remove "Domain Users" from the local administrators group on the machines. We used to run as local admins for application compatibility, but we recently worked hard on getting the right permissions changes to certain files and folders that were required for our apps to run properly, so we took local admin away so people can run things like mimikatz out of the metasploit package in order to get cleartext passwords and use that account to spread malware to every other PC under that local admin context.

  25. dsabbott says:

    This article is GREAT! It gave me, an experienced admin, everything I needed to know quickly and simply so I didn’t have to spend a lot of time researching the basics. I can now go forward ON MY OWN. Thanks and love the diagram!

  26. anonymouscommenter says:

    A host of reference material for AD and Group Policy

  27. R.Serg says:

    If you guys need great time accuracy (1-5ms) on your network I would like you to take a look at NTS software (includes NTP server/client apps for Windows)

  28. Bryan Heath says:

    FYI – If time synchronization is enabled on virtual domain controllers, they will default to the VM IC Time provider. I referred to the following to resolve the issue in Hyper-V.


    "For virtual machines that are configured as domain controllers, it is recommended that you disable time synchronization between the host system and guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time from the domain hierarchy.

    To disable the Hyper-V time synchronization provider, shut down the VM and clear the Time synchronization check box under Integration Services."

    P.S. thanks for the tidbits on the WMI filter queries for PDCE and non PDCE systems. It may help to update the Wiki so we don’t have to peruse the comments.

  29. ajhstn says:

    I would like to do this with GP’s. I see you have configured a GP for the PDC emulator, using the filter and configuring the external time provider using "NTP".

    For my other DC’s, do I need a 2nd GP, to configure them to use "w32tm /config /syncfromflags:domhier /update "

    rather than manually going to every DC and running this?

  30. TimeMaster says:

    Thank you for writing this article. Very helpful.

  31. SprintGeek says:

    I found this article helpful. Thank you!