Sync Domain Clock with Internet NTP Sources

Author by Shannon Fritz

When deploying a new Active Directory Domain Controller, it can be important to consider where your domain will get its official time from. By default, the Domain Controller will be its own time authority, but that means it simply says what time it is and all domain members blindly obey its decree. Chances are that self-clocked time will drift away from the "real" time that the rest of the world uses, which can lead to troubles ranging from mild irritation to total failures. To overcome this, you configure the Domain Controller to get its time from a source that the rest of the world also trusts to keep track of the accurate and actual time. This way everyone agrees what time it is, and life is good.

Microsoft has a pretty detailed KB Article on this topic which even includes a very handy "Fixit for me" utility. However, that tool doesn't run on Windows Server 2012 for some reason, so let me just cut right to the chase on how to quickly configure your domain to sync with an external NTP time server.

Copy the text below into a .reg file and double click it. Details on these settings can be found in KB816042. Many below are the default values and are included just to ensure they are configured as expected.

Windows Registry Editor Version 5.00

; Peers are space-separated; the 0x1 flag makes each peer use SpecialPollInterval.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
"NtpServer"="pool.ntp.org,0x1 time.nist.gov,0x1 time.windows.com,0x1"

; 0x2a300 = 172800 seconds (48 hours)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:0000000a
"MaxPosPhaseCorrection"=dword:0002a300
"MaxNegPhaseCorrection"=dword:0002a300

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

; 0xdd4 = 3540 seconds (59 minutes)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:00000dd4

Then stop and restart the w32time service by running this from an elevated command prompt.

net stop w32time && net start w32time

As long as the clock is within 5 minutes of the actual time, your clock will automatically be updated to the current time as reported by one of the popular internet time servers. It will also check back in every 59 minutes to make any adjustments necessary in order to keep the clock in sync. Microsoft recommends every 15 minutes, but that seems quite excessive to me in this case.

You can now use the w32tm utility to check the status of the time sync and determine where the clock is getting its time from.

w32tm /query /status

In the example below, you can see the time is being pulled from "LOCL", which means it is using its own Machine Clock (BIOS or CMOS if you like).

[Screenshot: w32tm-cmos]

After making the above Registry edits and restarting the w32time service, you should see that the time is being synced from an NTP source.

[Screenshot: w32tm-ntp]

At this point the rest of your domain members will begin to gradually drift their time back in sync with the domain controller over the next couple minutes to get back in line with the rest of the world.

Side note: The Clients and other Member Servers are already using NTP, but their source will be your domain controller, not an internet time server. Once the DC is fetching time from the outside, there is nothing else you need to change, but if you wanted to force a computer to sync right away rather than drift gradually you can use w32tm /resync /force.

For some more information on Time Sync as it relates to Virtual Machines, check out this oldie but goodie from Ben Armstrong titled Time Synchronization in Hyper-V. I think a key takeaway from that article is that you should disable the "Time Sync" feature of the Integration Components on any Virtual Machine that happens to be a Domain Controller. That advice still holds true with Windows Server 2012.

N'joy!
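
A read-only check that the settings above landed and that the running service is really using an NTP peer, as an added example that is not part of the original post. Run it from an elevated PowerShell prompt on the domain controller; the expected values are the ones from the .reg file on this page, and the local-clock strings matched at the end are assumed to be what `w32tm /query /source` prints on an unsynced host.

```powershell
# Added example: audit the W32Time settings from the .reg file on this page.
# Expected values mirror that file; adjust them if you changed the import.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$expected = @(
    @{ Key = 'Parameters';              Name = 'Type';                  Value = 'NTP' }
    @{ Key = 'Config';                  Name = 'AnnounceFlags';         Value = 0x0a }
    @{ Key = 'Config';                  Name = 'MaxPosPhaseCorrection'; Value = 0x2a300 }
    @{ Key = 'Config';                  Name = 'MaxNegPhaseCorrection'; Value = 0x2a300 }
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';               Value = 1 }
    @{ Key = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval';   Value = 0xdd4 }
)
$results = foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path (Join-Path $base $e.Key) -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Setting  = "$($e.Key)\$($e.Name)"
        Expected = $e.Value
        Actual   = $actual
        Ok       = ($actual -eq $e.Value)   # a missing value compares as $false
    }
}
$results | Format-Table -AutoSize

# NtpServer is a space-separated list of "host,flags". Flag bit 0x1
# (SpecialInterval) makes that peer honor SpecialPollInterval.
$peers = (Get-ItemProperty "$base\Parameters").NtpServer -split '\s+' | Where-Object { $_ }
foreach ($p in $peers) {
    $name, $flags = $p -split ',', 2
    $f = if ($flags) { [Convert]::ToInt32($flags, 16) } else { 0 }
    '{0,-20} flags=0x{1:x} SpecialInterval={2}' -f $name, $f, [bool]($f -band 0x1)
}

$poll = (Get-ItemProperty "$base\TimeProviders\NtpClient").SpecialPollInterval
"Poll interval: $poll s ($([math]::Round($poll / 60)) min)"

# The running service should report an NTP peer, not the machine's own clock.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "Still on the local clock: $source"
} else {
    "Time source: $source"
}
```

Any row with Ok = False, or a peer whose SpecialInterval is False, means the import did not apply as written and the 59-minute poll described above is not in effect for that peer.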
Author

Shannon Fritz

Infrastructure Architect & Server Team Lead