Time synchronization, especially between Domain Controllers, often comes into question with our smaller clients, who do not have it set up correctly.

The simplified version of the configuration: the domain controller that holds the PDC Emulator FSMO role (call it DC04, the name used in the examples below) syncs with one or more external, highly reliable NTP servers, and every other domain controller syncs from the domain hierarchy, which for a DC means DC04. Domain members do the same, so the whole domain ends up hanging off DC04's clock.

Set The Time Service On A Windows Domain

There are dozens of public NTP servers to choose from, run by everyone from the US military to the Canadian government to Microsoft. The one thing to check with the large providers is their terms of use: some are open to anyone, some require registration or a paid licence, and the ones that do simply won't answer you otherwise. Also bear in mind that plain NTP over the internet is not authenticated, so pick more than one source rather than trusting a single host.

If your time service is screwed up it’s best just to start again and fortunately that’s very easy to do.

1 – Determine Which DC Holds the PDC Emulator Role

You can figure out which server holds the PDC Emulator FSMO role in several ways, but the easiest is just to:

  1. launch Active Directory Users and Computers
  2. right click on your domain name and select OPERATIONS MASTERS
  3. Click on the PDC tab

In the screenshot, the PDC Emulator is held on DC04, which is the name used in the examples below.

2 – Recreate The Time Configuration on the PDC Server

Open a CMD prompt, PowerShell, or Windows Terminal as an Administrator and run:

net stop w32time
w32tm /unregister

Then reboot that domain controller (a reboot is not strictly required: stopping the service before /unregister and starting it after /register is enough, but on a misbehaving box it is the cleanest reset).

Open a CMD prompt, PowerShell, or Windows Terminal as an Administrator and run:

w32tm /register
net start w32time

w32tm /config /manualpeerlist:"0.north-america.pool.ntp.org,0x8 1.north-america.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

The ,0x8 suffix puts each peer in NTP client mode (plain request/response, which is what public servers expect); ,0x2 marks a peer as fallback only, and because the suffix is a bitmask the two combine, so ,0xa is a client-mode peer used only when the others stop answering. /reliable:yes is the step most people miss: it makes the PDC Emulator advertise itself as a reliable time source so the other DCs choose it through the domain hierarchy. The resync forces the first sync instead of waiting for the next poll.

Those pool.ntp.org servers are free and very commonly used. The four names in the North America zone are:

0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org

Each name rotates through volunteer-run servers, so list at least two of them. You can find more details on them at https://www.ntppool.org/zone/north-america

3 – Recreate The Time Configuration on the other DCs

Open a CMD prompt, PowerShell, or Windows Terminal as an Administrator and run:

net stop w32time
w32tm /unregister

Then reboot that domain controller.

Open a CMD prompt, PowerShell, or Windows Terminal as an Administrator and run:

w32tm /register
net start w32time

Now point this DC at the domain hierarchy instead of at a named server:

w32tm /config /syncfromflags:domhier /reliable:no /update
w32tm /resync /rediscover

Non-PDC DCs (and every ordinary domain member) should run with Type set to NT5DS, which finds a time source through the domain hierarchy and signs the NTP exchange with the machine account. For a DC that resolves to the PDC Emulator, so there is no server name to type in. In NT5DS mode the NtpServer registry value is ignored, which is why writing the PDC's name into it with reg add has no effect; if you really want to pin a DC to a specific server you have to switch it to a manual peer list, and then it is unauthenticated NTP just like the PDC's own external feed.

For example, on the TCEASS.LOCAL domain with the PDC Emulator on DC04, each of the other DCs should now report DC04.TCEASS.local as its time source.

Do this on each of your remaining DCs and have a nice day.
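The three steps above, folded into one script you can run on each DC in turn. This is an added example, not code from the original post: it asks Get-ADDomain whether the DC it runs on holds the PDC Emulator role and applies the matching configuration (external peers plus /reliable:yes on the PDC, the domain hierarchy everywhere else), then shows what took effect. It assumes an elevated PowerShell session on a DC with the ActiveDirectory module (present on every DC); the peer list in $ExternalPeers is just the pool names from the post and is the one thing you might want to change.

```powershell
# Added example, not from the original post. Run elevated on each DC.
Import-Module ActiveDirectory

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# External peers for the PDC Emulator (the pool names from the post).
# ,0x8 = NTP client mode; OR in 0x2 (-> 0xa) to make a peer fallback-only.
$ExternalPeers = '0.north-america.pool.ntp.org,0x8 1.north-america.pool.ntp.org,0x8 2.north-america.pool.ntp.org,0x8'

$pdc   = (Get-ADDomain).PDCEmulator                                   # FQDN of the role holder
$me    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # this DC's FQDN
$isPdc = ($me -eq $pdc)                                               # -eq is case-insensitive
Write-Host "Local DC: $me   PDC Emulator: $pdc   (this DC holds the role: $isPdc)"

# Steps 2/3: reset W32Time to its defaults. Stopping the service stands in
# for the reboot in the post.
Stop-Service w32time -Force
w32tm /unregister | Out-Null
w32tm /register   | Out-Null
Start-Service w32time

if ($isPdc) {
    # Root of the domain time hierarchy: manual external peers, and
    # /reliable:yes so the other DCs select this one through the hierarchy.
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Everything else follows the domain hierarchy (Type becomes NT5DS),
    # which resolves to the PDC Emulator. NtpServer is ignored in this mode.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service w32time
w32tm /resync /rediscover | Out-Null

# Show what actually landed in the registry and which peer the service chose.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
[pscustomobject]@{
    Computer  = $me
    Role      = if ($isPdc) { 'PDC Emulator' } else { 'DC' }
    Type      = $p.Type          # expect NTP on the PDC, NT5DS elsewhere
    NtpServer = $p.NtpServer     # only meaningful when Type is NTP
    Source    = (w32tm /query /source | Out-String).Trim()
} | Format-List
```

Run it on the PDC Emulator first, then on the others; if the role ever moves, re-running it on the old and new holders is all that is needed to keep the hierarchy straight.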

Verify Your Time Service Is Configured Correctly

Take a look at the registry entries at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

On the DC that holds the PDC Emulator role:

  • NtpServer should be the external peer list you set, flags included (for example 0.north-america.pool.ntp.org,0x8 1.north-america.pool.ntp.org,0x8)
  • Type should be NTP

On the other DCs:

  • Type should be NT5DS
  • NtpServer is not used in NT5DS mode, so ignore whatever is in it; what matters is the source the service reports, which should be the DC that holds the PDC Emulator role

The registry only tells you what is configured, not whether it is working: a DC whose reported source is Local CMOS Clock or Free-running System Clock has the right settings but is not actually synchronising with anything.
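To check every DC at once rather than opening the registry on each, here is an added audit script (not code from the original post). It lists the DCs from AD, reads Type, NtpServer and the current source from each over w32tm's remote query, measures each DC's clock against the PDC Emulator with w32tm /stripchart, and flags anything that does not match the layout described above. It assumes the ActiveDirectory module is available and that the DCs answer w32tm's RPC queries from wherever you run it; the 60-second threshold is an arbitrary warning line chosen to sit well below the Kerberos default.

```powershell
# Added example, not from the original post: audit W32Time on every DC.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
# Kerberos rejects tickets when clocks differ by more than 5 minutes (the
# default MaxClockSkew). 60 s is an arbitrary warning line well below that.
$MaxOffsetSeconds = 60

# Type / NtpServer / current source of a DC, read over w32tm's remote query.
function Get-W32TimeInfo([string]$Computer) {
    $cfg = (w32tm /query /computer:$Computer /configuration 2>&1) | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { return $null }
    $src  = ((w32tm /query /computer:$Computer /source 2>&1) | ForEach-Object { "$_" }) -join ' '
    $type = $cfg | Select-String '^\s*Type:\s*(\S+)'           | Select-Object -First 1
    $ntp  = $cfg | Select-String '^\s*NtpServer:\s*(.*?)\s*\(' | Select-Object -First 1
    [pscustomobject]@{
        Type      = if ($type) { $type.Matches[0].Groups[1].Value } else { $null }
        NtpServer = if ($ntp)  { $ntp.Matches[0].Groups[1].Value }  else { $null }
        Source    = $src.Trim()
    }
}

# Mean offset of $Computer's clock relative to this machine, in seconds
# (positive = target is ahead), from a few w32tm /stripchart samples.
function Get-ClockOffset([string]$Computer, [int]$Samples = 3) {
    $lines = (w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1) | ForEach-Object { "$_" }
    $vals = foreach ($line in $lines) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }   # "12:00:00, +00.0012345s"
    }
    if (-not $vals) { return $null }
    ($vals | Measure-Object -Average).Average
}

$pdcOffset = Get-ClockOffset $pdc
$report = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    $isPdc  = ($dc.HostName -eq $pdc)
    $info   = Get-W32TimeInfo $dc.HostName
    $offset = Get-ClockOffset $dc.HostName
    # Subtracting the PDC's own offset gives DC-minus-PDC no matter which
    # machine runs this script.
    $fromPdc = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Round($offset - $pdcOffset, 3) } else { $null }

    $problems = @()
    if ($null -eq $info) {
        $problems += 'w32tm remote query failed'
    } else {
        if ($isPdc -and $info.Type -ne 'NTP')               { $problems += "Type is $($info.Type), PDC should be NTP" }
        if (-not $isPdc -and $info.Type -ne 'NT5DS')        { $problems += "Type is $($info.Type), should be NT5DS" }
        if (-not $isPdc -and $info.Source -notlike "$pdc*") { $problems += "source is '$($info.Source)', expected $pdc" }
        if ($info.Source -match 'Local CMOS Clock|Free-running') { $problems += 'not synchronised to any peer' }
    }
    if ($null -ne $fromPdc -and [math]::Abs($fromPdc) -gt $MaxOffsetSeconds) { $problems += "offset from PDC is ${fromPdc}s" }

    [pscustomobject]@{
        DC            = $dc.HostName
        Role          = if ($isPdc) { 'PDC' } else { 'DC' }
        Type          = $info.Type
        NtpServer     = $info.NtpServer
        Source        = $info.Source
        OffsetFromPdc = $fromPdc
        Status        = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}
$report | Format-Table -AutoSize
```

A DC that shows OK here but still logs Kerberos clock-skew errors is worth a second look at its clients rather than at the DC: members sync from a DC in their own site, so a member that has been pointed at a manual peer list by an old GPO will drift away from the hierarchy on its own.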

What’s the Difference Between NTP and NT5DS?

NTP and NT5DS are the two values of the Type entry under W32Time\Parameters, and both move time with the same wire protocol: the Windows Time service always speaks NTP. What Type changes is how the machine picks its time source and whether the exchange is authenticated:

NTP (Network Time Protocol)

  • Usage: the machine syncs from the servers you list in NtpServer (the manual peer list). This is the mode for standalone machines, for talking to non-Windows time servers, and for exactly one box in a domain: the PDC Emulator, which is the root of the domain's time hierarchy.
  • Accuracy: depends on the quality of the peers and the network path to them; good nearby peers give you milliseconds, a congested internet path gives you worse.
  • Configuration: you maintain the peer list yourself; nothing in Active Directory is consulted.
  • Security: replies from public servers are not authenticated and W32Time has no support for authenticated NTP with external peers, so list several reputable sources rather than trusting one host.

NT5DS (NT5 is Windows 2000, the release that introduced it; DS is Directory Service)

  • Usage: domain-joined computers and every non-PDC domain controller. The time source is found automatically through the domain hierarchy: members sync from a DC in their site, DCs sync from the PDC Emulator of their domain, and a child domain's PDC syncs from the parent domain.
  • Accuracy: it is the same NTP exchange as above, so precision is comparable; the difference is the path, one or two hops inside your own network instead of the internet.
  • Configuration: none beyond joining the domain; the NtpServer value is ignored in this mode.
  • Security: the NTP packets are signed using the computer account's secure channel, so a member will not accept time from a rogue DC or a spoofed reply. This matters more than it sounds: Kerberos rejects tickets when clocks differ by more than five minutes, so whoever controls your time can take down authentication for the whole domain.

Key Considerations

  • Environment: a mixed estate is not a reason to move Windows machines off NT5DS. Point the non-Windows systems at the PDC Emulator (or at the same external source it uses) and leave the domain members on the hierarchy.
  • Accuracy Needs: the Type setting is not what limits accuracy; peer quality, polling interval and OS version are. If you need tighter time, improve the PDC Emulator's peers and everything downstream benefits.
  • Simplicity: NT5DS is self-configuring and follows the PDC Emulator role wherever it moves, which is exactly why the hierarchy is the supported design.

Put simply, NTP with a manual peer list is for the PDC Emulator and for machines outside the domain; NT5DS is for everything inside it, and leaving members on NT5DS gives you authenticated time for free.


