How to Configure an Authoritative Time Server on a Windows Domain

Prepared by Ian Matthews Written April 21, 2010, Last Updated March 27, 2018NOTE: This is MY cookbook for ForeFront 2010 installs and you should use with caution.  As usual my instructions are provided without warrenty or guarentee of any sort.

Since NT4 I have had troubles setting a Windows Domain to sync with an external time source.  I have blown hours trying get this configured and even worked with Microsoft support a few times.  Microsoft has revised a Knowledge Base article on this topic and I was able to get this to function in about 10 minutes.  I have further simplified the process to about 30 seconds.

OK, lets get to it:
How to find PDC Emulator FSMO
1: Find your Domain Contoller with the PDC Emulator FSMO role.  If you need help just look:

2: how-to-set-external-ntp-time-serversDownload and run THIS registry file on the DC which has the PDC FSMO.

3: Replace SERVER1 and SERVER2 with any time server host name you would like.  I suggest you use:  1.ca.pool.ntp.org,0x1 2.ca.pool.ntp.org0x11.ca.pool.ntp.org but any two time servers will work.

4: Stop and Start the Windows Time Service

Your domain time will complete its first sync almost right away.

For more details read THIS KBase article talking about Server 2012, but it will work on Server 2008, Server 2003 and Server 2016.
Disable Hyper V Time Syncronization on Domain PDC's
Note that if you are running a your Domain Contoller with the PDC FSMO inside a Hyper-V Virtual Machine, you NEED to disable the Time Syncing to the Host PC’s clock.  If you don’t your time can vary wildly and you will be in Hell.  See the screen shot if you don’t know how to do this.

In case you did not know, time syncing is a critical part of domain security.  Your PC’s sync to the domain in an effort to stop replay attacks (i.e. someone records your network packets at 1pm and replays them back into the LAN, toward your DC, at 4pm).  If your Domain Controller’s time is wrong, this will be a major problem as all of your PC’s will be wrong, email time stamps will be wrong and you will look like an idiot.  Also, computers which are on your domain but do not sync their clocks with the domain (i.e. Mac’s) will not be able to authenicate if their time is more than 15 minutes out.  It can get ugly

Comments

  1. Avatar
    rado March 24, 2018 at 3:41 am

    The zip file is no longer available

    • Ian Matthews
      Ian Matthews March 27, 2018 at 5:54 pm

      Good Catch! I looked through the site and cannot find it, so I did some checking and found a tool from MS that will make the changes for you, so I updated this post.

      I hope it works well for you 🙂

  2. Avatar
    Poker Spielen September 21, 2010 at 1:53 am

    I should digg your article therefore more folks can see it, really helpful, I had a tough time finding the results searching on the web, thanks.

    – Norman

Questions or Comments?