Since NT4 I have had trouble setting a Windows Domain to sync with an external time source. I have blown hours trying to get this configured and even worked with Microsoft support a few times. Microsoft has revised a Knowledge Base article on this topic and I was able to get this to function in about 10 minutes. I have further simplified the process to about 30 seconds.
2: Download and run THIS registry file on the DC which has the PDC FSMO.
3: Replace SERVER1 and SERVER2 with any time server host name you would like. I suggest you use:
1.ca.pool.ntp.org,0x1 2.ca.pool.ntp.org,0x1 but any two time servers will work.
4: Stop and Start the Windows Time Service
Your domain time will complete its first sync almost right away.
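The same configuration can be applied and checked with the built-in `w32tm` tool instead of a registry file. This is an added example, not the registry file linked above; it assumes an elevated PowerShell session on the DC holding the PDC FSMO role and uses the peer names suggested in step 3.

```powershell
# Added example. Run elevated on the DC that holds the PDC emulator FSMO role.
# Peer list uses the hosts suggested in the post; substitute your own.
$peers = '1.ca.pool.ntp.org,0x1 2.ca.pool.ntp.org,0x1'

# Each entry must be "host,0xFLAGS", with entries separated by a single space.
# A missing comma or space produces an entry that is not a valid peer.
foreach ($entry in $peers -split ' ') {
    if ($entry -notmatch '^[A-Za-z0-9.-]+,0x[0-9A-Fa-f]+$') {
        throw "Malformed peer entry: '$entry'"
    }
}

# Point the time service at the manual peers and mark this DC as a reliable source.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Step 4 of the post: stop and start the Windows Time service.
Restart-Service -Name W32Time

# Force a sync, then confirm the DC is following an external NTP peer
# rather than its own clock or the Hyper-V host.
w32tm /resync /rediscover
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time') {
    Write-Warning "Not syncing from an NTP peer yet; current source: $source"
} else {
    Write-Output "Time source: $source"
}

# Show what ended up in the registry and the state of each peer.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
    Select-Object Type, NtpServer
w32tm /query /peers
```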
For more details read THIS KBase article talking about Server 2012, but it will work on Server 2008, Server 2003 and Server 2016.
Note that if you are running your Domain Controller with the PDC FSMO inside a Hyper-V Virtual Machine, you NEED to disable the Time Syncing to the Host PC’s clock. If you don’t, your time can vary wildly and you will be in Hell. See the screenshot if you don’t know how to do this.
In case you did not know, time syncing is a critical part of domain security. Your PCs sync to the domain in an effort to stop replay attacks (i.e. someone records your network packets at 1pm and replays them back into the LAN, toward your DC, at 4pm). If your Domain Controller’s time is wrong, this will be a major problem, as all of your PCs will be wrong, email time stamps will be wrong and you will look like an idiot. Also, computers which are on your domain but do not sync their clocks with the domain (i.e. Macs) will not be able to authenticate if their time is more than 15 minutes out. It can get ugly.