Configuring Time Synchronization in the Domain

I like time to be on time, so I manually configure the NTP server for my domain. This way I can choose a time source to which I have good connectivity. Keep in mind that Kerberos needs the time to be synced within the domain, or authentication will fail.

To configure a manual time source take the following steps:

  1. Choose an NTP Server as Source
  2. Find the PDC emulator
  3. Stop the Time Service
  4. Configure the Time Provider
  5. Open any firewall ports
  6. Start the Time Service
  7. Verify result

Choose NTP Server as Source

For me the Time Servers from xs4all are the best. But one good place to start is pool.ntp.org.

I’ll just stick to ntp.xs4all.nl and ntp2.xs4all.nl

Find the PDC Emulator

To find the PDC there are multiple options, from old to new:

Stop the Time Service

Well, here again multiple possibilities. But let’s just stick to PowerShell:

Stop-Service W32Time

Configure the Time Provider

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

Since the time is configured on the PDC there is no need to set it as a reliable source.

Open Firewall Ports

The NTP protocol uses UDP on port 123. See RFC 1305.

Start the Time Service

Start-Service W32Time

Verify the Result

With the following command the configuration can be verified:

w32tm /query /configuration

To perform a sync:

w32tm /resync

This should respond with a message saying: The command completed successfully.

To check on the status:

w32tm /query /status
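
A check for the status output above, as an added example that is not part of the original post: it flags the case where the service runs but the PDC is still on its local clock, for example because UDP 123 is blocked or a peer name does not resolve. The function name Test-TimeSource and the sample output are constructed for illustration, and English-language w32tm output is assumed.

```powershell
# Added example (not from the original post). Assumes English w32tm output.
function Test-TimeSource {
    param(
        [Parameter(Mandatory)][string[]]$StatusLines,    # output of: w32tm /query /status
        [Parameter(Mandatory)][string[]]$ExpectedPeers   # names passed to /manualpeerlist
    )
    # Parse "Key: value" lines; only the first colon separates key from value.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    # The Source line may carry peer flags, e.g. "0.pool.ntp.org,0x8".
    $source  = ("$($fields['Source'])" -split ',')[0].Trim()
    $stratum = if ($fields['Stratum'] -match '^(\d+)') { [int]$Matches[1] } else { 0 }
    # Without a working peer, W32Time reports one of these built-in sources.
    $fallback = 'Local CMOS Clock', 'Free-running System Clock'
    $synced = [bool]$source -and ($fallback -notcontains $source) -and
              ($fields['Leap Indicator'] -notmatch '^3')   # 3 = not synchronized
    [pscustomobject]@{
        Source         = $source
        Stratum        = $stratum
        Synchronized   = $synced
        ExpectedSource = $ExpectedPeers -contains $source
        LastSync       = $fields['Last Successful Sync Time']
    }
}

$peers = '0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org', '3.pool.ntp.org'

# Constructed sample: a PDC that has fallen back to its own hardware clock.
$sample = @'
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)
'@ -split "`r?`n"
Test-TimeSource -StatusLines $sample -ExpectedPeers $peers

# On the PDC emulator itself, feed in the live output instead:
# Test-TimeSource -StatusLines (w32tm /query /status) -ExpectedPeers $peers
```

A healthy PDC shows Synchronized and ExpectedSource both True, with Source set to one of the configured peers.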
