Configuering Time Synchronization in the Domain

I like time to be on time and manually configure the NTP server for my domain. This way I can choose a time source which I have good connectivity to. But Kerberos needs the time to be synced within the domain or authentication will fail.

To configure a manual time source take the following steps:

  1. Choose a NTP Server as Source
  2. Find the PDC emulator
  3. Stop the Time Service
  4. Configure the Time Provider
  5. Open any firewall ports
  6. Start the Time Service
  7. Verify result

Choose NTP Server as Source

For me the Time Servers from xs4all are the best. But one good place to start is

I’ll just stick to and

Find the PDC Emulator

To find the PDC there are multiple options, from old to new:

Stop the Time Service

Well, here again multiple possibilities. But let’s just stick to PowerShell:

Stop-Service W32Time

Configure the Time Provider

w32tm /config /syncfromflags:manual /manualpeerlist:”,,,”

Since the time is configured on the PDC there is no need to set it as a reliable source.

Open Firewall Ports

The NTP protocol uses UDP on port 123. See RCF 1305

Start the Time Service

Start-Service W32Time

Verify the Result

With the following command the configuration can be verified:

w32tm /query /configuration

To perform a sync:

w32tm /resync

This should respond with a message saying: The command completed successfully.

To check on the status:

w32tm /query /status

Leave a Reply

Your email address will not be published. Required fields are marked *