System time synchronization in the Active Directory domain is important for the correct operation of many functions on user workstations under Windows. A lost system clock can affect a user's ability to log in, disrupt mail traffic in Exchange, and create a host of other problems that are difficult to detect.
In complex cases, standard methods for synchronizing time on the network are not one hundred percent reliable or even predictable. For example, if the clock of a physical Hyper-V host stops synchronizing, this usually affects all virtual machines, sometimes catastrophically. Fortunately, it does not take much effort to fix time synchronization errors.
Choosing a computer as a time source
The first thing to do before setting up time synchronization is to choose a computer that will become the main source of system time in your domain.
As a rule, a computer is selected as such a source, which in Active Directory has the role of a primary domain controller (PDC) emulator. According to official Microsoft documentation, it should be the main resource from which the network receives time data. However, in practice this is not always possible.
The machine you choose will regularly consult with Internet sources, so if you are in a strictly guarded facility with high information security requirements, you should consider delegating this role to another computer.
For example, you can create a dedicated server that will receive time information from the Internet and transmit it to the PDC emulator. In this case, you will have several computers serving as time sources for the machines connected to the network.
Firewall setup
When synchronizing time with a domain controller, traffic is sent to UDP port 123. On the computer that serves as the time source, this port must be opened for incoming connections. On all machines on the network, port 123 must be open for outgoing connections, at least with a domain controller.
Domain Controller Setup
To synchronize time with a domain controller on a server acting as a PDC emulator, using the command line, the following actions must be performed:
1. Verify that the domain controller you are working on is a PDC emulator by running the command
netdom query fsmo
2. On the PDC emulator server, run the following time synchronization commands in the specified order:
net stop w32time
w32tm / configure / syncfromflags: manual /manualpeerlist:"0.us.pool.ntp.org,0x1 1.us.pool.ntp.org, 0x1 2.us.pool.ntp.org, 0x1 3.us.pool. ntp.org, 0x1 "
The default external time source for Windows Server is time.windows.com. The best option is to synchronize with multiple time servers. In the above command, we use time servers supported by the NTP Pool Project.
net start w32time
w32tm / configure / reliable: yes / update
w32tm / resync
3. If there are multiple domain controllers in Active Directory, run the following command at a command prompt:
w32tm / config / syncfromflags: domhier / update
4. Verify that the time settings on the PDC emulator server are correct:
w32tm / query / status:
5. Verify that the time settings on all other domain controllers are correct:
w32tm / query / status:
DHCP setup
In order to ensure time synchronization with the domain controller on devices responsible for DHCP, set the parameters 004 and 042 in the DHCP server settings.
For DHCP entries, you can only use IP addresses. You can enter the server name and click Resolve to get the IP address of the server.
If you use DHCP using a Cisco device, in the DHCP settings, enter the following commands:
option 4 ip [IP address]
option 42 ip [IP address]
The IP address should be replaced with the actual IP server that serves as the time source.
Now all DHCP devices will receive the time settings from the server during the next update.
Configuring static devices and computers under other OS
Most NAS and SAN devices have the ability to enter information about the time provider provider server.
To configure time synchronization with a domain controller on Cisco IOS devices, at a command prompt, type:
ntp server 192.168.25.5
The IP address should be replaced with the actual IP server that serves as the time source.
To set up time synchronization on a computer running a non-Windows operating system, refer to the operating system documentation. However, for other OSs, the correct time settings are not as important as for Windows, so you can even refuse to synchronize.
Configure guest virtual machines
All modern hypervisors have the ability to synchronize system time for guest machines using built-in tools. If domain time synchronization is enabled, guest machines will receive time from the physical host on which they are running.
In most cases, you need to disable this feature for Windows Server guest machines that serve as virtualized domain controllers. For all other guests, it should be included.
To configure time synchronization with a domain controller in the Hyper-V hypervisor, open the Settings dialog box and select the Integration Services tab . Clear or check the Time Synchronization check box . For other hypervisors, refer to the manufacturer's documentation.
Group Policy Setting
In order to really convince your Windows computers to use the time settings received from the domain controller, you need to configure group policies.
To install a new group policy, open the policy management tool on the domain controller or on the computer on which the remote server administration tools are installed . Expand your domain. Right-click on Group Policy Objects and click New. Give the new policy a name and click OK.
Right-click on the new policy and click Edit. This will launch the group policy editor window.
Go to Computer Configuration> Policies> Administrative Templates> System -> Windows Time Service> Time Providers. In the right pane, double-click Enable Windows NTP Client. Set the option to Enabled and click OK.
Then double-click Configure Windows NTP Client. Set the parameters as in the figure below, adding 0x1 to the NtpServer field to get yourdc.yourdomain.tld, 0x1.
After saving Group Policy, close the editor. You will return to the console window for managing the groupβs main policy.
If your domain has a large number of policies, right-click on the new policy and go to GPO Status> User Configuration Settings Disabled. This will speed up the processing of each policy.
Now right-click the Active Directory object to which you want to apply this policy and click Link an Existing GPO. Highlight the new policy and click OK. Repeat for other objects as necessary.
Remember that nested objects inherit Group Policy from their parent, if inheritance is not blocked or the child does not have its own associated Group Policy with conflicting settings.
Configure other domain controllers
If you follow the steps above to ensure time synchronization in the domain, then it is almost guaranteed to configure the receipt of the correct time by all computers on the network. Therefore, other domain controllers (if you have several of them) can not be touched.
However, if you want to be sure that they are using the correct time, you can edit the local group policy. Go to Start > Run and enter gpedit.msc. Click OK.
Then use the same settings as in the previous section. If the domain controller on which you want to work is controlled by Windows Server Core, you can do it remotely, provided that this feature is allowed by the firewall. Just run mmc.exe on the GUI computer, go to File> Add / Remove Snap-In, double-click Group Policy Object Editor and go to the computer on which you want to edit the group policy.
Check result
Run the command prompt with administrator rights on any Windows-based computer on the network and enter:
gpupdate
w32tm / query / source
As a result of executing the command on the domain controller, the address of one of the NTP servers that were set as external time sources from the Internet will be returned.
On the user workstation, the command will return the address of the domain controller.
On a Hyper-V virtual machine with time synchronization turned on, you should see a message: VM IC Time Synchronization Provider.
If the command signals that the time is determined by the local CMOS clock, time synchronization in the domain does not work.