Different time on member server than Domain controller

Anonymous
2024-01-31T15:16:21+00:00

Hello,

Please can somebody help me: is it a big problem that my AD member server is set to "(UTC) Coordinated Universal Time" but our Domain controllers have a different time zone, "(UTC+01:00) Brussels, Copenhagen, Madrid, Paris"?

The time on the AD member server is -1 hour compared to the Domain controllers.

I don't see any errors in the "Event log" on the member server or the domain controller.

Many thanks for any help.

R,

M.

Windows for business | Windows Server | Directory services | Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

11 answers

  1. Anonymous
    2025-03-01T03:44:20+00:00

    Hello Daisy

    I hope you are doing well.
    

    We have domain controllers in Egypt, in time zone +2,

    and we have machines in Jordan, in time zone +3.

    Can we join these machines in Jordan to the domain in Egypt with this 1 hour time difference, or do we have to set the time the same as the domain's?

    Thanks.

    1 person found this answer helpful.
  2. Anonymous
    2024-02-06T07:17:11+00:00

    Hello Daisy,

    Do you know why I can't see any errors on the member server or on the domain controller?

    I don't see any signs of what you described in points 1 - 2.

    Thanks.

    R,

    Mirek

  3. Anonymous
    2024-02-05T08:07:15+00:00

    Hello MirekZeman,

    Good day! I am sorry for my misunderstanding.

    If the member server has a different "Time Zone" set than the DC (-1 hour on the member server), this may result in the following:

    1. Kerberos authentication fails. In a Windows domain, if the clock of a member server differs more than 5 minutes from the clock of its domain controller, logon and authentication may fail.
    2. It will cause DC replication problems. If the time on the primary domain controller is too different from the time on the backup domain controller or member server, it can cause Active Directory replication errors. Reference link: Troubleshoot AD Replication Error 5 Access Denied - Windows Server | Microsoft Learn
    3. Security risks: For some systems and applications that require strict timestamps (e.g., auditing, logging, etc.), time differences may lead to security incidents, such as incorrectly recording the wrong time after the time has occurred, which may affect subsequent investigations.
    4. License Management Issues: Some software license agreements rely on precise timestamps, which can cause problems with license management if the time is not accurate.

    Therefore, make sure that the domain controllers and member servers are at the same time to ensure proper synchronization and authentication in the Active Directory environment.

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2024-02-01T20:26:45+00:00

    Hi,

    I think that you did not understand my question.

    I did not ask how the time sync works in AD or how to set it up.

    My questions were:

    1. What happens if the member server has a different "Time Zone" set than the DC (= -1 hour on the member server)?
    2. If the answer to question #1 is "nothing bad" or "this is not a problem", can I leave it? Will it have any consequences in the future?

    I hope that I clarified it.

    Thanks.

    R,

    M.

  5. Anonymous
    2024-02-01T06:42:01+00:00

    Hello MirekZeman,

    Thank you for posting on the Microsoft Community Forum.

    In a domain, the domain controller is the time source, and the member server or client will not actively find the DC for synchronization, so you need to configure the Windows Time settings in the DC's default domain policy. The specific path is: Computer Configuration -> Management Template -> System -> Windows Time Service; enable "Windows NTP Client" and "Windows NTP Server".

    You can also view the time synchronization service configuration by entering w32tm /query /configuration in cmd; w32tm /query /source displays the synchronization time source specified by the current server.

    For more information about the time configuration in the domain, please refer to links below.

    “It’s Simple!” – Time Configuration in Active Directory | Microsoft Learn

    Configure authoritative time - Windows Server | Microsoft Learn

    Time Synchronization in Active Directory Forests | Microsoft Learn

    In general, computers in an AD domain synchronize time in the following order:

    1. The domain client or member server requests synchronization from the local domain DC
    2. The DCs in one domain are synchronized to the PDC simulator in the domain
    3. All non-forest root zone PDC simulators are synchronized to the forest root zone PDC simulator
    4. The Forest Root Zone PDC Simulator is configured to synchronize to an external time source.

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou
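
Added example, not part of the original thread: Kerberos timestamps are compared as UTC instants, so this sketch normalises each host's wall-clock reading to UTC before applying the 5-minute tolerance mentioned in the answers, separating a pure time-zone difference from a real clock error. The host names and readings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # tolerance quoted in the thread

# Constructed sample readings: each host's local wall clock with its UTC offset.
DC_READING = "2024-01-31T16:16:21+01:00"  # hypothetical DC, zone UTC+01:00
MEMBER_READINGS = {
    "srv-utc":    "2024-01-31T15:16:23+00:00",  # zone UTC, clock correct
    "srv-plus3":  "2024-01-31T18:16:20+03:00",  # zone UTC+03:00, clock correct
    "srv-forced": "2024-01-31T16:16:21+00:00",  # zone UTC, wall clock typed in to match the DC
    "srv-drift":  "2024-01-31T16:23:05+01:00",  # same zone as the DC, clock drifted
}


def compare(dc_local: str, member_local: str, max_skew: timedelta = MAX_SKEW) -> dict:
    """Compare a member's clock with the DC's as UTC instants."""
    dc = datetime.fromisoformat(dc_local)
    member = datetime.fromisoformat(member_local)
    if dc.tzinfo is None or member.tzinfo is None:
        raise ValueError("readings must carry a UTC offset")
    # What authentication sees: the difference between the two UTC instants.
    skew = member.astimezone(timezone.utc) - dc.astimezone(timezone.utc)
    # What an administrator sees when comparing the two displayed clocks.
    wall = member.replace(tzinfo=None) - dc.replace(tzinfo=None)
    return {
        "skew_seconds": skew.total_seconds(),
        "wall_clock_diff_seconds": wall.total_seconds(),
        "zone_diff_hours": (member.utcoffset() - dc.utcoffset()) / timedelta(hours=1),
        "within_tolerance": abs(skew) <= max_skew,
    }


def audit(dc_local: str = DC_READING, members: dict = MEMBER_READINGS) -> dict:
    """Return the comparison for every member, keyed by host name."""
    return {host: compare(dc_local, reading) for host, reading in members.items()}


if __name__ == "__main__":
    for host, r in audit().items():
        verdict = "ok" if r["within_tolerance"] else "EXCEEDS 5 min"
        print(f"{host:11} skew={r['skew_seconds']:+8.0f}s "
              f"wall={r['wall_clock_diff_seconds']:+8.0f}s "
              f"zone={r['zone_diff_hours']:+.0f}h  {verdict}")
```

The `srv-forced` row is the case to watch for: the displayed clocks match, yet the UTC instants are an hour apart.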
