Configure the Root PDC with an Authoritative Time Source and Avoid Widespread Time Skew
Why Consider This
Your root PDC emulator is not set to use a Network Time Protocol (NTP) server. Many Windows and network functions rely on robust time synchronization across the network. Time synchronization failures can cause a variety of problems, most notably logon failures. Kerberos authentication and claims-based single sign-on can fail due to time disparities.
Context and Best Practices
By default, all computers and devices on a domain synchronize system time using the domain hierarchy. Domain members synchronize time with domain controllers, which in turn synchronize time with the domain controller running the PDC emulator role. The PDC emulator of the forest root domain is at the top of the domain hierarchy, and as such configuring this domain controller to synchronize time with the domain hierarchy is invalid. The Windows Time Service warns you of this condition by writing event ID 12 to the Windows event log from the W32Time event source.
In some scenarios, the PDC emulator gets its time from the BIOS clock. However, this approach has drawbacks. If the time and date are not set accurately in the PDC emulator BIOS, time and date settings will be incorrect across the domain. In addition, if the PDC emulator goes offline, domain members will be unable to synchronize time. A better approach is to configure the PDC emulator to synchronize time directly with an external time source. Alternatively, you can configure another device within your domain to synchronize time with an external time service, and then configure the PDC emulator to use that internal time server as its authoritative time source.
Authoritative external time sources are Internet-facing services, typically maintained by governmental, scientific, or educational establishments that enable you to synchronize your system time using Network Time Protocol (NTP). For example, NIST provides time servers in various locations across the United States.
You can configure the domain controller holding the PDC emulator role to use an NTP server to synchronize time. There are several approaches:
To configure time synchronization via the command line, open an administrative Command Prompt on the PDC emulator and use the following commands:
w32tm.exe /config /syncfromflags:manual /manualpeerlist:220.127.116.11,0x8 /reliable:yes /update
w32tm.exe /config /update
The IP address in the example is a National Institute of Standards and Technology (NIST) time server at Microsoft in Redmond, Washington. Replace this IP address with the time service of your choice.
To configure time synchronization via registry edit on the PDC emulator:
- Open Registry Editor(regedit.exe)
- Navigate to the following registry key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
- To use a specific NTP source, modify the Type value to NTP
- Modify the NtpServer value to contain the NTP server to synchronize time with, followed by ,0x8, for example 18.104.22.168,0x8. Multiple NTP servers must be space-delimited, for example 22.214.171.124,0x8 126.96.36.199,0x8
- Open an administrative Command prompt and execute the following command: w32tm /config /update
To configure time synchronization via Group Policy:
- Open Group Policy Management Console
- Create a new GPO
- Open the GPO and navigate to Computer Settings -> Administrative Templates -> System -> Windows Time Service -> Time Providers
- Double-click Configure Windows NTP Client
- Set the state to Enabled
- Configure the Type to NTP
- Configure NTPServer to point to the IP address of a time server, followed by ,0x8, for example: 188.8.131.52,0x8
- Close the Group Policy Editor
- In the Security Filtering pane of the Group Policy Management Console, remove Authenticated Users from the newly created policy and add the machine that holds the PDC Emulator role
- Link the GPO to the Domain Controllers OU
How To Troubleshoot
To see the current configuration of the Windows Time service, use the following command in an elevated command prompt:
w32tm /query /configuration
To see the current source for time synchronization, use the following command:
w32tm /query /source
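The following PowerShell function is an added example (not part of the original page or of any Microsoft tool) that audits the forest-root PDC emulator against the guidance above: it reads the W32Time Type and NtpServer registry values, checks each peer for the ,0x8 client-mode flag, and reports the source that w32tm /query /source shows. It assumes the RSAT ActiveDirectory module is installed, WinRM is enabled on the PDC emulator, and the caller can read HKLM there; the function name and output fields are my own.

```powershell
# Added example, not from the original page. Audits the root PDCE's time source.
# Assumes RSAT ActiveDirectory, WinRM access to the PDCE, and rights to read HKLM.
function Test-PdceTimeSource {
    [CmdletBinding()]
    param(
        # Optional: pass a DC name directly to skip the AD lookup.
        [string]$ComputerName
    )

    if (-not $ComputerName) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $ComputerName = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    }

    $state = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
        $p   = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Type      = $p.Type        # NT5DS = domain hierarchy (invalid on root PDCE)
            NtpServer = $p.NtpServer   # space-delimited peers, each "host,flags"
            # Current sync source; a local-clock string means no peer is in use.
            Source    = (& w32tm.exe /query /source | Out-String).Trim()
        }
    }

    # Each peer must carry the 0x8 (client mode) flag, as in the page's examples.
    $peers = @()
    if ($state.NtpServer) { $peers = $state.NtpServer -split '\s+' }
    $badPeers = @($peers | Where-Object { $_ -notmatch ',0x8$' })

    $findings = @(
        if ($state.Type -ne 'NTP')  { "Type is '$($state.Type)', expected NTP" }
        if ($peers.Count -eq 0)     { 'NtpServer is empty' }
        if ($badPeers.Count -gt 0)  { "Peers without ,0x8: $($badPeers -join ' ')" }
        if ($state.Source -in 'Local CMOS Clock', 'Free-running System Clock') {
            "Source is '$($state.Source)': not synchronizing with any peer"
        }
    )

    [pscustomobject]@{
        PDCEmulator = $ComputerName
        Type        = $state.Type
        NtpServer   = $state.NtpServer
        Source      = $state.Source
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-PdceTimeSource | Format-List
```

Run it from a management host before and after applying one of the configuration methods above; a Compliant value of False with a non-empty Findings list points at which step was missed.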
For more information on how to synchronize domain controllers with an external time source, see Synchronize the Time Server for the Domain Controller with an External Source at https://technet.microsoft.com/library/cc784553.aspx.
For more information on the NIST Internet Time Service, see NIST Internet Time Service (ITS) at https://www.nist.gov/pml/div688/grp40/its.cfm.
For more information on the Windows Time Service, see How the Windows Time Service Works.