Recommendation - Configure the Root PDC with an Authoritative Time Source and Avoid a Widespread Time Skew

Why Consider this

Your root PDC emulator is not set to use a Network Time Protocol (NTP) server. Many Windows and network functions rely on robust time synchronization across the network. Time synchronization failures can cause a variety of problems, most notably logon failures. Kerberos authentication and claims-based single sign-on can fail due to time disparities.


Context and Best Practices

By default, all computers and devices on a domain synchronize system time using the domain hierarchy. Domain members synchronize time with domain controllers, which in turn synchronize time with the domain controller running the PDC emulator role. The PDC emulator of the forest root domain is at the top of the domain hierarchy, and as such configuring this domain controller to synchronize time with the domain hierarchy is invalid. The Windows Time Service warns you of this condition by writing event ID 12 to the Windows event log from the W32Time event source.

In some scenarios, the PDC emulator gets its time from the BIOS clock. However, this approach has drawbacks. If the time and date are not set accurately in the PDC emulator BIOS, time and date settings will be incorrect across the domain. In addition, if the PDC emulator goes offline, domain members will be unable to synchronize time. A better approach is to configure the PDC emulator to synchronize time directly with an external time source. Alternatively, you can configure another device within your domain to synchronize time with an external time service, and then configure the PDC emulator to use that internal time server as its authoritative time source.

Authoritative external time sources are Internet-facing services, typically maintained by governmental, scientific, or educational establishments that enable you to synchronize your system time using Network Time Protocol (NTP). For example, NIST provides time servers in various locations across the United States.

Suggested Actions

You can configure the domain controller holding the PDC emulator role to use an NTP server to synchronize time. There are several approaches.

To configure time synchronization via command line:

In the PDC emulator, open the administrative Command Prompt and use the following commands:

w32tm.exe /config /syncfromflags:manual /manualpeerlist:131.107.13.100,0x8 /reliable:yes /update

w32tm.exe /config /update

Note

The IP address in the example is a National Institute of Standards and Technology (NIST) time server at Microsoft in Redmond, Washington. Replace this IP address with the time service of your choice.

To configure time synchronization through registry edit on the PDC emulator:

  1. Open Registry Editor (regedit.exe).

  2. Navigate to the following registry key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters.

  3. To use a specific NTP source, modify the Type value to NTP.

  4. Modify the NtpServer value to contain the NTP server to synchronize time with, followed by ,0x8, for example 131.107.13.100,0x8. Multiple NTP servers must be space-delimited, for example 131.107.13.100,0x8 24.56.178.140,0x8.

  5. Open an administrative Command prompt and execute the following command: w32tm /config /update.

To configure time synchronization through Group Policy:

  1. Open Group Policy Management Console.

  2. Create a new GPO.

  3. Open the GPO and navigate to Computer Settings -> Administrative Templates -> System -> Windows Time Service -> Time Providers.

  4. Double-click Configure Windows NTP Client.

  5. Set the state to Enabled.

  6. Configure the Type to NTP.

  7. Configure NTPServer to point to an IP address of a time server, followed by ,0x8. For example: 131.107.13.100,0x8

  8. Close the Group Policy Editor.

  9. In the Security Filtering pane of the Group Policy Management Console, remove Authenticated Users from the newly created policy, then add the computer account of the domain controller that holds the PDC Emulator role.

  10. Link the GPO to the Domain Controllers OU.

Note

The group policy settings for Windows Time are written to the registry path HKLM\Software\Policies\Microsoft\W32time.

How To Troubleshoot

To see the current configuration of the Windows Time service, use the following command in an elevated command prompt:

w32tm /query /configuration

To see the current source for time synchronization, use the following command:

w32tm /query /source
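An added example, not part of the original page, that scripts these checks against the forest-root PDC emulator: it reads the effective W32Time configuration with w32tm, checks for the W32Time event ID 12 described above, and reports whether the settings match this recommendation. The function names Test-PdcTimeSource and Get-W32tmValue are assumptions, and the automatic PDC emulator lookup assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the original page: report whether the forest-root PDC
# emulator is configured as this recommendation describes. Assumes the
# ActiveDirectory RSAT module (only used when no -ComputerName is given) and
# rights to query W32Time and the System log on the PDC emulator remotely.

function Get-W32tmValue([string[]]$Lines, [string]$Name) {
    # w32tm prints "Name: value (Local|Policy)"; return the value part or $null.
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(.+?)\s*\(" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Test-PdcTimeSource {
    [CmdletBinding()]
    param([string]$ComputerName)

    if (-not $ComputerName) {
        # The forest root domain's PDC emulator sits at the top of the time hierarchy.
        $rootDomain   = (Get-ADForest).RootDomain
        $ComputerName = (Get-ADDomain -Identity $rootDomain).PDCEmulator
    }

    # Effective settings; values marked (Policy) come from
    # HKLM\Software\Policies\Microsoft\W32time and override the Parameters key.
    $config    = w32tm /query /computer:$ComputerName /configuration
    $type      = Get-W32tmValue $config 'Type'
    $ntpServer = Get-W32tmValue $config 'NtpServer'
    $source    = (w32tm /query /computer:$ComputerName /source) -join ''

    # W32Time logs event ID 12 when the PDC emulator is still set to use the domain hierarchy.
    $event12 = Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 12 }

    $findings = @()
    if ($type -ne 'NTP')             { $findings += "Type is '$type' (expected NTP)" }
    if ($ntpServer -notmatch ',0x8') { $findings += "NtpServer '$ntpServer' lacks the ,0x8 client-mode flag" }
    if ($source -match 'Local CMOS Clock|Free-running') { $findings += "Current time source is '$source'" }
    if ($event12) { $findings += "W32Time event ID 12 last logged at $($event12.TimeCreated)" }

    [pscustomobject]@{
        PdcEmulator = $ComputerName
        Type        = $type
        NtpServer   = $ntpServer
        Source      = $source
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-PdcTimeSource | Format-List
```

Run it from an elevated PowerShell session on a domain-joined management host; pass -ComputerName to target a specific domain controller without the AD module.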

Learn More

For more information on the NIST Internet Time Service, see NIST Internet Time Service (ITS).

For more information on Windows Time Service, see How the Windows Time Service Works.