
Configure an Active Directory authoritative time source
One of the most fundamental tasks in a network is to keep the clocks on all computers (and
network devices) synchronized with world time. This is essential for domain controllers, member
servers, and client computers of an Active Directory (AD) domain, so one of the first tasks after
deploying a forest root domain should be to configure an external authoritative time source. By
default, all domain-joined computers (including domain controllers) must be accurate to within
five minutes of one another. This is a requirement of Kerberos authentication.
The domain controller holding the primary domain controller (PDC) emulator role (in the forest
root domain) is considered the default authoritative time source for the whole forest. Only this
specific domain controller should have an external time source set.
Configure

The following examples were tested on Windows Server 2008 R2 (domain/forest functional
level). They should work on previous (and later) versions, but it is highly recommended to test
thoroughly before changes are made in production.
# PDC emulator operations master role
Identify the domain controller in the forest root domain that holds the PDC emulator operations
master role. Run the following commands from a PowerShell prompt:
PS> $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
PS> $forest.RootDomain.PdcRoleOwner.Name
dc01.example.com
# Link the domain controller to an external time source
After the specific domain controller has been identified, it is time (pun intended) to configure the
Windows Time service on that computer. In this example, the following command will set the
external time source to the US pool.ntp.org virtual cluster. Run the following commands from an
elevated PowerShell prompt:
PS> w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
PS> w32tm.exe /config /update
Restart the Windows Time service for the changes to take effect. Run the following command
from an elevated PowerShell prompt:
PS> Restart-Service w32time
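The steps above (identify the PDC emulator, configure w32tm, restart the service) combined into one script, as an added example that is not part of the original article. It applies the article's external peer list only when the local computer is the forest-root PDC emulator and otherwise falls back to the domain hierarchy; the function names, the -Preview switch and the elevation check are assumptions of this example.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on the computer being configured.

# Peer list taken from the article.
$ExternalPeers = '0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org'

function Get-ForestPdcEmulator {
    # Same .NET query the article uses; returns an FQDN such as dc01.example.com.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return $forest.RootDomain.PdcRoleOwner.Name
}

function Test-IsElevated {
    # w32tm /config fails silently-looking without admin rights, so check first.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-TimeSourceRole {
    param([switch]$Preview)   # -Preview only prints the command that would run
    if (-not (Test-IsElevated)) { throw 'w32tm /config requires an elevated prompt.' }

    $pdc   = Get-ForestPdcEmulator
    $local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $isPdc = ($local -ieq $pdc)

    if ($isPdc) {
        # Forest-root PDC emulator: external manual peers, advertised as reliable.
        $w32tmArgs = @('/config', "/manualpeerlist:$ExternalPeers",
                       '/syncfromflags:manual', '/reliable:YES', '/update')
    } else {
        # Every other computer follows the domain hierarchy and must not claim
        # to be reliable (the article's "switch roles" configuration).
        $w32tmArgs = @('/config', '/syncfromflags:Domhier', '/reliable:NO', '/update')
    }

    Write-Host "Local: $local | PDC emulator: $pdc"
    Write-Host "w32tm.exe $($w32tmArgs -join ' ')"
    if (-not $Preview) {
        & w32tm.exe @w32tmArgs
        & w32tm.exe /config /update
        Restart-Service w32time
    }
    return $isPdc
}

Set-TimeSourceRole -Preview   # inspect the decision first; drop -Preview to apply
```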
# Switch roles (optional)
You may need to revert the time server computer to a normal member of the time synchronization
domain hierarchy, for example when you move the PDC emulator operations master role to another
domain controller. Once you have configured another authoritative time server and confirmed that
designation, you can remove the designation from the local computer. Run the following commands
from an elevated PowerShell prompt:
PS> w32tm.exe /config /syncfromflags:Domhier /reliable:NO /update
PS> w32tm.exe /config /update
Restart the Windows Time service for the changes to take effect. Run the following command
from an elevated PowerShell prompt:
PS> Restart-Service w32time
# VMware Guests
It is recommended to disable the VMware Tools periodic time synchronization feature for AD
domain-joined virtual machine computers. This can be accomplished with at least two different
methods:
1. Set tools.syncTime = "FALSE" (or "0" for some VMware versions) in the configuration file
(the .vmx file) of the virtual machine. Or...

2. Deselect Time synchronization between the virtual machine and the host operating system in
the VMware Tools toolbox GUI of the guest operating system.

Verify and Troubleshoot

The w32tm command-line tool is your primary resource to verify and troubleshoot the time
synchronization software configuration.
# Determine the time difference between the local computer and a remote time server
Run this command from a PowerShell prompt:
PS> w32tm /stripchart /computer:dc01 /dataonly /samples:5
Tracking dc01 [10.10.1.60:123].
Collecting 5 samples.
The current time is 4/14/2012 10:49:28 AM.
10:49:28, +00.3586386s
10:49:30, +00.3586515s
10:49:32, +00.3586644s
10:49:34, +00.3586773s
10:49:36, +00.3586902s
# Determine whether the computer is configured to synchronize time from the domain or a manual list of time servers
This command should be run from a member computer to verify that it is getting its time from
the domain hierarchy. The Type attribute should be NT5DS if it is using the domain hierarchy
for time synchronization. Run this command from an elevated PowerShell prompt:
PS> w32tm /query /configuration | Select-String type
Type: NT5DS (Local)

# Display a list of peers and their status

This first example displays output from a member computer. Run this command from a
PowerShell prompt:
PS> w32tm /query /peers
#Peers: 1
Peer: dc01.example.com
State: Active
Time Remaining: 28765.7593447s
Mode: 3 (Client)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 15 (32768s)
HostPoll Interval: 15 (32768s)

This second example displays output from the domain controller holding the PDC emulator
operations master role (if configured to sync with the US pool.ntp.org virtual cluster). Run this
command from a PowerShell prompt:
PS> w32tm /query /peers
#Peers: 4
Peer: 0.us.pool.ntp.org
State: Active
Time Remaining: 904.5625720s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)
Peer: 1.us.pool.ntp.org
State: Active
Time Remaining: 487.6398725s
Mode: 1 (Symmetric Active)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)
Peer: 2.us.pool.ntp.org
State: Active
Time Remaining: 36.4734125s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)
Peer: 3.us.pool.ntp.org
State: Active
Time Remaining: 547.1089785s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

# Display the specific time source of the local computer

This first example displays output from a member computer. Run this command from an
elevated PowerShell prompt:
PS> w32tm /query /source
dc01.example.com

This second example displays output from the domain controller holding the PDC emulator
operations master role (if configured to sync with the US pool.ntp.org virtual cluster). You will
notice from this output that the DC is currently syncing with the 0.us.pool.ntp.org node in the
cluster. Run this command from an elevated PowerShell prompt:
PS> w32tm /query /source
0.us.pool.ntp.org

# Perform a manual resync

Sometimes you may need to manually resynchronize the local clock with its time source. Run
this command from an elevated PowerShell prompt:
PS> w32tm /resync /rediscover
Sending resync command to local computer
The command completed successfully.
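The stripchart check above, turned into a reusable test, as an added example that is not part of the original article: it parses the offset lines that w32tm /stripchart /dataonly prints and flags any sample outside the five-minute Kerberos tolerance the article states. The sample output is copied from the article's stripchart listing; $MaxSkewSeconds and the function names are assumptions of this example.

```powershell
# Added example (not from the original article). Works offline on captured
# output via -RawOutput, or queries a live computer when -RawOutput is omitted.

$MaxSkewSeconds = 300   # Kerberos default allowed clock skew (5 minutes)

function ConvertFrom-StripchartOutput {
    param([string[]]$Lines)
    # Emits one object per sample line. Lines such as "10:49:28, error: 0x800705B4"
    # are kept as errors so a failed query is not mistaken for a good result.
    foreach ($line in $Lines) {
        if ($line -match '^(\d{2}:\d{2}:\d{2}),\s*([+-]\d+\.\d+)s$') {
            [pscustomobject]@{ Time = $Matches[1]; OffsetSeconds = [double]$Matches[2]; Error = $null }
        } elseif ($line -match '^(\d{2}:\d{2}:\d{2}),\s*error:\s*(\S+)') {
            [pscustomobject]@{ Time = $Matches[1]; OffsetSeconds = $null; Error = $Matches[2] }
        }
    }
}

function Test-ClockSkew {
    param([string]$Computer, [int]$Samples = 5, [string[]]$RawOutput)
    if (-not $RawOutput) {
        $RawOutput = & w32tm /stripchart "/computer:$Computer" /dataonly "/samples:$Samples"
    }
    $parsed = @(ConvertFrom-StripchartOutput -Lines $RawOutput)
    $good   = @($parsed | Where-Object { $null -ne $_.OffsetSeconds })
    if ($good.Count -eq 0) {
        return [pscustomobject]@{ Computer = $Computer; Ok = $false; MaxOffset = $null; Reason = 'no usable samples' }
    }
    $maxAbs = ($good | ForEach-Object { [math]::Abs($_.OffsetSeconds) } | Measure-Object -Maximum).Maximum
    if ($maxAbs -ge $MaxSkewSeconds)      { $reason = 'skew exceeds Kerberos tolerance' }
    elseif ($good.Count -ne $parsed.Count) { $reason = 'some samples failed' }
    else                                  { $reason = 'ok' }
    [pscustomobject]@{
        Computer  = $Computer
        Ok        = ($reason -eq 'ok')
        MaxOffset = $maxAbs
        Reason    = $reason
    }
}

# Constructed input: the article's stripchart output, for an offline run.
$sample = @(
    'Tracking dc01 [10.10.1.60:123].', 'Collecting 5 samples.',
    'The current time is 4/14/2012 10:49:28 AM.',
    '10:49:28, +00.3586386s', '10:49:30, +00.3586515s', '10:49:32, +00.3586644s',
    '10:49:34, +00.3586773s', '10:49:36, +00.3586902s'
)
Test-ClockSkew -Computer dc01 -RawOutput $sample | Format-List
```

Point -Computer at the PDC emulator from a member and at an external peer from the PDC emulator itself to check both hops of the hierarchy.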