Active Directory uses Kerberos for authentication, which relies strongly on the date and time being synchronised across the entire network and every device in it. By default, each server and client joined to the AD, including domain controllers, follows the domain hierarchy to sync its time. Domain controllers automatically determine whether they can be used as a (reliable) time source. If a DC considers itself a time source, it will accept requests from clients and provide them with its own current time.
Domain controllers at the top of the forest (top-level DCs) have no server above them to sync against, so they can either sync time with their own hardware clock (the default behaviour) or sync to an external (internet) time server through (S)NTP (not the default; it needs to be configured). Using the hardware clock is a viable option, since time will still be synchronised across the forest, but it has one considerable drawback: if the hardware clock of the top-level domain controller starts to drift, the entire forest suffers the same clock skew. Authentication will continue to function, since every member shares that skew, but the clock will no longer be in sync with "the rest of the world". As such, it is highly recommended to have the top-level DC sync with an external time source, such as an internet time server.
Configure the time server to advertise itself as a reliable time source. By default, the DC automatically determines for itself whether it is a reliable time source, but once we enable sync with an internet time server the DC no longer considers itself one, so we need to override this behaviour.
How the server advertises itself is determined by the AnnounceFlags value in the Windows Registry. See this Technet article for a list of possible values.
Although Microsoft states in KB 816042 that the external time sources should be configured in the registry, that information is somewhat outdated: starting with 2008/Vista, it is very easy to configure the external time sources with the w32tm command. Using this command is now the preferred and recommended method to configure external time sources.
To configure external time sources, run this command:
w32tm /config /syncfromflags:MANUAL /manualpeerlist:0.europe.pool.ntp.org
The command does two things at once: /syncfromflags:MANUAL tells the service to sync only from the manually specified peer list, and /manualpeerlist specifies which peers are on that list.
Note that you could split up the command above in two different ones: one to enable sync through the specified peers list, and one to specify the peers.
In our example, if we want to synchronize with two time sources selected from the European pool of publicly available NTP servers, we would run this:
w32tm /config /syncfromflags:MANUAL "/manualpeerlist:0.europe.pool.ntp.org 1.europe.pool.ntp.org"
With the external time sources set up, we still have to apply the changes. You can either restart the w32time service:
net stop w32time && net start w32time
Another method is to trigger the service to re-read all parameters from the registry. This will include any changes you've made with the w32tm command:
w32tm /config /update
It is recommended to use servers from pool.ntp.org rather than choosing fixed servers. Using the pool means random servers will be selected from that pool, and ensures that if a server ever becomes unreachable, another server will automatically be selected from the pool. It is recommended to use servers that are geographically closest, which can be achieved by using the pool's geographical subdivisions.
Because selection occurs only at startup of the time service on your server, it is also highly recommended to select at least two servers from the pool, so that a failover happens quickly if the first server goes down.
For example, if my server is in Europe, and I want to pick two randomly selected servers from the European pool of time servers, I would set the peers on my server to 0.europe.pool.ntp.org and 1.europe.pool.ntp.org.
More information about pool.ntp.org can be found here and on their own website.
Because we want our DC to always have the correct time, we also need to adjust some polling settings. These settings specify at what interval the external time source is polled for the correct time. How these values should be chosen depends greatly on the server. For example, a virtualized DC usually requires a slightly tighter polling interval, as it is more prone to clock skew than a DC running on hardware.
The values mentioned below are recommended values by Microsoft, but can be changed if needed. Use common sense when determining the values for your own environment, keeping in mind that it is not appreciated if a server polls an external time source every minute.
Although some of the polling parameters can be changed with the w32tm command, the more advanced settings can only be configured directly in the registry, so I prefer to adjust the values manually through regedit.
For each of the registry subkeys mentioned above, adjust the values to the recommendations, or fill in your own to accommodate your needs. Then apply the changes the same way as before, either by restarting the service:
net stop w32time && net start w32time
or by having the service re-read its parameters from the registry:
w32tm /config /update
The w32tm command provides several query subcommands to check the status of the service and the polling statistics of the external time source(s). It is recommended to query these after configuring the server, to be sure everything is working properly. It is also recommended to re-check regularly to ensure the server continues to sync its time properly with the configured external time source(s).
In our example, I've configured two internet time sources to synchronize to. By default, only one will be selected as the effective time source, and this will always be the source with the lowest stratum.
To show a list of the current configured external time sources (= peers) and their status:
w32tm /query /peers
In our example, it is also revealed that one of our time sources is a stratum 1 server (1.europe.pool.ntp.org), and our server will prefer this one over the other server (0.europe.pool.ntp.org), which is a stratum 2 server. This can be seen with the following command:
w32tm /query /source
To view our own server's status:
w32tm /query /status
This shows our own server's status in more detail. It indeed reveals the active external time source, and also shows what stratum our server has. Because our server is synced with a stratum 1 server, it is a stratum 2 server. Furthermore, it also reveals how accurate our own clock is, the clock dispersion, and some polling statistics.
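To make that verification repeatable, here is an added example that is not part of the original post: a PowerShell function that parses the output of w32tm /query /status and w32tm /query /configuration and reports whether the DC is really syncing from an external source and advertising itself as reliable. The stratum threshold of 3 and the sample output lines at the bottom are assumptions constructed for an offline dry run.

```powershell
# Added example (not from the original post): parse the w32tm query output
# discussed above and flag a DC that is not actually syncing from an external
# NTP source. Assumed: run on the DC in an elevated prompt; the sample lines
# at the bottom are constructed so the function can be tried without a DC.

function Get-W32tmValue {
    param([string[]]$Lines, [string]$Name)
    # w32tm prints "Name: value" lines, often indented and with a suffix,
    # e.g. "Stratum: 2 (secondary reference - syncd by (S)NTP)"
    $pattern = '^\s*' + [regex]::Escape($Name) + ':\s*(.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Test-DcTimeSync {
    param(
        [string[]]$StatusLines = (w32tm /query /status),
        [string[]]$ConfigLines = (w32tm /query /configuration),
        [int]$MaxStratum = 3   # assumed threshold; stratum 2 behind a stratum 1 peer is the normal case
    )
    $findings = @()
    $source  = Get-W32tmValue $StatusLines 'Source'
    # keep only the leading number of "2 (secondary reference ...)" / "5 (Local)"
    $stratum = [int]((Get-W32tmValue $StatusLines 'Stratum') -split '\s')[0]
    $type    = ((Get-W32tmValue $ConfigLines 'Type') -split '\s')[0]
    $flags   = [int]((Get-W32tmValue $ConfigLines 'AnnounceFlags') -split '\s')[0]

    # A DC that reports its own clock as the source is free-running, not externally synced
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "Source is '$source': not syncing from an external NTP server"
    }
    if ($type -ne 'NTP') { $findings += "Type is '$type': expected NTP when a manual peer list is used" }
    # 5 = 0x1 (always time server) + 0x4 (always reliable), the value KB 816042 documents for the top-level DC
    if ($flags -ne 5) { $findings += "AnnounceFlags is $flags: DC will not advertise itself as a reliable time source" }
    if ($stratum -gt $MaxStratum) { $findings += "Stratum $stratum exceeds $MaxStratum: the upstream chain is too long or broken" }

    [pscustomobject]@{ Source = $source; Stratum = $stratum; Type = $type
                       AnnounceFlags = $flags; Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample output (offline dry run), shaped like the real command output:
# synced to a stratum 1 pool server, but AnnounceFlags still at the default of 10
$sampleStatus = @('Leap Indicator: 0(no warning)', 'Stratum: 2 (secondary reference - syncd by (S)NTP)', 'Source: 1.europe.pool.ntp.org')
$sampleConfig = @('[Configuration]', 'AnnounceFlags: 10 (Local)', '[TimeProviders]', 'Type: NTP (Local)')
Test-DcTimeSync -StatusLines $sampleStatus -ConfigLines $sampleConfig | Format-List
```

Run without the two sample parameters on the DC itself to check the live configuration; the dry run above reports one finding, the default AnnounceFlags of 10 that the earlier section says must be overridden.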