Release date: January 11th 2019
Welcome to my Microsoft Tips & Tricks section. In this session I will describe how I set up the Time Service settings in my domain/forest.
Time in a Microsoft Windows domain and forest is incredibly important. If time on domain controllers begins to drift, problems aren't far away. It is strange to me that Microsoft hasn't added this check to their Best Practice Analyzer. This is one of the first things I check whenever I am troubleshooting Active Directory-related problems. I also check Windows Time Service functionality before I start any new implementation of VMware Horizon View, as a well-functioning time source in a domain and forest is critical. I will cover my VMware Horizon View setup in a later post.
I know that this is basic stuff, and everyone should know this. But more often than not, I see a misconfigured Windows Time service as the reason for Active Directory problems. Therefore, I will show below how I set this up in my lab domain. As the source for my NTP I will use no.pool.ntp.org. Read more about the Network Time Protocol on their website here: http://www.ntp.org/
First, identify the PDC. This can be done from any Windows server in the domain. From an administrative command prompt, run the following command:
netdom query fsmo
As we can see here, the server AD-01.ad.admin.frelab.net has the PDC role in my domain.
Next, log in to the PDC and start an administrative command prompt window. The syntax for setting Windows time settings is as follows:
w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update
In my lab it will be:
w32tm /config /manualpeerlist:no.pool.ntp.org /syncfromflags:manual /reliable:yes /update
Next, I do a resync and rediscover…
w32tm /resync /rediscover
I restart Windows Time Service in order to apply changes…
net stop w32time && net start w32time
I verify the new configuration…
w32tm /query /configuration
w32tm /query /source
When I check the Event Viewer I can see that the time service is now advertising as a good time source in the domain.
The time service is synchronizing with the correct external time provider.
The last thing I will check on my PDC is the status…
w32tm /query /status
w32tm /monitor
Finally, I will configure the other domain controllers to sync using the forest/domain time hierarchy. I log in to the other DC's desktop, start an administrative command prompt, and run the following command:
w32tm /config /syncfromflags:domhier /update
Next, I do a resync and rediscover
w32tm /resync /rediscover
I restart Windows Time Service in order to apply changes…
net stop w32time && net start w32time
I verify the new configuration…
w32tm /query /source
With these small steps, I can now be guaranteed a smoothly working Time Service in my domain and forest. No problems with replication or other Active Directory issues can now be related to a malfunctioning or misconfigured Windows Time Service.
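To repeat the verification steps above across every domain controller in one pass, the following PowerShell sketch is an added example, not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed, that the account may query w32time remotely, and that the intended layout is the one described here: manual NTP peers on the PDC and domain hierarchy everywhere else.

```powershell
# Added example (not from the original post): audit time sync on every DC.
# Assumes the ActiveDirectory module (RSAT) and rights to query w32time remotely.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator                  # same answer as "netdom query fsmo"
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    # The /computer: option lets "w32tm /query" run against a remote DC
    $source = (& w32tm /query /source "/computer:$dc" 2>&1 | Out-String).Trim()
    $config = (& w32tm /query /configuration "/computer:$dc" 2>&1 | Out-String)
    $failed = $LASTEXITCODE -ne 0

    # Configuration lines look like "Type: NTP (Local)" or "Type: NT5DS (Local)"
    $type = if ($config -match '(?m)^\s*Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }

    # Layout from this post: /syncfromflags:manual on the PDC, domhier on the rest
    $expected = if ($dc -eq $pdc) { 'NTP' } else { 'NT5DS' }

    $problems = @()
    if ($failed)             { $problems += 'w32tm query failed' }
    if ($type -ne $expected) { $problems += "Type is $type, expected $expected" }
    # w32tm reports one of these sources when the DC is not syncing from anything
    if ($source -match 'CMOS Clock|Free-running') { $problems += 'no upstream time source' }

    [pscustomobject]@{
        DC       = $dc
        IsPDC    = ($dc -eq $pdc)
        Type     = $type
        Source   = $source
        Problems = $problems -join '; '
    }
}

# An empty Problems column on every row means the hierarchy matches the setup above
$report | Format-Table -AutoSize -Wrap
```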
A BIG thanks to Ace Fekay and his excellent write-up about Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
Recommended reading from Microsoft: Windows Time Service (W32Time)
Disclaimer: Every tip, trick and posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don't be afraid to steal with pride! Feel free to comment below as needed.