Welcome to my Microsoft Tips & Tricks section. In this session I will describe how I set up the Time Service settings in my domain/forest.
Time in a Microsoft Windows domain and forest is incredibly important. If time on domain controllers begins to drift off, problems aren’t far away. Why Microsoft haven’t added this check to their Best Practice Analyzer is strange to me. This is one of the first things I check whenever I am troubleshooting Active Directory-related problems. I also do a check of Windows Time Service functionality before I start any new implementations of VMware Horizon View, as a good working time source in a domain and forest is critical. I will cover my VMware Horizon View setup in a later post.
I know that this is basic stuff, and everyone should know this. But more often than not, I see a misconfigured Windows Time service as the reason for Active Directory problems. Therefore, I will show below how I set this up in my lab domain. As a source for my NTP I will use no.pool.ntp.org. Read more about the Network Time Protocol on their website here: http://www.ntp.org/
First, identify the PDC. This can be done from any Windows server in the domain. Start a command prompt window and run: “netdom query fsmo”
As we can see here, the server AD-01.ad.admin.frelab.net has the PDC role in my domain.
Next, log in to the PDC and start an administrative command prompt window. The syntax for configuring the Windows Time settings is as follows:
“w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update”
In my lab it will be:
“w32tm /config /manualpeerlist:no.pool.ntp.org /syncfromflags:manual /reliable:yes /update”
After setting this, I will restart the Windows Time service.
Next, I do a resync of w32tm with the command: “w32tm /resync”
Now we can check that Windows Time is syncing from the correct source with the command: “w32tm /query /source”
If I now check my Event Viewer, I will also see that Windows Time Service is syncing nicely with my external NTP-server and is advertising as a good time source in my domain.
Back in the command prompt window I can now query the configuration with the command: “w32tm /query /configuration”
The last thing I will check on my PDC is the status, using the command: “w32tm /query /status”. Another good test is using the command: “w32tm /monitor”
Finally, I will configure the other domain controllers to sync using the forest time hierarchy. I log in to each of the other DCs, start an administrative command prompt, and run the following command:
“w32tm /config /syncfromflags:domhier /update”
I restart the Windows Time service and do a resync using the command: “w32tm /resync”
When I now check the time source using the command “w32tm /query /source”, I see that this DC is syncing with my PDC.
The Event Viewer confirms the correct sync.
With these small steps, I can now be guaranteed a smoothly working Time Service in my domain and forest. No problems with replication or other Active Directory issues can now be related to a malfunctioning or misconfigured Windows Time Service.
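The checks above can be repeated across every domain controller in one pass. The PowerShell below is an added example, not part of the original post: it classifies the “w32tm /query /source” output of each DC against the layout described here (PDC on the external peer, every other DC on the domain hierarchy). The function names and the sample hosts AD-02 and AD-03 are hypothetical, and the live function assumes a domain-joined machine with rights to query W32Time remotely.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Test-TimeSource {
    param(
        [string]$Computer,                         # DC being checked
        [string]$Source,                           # output of: w32tm /query /source
        [string]$Pdc,                              # FQDN of the PDC emulator
        [string[]]$DomainControllers,              # FQDNs of all DCs in the domain
        [string]$ExternalPeer = 'no.pool.ntp.org'  # manual peer configured on the PDC
    )
    $src = $Source.Trim()
    if ($src -match 'Local CMOS Clock|Free-running System Clock') {
        $verdict = 'FAIL: not syncing from any source'
    } elseif ($Computer -ieq $Pdc) {
        # w32tm can append peer flags (for example ",0x8"), so match the prefix only
        $verdict = if ($src -like "$ExternalPeer*") { 'OK' } else { 'FAIL: PDC not using external peer' }
    } elseif ($DomainControllers -contains $src) {
        $verdict = 'OK'   # -contains compares case-insensitively
    } else {
        $verdict = 'FAIL: DC not using the domain hierarchy'
    }
    [pscustomobject]@{ Computer = $Computer; Source = $src; Verdict = $verdict }
}

function Get-DomainTimeAudit {
    # Live check: asks every DC in the current domain for its time source
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcs = @($domain.DomainControllers | ForEach-Object { $_.Name })
    foreach ($dc in $dcs) {
        $src = (& w32tm /query /source "/computer:$dc" | Out-String)
        Test-TimeSource -Computer $dc -Source $src -Pdc $domain.PdcRoleOwner.Name -DomainControllers $dcs
    }
}

# Constructed sample so the logic can be run offline (AD-02 and AD-03 are made-up hosts)
$pdc = 'AD-01.ad.admin.frelab.net'
$dcs = $pdc, 'AD-02.ad.admin.frelab.net', 'AD-03.ad.admin.frelab.net'
$sample = @(
    @{ Computer = $dcs[0]; Source = 'no.pool.ntp.org' }
    @{ Computer = $dcs[1]; Source = 'AD-01.ad.admin.frelab.net' }
    @{ Computer = $dcs[2]; Source = 'Local CMOS Clock' }
)
foreach ($s in $sample) {
    Test-TimeSource -Computer $s.Computer -Source $s.Source -Pdc $pdc -DomainControllers $dcs
}
```

On a domain-joined machine, call Get-DomainTimeAudit instead of the sample loop; any row that is not OK points at a DC that still needs the configuration steps above.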
A BIG thanks to Ace Fekay and his excellent write-up about Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
Recommended reading from Microsoft: Windows Time Service (W32Time)
Disclaimer: Every tip, trick and post I have published here has been tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.