Tuesday, September 4, 2012

Configuring Time Synchronization for Domain Joined Computers

A Windows-based network with Active Directory relies on time synchronization to allow authentication between computers. All of the domain members must have their time reasonably close to the domain controllers to allow for authentication. In early versions of Active Directory the limit was 20 minutes. I believe it may have been changed to 5 minutes.

In most cases, a domain joined computer is automatically configured to obtain time from the PDC emulator in the domain. This is generally desired and simple. You can verify this configuration by using:
w32tm /query /status
The value listed for Source will be the name of the PDC emulator. If it is configured to use static time sources instead of the PDC emulator, you can reset it to use the PDC emulator with the following:
w32tm /config /syncfromflags:domhier /update
The PDC emulator should be configured to use a reliable time source. In most cases, this will be an NTP time source on the Internet.

The NTP Pool project provides a set of NTP servers that are publicly available as time sources. The benefit of using a pool is that a single NTP server in the pool being offline will not affect your time synchronization. Some of the available pools are:
  • ca.pool.ntp.org
  • us.pool.ntp.org
  • mx.pool.ntp.org
  • uk.pool.ntp.org

To manually specify a time source on your PDC emulator, use the following command:
w32tm /config /syncfromflags:manual /manualpeerlist:"ca.pool.ntp.org" /update
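The checks described above can be combined into one audit script. This is an added example, not part of the original post; it assumes a domain-joined host, English-language w32tm output, and an elevated prompt, and the -Fix switch and Get-W32tmSource helper are hypothetical names introduced here.

```powershell
# Added example (not from the original post): audit where this host gets its time.
# Assumes a domain-joined host, English w32tm output, and an elevated prompt.
param([switch]$Fix)   # hypothetical switch: apply the domhier reset on a member

function Get-W32tmSource([string[]]$StatusLines) {
    # "w32tm /query /status" prints a line such as "Source: dc01.example.local"
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*Source:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

# Source values that mean the host is not synchronizing with anything
$unsynced = 'Local CMOS Clock', 'Free-running System Clock'
$pdc      = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name
$isPdc    = $pdc.Split('.')[0] -ieq $env:COMPUTERNAME

$status = & w32tm /query /status
if ($LASTEXITCODE -ne 0) { throw 'w32tm /query /status failed (is the Windows Time service running?)' }
$source = Get-W32tmSource $status
if (-not $source) { throw 'No Source line found in the w32tm output.' }

"PDC emulator : $pdc (this host holds the role: $isPdc)"
"Time source  : $source"

$resetMember = $false
if ($unsynced -contains $source) {
    Write-Warning 'Host is running on its own clock and is not synchronizing.'
    if ($isPdc) { 'Set a manual peer list on this PDC emulator (w32tm /config /syncfromflags:manual ...).' }
    else        { $resetMember = $true }
} elseif ($isPdc) {
    'PDC emulator uses an external source; confirm it is the one you configured.'
} elseif ($source -ieq $pdc) {
    'Member syncs from the PDC emulator, as expected.'
} else {
    # With several domain controllers, another DC as the source is normal; a static NTP server is not.
    Write-Warning 'Source is not the PDC emulator; check whether it is a DC or a static peer.'
}

if ($resetMember) {
    if ($Fix) { w32tm /config /syncfromflags:domhier /update; w32tm /resync }
    else      { 'Re-run with -Fix to reset this member to the domain hierarchy.' }
}
```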
Other useful time resources:

1 comment:

  1. Note that you should never use an NTP country pool other than the country you are in. If multiple servers must be specified, you can use 0.ca.pool.ntp.org, 1.ca.pool.ntp.org, 2.ca.pool.ntp.org and so on.
    If your country pool is too small (this should never happen) then there are also continental, regional, and global pools - see the NTP pool website for details.
    Also, if you are configuring a large number of hosts to all poll public NTP servers, the project asks that you register your own sub domain with them for load-balancing purposes (e.g. pool.ubuntu.ntp.org, pool.redhat.ntp.org and similar).
