In order for Windows computers to function properly in Active Directory, they must have their time in sync with the domain. In the AD environment, domain controllers act as the time source for client devices. Kerberos AD authentication will fail if the clock offset between the client and the domain controller (KDC) is greater than 5 minutes.
Understanding the Time Hierarchy in the Active Directory Domain
There is a strict hierarchy to time synchronization in an Active Directory domain:
- The domain controller with the PDC emulator FSMO role is the main source of time in the domain. This DC synchronizes the time with an external time source or NTP server;
- Other domain controllers synchronize their time with the PDC domain controller;
- The domain workstations and the Windows member servers synchronize their time with the domain controller that is closest to them (in accordance with AD sites and subnets configuration);
Hint. Learn more about time syncing in an Active Directory domain using the GPO.
Sync Time with DC on the Domain-Joined Machine
The AD domain controller should be used as the time source on the workstation after you have joined it to the domain. On Windows 10 or 11, go to Settings > Time and Language and make sure your DC is used as the last time sync source.
You can also get the NTP source on your computer by using the command:
w32tm /query /source
The command should return the name of one of the domain controllers in your AD domain.
List details of the status of time synchronization on the client device:
w32tm /query /status
The command returns the following useful information:
- Leap Indicator (time sync status)
- Last Successful Sync Time
- Source (your DC)
- Poll Interval (1024 seconds by default)
Get a list of the AD domain controllers which can be used to synchronize time:
w32tm /monitor
In this example, there are three domain controllers available for the client to synchronize time with.
To re-enable time synchronization with a DC for computers in an Active Directory domain, use the following commands:
w32tm /config /syncfromflags:domhier /updatenet stop w32time && net start w32time
If the domain computer is configured to synchronize its time following to the AD DS Time hierarchy, the value of the Type parameter in the HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters registry key should be NT5DS.
If the Windows client fails to synchronize time with the AD domain controller, you must to reset the Windows Time service configuration. To do this, open a command prompt as an administrator and run the following commands:
- The first command unregisters the w32time service and removes the settings from the registry:
w32tm /unregister
- Then register w32tm service and restore the default time settings:
w32tm /register
- Set AD as the time sync source for the client (by changing the Type registry parameter to NT5DS):
REG add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /d NT5DS
- Restart the service:
net stop w32time && net start w32time
- Update settings:
w32tm /config /update
- Synchronize the time:
w32tm /resync
- Check your current sync settings:
w32tm /query /status
The screenshot below shows that Windows is now synchronizing with DC (Source).
Time Sync Issues on Windows Domain Joined Computers
The Windows Time Service (W32Time) is responsible for time synchronization. First, ensure that this service is running on a Windows client computer:
Get-Service W32Time | Select-Object name,status
UDP port 123 is used for time synchronization on Windows. If this port is not available on the DC, the client computer won’t be able to synchronize the time.
You may get an error when you try to synchronize the time with the w32tm /resync command:
Sending resync command to local computer
The computer did not resync because no time data was available.
Check that the w32time service is running on the DC and listening on UDP port 123:
netstat -an | find "UDP" | find ":123"
Then check that the UDP inbound rule named Active Directory Domain Controller – W32Time (NTP-UDP-In) is enabled in Windows Defender Firewall (Control Panel > Windows Firewall > Advanced settings > Inbound rules).
You can check Windows Defender Firewall rule status with PowerShell:
Get-NetFirewallrule -DisplayName 'Active Directory Domain Controller - W32Time (NTP-UDP-In)'|select Enabled
If the rule is disabled, you must enable it:
Get-NetFirewallrule -DisplayName 'Active Directory Domain Controller - W32Time (NTP-UDP-In)'|Enable-NetFirewallrule
It is also possible to force a client to manually synchronize its time with another domain controller.
net time \\ny-dc01 /set /y
Configuring the NTP Client Time Sync on Windows Using GPO
In most cases, time sync with a domain on Windows client doesn’t require administrator intervention. However, if you find that time synchronization is not working properly on clients in your domain, you can centrally configure client NTP settings on Windows devices using Group Policy.
- Use the gpedit.msc console if you want to change Group Policy settings on a single computer (this is the best solution if you need to solve synchronization problems on a single computer or test new NTP client settings). To set up a GPO for multiple domain computers, use the Group Policy Management Console (gpmc.msc);
- Expand the following node in GPO editor: Computer Configuration > Administrative Templates > System > Windows Time Service;
- Enable the Enable Windows NTP Client policy;
- Then enable the Configure NTP Client policy and set the following settings in the Options panel:
NTPServer: your domain name (preferred) or FQDN name of the domain controller with the PDC Emulator role (you can find it with the command: netdom.exe query fsmo)
Type: NT5DS
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 64
EventLogFlags: 0 - Restart your computer to apply the new GPO client time settings.
Cyril Kardashevsky
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
