About this Post
Any Active Directory domain needs to be configured with external NTP server to maintain time sync across domain and not to have any issues in domain due to time sync issues. Most of the recent applications are very sensitive with time sync, couple of minutes difference in time sync will cause errors.
Many cases Domain Controllers are built as VM, But sync with host is not disabled. there are cases the domain time is keep changing and causing issues, this can be addressed with below listed tasks.
This post will explain the complete NTP server configuration and some useful commands and registry keys for troubleshooting as well.
How to disable VM time sync with Host
By default any VM built on VMWare or Hyper-V will sync time with Host. So there are chances that even if we sync time with external sources, Host time sync will take precedence.
Below methods will help to disable the time sync. Please note that this needs to be done only for NTP servers not for all the servers which will be joined to domain, Because any machine joined to AD domain will sync with AD.
Domain Controller hosted on VMWare infra:
From VSphere 6.x there is option to disable time sync when we edit the VM settings, But that will do only tools.synctime setting, so recommended to do all parameters listed below manually.
Domain Controller VM – Edit Settings – VM Options – Advanced – Configuration Parameters – Edit Configuration – Add Row (select)
Insert the parameter and value
tools.syncTime = “0”
time.synchronize.continue = “0”
time.synchronize.restore = “0”
time.synchronize.resume.disk = “0”
time.synchronize.shrink = “0”
time.synchronize.tools.startup = “0”
time.synchronize.tools.enable = “0”
time.synchronize.resume.host = “0”
This will completely disable the time sync with the ESXi Host.
Ref Article: https://kb.vmware.com/s/article/1189
Domain Controller hosted on Hyper-V
Run below line of command from Elevated command prompt on DC VM. this will disable from VM leval not at integration services level.
Below REG key will disable the Hyper-V time synchronization provider.
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
Configuring Standalone or Domain Controller to sync time with external source
In an active directory environment Domain Controller holding PDC emulator will act as NTP server. There will be only one PDC emulator even if we have 100 Domain Controllers in the domain (abc.com).
In case of standalone windows server which is in work group not part of any domain, leave step 1 and follow steps 2-4, everything else stays the same like disable time sync with host and all. Standalone NTP server is used when there is no AD in place, like some environments will have separate networks for hardware management and they need NTP server.
1. Run below command on any Domain joined PC or Domain Controler to find PDC emulator.
netdom /query fsmo
2.Open elevated command prompt on the PDC emulator DC.
w32tm /config /manualpeerlist:“External NTP servers List” /syncfromflags:manual /reliable:yes /update
Example: w32tm.exe /config /manualpeerlist:”uk.pool.ntp.org” /syncfromflags:manual /reliable:yes /update
3.Configuring the NTP source as reliable
w32tm /config /reliable:yes
4. Stop and Stop the windows time service
net stop w32time && net start w32time
update the time on clients from domain
Run below two commands from the domain joined PC / servers to update the time with above configured NTP servers. This can be ran on additional domain controllers as well if required.
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
NTP useful commands
Force synchronizing the time with external time sources.
w32tm /resync /nowait
Verify the existing NTP configuration
w32tm /query /configuration
Verify the time sources
w32tm /query /source
Verify NTP peers
w32tm /query /peers
Display the NTP server Sync status
w32tm /query /status
Reset time service settings to default
Run below commands to reset the NTP or Time configuration on a server.
net stop w32time
net start w32time
Useful Registry values for NTP server settings
1. Key to find the poll interval with external sources.
Reg Key: SpecialPollInterval
Recommended Value: 900
2.Key to find the configured External NTP servers
Reg Key: NtpServer
this key will be set when w32tm /config “/manualpeerlist: command is executed
3.Key to find the time source
Recommended Value: NTP