How to configure Windows Time Service

First short description of AD time source hierarchy:

All members of an Active Directory domain synchronize their clocks with a domain controller -> domain controllers synchronize their clocks with the domain controller that holds the PDC emulator (PDCe) role in their domain -> the PDCe of each child domain synchronizes its clock with the PDCe of the forest root domain, which in turn should take its time from an external source.

The Windows Time service (w32time) is responsible for keeping a computer's clock synchronized and is controlled and configured with the w32tm command-line tool.

To force a computer to synchronize:

w32tm.exe /resync /rediscover /no_wait

To check if a computer is synchronizing:

w32tm /monitor

To check where the computer is getting its time:

w32tm /query /source
  • “Local CMOS Clock”: The computer is using the hardware clock on the computer as its time source. If you are using VMware, this means that the virtual machine is synchronizing to the VMware host.
  • “Free Running System Clock”: The computer is not using any external source, but depending on the time tick generated by the System Idle Process running on the computer.
  • “A hostname of a domain controller in the AD forest”: The computer is using a domain controller as either an NTP server or as the time source via Active Directory. To determine which, see “/query /configuration”, discussed later.
  • “A hostname of a computer running an NTP server”: The computer is using a non-Active Directory server running an NTP server as its time source.
  • “VM IC Time Synchronization Provider”: In this case, the computer is using Hyper-V integration services as its time source. Best practices from Microsoft recommend that you never use virtualization services (regardless of your hypervisor vendor) as the time source for domain-joined computers; instead, rely on the normal Active Directory synchronization hierarchy.

To check how the time source is configured, look at the Type line in the output of:

w32tm /query /configuration
  • “NTP”: the external time source is the NTP server(s) specified by the NtpServer registry value
  • “NT5DS”: the external time source is the domain hierarchy
  • “NoSync”: there is no external time source
  • “AllSync”: the computer should use both the domain hierarchy and the manually specified NTP server as external time sources

The appropriate PDCe configuration is to set external NTP peers:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /rediscover

For an alternate NTP configuration you can edit this registry value directly: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

Each NTP source in that value can carry flags, appended after a comma (the flag values are combined by adding them):

  • 0x01 SpecialInterval
  • 0x02 UseAsFallbackOnly
  • 0x04 SymmetricActive
  • 0x08 Client

Example:

time.windows.com,0x9 pool.ntp.org,0xa

The primary NTP server (flag 0x9) is Client (0x08) + SpecialInterval (0x01).
The secondary NTP server (flag 0xa) is Client (0x08) + UseAsFallbackOnly (0x02).

The PDCe now has two sources; the second one, flagged “UseAsFallbackOnly”, will be queried only if every other time server is unavailable.

If you use “SpecialInterval”, you can override the normal W32Time poll interval with a static interval (in seconds) set in this registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
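The flag arithmetic above is easy to get wrong by hand when a peer list grows. The following PowerShell is an added example, not code from the original post: it decodes an NtpServer value into one object per peer with the flag names spelled out, and, when a peer uses SpecialInterval, reads the SpecialPollInterval value that governs it. The sample string is constructed to match the post's example; the registry paths are the ones named above.

```powershell
# Added example: decode the W32Time NtpServer peer list into readable flag names.
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$NtpClientKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

# Flag bits as documented for the NtpServer value (see the list above).
$PeerFlags = @(
    @{ Bit = 0x01; Name = 'SpecialInterval' },
    @{ Bit = 0x02; Name = 'UseAsFallbackOnly' },
    @{ Bit = 0x04; Name = 'SymmetricActive' },
    @{ Bit = 0x08; Name = 'Client' }
)

function ConvertFrom-NtpServerList {
    param([Parameter(Mandatory)][string]$NtpServer)

    # Peers are space separated; each entry is "host" or "host,0xNN" (no suffix means flags = 0).
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $peer, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [int]$flagText } else { 0 }   # [int]'0x9' parses the hex literal

        $names = foreach ($f in $PeerFlags) { if ($flags -band $f.Bit) { $f.Name } }

        [pscustomobject]@{
            Peer          = $peer
            Flags         = ('0x{0:x}' -f $flags)
            FlagNames     = ($names -join ' + ')
            FallbackOnly  = [bool]($flags -band 0x02)
            UsesSpecialIv = [bool]($flags -band 0x01)
            UnknownBits   = ('0x{0:x}' -f ($flags -band (-bnot 0x0F)))  # anything outside the four known bits
        }
    }
}

# Constructed sample, identical to the post's example: primary with 0x9, fallback with 0xa.
ConvertFrom-NtpServerList 'time.windows.com,0x9 pool.ntp.org,0xa' | Format-Table -AutoSize

# Live decode of this host's configured peers (Windows only); shows the static poll
# interval when any peer is configured with SpecialInterval.
$cfg = Get-ItemProperty -Path $W32TimeParams -Name NtpServer -ErrorAction SilentlyContinue
if ($cfg) {
    $peers = ConvertFrom-NtpServerList $cfg.NtpServer
    $peers | Format-Table -AutoSize
    if ($peers | Where-Object UsesSpecialIv) {
        $poll = (Get-ItemProperty -Path $NtpClientKey -Name SpecialPollInterval).SpecialPollInterval
        "SpecialPollInterval = $poll seconds"
    }
}
```

The UnknownBits column is there for a reason: a typo such as 0x90 instead of 0x9 is accepted by the service without complaint, so a decoder that reports leftover bits catches it before you wonder why the peer never gets polled.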

For all other domain-joined computers, the appropriate configuration is to follow the domain hierarchy:

w32tm /config /syncfromflags:domhier
w32tm /config /update
net stop w32time
net start w32time
W32tm /resync /rediscover
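Putting the two halves of the post together, the role of the machine decides which configuration is correct: the PDCe should have Type NTP with real external peers, every other domain member should have Type NT5DS, and none of them should be running on the local CMOS, free-running or hypervisor clock. The following PowerShell is an added read-only audit, not code from the original post; it combines w32tm /query /source, the Parameters registry values and the machine's role from Win32_ComputerSystem (DomainRole 5 is the PDC emulator) and lists what deviates from the layout described above.

```powershell
# Added example: audit this host's W32Time configuration against its AD role. Changes nothing.
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeAudit {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 5 = primary domain controller (the PDCe in AD),
    # 4 = other domain controller, 1/3 = member workstation/server, 0/2 = standalone.
    $isPdce   = ($cs.DomainRole -eq 5)
    $params   = Get-ItemProperty -Path $W32TimeParams
    $source   = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()   # e.g. "Local CMOS Clock"
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $cs.PartOfDomain) {
        $findings.Add('Not domain-joined; the AD hierarchy guidance does not apply.')
    }
    elseif ($isPdce) {
        if ($params.Type -ne 'NTP') {
            $findings.Add("PDCe Type is '$($params.Type)', expected 'NTP' (w32tm /config /syncfromflags:manual).")
        }
        # 'time.windows.com,0x9' is the out-of-the-box Windows value, i.e. nobody set external peers yet.
        if (-not $params.NtpServer -or $params.NtpServer -eq 'time.windows.com,0x9') {
            $findings.Add("PDCe NtpServer is '$($params.NtpServer)' (still the default); set external peers with /manualpeerlist.")
        }
    }
    else {
        if ($params.Type -ne 'NT5DS') {
            $findings.Add("Member Type is '$($params.Type)', expected 'NT5DS' (w32tm /config /syncfromflags:domhier).")
        }
    }

    # The three /query /source answers that mean "not synchronized to anything trustworthy".
    if ($source -match 'Local CMOS Clock|Free Running System Clock|VM IC Time Synchronization Provider') {
        $findings.Add("Time source is '$source'; domain members should sync from a DC, not the local or hypervisor clock.")
    }

    [pscustomobject]@{
        Computer   = $cs.Name
        DomainRole = $cs.DomainRole
        IsPdce     = $isPdce
        Type       = $params.Type
        NtpServer  = $params.NtpServer
        Source     = $source
        Findings   = $findings.ToArray()
        Compliant  = ($findings.Count -eq 0)
    }
}

Get-W32TimeAudit | Format-List
```

Run it from an elevated prompt on each DC and on a sample of members after applying the configuration blocks above; the Findings strings quote the w32tm command that repairs each mismatch, so the output doubles as a to-do list.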

VIA: https://support.microsoft.com/en-us/kb/816042, https://technet.microsoft.com/en-us/library/cc778879(v=ws.10).aspx, https://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx
