Windows Time Server Role In AD Forest/Domain
Posted by Awinish on October 7, 2011
I have seen various queries related to the Windows Time service configuration in a forest and domain, so I decided to pen down an article which might help answer them. Foremost, let’s try to understand what the time server role is, how and why it is important to set it right in the forest/domain, and the implications if it is not configured or assigned to the right PDC (Primary Domain Controller) Emulator DC (Domain Controller) in the forest/domain.
The time server role is assigned to the DC holding the PDC role in the domain, but if there are multiple domains in the same forest, how should the time server role be assigned, and which domain’s PDC should be the time server for the other domains?
By default, there is one PDC Emulator in each and every domain, and the reason to assign the time server role only to the DC holding the PDC role is that the DC with the PDC role is the king of the kingdom, with the ability to authorize changes to resolve or avoid conflicts. When new objects are created or existing objects are modified in AD (Active Directory), the change is first validated by the PDC and, once authorized, allowed to replicate to all other DCs in the forest/domain so that collisions are checked for and avoided.
User logon to the domain, Kerberos ticket issuance, AD/DNS replication, creation/change/modification of objects in AD, etc. are all dependent on the time server, so if there is a time mismatch between DCs in the domain, authentication will fail, changes will not replicate to other DCs, resource access will fail, and tons of other issues will follow.
By default, the domain allows a time skew of 5 minutes, meaning systems in the domain, including DCs, can have a time difference of up to 5 minutes but not more than that; otherwise the user will not be able to log in and be authenticated by a DC whose system time differs by more than 5 minutes.
If there is a single domain in the forest, choosing the PDC to play the time server role is easy, but if there are multiple domains, like Parent-Child or Tree-Root domains, make the DC with the PDC role in the Parent/Root domain the time server and let all other domains in the forest sync time from the Parent/Root DC, but it should be only the DC holding the PDC role.
By default, the DC holding the PDC role syncs its time from a reliable/external source, and all other members of the domain follow the PDC as their time source. The protocol used by the time server is NTP/SNTP.
In some cases you need to reset the time service configuration on a DC or member machine. The simple fix is to unregister the time service on the problem machine and re-register it using the commands below. It worked for me most of the time and should work for you too.
– Type CMD in the Run window
– Type net stop w32time to stop the time service
– Type w32tm /unregister to unregister the time service and remove its registry settings
– Type w32tm /register to register the time service and restore its default registry settings
– Type net start w32time to start the time service again
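After a reset, or whenever logon problems smell like clock drift, it helps to audit the whole domain against the PDC Emulator rather than checking one machine at a time. The script below is an added example, not part of the original post: it finds the PDC Emulator, measures every DC’s offset from it with w32tm /stripchart, and flags anything beyond the 5-minute skew discussed above or any DC that is running on its local CMOS clock instead of a domain time source. It assumes a domain-joined host with w32tm.exe and RPC access to each DC; the 300-second threshold and the output field names are my own choices.

```powershell
# Added example (not from the original post): audit time sync of all DCs in the
# current domain against the PDC Emulator. Assumes w32tm.exe is available, the host
# is domain-joined, and RPC to each DC is permitted. Read-only: it changes nothing.
$MaxSkewSeconds = 300   # the default 5-minute Kerberos tolerance described above

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

function Get-OffsetFromLocal {
    # Mean offset (seconds) of $Computer relative to this host, or $null if unreachable.
    # /stripchart /dataonly prints lines like "12:34:56, +00.0012345s".
    param([string]$Computer)
    $lines   = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $samples = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+(?:\.\d+)?)s\s*$') { [double]$Matches[1] }
    }
    if ($null -eq $samples) { return $null }
    return ($samples | Measure-Object -Average).Average
}

function Get-TimeSource {
    # /query /source prints e.g. "pdc.contoso.com,0x9", "Local CMOS Clock"
    # or "Free-running System Clock"; the last two mean the DC is not syncing at all.
    param([string]$Computer)
    return ((& w32tm /query /computer:$Computer /source 2>&1) -join ' ').Trim()
}

# Offsets are measured from this host, so DC-minus-PDC cancels the local clock out.
$pdcOffset = Get-OffsetFromLocal -Computer $pdc

foreach ($dc in $domain.DomainControllers) {
    $name   = $dc.Name
    $offset = Get-OffsetFromLocal -Computer $name
    $source = Get-TimeSource -Computer $name
    $skew   = if ($null -ne $offset -and $null -ne $pdcOffset) {
                  [math]::Round($offset - $pdcOffset, 3) } else { $null }

    $issues = @()
    if ($null -eq $skew)                            { $issues += 'offset unavailable (RPC/NTP blocked?)' }
    elseif ([math]::Abs($skew) -gt $MaxSkewSeconds) { $issues += "skew ${skew}s exceeds ${MaxSkewSeconds}s" }
    if ($source -match 'Local CMOS Clock|Free-running System Clock') { $issues += "not synced: $source" }

    [pscustomobject]@{
        DC                 = $name
        IsPdcEmulator      = ($name -eq $pdc)
        TimeSource         = $source
        SkewFromPdcSeconds = $skew
        Status             = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}
```

Run it from the PDC Emulator itself if you want the offsets reported directly rather than relative to a third machine; in a multi-domain forest, repeat per domain and confirm each child PDC’s TimeSource points at a DC in the parent or root domain.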