Configuring external time source on your Primary Domain Controller

Here we will configure your primary domain controller (PDC) to synchronize its clock with an external time source.  Once the PDC uses an external source, the time flows from the PDC to the other machines in your domain, which limits the bandwidth needed to synchronize with the external source.  First, I am going to reference much of the information provided by .  I would highly recommend you check out his blog post, as it contains a ton of valuable information on the subject as well as more information/best practices in regards to keeping time in your organization's infrastructure: http://binarynature.blogspot.co.uk/2012/04/configure-active-directory.html

  1. Find out which machine is the primary domain controller (PDC) for your domain by executing the following PowerShell command from any machine in the domain
    1. [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
  2. Log in to your primary domain controller
  3. Open up a command prompt/PowerShell window with administrative privileges
  4. Execute the following command to configure the domain controller to look at an external time source
    1. w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update

      1. Note: You can find time servers close to you by browsing the following page and clicking on the nearest zone: http://www.pool.ntp.org/zone/@
  5. Execute the following command to actually perform a time synchronization with the external source
    1. w32tm.exe /config /update
  6. Execute the following command for the changes to take effect
    1. Restart-Service w32time

That's all there is to it!
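
A verification pass to run after step 6, added here as an example and not part of the original post: it checks that each peer from step 4 answers on NTP (UDP 123), forces a sync, and reads back the source the service actually selected. It assumes English w32tm output and the peer names used in step 4.

```powershell
# Added example, not from the original post. Run elevated on the PDC after step 6.
# Assumes English w32tm output and the peer names from step 4.
$peers = '0.us.pool.ntp.org', '1.us.pool.ntp.org', '2.us.pool.ntp.org', '3.us.pool.ntp.org'

# Confirm this host holds the PDC role before trusting the results.
$pdc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
if ($pdc.Split('.')[0] -ne $env:COMPUTERNAME) {
    Write-Warning "PDC role owner is $pdc, not this host."
}

# Query each peer over NTP (UDP 123). A peer that answers ping can still fail
# here if a firewall between the PDC and the internet drops UDP 123.
foreach ($peer in $peers) {
    $out = & w32tm.exe /stripchart "/computer:$peer" /samples:3 /dataonly 2>&1
    $failed = @($out | Where-Object { "$_" -match 'error' })
    if ($failed.Count -gt 0) {
        Write-Warning "${peer}: NTP samples failed ($($failed[0]))"
    } else {
        Write-Output "${peer}: answered all samples"
    }
}

# Request an immediate sync, then read back the source the service selected.
& w32tm.exe /resync /rediscover | Out-Null
$source = (& w32tm.exe /query /source | Out-String).Trim()

if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "Still on the local clock ('$source'); the external peers are not in use."
} else {
    Write-Output "Time source: $source"
}

# Full detail: stratum, last successful sync time, and per-peer state.
& w32tm.exe /query /status
& w32tm.exe /query /peers
```

Kerberos rejects authentication when clocks differ by more than its tolerance (five minutes by default), so a PDC that silently falls back to its local clock eventually surfaces as logon and replication failures.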

23 thoughts on “Configuring external time source on your Primary Domain Controller”

  1. Pingback: Migrating Domain Controllers From Server 2008 R2 to Server 2012 R2 | Jack Stromberg

  2. Alex

    Tried this on a 2008R2 DC.
    All went fine, but when I run the first command to check the source ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name)
    I'm getting my DC name, as at the beginning.

    Why?

  3. Solongo

    Can a second DC also be configured with an external time source? Or can only the PDC be configured with an external source, with the second DC pointing to the PDC for its time source?

    1. Jack Post author

      I believe it is recommended to only have one DC configured to an external time source so you can ensure all the DCs have the exact same time. That way when your clients sync up to a DC, they will all have a very similar time.

      Jack

      1. Eric

        If only 1 DC is configured to sync time externally, what would happen in the scenario where that DC went down and another DC became the PDC?

        Are there settings to have this sync externally in a failover situation? Looked all over the interwebs and I have not been able to find anything, unfortunately.

        I walked in to a domain that already had NTP set up and I see the secondary DC in the peer list. Not sure that is correct. Hoping someone here has experience with this setup!

        Thanks all

  4. Jonathan

    To find your PDC, alternatively, you can run the below command from either PowerShell or a regular command prompt. This lists all the FSMO roles quick-and-easy:

    netdom query fsmo

  5. Nazrul

    Hi,
    Thanks for a very useful article... although it did not work on a VMware-hosted VM running Server 2012 R2.

    The commands appear to be accepted (no errors)... but after the sync command and the w32time service restart... the time remains unchanged 🙁 on the server even after a reboot, and w32tm /status even tells me the last sync succeeded... but the time is unchanged 🙁

    Please advise where I am going wrong?
    I am running on the PDC role holder, elevated.

    Regards,
    Nazrul

  6. Chris P

    Do not do this if you have more than 1 DC! I tried it in a lab environment first. After doing this, my 2nd DC no longer replicates to the one I ran this on with all FSMO roles.
    BAD NEWS!!!

  7. Erik K

    Jack,

    Would you know if I can have my DC get its NTP time from my router, which looks at some different repositories?

    Also, instead of using an FQDN in my manualpeerlist, I was using the router's IP.

    1. Jack Post author

      If your router provides the NTP service, yes, you could point your DCs to that if you wish. Typically, the external time sources are going to be much more accurate though.

  8. Terry O'Donal

    I have a 2019 standard server system and I used your tech sheet here to configure the time server really well last summer. Now that I have moved and turned the server back on again, I can't get the server to sync with any external time servers. I have reconfigured everything multiple times today with no success. I am still synched to my CMOS clock. I tried the NIST servers from last summer but they wouldn't ping so I went with the pool.ntp.org servers, which pinged, with no success so I switched to the time.goggle.com time server and still no go. Any advice?

    1. Terry O'Donal

      I fixed my problem. Turned out I was trying to use out-of-date time servers. Once I changed everything over to time.windows.com, everything switched over like it is supposed to. Thank you for the tech information.

