Here we will configure your primary domain controller (PDC) to connect to an external time source so that your domain's clocks stay synchronized with the rest of the world. By pointing the PDC at an external source, the time is then handed down from the PDC to the other domain controllers and clients in your domain, which limits the bandwidth needed to synchronize with an external source. First, I am going to reference much of the information provided by Marc Weisel. I would highly recommend you check out his blog post, as it contains a ton of valuable information on the subject as well as more information and best practices in regards to keeping time in your organization's infrastructure: http://binarynature.blogspot.co.uk/2012/04/configure-active-directory.html
- Find out which server is the primary domain controller (PDC) for your domain by executing the following PowerShell command from any machine in the domain
- Log in to your primary domain controller
- Open up a command prompt/PowerShell window with administrative privileges
- Execute the following command to configure the domain controller to look at an external time source
- w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
- Note: You can find the time servers closest to you by browsing the following page and clicking on the nearest zone: http://www.pool.ntp.org/zone/@
- Execute the following command to actually perform a time synchronization with the external source
- Execute the following command for the changes to take effect
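The whole procedure above as one elevated PowerShell session on the PDC. This is an added example, not code from the original post: the PDC lookup and the w32tm.exe /config line are the ones the post uses, while the Restart-Service, /resync and /query steps are standard Windows Time commands supplied here because this copy of the post omits the text of its last two commands.

```powershell
# Added example (not the original post's code): configure the PDC emulator
# to use external NTP servers and verify the result. Run in an elevated
# PowerShell window on the PDC.

# 1. Identify the PDC emulator for the forest root domain and make sure
#    we are actually running on it.
$pdc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "PDC emulator: $pdc   (this host: $me)"
if ($pdc -ne $me) {
    throw "Run this on the PDC emulator ($pdc), not on $me."
}

# 2. Point the PDC at external NTP servers (peer list as used in the post;
#    replace with the pool zone nearest to you).
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update

# 3. Restart the Windows Time service so the new configuration takes effect.
Restart-Service w32time

# 4. Force a synchronization against the configured peers.
w32tm.exe /resync /rediscover

# 5. Verify: the source should now be one of the pool servers, not
#    "Local CMOS Clock" or "Free-running System Clock".
w32tm.exe /query /source
w32tm.exe /query /status
w32tm.exe /query /peers
```

The guard in step 1 is there because the w32tm.exe /config line with /reliable:YES is only meant for the PDC emulator; every other DC should keep following the domain hierarchy. Run this script from cmd.exe instead of PowerShell and the PDC lookup line will not work, but the w32tm.exe lines are identical.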
That's all that is to it!
Tried this on a 2008 R2 DC.
All went fine, but when I run the first command to check the source ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name)
I'm getting my DC name, as at the beginning.
Why?
The result should be one of your domain controllers; specifically, we are trying to find the PDC.
Jack
Can a second DC also be configured with an external time source? Or can only the PDC be configured with an external source, with the second DC pointing to the PDC as its time source?
I believe it is recommended to only have one DC configured to an external time source so you can ensure all the DCs have the exact same time. That way when your clients sync up to a DC, they will all have a very similar time.
Jack
If only one DC is configured to sync time externally, what would happen in the scenario where that DC went down and another DC became the PDC?
Are there settings to have this sync externally in a failover situation? I looked all over the interwebs and I have not been able to find anything, unfortunately.
I walked into a domain that already had NTP set up and I see the secondary DC in the peer list. Not sure that is correct. Hoping someone here has experience with this setup!
Thanks all
If you have two DCs and one fails, the secondary DC will not automatically become the FSMO master/PDC. You'd have to transfer the FSMO roles to designate it as the PDC, in which case you'd likely then need to resync the machine to an external time source.
Please see this article in regards to the PDC Emulator FSMO role: https://support.microsoft.com/en-us/help/197132/active-directory-fsmo-roles-in-windows
Jack
To find your PDC, alternatively, you can run the command below from either PowerShell or a regular command prompt. This lists all the FSMO roles quick and easy:
netdom query fsmo
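For the multi-DC and failover questions above, here is an added example (not code from the post or from any commenter) of a script that is safe to run on any domain controller: it applies the external configuration only on the DC that currently holds the PDC emulator role and points every other DC at the domain hierarchy. Re-running it after a FSMO transfer moves the external configuration to the new PDC and returns the old one to the hierarchy. The PDC lookup and the peer list are the post's; /syncfromflags:domhier and /reliable:NO are standard w32tm options.

```powershell
# Added example: role-aware Windows Time configuration for any DC.
# Run elevated on each domain controller (or after transferring FSMO roles).

$pdc  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
$self = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($self -eq $pdc) {
    Write-Host "$self holds the PDC emulator role: syncing from external NTP."
    # Only the PDC emulator announces itself as a reliable time source.
    w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
} else {
    Write-Host "$self is not the PDC ($pdc): syncing from the domain hierarchy."
    # Follow the AD time hierarchy (which leads back to the PDC emulator)
    # and do not advertise this DC as a reliable source.
    w32tm.exe /config /syncfromflags:domhier /reliable:NO /update
}

# Apply the change and force a fresh discovery of the time source.
Restart-Service w32time
w32tm.exe /resync /rediscover

# Confirm which source this DC ended up using; on a non-PDC DC it should be
# another DC, on the PDC it should be one of the external peers.
w32tm.exe /query /source
w32tm.exe /query /configuration
```

Keeping only the PDC emulator on an external source is what keeps every DC's clock within a few milliseconds of each other; the other DCs inherit that time through the hierarchy rather than each drifting against a different internet server.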
Great article! Concise directions & best of all.......it works!
This worked great on my 2008R2 pdc. Thank you very much!
Worked perfectly. Thank you for a very simple and concise how-to.
Hi,
Thanks for a very useful article... although it did not work on a VMware-hosted Server 2012 R2 VM.
The commands appear to be accepted (no errors)... but after the sync command and the w32time service restart... the time remains unchanged 🙁 on the server, even after a reboot, and w32tm /status even tells me the last sync succeeded... but the time is unchanged 🙁
Please advise where I am going wrong?
I am running on the PDC role holder, elevated.
Regards,
Nazrul
It sounds like you have the time synchronized with the VMware host. Please ensure this is not the case:
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
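A quick way to check the situation described in this exchange from inside the guest, as an added example that is not part of the post or the reply. It shows what Windows Time believes its source is, measures the offset against one of the post's pool servers, and reads the VMware Tools guest-side time sync setting. The VMware Tools path is the default install location and is an assumption; the host-side periodic sync described in the linked KB article has to be checked on the host, not here.

```powershell
# Added example: diagnose "w32tm reports success but the clock never moves"
# on a VMware guest. Run elevated on the affected DC.

# What Windows Time currently believes its source is. "Local CMOS Clock" or
# "Free-running System Clock" means the external peers are not in use.
w32tm.exe /query /source

# Offset of this machine against one of the configured peers, in seconds.
w32tm.exe /stripchart /computer:0.us.pool.ntp.org /samples:3 /dataonly

# Whether VMware Tools is pulling the guest clock back to the host's time,
# which would silently undo what w32tm sets.
$toolbox = Join-Path ${env:ProgramFiles} "VMware\VMware Tools\VMwareToolboxCmd.exe"   # assumed default path
if (Test-Path $toolbox) {
    $state = & $toolbox timesync status
    Write-Host "VMware Tools guest time sync: $state"
    if ($state -match 'Enabled') {
        # Turn off host-to-guest time sync on this DC so the external NTP
        # peers configured in w32tm are the only source of time.
        & $toolbox timesync disable
        Write-Host "Disabled VMware Tools time sync; re-run w32tm.exe /resync /rediscover."
    }
} else {
    Write-Host "VMware Tools not found at $toolbox (not a VMware guest, or non-default path)."
}
```

A domain controller that holds the PDC emulator role should get its time from exactly one place; if both the hypervisor and w32tm are steering the clock, the stripchart offsets will keep jumping even though w32tm /query /status reports a successful last sync.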
Superhero you are!!!... thanks Jack!
That solved my problem.
All the best and thanks again
Good! Thanks
Thank you. Works great!
do not do this if you have more than 1 DC! I tried it in a lab environment first. After doing this, my 2nd dc no longer replicates to the one I ran this on with all FSMO Roles.
BAD NEWS!!!
What error do you see in Event Viewer? I've tried this in several environments and it has worked fine. It's a documented best practice by Microsoft to set an external time source, as outlined here: https://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx
Jack,
Would you know if I can have my DC get its NTP time from my router, which looks at some different repositories?
Also, instead of using an FQDN in my manualpeerlist, I was using the router's IP.
If your router provides the NTP service, yes, you could point your DCs to that if you wish. Typically, the external time sources are going to be much more accurate though.
Thank you, works great
I have a 2019 standard server system and I used your tech sheet here to configure the time server really well last summer. Now that I have moved and turned the server back on again, I can't get the server to sync with any external time servers. I have reconfigured everything multiple times today with no success. I am still synched to my CMOS clock. I tried the NIST servers from last summer but they wouldn't ping so I went with the pool.ntp.org servers, which pinged, with no success so I switched to the time.goggle.com time server and still no go. Any advice?
I fixed my problem. Turned out I was trying to use out of date time servers. Once I changed everything over to time.windows.com, everything switched over like it is supposed to. Thank you for the tech information.