Accurate time synchronization is essential in Windows environments, particularly in Active Directory domains, where Kerberos authentication requires clocks to be within 5 minutes of each other. If time drifts too far, users cannot log in, services fail to authenticate, and replication can break. This guide covers how the Windows Time service (W32Time) works, how to configure it correctly in an AD environment, and how to troubleshoot time synchronization issues.
How Windows Time Synchronization Works
The NTP Hierarchy in Active Directory
Active Directory uses a hierarchical time synchronization model:
External NTP Source (e.g., time.nist.gov, pool.ntp.org)
└── PDC Emulator (Forest Root Domain)
└── Domain Controllers
└── Domain Member Computers
- Domain member computers synchronize their clocks with the domain controller they authenticated against
- Domain controllers synchronize with the PDC Emulator of their domain
- The PDC Emulator in the forest root domain should synchronize with a reliable external NTP source
If the PDC Emulator does not have an external time source configured, it relies on its own hardware clock, which can drift significantly over time — especially on virtual machines.
Why Time Matters
- Kerberos authentication has a default maximum tolerance of 5 minutes. Clocks outside this window cause authentication failures.
- AD replication uses timestamps to resolve conflicts. Incorrect time can cause replication issues.
- Log correlation across servers requires synchronized time for accurate event analysis.
- Certificate validation depends on accurate time for expiration checks.
- Scheduled tasks and backups run at the wrong time if clocks are off.
Configuring the PDC Emulator for External NTP
The most critical configuration is the PDC Emulator. This is the authoritative time source for the entire domain (or forest).
Identify the PDC Emulator
# Find the PDC Emulator
Get-ADDomain | Select-Object PDCEmulator
# Or use netdom
netdom query fsmo
Configure External NTP Source
Run these commands on the PDC Emulator:
# Configure the NTP peers
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
# Restart the Windows Time service
net stop w32time
net start w32time
# Force an immediate sync
w32tm /resync /rediscover
Parameters explained:
- /manualpeerlist — Space-separated list of NTP servers
- /syncfromflags:manual — Sync from the manual peer list (not the domain hierarchy)
- /reliable:YES — Advertise this server as a reliable time source (sets AnnounceFlags to 5)
- /update — Apply the configuration changes
Recommended NTP Sources
| Source | Address | Notes |
|---|---|---|
| NTP Pool Project | 0.pool.ntp.org through 3.pool.ntp.org | Distributed pool, most common choice |
| NIST | time.nist.gov | US government time server |
| Google | time.google.com | Uses leap smearing; do not mix smeared and non-smeared sources in one peer list |
| Microsoft | time.windows.com | Default for non-domain Windows |
For redundancy, specify multiple servers in the peer list.
Configuring Domain Controllers
Domain controllers other than the PDC Emulator should sync from the domain hierarchy (the default behavior):
# Reset a DC to sync from the domain hierarchy
w32tm /config /syncfromflags:domhier /update
# Restart the service
net stop w32time
net start w32time
This is the default configuration. You only need to run this if a DC was previously configured with manual peers.
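The two procedures above (manual peers on the PDC Emulator, domain hierarchy everywhere else) can be applied from one script that decides which case it is in and then verifies the result. This is an added example, not code from the original guide; it assumes the ActiveDirectory RSAT module is installed, that it runs elevated on a domain controller, and that the peer list is a placeholder to replace with your approved NTP sources.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original guide. Run on each DC: it decides
# whether this host is the PDC Emulator and applies the matching W32Time config.
# Assumptions: ActiveDirectory module (RSAT) is installed; $externalPeers is a
# placeholder list to replace with your organisation's approved NTP sources.
Import-Module ActiveDirectory

# ",0x8" = client mode; omit the flag if you want W32Time's default (symmetric active)
$externalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8'

$pdcFqdn = (Get-ADDomain).PDCEmulator
$myFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isPdc   = $pdcFqdn -ieq $myFqdn

if ($isPdc) {
    Write-Host "$myFqdn holds the PDC Emulator role: syncing from external peers"
    w32tm /config /manualpeerlist:"$externalPeers" /syncfromflags:manual /reliable:YES /update
} else {
    Write-Host "$myFqdn is not the PDC ($pdcFqdn): syncing from the domain hierarchy"
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service W32Time
w32tm /resync /rediscover | Out-Null

# Verify the result rather than trusting the exit code.
$source   = (w32tm /query /source | Out-String).Trim()
$announce = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config').AnnounceFlags
$healthy = if ($isPdc) {
    # PDC must not be free-running and must advertise itself as reliable (AnnounceFlags 5)
    ($source -notin 'Local CMOS Clock', 'Free-running System Clock') -and ($announce -eq 5)
} else {
    # Every other DC should name the PDC as its source
    $source -like "$($pdcFqdn.Split('.')[0])*"
}
Write-Host "Source: $source  AnnounceFlags: $announce  Healthy: $healthy"
if (-not $healthy) { exit 1 }
```

The verification step matters more than the configuration step: w32tm /config returns success even when the peers are unreachable, so only w32tm /query /source and the AnnounceFlags value tell you the DC is actually in the state you intended.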
Configuring Domain Member Computers
Domain members automatically sync with their authenticating DC. No configuration is typically needed. If you need to override:
# Force resync on a client
w32tm /resync
# Check the current time source
w32tm /query /source
W32tm Command Reference
Check Synchronization Status
# Show current time source and status
w32tm /query /status
# Verbose status output
w32tm /query /status /verbose
# Show configured peers
w32tm /query /peers
# Show the current configuration
w32tm /query /configuration
Monitor Time Across the Domain
# Monitor all DCs in the domain
w32tm /monitor
# Monitor specific computers
w32tm /monitor /computers:DC01,DC02,DC03
# Stripchart (real-time offset display)
w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly
The /monitor output shows the offset (in seconds) between each DC and the PDC Emulator. Anything over 1-2 seconds warrants investigation.
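w32tm /monitor is meant for a human reading the screen. For a scheduled check, the offsets are easier to consume from w32tm /stripchart /dataonly, which prints one parseable line per sample. The script below is an added example, not part of the original guide; it assumes the ActiveDirectory RSAT module, UDP/123 reachability to every DC, and illustrative thresholds. Offsets are measured relative to the machine running the script, so run it on the PDC Emulator (or a host you have already verified) for meaningful numbers.

```powershell
# Added example, not code from the original guide: measure each DC's clock
# offset from this host with w32tm /stripchart and classify it. Offsets are
# relative to the machine running the script, so run it on the PDC Emulator
# (or on a host you have already verified) to get meaningful numbers.
# Assumptions: ActiveDirectory module (RSAT) installed; UDP/123 reachable to
# every DC; the thresholds are illustrative.
Import-Module ActiveDirectory

$warnSeconds = 1.0     # the guide's "1-2 seconds warrants investigation"
$kerberosMax = 300.0   # default Kerberos clock skew tolerance (5 minutes)

function Get-NtpOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # /dataonly prints one line per sample: "HH:MM:SS, +00.0123456s"; failures print "error:" instead
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # no NTP reply at all
    return ($offsets | Measure-Object -Average).Average
}

function Get-OffsetState {
    param($OffsetSeconds)
    if ($null -eq $OffsetSeconds) { return 'UNREACHABLE' }
    $abs = [math]::Abs($OffsetSeconds)
    if ($abs -ge $kerberosMax) { return 'KERBEROS-BREAKING' }
    if ($abs -ge $warnSeconds) { return 'DRIFTING' }
    return 'OK'
}

$pdc = (Get-ADDomain).PDCEmulator
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $offset = Get-NtpOffsetSeconds -Computer $dc.HostName
    [pscustomobject]@{
        DC            = $dc.HostName
        Role          = if ($dc.HostName -ieq $pdc) { 'PDC' } else { 'DC' }
        Site          = $dc.Site
        OffsetSeconds = if ($null -ne $offset) { [math]::Round($offset, 4) } else { $null }
        State         = Get-OffsetState $offset
    }
}
$report | Sort-Object State, DC | Format-Table -AutoSize
# Non-zero exit if anything needs attention, so this can run from a scheduled task or monitoring agent
if ($report | Where-Object { $_.State -ne 'OK' }) { exit 1 }
```

A DC that reports UNREACHABLE here but answers LDAP is usually a firewall problem on UDP/123, not a time problem; treat it as a finding either way, because its own clients cannot sync from it.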
Force Resynchronization
# Force resync
w32tm /resync
# Force resync and rediscover peers
w32tm /resync /rediscover
# Force resync on a remote computer
w32tm /resync /computer:WORKSTATION01
Register and Unregister the Service
# Re-register the W32Time service (fixes corrupted configurations)
w32tm /unregister
w32tm /register
# Then restart
net start w32time
Group Policy Configuration
For large environments, configure time synchronization via Group Policy.
Configure the PDC Emulator via GPO
Create a GPO linked to the Domain Controllers OU with a WMI filter that targets only the PDC Emulator:
WMI Filter:
SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5
(DomainRole 5 = PDC Emulator)
GPO Settings:
Navigate to:
Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers
- Enable Windows NTP Client: Enabled
- Configure Windows NTP Client: Enabled, with
  - NtpServer: 0.pool.ntp.org,0x9 1.pool.ntp.org,0x9 2.pool.ntp.org,0x9
  - Type: NTP
  - CrossSiteSyncFlags: 2
  - SpecialPollInterval: 3600
The ,0x9 suffix combines two flags: 0x1 (use SpecialPollInterval instead of the poll interval negotiated by NTP) and 0x8 (client mode, i.e. send requests as an NTP client rather than in symmetric-active mode).
Configure All Other DCs via GPO
Create a separate GPO for all DCs with a WMI filter that excludes the PDC:
WMI Filter:
SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 4
(DomainRole 4 = backup domain controller, i.e. any DC that does not hold the PDC Emulator role)
GPO Settings:
- Configure Windows NTP Client:
- Type: NT5DS (sync from domain hierarchy)
Configure Domain Members
Domain members sync from the hierarchy by default. If you need a GPO:
- Configure Windows NTP Client:
  - Type: NT5DS
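Once the GPOs are in place, the question on any given DC is whether the effective settings match its role. The audit below is an added example, not code from the original guide; it keys on the same Win32_ComputerSystem.DomainRole value the WMI filters use, reads policy-applied values (HKLM\SOFTWARE\Policies\Microsoft\W32Time) ahead of the service's own keys, and encodes the guide's expectations (PDC: Type NTP, peers present, AnnounceFlags 5; other DCs: Type NT5DS). It assumes it runs elevated on the DC being audited.

```powershell
# Added example, not code from the original guide: audit a DC's effective
# W32Time settings against its role. DomainRole is the same value the GPO
# WMI filters key on (4 = backup DC, 5 = PDC Emulator). Assumption: run
# elevated on the DC; expectations below follow the guide's configuration.
$role   = (Get-CimInstance Win32_ComputerSystem).DomainRole
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'   # values written by Group Policy

function Get-W32Value {
    param([string]$SubKey, [string]$Name)
    # Group Policy values take precedence over the service's own settings.
    foreach ($root in @($policy, $base)) {
        $p = Join-Path $root $SubKey
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).$Name
            if ($null -ne $v) { return $v }
        }
    }
    return $null
}

$type        = Get-W32Value 'Parameters' 'Type'
$ntpServer   = Get-W32Value 'Parameters' 'NtpServer'
$announce    = Get-W32Value 'Config' 'AnnounceFlags'
$ntpClientOn = Get-W32Value 'TimeProviders\NtpClient' 'Enabled'
$ntpServerOn = Get-W32Value 'TimeProviders\NtpServer' 'Enabled'

$findings = @()
switch ($role) {
    5 {
        if ($type -ne 'NTP') { $findings += "PDC has Type=$type, expected NTP" }
        if ([string]::IsNullOrWhiteSpace($ntpServer)) { $findings += 'PDC has no NtpServer peers configured' }
        if ($announce -ne 5) { $findings += "PDC AnnounceFlags=$announce, expected 5 (reliable time source)" }
    }
    4 {
        if ($type -ne 'NT5DS') { $findings += "DC has Type=$type, expected NT5DS (domain hierarchy)" }
    }
    default { $findings += "DomainRole=$role is not a domain controller; this audit targets DCs" }
}
if ($ntpClientOn -ne 1) { $findings += 'NtpClient provider is disabled; this host cannot sync' }
if (($role -in 4, 5) -and $ntpServerOn -ne 1) { $findings += 'NtpServer provider is disabled; clients cannot sync from this DC' }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    DomainRole    = $role
    Type          = $type
    NtpServer     = $ntpServer
    AnnounceFlags = $announce
    Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

A non-PDC DC with Type=NTP and its own peer list is the most common finding in practice: it was set up by hand during an outage and never returned to the hierarchy, and it will silently diverge from the PDC if its peers go away.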
Troubleshooting Time Synchronization
Time Is Drifting on a Domain Controller
- Check that the DC knows about the PDC Emulator:
w32tm /query /source
This should show the PDC Emulator's name.
- Check replication health:
repadmin /replsummary
- Force resync:
w32tm /resync /rediscover
“The computer did not resync because no time data was available”
This means the configured time source is unreachable or not answering:
- If on the PDC Emulator, verify the firewall allows UDP port 123 outbound to the NTP servers (and the replies back in).
- Test connectivity:
w32tm /stripchart /computer:pool.ntp.org /samples:3
- Verify DNS resolution of the NTP server names.
Time Is Significantly Off (More Than 5 Minutes)
Kerberos may refuse authentication, so fix the clock before anything else. Point the machine at a reachable NTP source and force a resync:
# Point at a reachable NTP source and resync
w32tm /config /manualpeerlist:"time.nist.gov" /syncfromflags:manual /update
net stop w32time
net start w32time
w32tm /resync /rediscover
Two caveats:
- W32Time will not apply a correction larger than its MaxPosPhaseCorrection/MaxNegPhaseCorrection limits (48 hours by default on domain-joined systems); beyond that it logs an error instead of stepping the clock. Set the clock by hand (for example with Set-Date) or temporarily raise the limits, then resync.
- net time /setsntp is deprecated on current Windows versions and only changes the SNTP server setting; it does not set the clock. Use w32tm instead. On a DC other than the PDC Emulator, switch back to /syncfromflags:domhier once the clock is correct.
On virtual machines, also check:
- Hyper-V: Disable the Time Synchronization integration service if the host's time is wrong. In Hyper-V Manager > VM Settings > Integration Services, uncheck Time Synchronization.
- VMware: Check the VMware Tools time sync settings. In the .vmx file, set tools.syncTime = "FALSE" if using AD time sync. This only disables periodic sync; VMware Tools still adjusts the guest clock on snapshot restore, suspend/resume and migration unless the time.synchronize.* options are also set to "FALSE".
W32Time Service Will Not Start
# Re-register the service
w32tm /unregister
w32tm /register
net start w32time
If that does not work, check the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
Ensure the service is configured with Start value of 2 (Automatic).
Check Event Logs
Time service events are logged in:
Event Viewer > Applications and Services Logs > Microsoft > Windows > Time-Service
Also check the System log for Event IDs:
- Event ID 35 — The time service is now synchronizing the system time with the time source…
- Event ID 36 — The time service has not synchronized the system time because none of the time providers provided a usable time stamp…
- Event ID 129 — NtpClient was unable to set a domain peer to use as a time source (discovery error)…
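Pulling those events programmatically is quicker than clicking through Event Viewer on each DC, and the order of the last good and last bad event tells you whether the problem is current. The function below is an added example, not code from the original guide; it assumes it runs on the host under investigation (or with remote event log access when -ComputerName is passed) and that the 24-hour window is arbitrary.

```powershell
# Added example, not code from the original guide: collect recent Time-Service
# events from the System log and the Time-Service operational log and give a
# quick verdict. Assumptions: run on the host under investigation (or pass
# -ComputerName with remote event log access); the 24-hour window is arbitrary.
function Get-TimeServiceEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        # System log: 35 = now synchronizing with a source, 36 = cannot synchronize, 129 = cannot set a peer
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 35, 36, 129; StartTime = $since }
        # Operational log: per-provider detail (peer selection, poll errors)
        @{ LogName = 'Microsoft-Windows-Time-Service/Operational'; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
    }
}

$events = Get-TimeServiceEvents | Sort-Object TimeCreated
$events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Verdict: a 35 newer than the last 36/129 means the service found a source again
$lastGood = ($events | Where-Object { $_.Id -eq 35 } | Select-Object -Last 1).TimeCreated
$lastBad  = ($events | Where-Object { $_.Id -in 36, 129 } | Select-Object -Last 1).TimeCreated
if ($lastBad -and (-not $lastGood -or $lastGood -lt $lastBad)) {
    Write-Warning "Most recent Time-Service event is a failure ($lastBad); the time source is not healthy"
} elseif ($lastGood) {
    Write-Host "Last successful source selection: $lastGood"
}
```

Keep an eye on the source named in Event ID 35 as well as its presence: a DC that reports it is "now synchronizing" with an unexpected host, or with its own CMOS clock, is still a finding.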
Virtual Machine Considerations
Virtual machines are particularly susceptible to time drift:
- Hyper-V VMs have a Time Synchronization integration service that syncs the guest clock with the host. In AD environments, disable this for DCs so the hypervisor does not compete with the AD time hierarchy; the PDC Emulator in particular must take its time from the external NTP source, not from the host.
- VMware VMs have VMware Tools time sync that can also conflict with AD time sync. Disable it on DCs.
- After restoring a VM from a snapshot, the clock may be set to the snapshot time. Run w32tm /resync /rediscover immediately after restoration, and confirm the offset with w32tm /stripchart against the PDC Emulator before the DC resumes serving authentication.
Summary
Windows Time Services (W32Time) maintains clock synchronization across your Active Directory environment through a hierarchical model. The most critical step is configuring the PDC Emulator to sync with a reliable external NTP source — without this, time drift will propagate to all domain members. Use w32tm /query /status to verify configuration, w32tm /monitor to check all DCs, and Group Policy for enterprise-wide configuration. On virtual machines, be careful to avoid conflicts between hypervisor time sync and the AD time hierarchy.