In Active Directory, the time configuration is an important topic as the domain controllers has to be in sync with each other, member servers and clients. Using the default Kerberos settings, a time difference of more than 5 minutes will cause logon issues as the logon token will be outdated.
The domain controllers
In an Active Directory environment the domain controller hosting the PDC emulator FSMO role is the master time server. All other DC’s, member server and clients should synchronize their time with this server. The PDC emulator should always retrieve the time settings from an external, reliable source. Personally I’ve used no.pool.ntp.org as a time source with no issues. To check your current configuration, run this line from an elevated command prompt:
w32tm /query /source
The outout shuld either display the name/ip of your current time source. If you synchronize from the bios it will display “Local CMOS clock”.
To set the time source, run this command from an elevated command prompt on the DC hosting the PDC emulator, replace “no.pool.ntp.org” with a source of your choice.
w32tm /config /syncfromflags:manual /manualpeerlist:no.pool.ntp.org /update
But when the domain controller is virtualized, the virtualization platform has an agent installed in the virtual machine (vmware tools, hyper-v integration services etc) and these often synchronize the time with the host servers time as default, and you should avoid using this setting on your DCs. This will display “VM IC Time Synchronization Provider” from the command above if your DC is virtual on a Hyper-V server. If you run Hyper-V you can leave the time sync enabled under integration tools, and run this line from an elevated command prompt on the virtual domain controller. Select yes to overwrite if you are prompted for it.
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
The domain members:
As for the rest of the domain it should be able to sync up automatically, but should you need to specify a server or client to us the domain sync you can run these lines from an elevated command prompt:
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
Finally , don’t forget to open your firewalls. NTP requires UDP port 123 to be opened and forwarded to the DC hosting the PDC emulator, and also remember the local firewall on the server.