Domain Controller time is 7 minutes fast

Solution 1

The domain controller holding the PDC Emulator flexible single-master operations (FSMO) role in the forest root domain of your Active Directory forest should have an external-to-the-forest time source specified. On every other DC, time synchronization should be handled by the "Windows Time" service automatically. The DCs in each domain will sync with their domain's PDC Emulator role-holder, and the PDC Emulator role-holders in each domain will synchronize with the forest root PDC Emulator role-holder.

Per this document from Microsoft, be sure that you've disabled time synchronization in Host Integration Services.

Follow the procedure here to locate the DC in your domain that holds the PDC Emulator role. If you have a single-domain environment, then the PDC Emulator role-holder should have an external-to-the-forest time source configured.

Microsoft offers some more detailed guidance here, but the gist of setting an external-to-the-forest time source is using the "NET TIME" command, run on the forest root PDC Emulator role-holder, to specify the NTP server:

NET TIME /setsntp:server-name-here

Be sure that you can resolve the NTP server's name and that your firewall passes NTP (UDP port 123).
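An added example, not part of the original answer: a minimal SNTP check in Python that confirms an NTP server answers on UDP 123 and measures how far the local clock is from it, compared against the Windows default Kerberos tolerance of 5 minutes. The function names and the constructed reply packet are assumptions made for illustration.

```python
import socket, struct, time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def to_ntp(unix_ts):
    """Pack a Unix time as a 64-bit NTP timestamp (seconds + 2^-32 fraction)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client request: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    return b"\x1b" + bytes(39) + to_ntp(t1)

def clock_offset(reply, t1, t4):
    """Server minus local clock in seconds; negative means the local clock is fast."""
    if len(reply) < 48:
        raise ValueError("short reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply (mode/stratum)")
    if reply[24:32] != to_ntp(t1):
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2

def query(server, timeout=3.0):
    """Ask a real server; socket.timeout here suggests UDP 123 is being blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
        return clock_offset(reply, t1, time.time())

def exceeds_skew(offset, max_skew_s=300):
    """300 s is the Windows default Kerberos tolerance (assumed unchanged by policy)."""
    return abs(offset) > max_skew_s

def constructed_reply(t1, server_time):
    """Constructed sample (not captured traffic): Mode 4, stratum 2 server reply."""
    pkt = bytearray(48)
    pkt[0], pkt[1] = 0x1C, 2          # LI=0, VN=3, Mode=4; stratum 2
    pkt[24:32] = to_ntp(t1)           # server echoes our transmit timestamp
    pkt[32:40] = pkt[40:48] = to_ntp(server_time)
    return bytes(pkt)
```

Feeding `clock_offset` a `constructed_reply` whose server time is 420 seconds behind the local `t1` yields an offset of about -420, which `exceeds_skew` flags; `query("server-name-here")` runs the same check against a live server.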

Solution 2

In addition to setting up SNTP/Windows Time, you also need to disable time synchronization under integration services. If you don't, you'll have conflicts as to what is setting the time, the Hyper-V Host or the Windows Time service.

Here's an article describing the process. You might also want to take a look at Ben Armstrong's article The Domain Controller Dilemma. One of the comments specifically mentions DCs under Hyper-V and time synchronization.

Author by

stead1984

Updated on September 17, 2022

Comments

  • stead1984
    stead1984 over 1 year

    I have a Server 2008 R2 domain controller running in a VM on Hyper-V that is 7 minutes fast, which I need to fix. I understand that this may be down to the DC running in a VM.

    What I would like to know is how I can correct it?

    I believe I can set up the DC to use a public/internet NTP server, but I don't know any or have any idea how to do it. Also, according to a few forums, I may experience problems if the time is changed on the DC and that time is more than 3 minutes.

    If anyone can help I would be very grateful!

  • stead1984
    stead1984 over 14 years
    I'm running a single domain with a single domain controller so all the roles would be on the same server. Just to confirm, I have to disable time synchronisation in Host Integration Services (what is that by the way? [do you mean Hyper-V Manager]). Then run the above command on the forest root PDC Emulator role-holder. Right? Could you tell me a reliable Internet-based NTP server?
  • stead1984
    stead1984 over 14 years
    Also what are the risks of changing time as I've read that the DC thinks it has gone back in time? Something to do with Kerberos?
  • BillN
    BillN over 14 years
    My understanding is Kerberos complains if there is an excessive difference in the clocks on the server and the client (three minutes is the number I hear thrown around). Since your server is the only DC, it should be the time server for the clients, so they should all change to match it at their next login/restart, so you wouldn't have any Kerberos ticket issues, other than potentially needing to restart the clients, or re-syncing the time on them with a net time command.
  • stead1984
    stead1984 over 14 years
    I'm still having problems with my time server being fast. The answer above did correct the problem but it seems to be back. The link below is a new posting I have made, one of the answers suggests to have the VM's time sync (or at least the DC) with the host and set the host up with NTP. serverfault.com/questions/97928/… Also perhaps using a physical server running a Linux NTP server?