Where do computers/servers in a Windows Domain get their time settings from?
Solution 1
Also consider that sometimes, virtualized systems that run Windows OS joined to a domain have the wrong setting to synchronize time with the host. This is not a best practice because the VM continue to change its time setting first synchronizing from the PDC Emulator as Daniel said on Windows side, then from the host on Hypervisor side. This could generate a lot of kind of problems.
Solution 2
To clarify: All computers get their time from their RTC (real time clock), unless they're virtual machines, in which case the host hypervisor injects it's time into the VM at startup (because virtual machines don't have an RTC). Thereafter they sync their time either with the host hypervisor (if configured to do so), or in the case of a domain member, with the domain hierarchy. They don't get their time from the domain hierarchy, they sync their time with the domain hierarchy. Domain controllers that don't hold the PDCe role sync their time with the PDCe. All other domain members sync their time with their authenticating domain controller, which is not necessarily the PDCe. Host hypervisor time synchronization should be disabled for all domain joined virtual machines. At no time should any domain member be configured to sync with an external time source. Only the domain controller that holds the PDCe role should be configured to sync with a reliable external time source, if desired. Time is relative. There's no requirement that the domain time be synchronized with a reliable external time source, although it's considered best practice to do so.
Solution 3
This article explains it very well: “It’s Simple!” – Time Configuration in Active Directory
Summarized, clients get their time from the PDC emulator. And the PDC emulator gets its time from the BIOS clock, unless you configure an external time server, which is strongly advised.
You can set the clock on the PDC with this command:
w32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org /syncfromflags:manual /reliable:yes /update
Once done, restart W32Time service.
(Alternatively there are hardware devices that sync your BIOS clock, but I cannot remember how they are called.)
Related videos on Youtube
SMW
Updated on September 18, 2022Comments
-
SMW almost 2 years
I have 5 Windows Server 2012 servers and around 100 computers in our domain.
Recently I noticed that the time on the servers and computers is around 30 seconds fast.
Where do servers and computers on the domain get their time settings from? Is that set on a domain controller or elsewhere (I have 2 domain controllers).
On a Linux server I would use
server 0.pool.ntp.org server 1.pool.ntp.org server 2.pool.ntp.org server 3.pool.ntp.org
to keep the time in sync but to be honest I've never ever had a problem with time on a Windows domain so I've never had to look at it.
Where would I set it so that all servers and computers automatically use
{0-3}.pool.ntp.org
(or whatever the recommended would be)? -
SMW over 9 yearsThanks for the answer. What's the PDC emulator? I've never heard that term before. Is it a domain controller?
-
Daniel over 9 years"What's the PDC emulator?" Please research that yourself.
-
Daniel over 9 yearsIdentify the PDC emulator or "dsquery server -hasfsmo pdc"
-
SMW over 9 yearsHi. Yes the servers are visualized? 1 physical host...
-
SMW over 9 yearsI run that command (command was wrong, needed "" not ,) and restarted time service. Time on that server is now right but I rebooted a computer and time is still wrong. What else I need to do?
-
Daniel over 9 yearsGood hint! Time synchronisation between host and guest in Hyper-V or VMWare should be deactivated for domain controllers in every case (technet.microsoft.com/en-gb/library/…)
-
joeqwerty over 9 yearsDomain members sync their time with their authenticating DC, which is not necessarily the PDCe. The PDCe always get's it's time from it's RTC. It syncs it's time with an external time source, if configured to do so. It does not
get
it's time from the external time source. -
Daniel over 9 yearsIn other words, you have either other domain controllers that are configured to get their time from NOT the PDC, or the clients are configured to get their time NOT from the PDC. Run
w32tm /query /source
on all DCs. They all should show you the PDC as a source, except for the PDC of course. Run that command on any client and check if it's the PDC and not an external time server.