Kerberos authentication in Active Directory requires time among devices in the domain to be synced. If the time on a device is more than 5 minutes different than the domain controller, Kerberos will fail all authentication request from that device. For best practice, the PDC emulator should synchronize from reliable external time source. This external source could be an Internet time server, an internal network device such a router or switch that isn’t part of a domain or a hardware time keeping device. The other domain controllers will sync its time to PDC emulator. Member servers and workstations will sync to the available domain controllers.
In order to configure time server in your domain, you need to make sure the domain controller holds PDC emulator role. Here are the steps to configure authoritative time server.
- Verify the Domain Controller is the PDC emulator by typing the following command in en elevated Command Prompt.
netdom query fsmo
- Once you verified the Domain Controller is the PDC emulator, then you need to run the following command,
net stop w32time w32tm /configure /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1" net start w32time w32tm /configure /reliable:yes /update w32tm /resync
- If you have more than one Domain Controller, then run the following command on each of them.
w32tm /config /syncfromflags:domhier /update
- To verify if the configuration is correct, type in the following command on each of your Domain Controller.
w32tm /query /status