ryanbrad
(rbtech513)
1
Hello, in my AD domain there are two domain controllers: DC1 and DC2.
DC1 is the complete operations master, and fulfills the PDC emulator role. This should be the authoritative NTP server for my whole domain, which itself syncs up to an external NTP server. Here is its registry settings capture: 
I understand that DC2 should sync up with the PDC Emulator (DC1).
Here is the registry settings capture for DC2: 
Both DC1 and DC2 seem to have an up-to-date time when running the net time cmd.
However, it seems that all of the client workstations in my domain are not synchronizing with that same up-to-date time. Here is an example of a time registry settings screenshot for a workstation in the domain: 
I have the scope option 042:NTP set to the IP addresses of DC1 and DC2 within my DHCP server.
How can I ensure that DC2 is synchronizing its time with DC1?
and
How can I ensure that any given workstation will synchronize time with either DC1 or DC2?
I am not sure what I am doing wrong. Do I need to configure anything via GPO at all? Any suggestions and advice are much appreciated. Thank you.
@alexw
7 Spice ups
legoman
(LegoMan)
2
On every DC, run this batch, then the problems should be worked out: http://jpelectron.com/sample/Batch%20Files/set%20time%20Win2K8.bat
You do not need any DHCP options for domain joined PCs to get their time from the DCs. I would remove that, because it seems to be adding unnecessary complexity. You also do not need any special GPOs for time sync to the DCs to work.
When you double-click on the clock on any domain joined PC, is the “Internet time” tab missing? (as it should be for a domain joined PC)
1 Spice up
Unless you changed it, the default behavior of domain clients is to get their time from the PDCe.
You can check via:
w32tm /query /configuration
w32tm /query /status
Time /T
3 Spice ups
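An added example (not part of any reply in this thread) that automates reading the `w32tm /query /status` check listed above: it parses the status text and reports whether the machine's time source is one of the expected domain controllers. The host names `DC1.example.local` and `DC2.example.local`, the function names, and the sample output are constructed for illustration, and English-language w32tm output is assumed.

```powershell
# Added example: classify the time source reported by `w32tm /query /status`.
# Function names, host names and the sample text below are constructed.

function Get-W32tmStatus {
    param([string[]]$Lines)
    # Split each "Name: value" line at the first colon only,
    # because values such as timestamps contain colons too.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $status
}

function Test-DomainTimeSource {
    param([hashtable]$Status, [string[]]$ExpectedSources)
    $source = $Status['Source']
    if (-not $source) {
        return 'Unknown: no Source line (is the Windows Time service running?)'
    }
    # These two values mean the machine is not syncing from any peer.
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        return "NotSynced: $source"
    }
    # A manually configured peer can carry flags, e.g. "host,0x8".
    $peer = ($source -split ',')[0].Trim()
    if ($ExpectedSources -contains $peer) { return "OK: $peer" }
    "Unexpected: $peer"
}

# Constructed sample of `w32tm /query /status` output from a workstation.
$sample = @'
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Last Successful Sync Time: 3/14/2019 9:12:40 AM
Source: DC1.example.local
Poll Interval: 10 (1024s)
'@ -split "`r?`n"

$expected = 'DC1.example.local', 'DC2.example.local'
Test-DomainTimeSource (Get-W32tmStatus $sample) $expected

# On a live machine, feed the real output instead of the sample:
# Test-DomainTimeSource (Get-W32tmStatus (w32tm /query /status)) $expected
```

On DC2 the expected list would contain only DC1; on DC1 itself the source should be the external NTP server it is configured to use.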
kfberns
(kfberns)
4
As I understand it, the network properties of the clients must have the DC IP address listed as the DNS servers.
maxsec
(maxsec)
5
Domain members use win32time to sync, not NTP.
If you need higher resolution than that, you need to look at Server 2016 and the high resolution time settings.
dbeato
(dbeato)
6
Take a look at the below for GPO settings for your servers:
All the domain computers will have the time from the DC.
Mike400
(Mike400)
7
Windows clients get their time from the logonserver. This will be the DC that authenticated that system’s initial network access and may or may not be the PDC Emulator. Domain controllers all receive their time from the PDC Emulator and also provide an NTP service for non-Windows domain joined systems. I always set my DHCP scope to include NTP and Time servers pointed to my DCs.
3 Spice ups