Configuring Time in Active Directory

Hello all,

I was talking with someone about this subject recently and realized I should write some of it down.  To make sure that all of your Windows machines – virtual or otherwise – have the same time, the process below will help.  Remember that AD will tolerate only about a five minute difference – meaning if a person or computer tries to authenticate and the local time is more than five minutes different from the DC, they will not be successful in logging in.  Windows is not alone in this; vRealize Automation and SSO are other examples that are impacted in similar ways.  So it is quite important to have consistent, and correct, time.

When you install Windows machines in a Windows Active Directory domain, Windows takes care of the time.  It will make sure all of the machines have the same time (more or less – it is not perfectly accurate nor does it need to be).  This is done by the first installed Domain Controller (called the PDC emulator), which is responsible for time.  Because of this, we configure the PDC emulator to use an external clock so that it always has the correct time, which means the rest of the domain will have the right time.

BTW, the commands below are done at the command line but be sure to start the command line as Admin.

Setup

I used the command below to configure my DC (PDC Emulator) with three external NTP servers.

w32tm /config /manualpeerlist:"1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

And to be safe I stop and start the Windows Time service (w32time).

This all looks like below.

Setting external time support in a DC

How do we check that it is set?

Confirm config

Notice part way down we see the Type: NTP which is good, and below it we see the NTP hosts too.  So our config looks good.  BTW, the command we used for this is below.

w32tm /query /configuration

Test – PDC to time source (NTP)

We should see what the time difference between our DC and the NTP server is.  It may take some time for that to look good.

Checking DC time with NTP server

So this looks mighty fine.  Is that .009 of a second?  Not bad at all.  The command we used for this is below.

w32tm /stripchart /computer:1.us.pool.ntp.org

Test – VM to time source (PDC)

This is likely not going to be as good as above as Windows takes longer to sync up time.  But here is what it looks like.

Testing time between VM and DC

So that is just under 10 seconds difference.  Not bad but we will keep an eye on it.  We use the same command here as above but pointing at our PDC emulator.

w32tm /stripchart /computer:bosad01.pml.com

Test – is my VM getting time from the Windows Domain?

You will need to check the time configuration on one of your Windows machines.  This does not need to be done on all machines.  When a Windows machine is joined to a domain this is automatically done.  Use the following command to check.

w32tm /query /configuration

You need to look for the Type: NT5DS field to confirm the Windows machine is getting time from the AD domain.  See below for an example.

Windows machine that gets time from domain, NOT NTP

Something to remember:

  • When a physical machine, or a virtual machine starts the OS gets an update of the time during the start-up process.  For physical machines that time comes from the BIOS real time clock.  For virtual machines it comes from ESXi.  This is why we like to have our ESXi hosts pointed at the same time server(s) as the PDC emulator.
  • How do you find the PDC emulator?  If you use Active Directory Users and Computers, Right-click the domain, and select Operations Master, you will see a PDC tab and you can find the PDC name on that tab.
  • I believe it is best to use Windows to keep your Windows machines time current and NOT VMware Tools.
  • I believe it is best to have Windows and ESXi hosts point at the same source.  That can be an edge router configured to talk to three external sources, or it can be three external sources.
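
The checks from this post gathered into one script, as an added example that is not part of the original post: it finds the PDC emulator, confirms the sync Type (NTP on the PDC emulator, NT5DS elsewhere) and measures the offset against the five minute tolerance.  The names Get-TimeOffsetSeconds, Test-DomainTime and $MaxSkewSeconds are hypothetical, and the script assumes an elevated PowerShell prompt on a domain-joined machine with English w32tm output.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$MaxSkewSeconds = 300   # the roughly five minute difference AD tolerates

function Get-TimeOffsetSeconds {
    param([Parameter(Mandatory)][string]$Computer, [int]$Samples = 3)
    # /dataonly prints one line per sample, e.g. "10:15:02, +00.0091234s"
    $lines = & w32tm /stripchart "/computer:$Computer" /dataonly "/samples:$Samples"
    $offsets = @(foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) {
        throw "No usable samples from $Computer (name resolution or UDP 123 blocked?)"
    }
    # Return the worst sample so one bad reading is not averaged away
    $offsets | Sort-Object { [math]::Abs($_) } -Descending | Select-Object -First 1
}

function Test-DomainTime {
    # DomainRole 5 = primary domain controller, i.e. the PDC emulator
    $isPdc = (Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

    # The PDC emulator should sync from NTP; every other member from the domain (NT5DS)
    $expectedType = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    # On the PDC emulator compare against one of the post's NTP servers, elsewhere against the PDC
    $reference    = if ($isPdc) { '1.us.pool.ntp.org' } else { $pdc }

    $config = (& w32tm /query /configuration) -join "`n"
    $type   = if ($config -match '(?m)^\s*Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $offset = Get-TimeOffsetSeconds -Computer $reference

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PdcEmulator   = $pdc
        SyncType      = $type
        TypeOk        = ($type -eq $expectedType)
        Reference     = $reference
        OffsetSeconds = [math]::Round($offset, 3)
        WithinSkew    = ([math]::Abs($offset) -lt $MaxSkewSeconds)
    }
}

Test-DomainTime | Format-List
```

A result with TypeOk or WithinSkew set to False is the machine to look at before logins start failing.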

Conclusion

This has shown you how to configure your Windows domain to have time that is both consistent and, since it is connected to external time sources, correct.

Questions or comments welcome!

Michael

2 comments on “Configuring Time in Active Directory”
  1. KickAss VPS says:

    Thank you very much for your detailed review of the settings in Active directory, you helped me a lot.
