A Quick Tip To Configure Time Service In Active Directory Environment

by [Published on 24 March 2009 / Last Updated on 28 Nov. 2008]

This article explains how you can configure time service for an active directory environment.

Windows Time is necessary for domain controllers and client computers. This is a requirement for the Kerberos protocol for authentication purpose. You should keep the following points in mind when configuring the Windows Time Service in an Active Directory environment:

  • Configure your client computers to sync time from it's authentication or local domain controller in the site
  • Configure your DC to sync time from it's PDC Emulator for that domain
  • Configure your Child PDC to sync time from any DC in the Forest Root domain
  • Configure your Forest PDC to sync time from an external source (time.windows.com)

For the above things to work, you need to modify two registry entries:

For all Domain Controllers and PDC in the Forest except PDC in the Forest:

  • Key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
  • Entry: Type
  • Value: NT5DS

For Forest PDC:

  • Key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
  • Entry: Type
  • Value: NTP
  • Entry: NTPServer
  • Value: time.windows.com

 

 

 

 

See Also


The Author — Nirmal Sharma

Nirmal Sharma avatar

Nirmal Sharma is a MCSEx3, MCITP, and was awarded Microsoft MVP in Directory Services. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles for various online communities. Nirmal can also be found contributing to PowerShell based Dynamic Packs for ADHealthProf.ITDynamicPacks.Net solutions.

Featured Links