A Quick Tip To Configure Time Service In Active Directory Environment

by [Published on 24 March 2009 / Last Updated on 28 Nov. 2008]

This article explains how to configure the Windows Time service in an Active Directory environment.

Windows Time is necessary for domain controllers and client computers because the Kerberos protocol requires synchronized time for authentication. Keep the following points in mind when configuring the Windows Time service in an Active Directory environment:

  • Configure your client computers to sync time from their authenticating or local domain controller in the site
  • Configure your DC to sync time from the PDC Emulator for its domain
  • Configure your child domain PDC to sync time from any DC in the forest root domain
  • Configure your forest PDC to sync time from an external source (time.windows.com)

For the above to work, you need to modify two registry entries:

For all domain controllers and PDCs in the forest, except the forest PDC:

  • Key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
  • Entry: Type
  • Value: NT5DS

For Forest PDC:

  • Key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
  • Entry: Type
  • Value: NTP
  • Entry: NTPServer
  • Value: time.windows.com
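
The registry values above can be audited and applied with a short script. This is an added example, not part of the original tip; the role names `ForestPdc` and `DomainHierarchy` and the function names are hypothetical, and it assumes an elevated PowerShell 3.0 or later session on the machine being configured.

```powershell
# Added example: check and apply the W32Time values listed in this article.
# Role and function names are hypothetical, chosen for illustration.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-ExpectedTimeConfig {
    param([ValidateSet('ForestPdc', 'DomainHierarchy')][string]$Role)
    if ($Role -eq 'ForestPdc') {
        return @{ Type = 'NTP'; NtpServer = 'time.windows.com' }
    }
    return @{ Type = 'NT5DS' }
}

# Returns one object per entry that differs from the expected value.
function Test-TimeConfig {
    param([string]$Role)
    $expected = Get-ExpectedTimeConfig -Role $Role
    $current  = Get-ItemProperty -Path $ParamKey
    foreach ($name in $expected.Keys) {
        $actual = [string]$current.$name
        # NtpServer may carry flags or several peers ("host,0x9 host2,0x9");
        # compare only the first host name.
        if ($name -eq 'NtpServer') { $actual = ($actual -split '[ ,]')[0] }
        if ($actual -ne $expected[$name]) {
            [pscustomobject]@{ Entry = $name; Expected = $expected[$name]; Actual = $actual }
        }
    }
}

# Writes only the entries that Test-TimeConfig reported, then restarts the service.
function Set-TimeConfig {
    param([string]$Role)
    foreach ($d in Test-TimeConfig -Role $Role) {
        Set-ItemProperty -Path $ParamKey -Name $d.Entry -Value $d.Expected
    }
    Restart-Service -Name W32Time   # the service rereads Parameters on start
}

# Usage: report mismatches, fix only if any exist, then confirm.
$role = 'DomainHierarchy'           # use 'ForestPdc' on the forest PDC
if (Test-TimeConfig -Role $role) {
    Set-TimeConfig -Role $role
    Test-TimeConfig -Role $role     # no output means the values now match
}
```

Running only `Test-TimeConfig` across domain controllers gives a read-only report of machines whose time source has drifted from the hierarchy described above.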






The Author — Nirmal Sharma


Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.
