How Do I Configure my Server to use an Internet Time Service?

Article ID: 607

Last updated: 26 Feb, 2019

Article ID: 607

Last updated: 26 Feb, 2019

Revision: 14

Posted: 18 Aug, 2016
by Andrew Sharrad

Updated: 26 Feb, 2019
by Andrew Sharrad

Using a Reliable Time Source

A reliable time source is especially important if you use Windows Servers with Active Directory (AD). All servers and systems in an AD environment should be running on exactly the same time.

We recommend that you use an internet time source on your first Domain Controller, otherwise known as the PDC emulator. You can also use this setting on additional domain controllers.

Sections in this article:

How To Configure Time Services to Use an Internet Time Server
How to Configure Time Services to Use Domain Controller Time
How To Check the Time Server Settings
Troubleshooting Steps
How to Turn off Virtual Machine Host Time Integration / Synchronisation Under Hyper-V

Tip: One common mistake in a virtual server environment is for your virtual servers to get the time from the physical Host servers. In this situation, we recommend that your domain controllers are NOT configured to get time from the hosts but are instead configured to use an internet time source. You may need to edit the virtual domain controllers settings on the host to stop time services being presented.

How To Configure Time Services to Use an Internet Time Server

Run the following command from an Administrative command prompt, on your Domain Controller(s).

net stop w32time

w32tm /config /syncfromflags:manual /manualpeerlist:"0.uk.pool.ntp.org 1.uk.pool.ntp.org"

w32tm /config /reliable:yes

net start w32time

w32tm /resync

Note: The commands above tell Windows to use two public NTP time servers from ntp.org. Your internet service provider may have their own NTP servers and may prefer that you use those. Use the w32tm /resync command to make sure the new settings are work - ensure that you get a message that this completed successfully.

How to Configure Time Services to Use Domain Controller Time

PCs and member servers in a domain should automatically use time from domain controllers. If they do not, and appear to be using time.windows.com or other default time settings, use the commands below.

net stop w32time
w32tm /config /syncfromflags:DOMHIER
net start w32time
w32tm /resync /nowait

How To Check the Time Server Settings

Use the following commands:

w32tm /query /configuration - This enables you to see what NTP settings you are using.

w32tm /query /status - This enables you to see the current performance of the time service, including its connection to the NTP server.

Troubleshooting Steps

If the w32tm /resync command faults, or the w32tm /query /status shows that the system is still using a CMOS clock, then the NTP server is likely blocked.

Steps:

Trying pinging the NTP server, if it is a hostname, and make sure it resolves to an IP Address. For example, pinging 0.uk.pool.ntp.org should resolve to an address such as 185.53.93.157. Note that a reply is not necessarily expected, but your DNS system must be able to resolve the hostname to an IP address.
Try using your Internet Service Providers (ISP) own NTP server. Some ISPs block access to NTP servers other than their own.
Check that your Proxy Server and/or firewall are not blocking NTP. For NTP to work, UDP port 123 must be unblocked.
Try configuring your Proxy Server or Firewall to use the same NTP time source. If this works, the problem is between your Windows Server and the Proxy Server or Firewall. If it doesn't work, the problem is further upstream.