Time is a critical service in an IT environment and most other services depend heavily on it. If the time on a domain controller and a workstation differ, domain authentication can fail. According to Microsoft best practices, the Primary Domain Controller (PDC) should sync its time from an external source, and all clients should use the domain hierarchy as their time source.
Configuring Domain hierarchy for Time
By default all clients are configured to get their time from the domain hierarchy. If you are not sure, run the following command on a workstation to find out its time source.
W32tm /query /source
If the source is anything other than the PDC or an additional domain controller, type the following command on every domain controller.
W32tm /config /syncfromflags:domhier /update
Once complete, restart the W32Time service.
Net stop W32time
Net start W32time
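The check above can be scripted so it can be run against many workstations at once. The following PowerShell is an added example and is not part of the original post: it reads the time source reported by w32tm on a remote computer, compares it against the list of domain controllers from Active Directory, and reports whether the machine is really on the domain hierarchy. It assumes the RSAT ActiveDirectory module is installed where the script runs and that the w32tm RPC interface is reachable on the target.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and that w32tm can query the remote computer.
function Test-DomainTimeSource {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # w32tm prints the source name, e.g. "DC01.corp.example.com" for the
    # domain hierarchy, "time.windows.com,0x9" for a manual peer, or
    # "Local CMOS Clock" when the machine is not synchronising at all.
    $source = ((& w32tm /query /source /computer:$ComputerName) -join '').Trim()

    # Strip an NTP flags suffix such as ",0x9" before comparing host names.
    $sourceHost = $source -replace ',0x[0-9A-Fa-f]+$', ''

    $dcs = (Get-ADDomainController -Filter *).HostName
    $onHierarchy = $dcs -contains $sourceHost

    [pscustomobject]@{
        Computer          = $ComputerName
        Source            = $source
        OnDomainHierarchy = $onHierarchy
    }
}

# Re-point a machine at the domain hierarchy and restart the time service,
# which is the same pair of steps the post shows as manual commands.
function Set-DomainHierarchyTimeSource {
    param([string]$ComputerName = $env:COMPUTERNAME)
    & w32tm /config /computer:$ComputerName /syncfromflags:domhier /update
    Get-Service -Name W32Time -ComputerName $ComputerName | Restart-Service
    & w32tm /resync /computer:$ComputerName /nowait
}

# Usage: report every machine in an OU that is not on the domain hierarchy.
# The OU path below is a placeholder for your own environment.
Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example,DC=com' -Filter * |
    ForEach-Object { Test-DomainTimeSource -ComputerName $_.DNSHostName } |
    Where-Object { -not $_.OnDomainHierarchy }
```

A machine reporting "Local CMOS Clock" or "Free-running System Clock" has no working source at all, which is the case most likely to produce Kerberos failures, so that is the row to act on first.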
Configuring External time source for PDC
You have to configure an external time source for the Primary Domain Controller. This can be a hardware time server or an internet time source such as "time.windows.com". UDP port 123 must be open so the PDC can reach the time source. Before changing the configuration, check that the PDC can see the time source and how far its clock is off, using the stripchart command below.
w32tm /stripchart /computer:<target> /samples:<n> /dataonly
Ex - w32tm /stripchart /computer:time.windows.com /samples:10 /dataonly
Type the following command on the PDC to set the external time source.
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update
Peers are the DNS names or IP addresses of the NTP time sources. You can add multiple time servers by separating them with a space and enclosing the whole list in quotation marks.
EX- w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
Restart the time service.
Net stop W32time
Net start W32time
Check the time comparison again by running the following command.
w32tm /stripchart /computer:<target> /samples:<n> /dataonly
Ex - w32tm /stripchart /computer:time.windows.com /samples:10 /dataonly
Log in to a client and check the time using the net time command. To get the time source, type W32tm /query /source.
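The PDC procedure above (set the manual peer list, restart W32Time, then verify with stripchart) is shown below as one PowerShell script. This is an added example, not code from the original post: it wraps the same w32tm commands in two functions and parses the /dataonly output so the offset can be checked against a threshold instead of read by eye. The peer list and the 300-second threshold (the default Kerberos maximum clock skew) are assumptions you should adjust for your environment.

```powershell
# Added example (not from the original post). Run on the PDC emulator in an
# elevated session. Peers and threshold are assumptions for illustration.

function Set-ExternalTimeSource {
    param([string[]]$Peers = @('time.windows.com'))
    # w32tm expects all peers in one quoted, space-separated argument.
    $peerList = $Peers -join ' '
    & w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name W32Time
    & w32tm /resync /nowait
}

function Get-TimeOffset {
    param(
        [string]$Target = 'time.windows.com',
        [int]$Samples = 10,
        [double]$MaxSkewSeconds = 300   # Kerberos default: 5 minutes
    )
    $lines = & w32tm /stripchart /computer:$Target /samples:$Samples /dataonly

    # /dataonly rows look like "14:05:12, +00.0456789s"; rows that failed
    # look like "14:05:13, error: 0x800705B4" and carry no offset.
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No usable samples from $Target. Is UDP 123 open from this host?"
    }

    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Target               = $Target
        GoodSamples          = @($offsets).Count
        FailedSamples        = @($lines | Where-Object { $_ -match 'error:' }).Count
        AverageOffsetSeconds = [math]::Round($avg, 4)
        WithinKerberosSkew   = [math]::Abs($avg) -lt $MaxSkewSeconds
    }
}

# Usage: measure first, configure, then measure again.
Get-TimeOffset -Target 'time.windows.com'
Set-ExternalTimeSource -Peers @('time.windows.com')
Get-TimeOffset -Target 'time.windows.com'
```

If every sample comes back as an error the problem is almost always the UDP 123 path rather than w32tm itself, so check the firewall before touching the service configuration again.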
Time Synchronization for Azure Virtual Machines
Virtual machines running on Hyper-V or VMware take their time from the host server by default. In Hyper-V you untick Time synchronization under the VM's Integration Services settings.
In Azure VMs you do not have access to the VM settings on the host, and by default the VM takes its time from the VM IC Time Synchronization Provider. This is the time integration service that runs in the hypervisor on the Azure side.
This provider can be disabled easily so that Azure VMs use the domain hierarchy to sync their time. It is disabled from the VM's registry, but you have to do this on every Azure VM.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider, value: Enabled
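Because the registry change has to be repeated on every Azure VM, it is worth scripting. The PowerShell below is an added example and not part of the original post: it sets the Enabled value of the VMICTimeProvider key to 0 (it is a REG_DWORD, and 0 turns the provider off), points W32Time at the domain hierarchy with the same w32tm command used earlier in the post, restarts the service, and then checks that the reported source is no longer the VM IC provider. It assumes it is run elevated on the VM itself.

```powershell
# Added example (not from the original post). Run elevated on each Azure VM.
$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Disable-VmicTimeProvider {
    $current = (Get-ItemProperty -Path $vmicKey -Name Enabled).Enabled
    if ($current -eq 0) {
        Write-Host 'VMICTimeProvider is already disabled.'
        return
    }
    # Enabled is a REG_DWORD; 0 disables the Hyper-V/Azure time provider.
    Set-ItemProperty -Path $vmicKey -Name Enabled -Value 0 -Type DWord

    # Make the domain hierarchy the source and restart W32Time so it re-reads
    # its provider configuration.
    & w32tm /config /syncfromflags:domhier /update
    Restart-Service -Name W32Time
    & w32tm /resync /nowait
}

function Test-VmicTimeProviderDisabled {
    $enabled = (Get-ItemProperty -Path $vmicKey -Name Enabled).Enabled
    # w32tm reports "VM IC Time Synchronization Provider" while the
    # hypervisor provider is still in charge of the clock.
    $source = ((& w32tm /query /source) -join '').Trim()
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        ProviderEnabled     = $enabled
        Source              = $source
        UsesDomainHierarchy = ($enabled -eq 0) -and
                              ($source -notmatch 'VM IC Time Synchronization Provider')
    }
}

# Usage: disable the provider, then confirm the source has moved.
Disable-VmicTimeProvider
Test-VmicTimeProviderDisabled
```

The verification step matters: if the VM cannot reach a domain controller after the provider is disabled, the source falls back to the local clock rather than the domain hierarchy, and the registry change alone will not tell you that.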
Hope this is useful, cheers
Asitha De Silva