Active Directory

Synchronizing Active Directory with External Time Source

One of the crucial parts in modern IT world is proper time and date. While it may seem that 30 seconds or even 5 minutes is not a big deal it actually matters. Modern certificates, systems and many security features require proper time verification. In Active Directory based environment all computers, servers are by default to sync time from main domain controller. While this is great it also means main domain controller actually has to to have proper time. And this is where you need to make sure it's always up to date. Solution to this is synchronizing active directory with external time source.

Solution

To make sure your Primary Domain Controller (PDC) is always up to date when it comes to time you have to:

Find your PDC (I assume you know one, but just in case…) 

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name

Find out your current configuration

# Get current time settings
w32tm /query /status

Change your time settings to multiple trusted NTP servers:

# Set time settings 
w32tm.exe /config /manualpeerlist:"0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org" /syncfromflags:manual /reliable:YES /update

# Update configuration
w32tm.exe /config /update

# Restart Time service
Restart-Service w32time

Verify if the settings were updated properly. If the answer is incorrect try multiple times. It may take a moment or two to process things.

# Get current time settings
w32tm /query /status

Finally confirm output

PS C:\Windows\system32> w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0418354s
Root Dispersion: 7.8054506s
ReferenceId: 0x8AC9876C (source IP:  138.201.135.108)
Last Successful Sync Time: 1/24/2018 5:10:56 PM
Source: 2.europe.pool.ntp.org 
Poll Interval: 6 (64s)

If you're located elsewhere it's quite easy to find multiple other NTP sources such as US based: “0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org”

This post was last modified on January 24, 2018 17:36

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Share
Published by
Przemyslaw Klys

Recent Posts

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

1 week ago

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

4 months ago

Active Directory Replication Summary to your Email or Microsoft Teams

Active Directory replication is a critical process that ensures the consistent and up-to-date state of…

8 months ago

Syncing Global Address List (GAL) to personal contacts and between Office 365 tenants with PowerShell

Hey there! Today, I wanted to introduce you to one of the small but excellent…

1 year ago

Active Directory Health Check using Microsoft Entra Connect Health Service

Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…

1 year ago

Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module

In today's digital age, the ability to create compelling and informative HTML reports and documents…

1 year ago