One of my customers contacted me today with an issue where the time on all of their servers was off by about 8 minutes or so. My first thought was “which Active Directory domain controller is their authoritative time server?” and “I’ll update the time on it manually and then set it up to synchronize from an Internet time server”.
By default, the authoritative time server for your organization is the server that holds the PDC Emulator FSMO role in the forest root domain. You can run “netdom /query fsmo” from a machine in the forest root domain to determine which DC this role is running on. Each domain has a PDC Emulator, but you want the one in the forest root domain.
Once I had this information, I manually adjusted the time on that domain controller, but within 5 seconds the time changed back to being about 8 minutes or so off. I stopped the windows time service (w32time) thinking that would keep the time from updating automatically, but I experienced the same problem again.
The server was synchronizing its time from the “VM IC Time Synchronization Provider” based on the results of running “w32tm /query /status” from the command line of the DC:
This meant the domain controller that was hosting the PDC Emulator FSMO role for the forest root domain was running as a guest operating system on top of a Hyper-V virtualization server, and it was synchronizing its time from the Hyper-V host OS which was indeed about 8 minutes off. A quick time adjustment to the Hyper-V host OS and the time was correct, at least for now. To keep the guest operating system from synchronizing its time from the host operating system, I went into Hyper-V Manager and disabled the “Time synchronization” Service under “Management>Integration Services”:
Once complete, I ran “w32tm /resync /rediscover” on the domain controller:
If this command fails, check to make sure you have access to the Internet:
I then ran “w32tm /query /status” on the domain controller:
Now the source to synchronize its time from was “Local CMOS Clock” which is the default.
I have read the best practices for configuring an authoritative time server which states that it is recommended to use a hardware source for the time instead of a time server on the Internet, but unless you have some type of Atomic Clock hardware to synchronize from, or you just enjoy manually adjusting the time on your server, I recommend synchronizing the time from an Internet time server.
I followed the “Configuring the Windows Time service to use an external time source” procedure found in Microsoft Knowledge Base Article 816042.
Once everything was configured based on this article, I restarted the Windows Time Service (w32Time), ran “w32tm /resync /rediscover”, and then “w32tm /query /status” which showed the server was now synchronizing it’s time from an Internet time server:
I am so happy to read this. This is the kind of info that needs to be given and not the random misinformation that is at the other blogs. Appreciate your sharing this beneficial content.
Quite a beautiful website. I built mine and i was looking for some ideas and you gave me a few. The website was developed by you?
Cheers
REALLY helped alot. Thanx 🙂
Helped me alot, thanks for sharing!
thank you so much have been trying to fix this issue for days now !
this helped me..
thanks for sharing 😀
Thnk you for sharing this information!
I have been wrestling with this for hours. Thanks a lot,you solved my problem!
Thanks……
Isto Resolveu pra mim. This fix worked for me.
Just as a reminder that totally disabling time sync will prevent you from recovering the domain controller properly if it is suspended (i.e. the hyper-v host is restarted) as it will not know how much time has passed.
MS recommend that you partially disable time sync by entering the following command on all domain controller guests:
reg add HKLMSYSTEMCurrentControlSetServicesW32TimeTimeProvidersVMICTimeProvider /v Enabled /t reg_dword /d 0
This will allow the hyper-v time service to properly handle Gues OS suspends, etc. while allowing normal time updates without the huper-v time source.
According to the new guidance, Microsoft is now recommending to completely disable the time synchronisation:
“[…]it is recommended that you disable time synchronization between the host system and guest operating system acting as a domain controller […] to reflect the current recommendation to synchronize time for the guest domain controller from only the domain hierarchy, rather than the previous recommendation to partially disable time synchronization […]”
Reference:
http://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#deployment_considerations_for_virtualized_domain_controllers
You nailed it. Thanks. Bookmarking this site to look for answers here first!
Thanks, very good indication, helped me a lot.
I have a PDC running on ESXI and I cant get the source to change from Local CMOS Clock to anything else and /rediscover gives the error no time data was available. Any Ideas Please?:
C:UsersAdministrator>w32tm /query /status
Source: Local CMOS Clock
Poll Interval: 6 (64s)
C:UsersAdministrator>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
Thanks,
Thank you,
It’s so simple when you know the parameters and the correct order.
Thank you, Easy step by step how 2’s, locations, . . . . .just plane simple and straight to the point. Thanks again.
Its very helpful worked for me.Thanks…Vijay
Thank you, it worked just fine…
Wonderful website.
Thank you! Good article!
The MS artcile helped. Changing the type from the default NT5DS to NTP fixed for me. Thanks
Thank you, this saved my day 🙂
Thanks alot really helpful 😀
Extremely helpful article
Thank you. Worked great on 2016 HyperV.
Thank you for your helpful article. You have saved my whole day.
8 years later and still relevant. Excellent article that helped me fix my issue
Thank you, great article
Perfect. Thanks a lot.