One of my customers contacted me today with an issue where the time on all of their servers was off by about 8 minutes or so. My first thought was “which Active Directory domain controller is their authoritative time server?” and “I’ll update the time on it manually and then set it up to synchronize from an Internet time server”.
By default, the authoritative time server for your organization is the server that holds the PDC Emulator FSMO role in the forest root domain. You can run “netdom query fsmo” from a machine in the forest root domain to determine which DC this role is running on. Each domain has a PDC Emulator, but you want the one in the forest root domain.
Once I had this information, I manually adjusted the time on that domain controller, but within 5 seconds the time changed back to being about 8 minutes or so off. I stopped the Windows Time service (W32Time), thinking that would keep the time from updating automatically, but I experienced the same problem again.
This meant the domain controller that was hosting the PDC Emulator FSMO role for the forest root domain was running as a guest operating system on top of a Hyper-V virtualization server, and it was synchronizing its time from the Hyper-V host OS, which was indeed about 8 minutes off. A quick time adjustment to the Hyper-V host OS and the time was correct, at least for now. To keep the guest operating system from synchronizing its time from the host operating system, I went into Hyper-V Manager and disabled the “Time synchronization” service under “Management>Integration Services”.
Now the source to synchronize its time from was “Local CMOS Clock” which is the default.
I have read the best practices for configuring an authoritative time server, which state that it is recommended to use a hardware source for the time instead of a time server on the Internet, but unless you have some type of atomic clock hardware to synchronize from, or you just enjoy manually adjusting the time on your server, I recommend synchronizing the time from an Internet time server.
I followed the “Configuring the Windows Time service to use an external time source” procedure found in Microsoft Knowledge Base Article 816042.
Once everything was configured based on this article, I restarted the Windows Time service (W32Time), ran “w32tm /resync /rediscover”, and then “w32tm /query /status”, which showed the server was now synchronizing its time from an Internet time server.
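
The steps above as one PowerShell sequence, added here as an example and not taken from the original post or from KB 816042. The peer list and `<vm-name>` are assumed placeholder values, and the ActiveDirectory module is assumed to be installed on the machine where it runs.

```powershell
# Added example. Run in an elevated PowerShell session on the DC that holds the
# PDC Emulator role for the forest root domain.
# Assumed placeholder peers; ",0x8" asks W32Time to use NTP client mode.
$Peers = 'time.windows.com,0x8 pool.ntp.org,0x8'

# 1. Confirm which DC holds the PDC Emulator role in the forest root domain.
Import-Module ActiveDirectory
$rootDomain = (Get-ADForest).RootDomain
$pdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator
Write-Host "Forest root PDC emulator: $pdc"

# 2. Check where this machine currently gets its time. A Hyper-V guest that is
#    still following the host reports "VM IC Time Synchronization Provider".
$source = (w32tm /query /source | Out-String).Trim()
Write-Host "Current time source: $source"
if ($source -match 'VM IC Time Synchronization Provider') {
    # The integration service is switched off on the Hyper-V host, not in the guest:
    #   Disable-VMIntegrationService -VMName '<vm-name>' -Name 'Time Synchronization'
    Write-Warning 'Time is coming from the Hyper-V host; disable the Time Synchronization integration service for this VM first.'
}

# 3. Point W32Time at the external peers and advertise this DC as a reliable
#    time source for the rest of the domain hierarchy.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update

# 4. Restart the service, force a resync, and confirm the new source.
Restart-Service W32Time
w32tm /resync /rediscover
w32tm /query /status
w32tm /query /peers

# 5. Measure the remaining offset against one of the peers (read-only check).
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly
```

After step 4, the `Source` line in the `w32tm /query /status` output should name one of the configured peers rather than `Local CMOS Clock` or the Hyper-V provider.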