AD DS: The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

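<table>
<tbody>
<tr>
<td><p>Operating System</p></td>
<td><p>Windows Server 2008 R2</p>
<p>Windows Server 2012</p></td>
</tr>
<tr>
<td><p>Product/Feature</p></td>
<td><p>Active Directory Domain Services (AD DS)</p></td>
</tr>
<tr>
<td><p>Severity</p></td>
<td><p>Error</p></td>
</tr>
<tr>
<td><p>Category</p></td>
<td><p>Configuration</p></td>
</tr>
</tbody>
</table>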

Issue

The primary domain controller (PDC) emulator operations master in this forest is not configured to correctly synchronize time from a valid time source.

The Windows Time Service tool (W32time) ensures that all the computers in an organization that are running Microsoft Windows operating systems (excluding operating systems earlier than Windows 2000) use a common time. By default, Windows-based computers use a hierarchy in which the domain controller that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role at the root of the forest becomes the authoritative time server for the network.

Impact

If the PDC emulator master in this forest is not configured to correctly synchronize time from a valid time source, it might use its internal clock for time synchronization. If the PDC emulator master in this forest fails or otherwise becomes unavailable (and if you have not configured a reliable time server (GTIMESERV) in the forest root domain), other member computers and domain controllers in the forest will not be able to synchronize their time.

Resolution

Set the PDC emulator master in this forest to synchronize time with a reliable external time source. If you have not configured a reliable time server (GTIMESERV) in the forest root domain, set the PDC emulator master in this forest to synchronize time with a hardware clock that is installed on the network (the recommended approach). You can also set the PDC emulator master in this forest to synchronize time with an external time server by running the w32tm /config /computer:<<PDC-FQDN>> /manualpeerlist:time.windows.com /syncfromflags:manual /update command. If you have configured a reliable time server (GTIMESERV) in the forest root domain, set the PDC emulator master in this forest to synchronize time from the forest root domain hierarchy by running w32tm /config /computer:<<PDC-FQDN>> /syncfromflags:domhier /update.

To configure the PDC emulator master to synchronize time from a hardware clock device on the internal network, consult the instructions for the hardware clock device.

You can use the following procedure to configure the PDC emulator master to synchronize time in your forest.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure the time source for the forest

  1. Open a Command Prompt window as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. Do one of the following:

    • If you have not configured a reliable time server (GTIMESERV) in the forest root domain, to configure the PDC emulator master to use a Network Time Protocol (NTP) time source, at the command prompt, type the following command, and then press ENTER:

      w32tm /config /computer:<<PDC-FQDN>> /manualpeerlist:time.windows.com /syncfromflags:manual /update

      Note

      GTIMESERV is a netlogon flag that the Windows Time service uses. This flag indicates that the computer is a reliable time source. For more information about how to set a domain controller in your forest as a reliable time source, see Configure a domain controller in the parent domain as a reliable time source (https://go.microsoft.com/fwlink/?LinkId=148260).

    • If you have configured a reliable time server (GTIMESERV) in the forest root domain, to set the PDC emulator master in this forest to synchronize time from the forest root domain hierarchy, type the following command, and then press ENTER:

      w32tm /config /computer:<<PDC-FQDN>> /syncfromflags:domhier /update


<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>w32tm /config /update</p></td>
<td><p>Configures the computer to synchronize time.</p></td>
</tr>
<tr class="even">
<td><p>/computer:&lt;&lt;PDC-FQDN&gt;&gt;</p></td>
<td><p>Specifies the fully qualified domain name (FQDN) of the PDC for which you are configuring time synchronization.</p></td>
</tr>
<tr class="odd">
<td><p>/manualpeerlist:time.windows.com</p></td>
<td><p>Specifies that time.windows.com is the NTP time source with which this PDC emulator master is being configured to synchronize time.</p></td>
</tr>
<tr class="even">
<td><p>/syncfromflags:manual</p></td>
<td><p>Specifies that time will be synchronized with peers in the manual peer list.</p></td>
</tr>
<tr class="odd">
<td><p>/syncfromflags:domhier</p></td>
<td><p>Specifies that time will be synchronized from the forest root domain hierarchy.</p></td>
</tr>
</tbody>
</table>

For more information about the w32tm command, at a command prompt type w32tm /?, or see Windows Time Service Tools and Settings (https://go.microsoft.com/fwlink/?LinkId=112116).
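
To confirm the result after running either command, the following PowerShell sketch classifies what w32tm /query reports for the forest root PDC emulator. It is an added example, not part of the original topic: the function names, the sample host name dc02.corp.example and the OK/REVIEW/FAIL wording are assumptions, and the live query assumes the ActiveDirectory module is installed.

```powershell
# Added example, not part of the original topic. Host names below are constructed.
function Test-PdcTimeSource {
    param(
        [Parameter(Mandatory=$true)][string]$Source,  # text of: w32tm /query /source
        [Parameter(Mandatory=$true)][string]$Type,    # Type value of: w32tm /query /configuration
        [switch]$ReliableServerInRoot                 # a GTIMESERV exists in the forest root domain
    )
    # Either string means the service is running on the computer's own clock.
    if ($Source -match 'Local CMOS Clock|Free-running System Clock' -or $Type -eq 'NoSync') {
        return "FAIL: internal clock in use (Source='$Source', Type=$Type)"
    }
    # /syncfromflags:manual is stored as Type NTP, /syncfromflags:domhier as NT5DS.
    $expected = if ($ReliableServerInRoot) { 'NT5DS' } else { 'NTP' }
    if ($Type -ne $expected) {
        return "REVIEW: Type=$Type, this topic's resolution gives $expected"
    }
    return "OK: Type=$Type, Source='$Source'"
}

function Get-PdcTimeState {
    # Live query; needs the ActiveDirectory module and rights to query the PDC remotely.
    $pdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $source = (w32tm /query /computer:$pdc /source | Out-String).Trim()
    $config = (w32tm /query /computer:$pdc /configuration | Out-String)
    $type = if ($config -match '(?m)^\s*Type:\s*(\S+)') { $Matches[1] } else { 'Unknown' }
    return @{ Pdc = $pdc; Source = $source; Type = $type }
}

# Offline run over constructed samples of what the two queries can return.
$samples = @(
    @{ Source = 'Local CMOS Clock';  Type = 'NTP';   Reliable = $false },
    @{ Source = 'time.windows.com';  Type = 'NTP';   Reliable = $false },
    @{ Source = 'time.windows.com';  Type = 'NTP';   Reliable = $true  },
    @{ Source = 'dc02.corp.example'; Type = 'NT5DS'; Reliable = $true  }
)
foreach ($s in $samples) {
    Test-PdcTimeSource -Source $s.Source -Type $s.Type -ReliableServerInRoot:$s.Reliable
}
```

For a live check, pass the Source and Type values returned by Get-PdcTimeState to Test-PdcTimeSource.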

Additional references

For more information, see Configure the Time Source for the Forest (https://go.microsoft.com/fwlink/?LinkId=149595).