Synchronize the Time Server for the Domain Controller with an External Source

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, the primary domain controller (PDC) emulator gets its time from the BIOS clock. In a network with a single DC, that DC automatically has this role.

The PDC emulator establishes the time and date settings for all computers within its domain. If the time is not accurately set in the PDC emulator’s BIOS, all computers in the domain have incorrect time and date settings.

To prevent this, you can synchronize the domain controller with an external time source such as the time servers provided by the National Institute of Standards and Technology (NIST). For a list of the names and IP addresses of NIST time servers for your area, see the National Institute of Standards and Technology (NIST) Internet Time Servers link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Note

  • Be aware that the Network Time Protocol (NTP) is unauthenticated and unencrypted, so an intruder could spoof the time root source and cause the wrong time to be set on the DC. You can avoid this possibility by using IPSec to secure the transmission, by accessing the time root source by its IP address rather than its fully qualified domain name, or by purchasing an NTP-capable hardware clock for your DC time synchronization.

To synchronize the domain controller with an external time source

  1. Click Start, and then click Command Prompt.

  2. In the Command Prompt window, type the following line, where peers is a comma-separated list of IP addresses of the appropriate time sources, and press ENTER:

    w32tm /config /manualpeerlist:peers /syncfromflags:MANUAL

    The time sources you choose depend on your time zone. For example, if your domain controller is located in the Pacific Time zone, this line might read:

    w32tm /config /manualpeerlist:131.107.1.10 /syncfromflags:MANUAL

    In this example, the IP address of the time server is used instead of the fully qualified domain name for security purposes.

  3. Press ENTER. You should get a message that the command completed successfully.

  4. Type w32tm /config /update

  5. Press ENTER. You should get a message that the command completed successfully.

    W32time uses a variable poll interval based on the quality of time synchronization with the server. On DCs, this interval defaults to between 64 and 1024 seconds.

  6. To immediately synchronize with the external time server, type w32tm /resync and press ENTER. You should get a message that the command completed successfully.

  7. Type Exit and press ENTER.
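
The procedure above as one Command Prompt batch file, with the IP-address rule from the note enforced before the change and the stored settings checked afterwards. This is an added example, not part of the original page; PEER holds the page's sample address, and the script assumes a single IPv4 source and the standard Windows Time service registry values NtpServer and Type.

```batch
@echo off
setlocal
rem Added example. PEER is the sample address from step 2; replace it
rem with the time source you selected. One IPv4 address is assumed.
set "PEER=131.107.1.10"
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

rem Enforce the note's advice: accept digits and dots only, so a DNS
rem name never ends up in the peer list.
echo %PEER%| findstr /r "[^0-9.]" >nul
if not errorlevel 1 (
    echo PEER must be an IP address, not a host name.
    exit /b 1
)

rem Steps 2 to 5: set the manual peer list, then apply the change.
w32tm /config /manualpeerlist:%PEER% /syncfromflags:MANUAL
w32tm /config /update

rem Step 6: synchronize immediately.
w32tm /resync

rem Confirm what the service stored. NtpServer must contain the address
rem and Type must be NTP, which is what /syncfromflags:MANUAL sets.
reg query "%KEY%" /v NtpServer | findstr /c:"%PEER%" >nul
if errorlevel 1 (
    echo NtpServer does not contain %PEER%.
    exit /b 1
)
reg query "%KEY%" /v Type | findstr /i /c:"NTP" >nul
if errorlevel 1 (
    echo Type is not NTP, so the manual peer list is not in use.
    exit /b 1
)

rem Show the remaining offset between the local clock and the source.
w32tm /stripchart /computer:%PEER% /samples:3 /dataonly
echo Time source configuration verified.
endlocal
```

Run it from a Command Prompt on the PDC emulator with administrative rights; an offset in the final output that stays large after the resync is worth investigating before trusting the source.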