So you said Time Configuration, right? Why should we care in the first place?
It's simple! Active Directory can't work correctly (or at all) if the clock is not synchronized across domain controllers and member machines.
For example, in Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate (this tolerance is configurable by GPO: Maximum tolerance for computer clock synchronization in Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy).
Another example is replication: Active Directory uses time stamps to resolve replication conflicts.
Now, let's see how time should be configured in Active Directory:
But how do I configure time in my Active Directory?
Well, it's simple! Normally it should be set correctly if we don't modify it on purpose.
Otherwise, we do provide some tools for that: the w32tm.exe command-line utility and GPO.
w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update
(where timeserver is a space-delimited list of your time source servers)
Once done, restart the W32Time service.
w32tm /config /syncfromflags:domhier /update
Using a GPO is always better, to automate as much as possible (and, of course, to cover the case where we have to transfer the PDC role to another DC):
Select * from Win32_ComputerSystem where DomainRole = 5
All non-PDC domain controllers should be set to NT5DS (domain hierarchy).
Quick note: NtpServer contains a space-delimited list of time source servers in the format: Name-or-IP,server-flag
Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
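An added example (not part of the original post) that checks a domain controller against the rule above by comparing DomainRole with the Type value and parsing NtpServer. It assumes the PDC emulator's expected Type is NTP, which is what /syncfromflags:manual sets; the function name Test-TimeSourceConfig and the sample values are made up for illustration.

```powershell
# Added example. Test-TimeSourceConfig is a hypothetical helper name.
function Test-TimeSourceConfig {
    param(
        [int]$DomainRole,     # Win32_ComputerSystem.DomainRole: 5 = PDC emulator, 4 = other DC
        [string]$Type,        # W32Time\Parameters\Type
        [string]$NtpServer    # W32Time\Parameters\NtpServer
    )
    # Assumption: the PDC emulator syncs from manual peers (Type = NTP);
    # every other DC follows the domain hierarchy (Type = NT5DS).
    $expected = switch ($DomainRole) { 5 { 'NTP' } 4 { 'NT5DS' } default { $null } }

    # NtpServer is space-delimited; each entry is Name-or-IP,server-flag.
    $peers = @($NtpServer -split '\s+' | Where-Object { $_ } | ForEach-Object {
        $name, $flag = $_ -split ',', 2
        [pscustomobject]@{ Peer = $name; Flag = $flag }
    })

    $issues = @()
    if ($expected -and $Type -ne $expected) {
        $issues += "Type is '$Type', expected '$expected'"
    }
    if ($expected -eq 'NTP' -and $peers.Count -eq 0) {
        $issues += 'PDC emulator has no peers in NtpServer'
    }
    # Compliant stays $null for machines that are not domain controllers.
    $compliant = if ($expected) { $issues.Count -eq 0 } else { $null }
    [pscustomobject]@{
        Expected = $expected; Type = $Type; Peers = $peers
        Compliant = $compliant; Issues = $issues
    }
}

# Constructed sample values (not taken from a real system):
Test-TimeSourceConfig -DomainRole 5 -Type 'NT5DS' -NtpServer ''
Test-TimeSourceConfig -DomainRole 5 -Type 'NTP' -NtpServer 'ntp1.example.test,0x8'
Test-TimeSourceConfig -DomainRole 4 -Type 'NT5DS' -NtpServer ''

# Live check on the local machine (Windows only):
if ($env:OS -eq 'Windows_NT') {
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $w32  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    Test-TimeSourceConfig -DomainRole $role -Type $w32.Type -NtpServer $w32.NtpServer
}
```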