34

In a Windows domain PDC isn't necessarily the domain time server. How could I identify the authoritative time server?

Hrvoje Zlatar

4 Answers

27

I'm assuming that you're looking for the server used by the W32Time service to perform time sync on domain-member computers.

In a stock Active Directory deployment the only computer configured with a time server explicitly will be the computer holding the PDC Emulator FSMO role in the forest root domain. All domain controllers in the forest root domain synchronize time with the PDC Emulator FSMO role-holder. All PDC Emulator FSMO role-holders in child domains synchronize their time with domain controllers in their parent domain (including, potentially, the PDC Emulator FSMO role-holder in the forest root domain). All domain member computers synchronize time with domain controller computers in their respective domains.

To determine if a domain member is configured for domain time sync, examine the REG_SZ value at HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type. If it is set to "Nt5DS" then the computer is synchronizing time with the Active Directory time hierarchy. If it's configured with the value "NTP" then the computer is synchronizing time with the NTP server specified in the NtpServer REG_SZ value in the same registry key.

The low-level details of the time synchronization protocol are available in this article: How Windows Time Service Works

Beware that not every domain controller (the KDCs, as James directs you in finding via DNS in his post) may be running a time service. In a stock AD deployment every domain controller will be, but some deployments may use virtualized domain controllers that have the W32Time service disabled (to facilitate hypervisor-based time synchronization) and, as such, you would probably do well to implement functionality as described by the "How Windows Time Service Works" article if you're developing a piece of software that needs to synchronize time in the same manner that a domain member computer would.

Evan Anderson
  • Sorry if I am awaking a "sleeping" topic here, but could you elaborate how to properly handle time on a domain with more than one controller? Let's say, there are 5 controllers (Windows 2003 AD). Should the one with the PDC role be set to have "Type" NTP and query an external server Ntpserver (i.e., time.windows.com), and have the rest just to have "NT5DS"? Advise if you want me to post this as a separate question. Thanks! – Mar 05 '10 at 16:14
24

Some helpful commands

Re-sync (requires admin rights):

w32tm /resync /nowait    

Re-sync to specific computer (requires admin rights):

w32tm /resync /nowait /computer:computername 

Show server currently in use (requires admin rights):

w32tm /query /source

Double check if it's working:

w32tm /monitor /domain:mydomain.com 

See settings:

w32tm /dumpreg /subkey:parameters 

Then look at the Type:

  • NoSync
    The client does not synchronize time.

  • NTP
    The client synchronizes time from an external time source. Review the values in the NtpServer line in the output to see the name of the server or servers that the client uses for time synchronization.

  • NT5DS
    The client is configured to use the domain hierarchy for its time synchronization.

  • AllSync
    The client synchronizes time from any available time source, including domain hierarchy and external time sources.

Registry settings found here:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"=""
"Type"="NT5DS" 
eckes
user27387
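The registry check from the first answer and the Type values listed in this one, combined into one PowerShell helper. This is an added example, not code from either answer; the function name Get-W32TimeSourceConfig, the host ntp.example.test and the ",0x9" flag suffix in the sample are assumptions chosen for illustration.

```powershell
# Added example, not from the original answers. Get-W32TimeSourceConfig is a
# hypothetical helper name; the registry path and Type values are from the page.
function Get-W32TimeSourceConfig {
    param(
        [string]$Type,       # REG_SZ "Type" under W32Time\Parameters
        [string]$NtpServer   # REG_SZ "NtpServer" in the same key
    )
    # NtpServer holds space-separated peers, each optionally followed by ",0x<flags>".
    $peers = @($NtpServer -split '\s+' | Where-Object { $_ } |
               ForEach-Object { ($_ -split ',')[0] })

    # switch on strings is case-insensitive, so "Nt5DS" and "NT5DS" both match.
    $meaning = switch ($Type) {
        'NoSync'  { 'Client does not synchronize time' }
        'NTP'     { 'Client synchronizes with the servers in NtpServer' }
        'NT5DS'   { 'Client synchronizes with the domain hierarchy' }
        'AllSync' { 'Client uses any available source (domain hierarchy and NtpServer)' }
        default   { "Unrecognized Type value '$Type'" }
    }

    # Edge case: Type points at NtpServer, but no peer is configured.
    $warning = $null
    if ($Type -eq 'NTP' -and $peers.Count -eq 0) {
        $warning = 'Type is NTP but NtpServer is empty'
    }

    [pscustomobject]@{
        Type            = $Type
        Meaning         = $meaning
        ConfiguredPeers = $peers
        # Per the Type descriptions, the peer list is used for NTP and AllSync.
        PeersInUse      = ($Type -in 'NTP', 'AllSync') -and ($peers.Count -gt 0)
        Warning         = $warning
    }
}

# Constructed sample values (not read from a real host).
Get-W32TimeSourceConfig -Type 'Nt5DS' -NtpServer ''
Get-W32TimeSourceConfig -Type 'NTP'   -NtpServer 'time.windows.com,0x9 ntp.example.test,0x9'

# Live values from the local machine, when the key exists.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    Get-W32TimeSourceConfig -Type $p.Type -NtpServer $p.NtpServer
}
```

The result shows what the machine is configured to use; compare it with the output of w32tm /query /source to see what the service is actually using.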
15

The domain authoritative time server is usually the PDC emulator; in turn, other DCs will sync from it.

To determine who is currently holding the PDC emulator role in your domain, use:

netdom query fsmo

For other ways to determine FSMO role holders, see the article Determining FSMO Role Holders.

Read more on the subject in the TechNet article How the Windows Time Service Works.

Oliver Salzburg
katriel
  • Thanks for the link! The reason I asked this is that I got different answers on two apparently same commands. When I use net time I get Current time at \\PDC is ... ,but when I use net time /domain I get Current time at \\Secondary_DC is ... I'd like to know which is used for synchronization? w32tm /monitor returned both servers. PDC is synced with external source, while Secondary_DC is synced with PDC. – Hrvoje Zlatar Aug 02 '09 at 23:21
  • 1
    The "NET TIME ... /SET" command is legacy and deprecated. In an AD domain with good communication between the DCs and clients and an external-to-the-forest time source configured on the PDC Emulator role-holder on physical boxes time sync will "just work". If you're bringing VMs into the mix (especially virtual domain controller computers) you need to think about time sync at the hypervisor level and not using W32Time. – Evan Anderson Aug 03 '09 at 00:20
1

In a properly set up Windows domain the DC that holds the PDC emulator role (there are no "PDC"s in AD) will be the time server for the domain. No other machine on the domain - including other DCs - should have a time server set. At all. Time syncing will then be managed based on the domain hierarchy, and you will have a "set once and forget" environment - at least so far as time is concerned, and until you come to move the PDC emulator role to another server.

If you need to perform any regular or ongoing maintenance on your time server setup, then something is set up wrong.

Maximus Minimus