Recipe 3.13 Configuring a Domain Controller to Use an External Time Source

3.13.1 Problem

You want to set the reliable time source for a domain controller.

3.13.2 Solution

Using a command-line interface

Run the following commands from the command line on a domain controller:

> net time /setsntp:<TimeServerNameOrIP>
> net stop w32time
> net start w32time

Using VBScript

' This code configures a reliable time source on a domain controller
strPDC = "<DomainControllerName>"       ' e.g.
strTimeServer = "<TimeServerNameOrIP>"  ' e.g.
' ------ END CONFIGURATION ---------

strTimeServerReg = "SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
const HKLM = &H80000002
set objReg = GetObject("winmgmts:\\" & strPDC & "\root\default:StdRegProv")
objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
WScript.Echo "Current Value: " & strCurrentServer
objReg.SetStringValue HKLM, strTimeServerReg, "ntpserver", strTimeServer
objReg.SetStringValue HKLM, strTimeServerReg, "type", "NTP"
strCurrentServer = ""
objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
WScript.Echo "New Value: " & strCurrentServer

' Restart Time Service
set objService = GetObject("winmgmts://" & strPDC & _
                           "/root/cimv2:Win32_Service='W32Time'")
WScript.Echo "Stopping " & objService.Name
objService.StopService( )

Wscript.Sleep 2000  ' Sleep for 2 seconds to give service time to stop

WScript.Echo "Starting " & objService.Name
objService.StartService( )

3.13.3 Discussion

You need to set a reliable time source only on the PDC Emulator FSMO role owner for the forest root domain. All other domain controllers sync their time either from that server or from a PDC (or designated time server) within their own domain. The list of external time servers is stored in the registry under the W32Time Service registry key in the following location: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ntpserver.

If you want a domain controller, such as the PDC, to use an external time source, you have to set the ntpserver registry value along with the type value. The default value for type on a domain controller is Nt5DS, which means that the domain controller will use the Active Directory domain hierarchy to find a time source. You can override this behavior and have a domain controller contact a non-DC time source by setting type to NTP. In the CLI example, the /setsntp switch automatically sets the type value to NTP. In the VBScript solution, I had to set it in the code.

After setting the time server, the W32Time service should be restarted for the change to take effect. You can check that the server was set properly by running the following command:

> net time /querysntp

Since the PDC Emulator is the time source for the other domain controllers, you should also make sure that it is advertising the time service, which you can do with the following command:

> nltest /server:<DomainControllerName> /dsgetdc:<DomainDNSName> /TIMESERV
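
The following PowerShell sketch is an added example, not part of the original recipe. It reads the same two registry values the VBScript sets and flags combinations that contradict the discussion above. The function names, the approved-server list and the host names are hypothetical, and the remote read assumes CIM/WinRM access to the domain controller.

```powershell
# Added example, not from the original recipe; function names, parameters and
# host names are hypothetical.
$HKLM = [uint32]2147483650     # same hive constant as &H80000002 in the VBScript
$Key  = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeParameter {
    # Reads one string value through StdRegProv, the provider the VBScript uses.
    # Assumes CIM/WinRM access to the domain controller.
    param([string]$ComputerName, [string]$Name)
    $r = Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\default' `
        -ClassName StdRegProv -MethodName GetStringValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $Key; sValueName = $Name }
    if ($r.ReturnValue -eq 0) { $r.sValue } else { $null }
}

function Test-TimeSourceConfig {
    # Pure check on the two values; makes no network calls.
    param(
        [string]$Type,
        [string]$NtpServer,
        [bool]$IsForestRootPdc,
        [string[]]$ApprovedServers
    )
    # ntpserver can list several space-separated servers, each optionally "host,0xN".
    $peers = @($NtpServer -split '\s+' | Where-Object { $_ } |
        ForEach-Object { ($_ -split ',')[0] })
    $findings = @()
    if ($Type -eq 'Nt5DS' -and $IsForestRootPdc) {
        $findings += 'forest root PDC Emulator has no external source (type is Nt5DS)'
    }
    if ($Type -eq 'NTP') {
        if ($peers.Count -eq 0) { $findings += 'type is NTP but ntpserver is empty' }
        if (-not $IsForestRootPdc) {
            $findings += 'type is NTP: this DC does not use the domain hierarchy; confirm it is a designated time server'
        }
        foreach ($p in $peers) {
            if ($ApprovedServers -and $ApprovedServers -notcontains $p) {
                $findings += "time server not on the approved list: $p"
            }
        }
    }
    $findings
}

# Constructed sample values (not read from a real host):
Test-TimeSourceConfig -Type 'NTP' -NtpServer 'ntp1.example.net,0x1 ntp9.example.org' `
    -IsForestRootPdc $true -ApprovedServers 'ntp1.example.net', 'ntp2.example.net'
```

For a live check, pass the results of Get-W32TimeParameter for the "type" and "ntpserver" values of each domain controller into Test-TimeSourceConfig.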

3.13.4 See Also

MS KB 216734 (How to Configure an Authoritative Time Server in Windows 2000), MS KB 223184 (Registry Entries for the W32Time Service), MS KB 224799 (Basic Operation of the Windows Time Service), MSDN: StdRegProv, and MSDN: Win32_Service
