Configure the Root PDC with an Authoritative Time Source
Why Consider this
Your root PDC emulator is not set to use a Network Time Protocol (NTP) server.
Many Windows and network functions rely on robust time synchronization
across the network. Time synchronization failures can cause a variety of
problems, most notably logon failures: Kerberos rejects tickets and
authenticators whose timestamps differ from the KDC's clock by more than the
permitted skew (five minutes by default), and claims-based single sign-on can
fail for the same reason.

Context and Best Practices

By default, all computers and devices in a domain synchronize system time
using the domain hierarchy. Domain members synchronize time with the domain
controller that authenticates them, domain controllers synchronize with the
domain controller holding the PDC emulator role for their domain, and the PDC
emulator of each child domain synchronizes with a domain controller in its
parent domain. The PDC emulator of the forest root domain sits at the top of
this hierarchy, so configuring it to synchronize time with the domain
hierarchy is invalid: there is no higher-level time source for it to
reference. The Windows Time service detects this and logs a warning, Event ID
12 from the Time-Service (W32Time) source, indicating that the time
synchronization configuration of the PDC emulator is not properly established.

If nothing else is configured, the PDC emulator free-runs on its own hardware
(BIOS/CMOS) clock. This approach has drawbacks. If the time and date are not
set accurately in the PDC emulator's BIOS, or the clock drifts, the time and
date will be wrong across the whole domain and nothing in the hierarchy can
correct it; and if the PDC emulator goes offline, the other domain controllers
have nothing to synchronize against. A better approach is to configure the PDC
emulator to synchronize time directly with an external time source.
Alternatively, you can configure another device within your domain (a
dedicated NTP appliance or a hardened server) to synchronize time with an
external time service, and then configure the PDC emulator to use that
internal time server as its authoritative time source.

Authoritative external time sources are Internet-facing services, typically
maintained by governmental, scientific, or educational establishments, that
enable you to synchronize your system time using Network Time Protocol
(NTP). For example, NIST provides time servers in various locations across the
United States. Plain NTP is unauthenticated UDP, so anyone who can sit on the
path between the PDC emulator and its peers can feed it false time and, through
the hierarchy, the whole forest. Keep the peer list explicit, restrict outbound
UDP 123 at the firewall to those peers, configure more than one peer, and treat
a sudden large offset reported by the Windows Time service as something to
investigate rather than silently accept.

Suggested Actions
You can configure the domain controller holding the PDC emulator role to use
an NTP server to synchronize time. There are several approaches.

To configure time synchronization via command line:

On the PDC emulator, open an administrative Command Prompt and run the
following commands:

w32tm.exe /config /syncfromflags:manual /manualpeerlist:131.107.13.100,0x8 /reliable:yes /update

w32tm.exe /config /update

/syncfromflags:manual tells the service to use only the manual peer list
instead of the domain hierarchy, /manualpeerlist names the peer(s), and /update
notifies the running service to pick up the change. Repeating /update in the
second command is harmless.

💡 Note

The IP address in the example is a National Institute of Standards and
Technology (NIST) time server hosted at Microsoft in Redmond, Washington.
Replace this IP address with the time service of your choice, and check it
against the operator's currently published list first: public time server
addresses are retired and reassigned over the years, and a stale address
leaves the PDC emulator without a source.

💡 Command with Multiple IP

w32tm.exe /config /syncfromflags:manual /manualpeerlist:"131.107.13.100,0x8 192.168.1.50,0x8" /reliable:yes /update

The peer list is space-separated, which is why it must be quoted when it holds
more than one entry. Configure at least two independent peers where you can,
so that one server going away or serving bad time does not take the whole
domain's clock with it.



💡 What is 0x8
The value after the comma in a peer entry is a bitmask of flags that control
how the Windows Time service talks to that particular peer. 0x8 is the Client
flag: it tells the service to send ordinary NTP client-mode requests to the
peer instead of symmetric-active requests, which many public NTP servers
(including non-Windows ones) reject or ignore. The flags do not control whether
the PDC emulator serves time to others; a domain controller answers NTP
requests from domain members regardless. The flags you will meet in practice:

0x1 UseSpecialPollInterval: poll this peer at the fixed interval in
SpecialPollInterval rather than the dynamic interval.

0x2 UseAsFallbackOnly: only use this peer if no other peer is usable.

0x4 SymmetricActive: use symmetric-active mode (the mode the service uses when
no flag is given); most public servers do not accept it.

0x8 Client: use client mode. This is the value you want for external servers.

Flags combine by addition, so 131.107.13.100,0x9 means client mode at the
special poll interval.

Here's the logic:

1. Receiving Time (0x8):

When you configure the PDC emulator to sync with an external source using
0x8, it acts as an NTP client of the specified server (like 131.107.13.100).
The PDC emulator retrieves the time from this external source, ensuring that
the time it distributes to the domain is accurate.

2. Providing Time to Domain Members:

Once the PDC emulator's time is accurate, the domain hierarchy carries it
outward: the other domain controllers synchronize with the PDC emulator, and
workstations and member servers synchronize with the domain controller that
authenticated them (not directly with the PDC emulator). Each hop is only as
good as the one above it, which is why the root PDC emulator's source matters.

3. Reliable Time Source (/reliable:yes):

Setting /reliable:yes on the PDC emulator sets AnnounceFlags to 5, so the
domain controller advertises itself as an always-reliable time source in its
NTP replies. Other domain controllers prefer a reliable source when choosing
what to synchronize with, so set it only on a machine that really does have a
good external source; a "reliable" DC running on its own CMOS clock is trusted
just the same.

Summary

0x8: client mode, so the PDC emulator queries the external NTP server the way
any NTP client would.

/reliable:yes: advertises the PDC emulator as a dependable (reliable) time
source in the hierarchy.

In short, 0x8 makes the PDC emulator query its external source correctly, and
/reliable:yes marks it as the source the rest of the domain should trust.
Together they keep the Active Directory environment in sync.
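The following audit script is an added example, not code from the original page: it reads the same registry values that the w32tm commands above write, decodes the ,0xN peer flags and AnnounceFlags described in this section, checks whether the local host is the forest-root PDC emulator, and looks for recent Event ID 12 warnings. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module available; the function and variable names are the example's own.

```powershell
# Added example (not part of the original page): audit the local Windows Time
# configuration before and after applying the w32tm command above.

# Peer flag bits of the NtpServer value. 0x8 (Client) is what the page tells
# you to use for an external server.
$PeerFlagNames = @{
    0x1 = 'UseSpecialPollInterval'
    0x2 = 'UseAsFallbackOnly'
    0x4 = 'SymmetricActive'
    0x8 = 'Client'
}
# AnnounceFlags bits; /reliable:yes writes 5 = TimeServer + ReliableTimeServer.
$AnnounceFlagNames = @{
    0x1 = 'TimeServer'
    0x2 = 'AutoTimeServer'
    0x4 = 'ReliableTimeServer'
    0x8 = 'AutoReliableTimeServer'
}

function ConvertTo-FlagNames([int]$Value, [hashtable]$Names) {
    # Expand a bitmask into the names of the bits that are set.
    $Names.Keys | Sort-Object | Where-Object { $Value -band $_ } | ForEach-Object { $Names[$_] }
}

function ConvertFrom-NtpPeerList([string]$NtpServer) {
    # "131.107.13.100,0x8 192.168.1.50,0x8" -> one object per peer.
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $peerHost, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [Convert]::ToInt32($flagText, 16) } else { 0 }
        [pscustomobject]@{
            Peer       = $peerHost
            Flags      = ('0x{0:X}' -f $flags)
            FlagNames  = (ConvertTo-FlagNames $flags $PeerFlagNames) -join '+'
            ClientMode = [bool]($flags -band 0x8)
        }
    }
}

function Get-W32TimeAudit {
    $params   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $config   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $findings = New-Object System.Collections.Generic.List[string]

    # Is this host the PDC emulator of the forest root domain?
    $isRootPdce = $false
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $rootPdce   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
        $isRootPdce = $rootPdce -eq ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    } catch { $findings.Add("Could not determine the PDC emulator: $($_.Exception.Message)") }

    $peers = @(ConvertFrom-NtpPeerList $params.NtpServer)

    if ($isRootPdce -and $params.Type -ne 'NTP') {
        $findings.Add("Type is '$($params.Type)' on the root PDC emulator; expected NTP (this is what raises Event ID 12).")
    }
    foreach ($p in ($peers | Where-Object { -not $_.ClientMode })) {
        $findings.Add("Peer $($p.Peer) lacks the 0x8 Client flag (has $($p.Flags)).")
    }
    if ($isRootPdce -and (($config.AnnounceFlags -band 0x4) -eq 0)) {
        $findings.Add("AnnounceFlags=$($config.AnnounceFlags) does not advertise a reliable source; /reliable:yes sets 5.")
    }
    # Event ID 12 from the Time-Service provider: configured for the domain
    # hierarchy but this machine is the root PDC emulator.
    $ev12 = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'
        Id = 12; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    if ($ev12) { $findings.Add("$(@($ev12).Count) Event ID 12 warning(s) in the last 7 days; latest $(@($ev12)[0].TimeCreated).") }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        IsRootPdce    = $isRootPdce
        Type          = $params.Type
        Peers         = $peers
        AnnounceFlags = ('0x{0:X} ({1})' -f $config.AnnounceFlags, ((ConvertTo-FlagNames $config.AnnounceFlags $AnnounceFlagNames) -join '+'))
        CurrentSource = (w32tm /query /source)
        Findings      = $findings
    }
}

Get-W32TimeAudit | Format-List
```

An empty Findings list on the root PDC emulator means Type is NTP, every peer carries 0x8, AnnounceFlags advertises a reliable source and no Event ID 12 has been logged in the past week; anything else is a concrete line to fix with the commands on this page.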

💡 Do we need to ping the IP first?

It is worth checking that you can reach 131.107.13.100 from the PDC emulator
before configuring it as the time source, but keep in mind what ping actually
tests: ICMP echo, not NTP. A reply proves basic routing; a timeout proves very
little, because many public time servers, and many firewalls, drop ICMP while
still answering NTP on UDP port 123.

Here's how to do it:

1. Open Command Prompt on the PDC emulator.

2. Type the following command:

ping 131.107.13.100

3. Analyze the Response:

If you get a successful reply, the host is reachable at the IP layer.

If the ping fails (e.g., "Request timed out"), the server might be
unreachable due to network issues or firewall settings, or it may simply not
respond to ICMP echo requests.

If the server doesn't respond to pings but you're certain it's valid and
publicly reachable, you can still configure it in w32tm. The Windows Time
service can also do the real test itself without changing any configuration:
w32tm /stripchart with /computer: set to the server sends actual NTP requests
and prints the measured offset for each sample, or an error code if nothing
comes back over UDP 123.



💡 Use Telnet to check if the outbound NTP connection is working
The command telnet portquiz.net 123 is used to test whether your network
allows outbound connections to port 123 (the port NTP uses) on an Internet
host.

Here's what each part means:

telnet: This command opens a TCP connection to a remote server on a specific
port. Telnet only speaks TCP.

portquiz.net: This is a public server designed specifically for testing
outgoing network connections on any port. It listens on every TCP port, so a
successful connection tells you that your network permits egress to that port
number.

123: This is the port number you're testing. Port 123 is the NTP port.

Why Use This Command?

By running telnet portquiz.net 123, you can verify whether your network allows
outbound TCP traffic on port 123. If the connection succeeds, you should see
some response text from the portquiz.net server, confirming that your firewall
or router permits access to that port number. If you get a "connection failed"
message, it may indicate that port 123 is filtered on your network.

The caveat: NTP runs over UDP, not TCP, and firewalls commonly have different
rules for the two. A successful TCP connection to portquiz.net on 123 shows
that the port number is not blanket-blocked, but it does not prove that
outbound UDP 123 to your chosen time server (and its replies back) is allowed,
and a TCP failure does not prove that UDP is blocked. Treat this as a quick
first check and confirm with a real NTP query (w32tm /stripchart against the
intended server) before concluding anything about NTP.



💡 When you use telnet portquiz.net 123 and the screen goes black
momentarily before returning to the command prompt without displaying any
error messages, it typically indicates a successful connection to the
specified port. Telnet doesn't always provide clear feedback, so this behavior
usually means the TCP connection to port 123 on portquiz.net was established
and then closed by the server.
Here's how to interpret the response:

Successful Connection: The screen goes blank (black) briefly and returns to
the prompt without error messages. This suggests that outbound TCP on port
123 is allowed from your network.

Failure: If there was an issue, such as the port being blocked, you'd likely
see a message like "Could not open connection to the host" or "Connection
failed."

If you want more detailed feedback, Test-NetConnection in PowerShell gives
clearer output (and, like telnet, it only tests TCP):

Test-NetConnection -ComputerName portquiz.net -Port 123

This command explicitly reports whether the TCP connection succeeded
(TcpTestSucceeded : True) or the port is blocked.



💡 Installing Telnet
Option 1: Install Telnet via Command Prompt

1. Open PowerShell or Command Prompt as Administrator.

2. Run the following command to install the Telnet client:

dism /online /Enable-Feature /FeatureName:TelnetClient

(On Windows Server, Install-WindowsFeature Telnet-Client from an elevated
PowerShell does the same.)

3. Wait for the installation to complete. You should see a message confirming
that the feature was enabled successfully.

4. Retry the Telnet Command:

Now, try running:

telnet portquiz.net 123

Option 2: Install Telnet via Control Panel

1. Go to Control Panel > Programs > Turn Windows features on or off.

2. In the list, locate and check Telnet Client.

3. Click OK, and wait for Windows to install the Telnet client.

4. Open a new Command Prompt or PowerShell window and try the Telnet command
again.

After installing, you should be able to use Telnet to test TCP connectivity on
specific ports. A Telnet client on a domain controller is also a handy tool for
an intruder, so consider removing it when you are done
(dism /online /Disable-Feature /FeatureName:TelnetClient).
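Because ping tests ICMP and telnet or Test-NetConnection test TCP while NTP is UDP/123, the only conclusive reachability check is to send the server an NTP client request and parse the reply. The script below is an added example, not code from the original page, covering the ping and telnet checks above: it builds the 48-byte NTP request, sends it with a .NET UdpClient, and decodes the server's transmit timestamp into a clock offset. The reply parser is first exercised on a constructed sample packet (a stratum-1, version-4 server reply dated 2024-01-01 00:00:00 UTC, not captured from any real server) so the file runs offline; the live probe needs outbound UDP 123. The server address and timeout are assumptions to change, and the [type]::new() syntax needs PowerShell 5 or later.

```powershell
# Added example (not part of the original page): a real NTP reachability test.

function Read-BigEndianUInt32 {
    param([byte[]]$Bytes, [int]$Offset)
    # NTP fields are big-endian; assemble in a 64-bit int so nothing overflows.
    ([long]$Bytes[$Offset] -shl 24) -bor ([long]$Bytes[$Offset + 1] -shl 16) -bor ([long]$Bytes[$Offset + 2] -shl 8) -bor [long]$Bytes[$Offset + 3]
}

function ConvertFrom-NtpResponse {
    param([byte[]]$Packet, [datetime]$ReceivedUtc = (Get-Date).ToUniversalTime())
    if ($Packet.Length -lt 48) { throw "NTP reply too short: $($Packet.Length) bytes" }
    $li      = ($Packet[0] -shr 6) -band 0x3    # leap indicator; 3 = clock unsynchronized
    $version = ($Packet[0] -shr 3) -band 0x7
    $mode    = $Packet[0] -band 0x7             # 4 = server reply
    $stratum = [int]$Packet[1]                  # 0 = kiss-of-death, 16 = unsynchronized
    # Transmit timestamp (bytes 40-47): seconds since 1900-01-01 plus a 32-bit fraction.
    $secs = Read-BigEndianUInt32 -Bytes $Packet -Offset 40
    $frac = Read-BigEndianUInt32 -Bytes $Packet -Offset 44
    $epoch = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $serverTime = $epoch.AddSeconds($secs + $frac / 4294967296.0)
    [pscustomobject]@{
        Version       = $version
        Mode          = $mode
        Stratum       = $stratum
        LeapIndicator = $li
        Usable        = ($mode -eq 4 -and $stratum -ge 1 -and $stratum -le 15 -and $li -ne 3)
        ServerTimeUtc = $serverTime
        OffsetSeconds = [math]::Round(($serverTime - $ReceivedUtc).TotalSeconds, 3)
    }
}

function Test-NtpServer {
    param([string]$Server, [int]$TimeoutMs = 3000)
    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 123)
        $request = [byte[]]::new(48)
        $request[0] = 0x1B                      # LI=0, VN=3, Mode=3 (client request)
        [void]$udp.Send($request, $request.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        ConvertFrom-NtpResponse -Packet $reply |
            Add-Member -NotePropertyName Server -NotePropertyValue $Server -PassThru
    } catch {
        # Receive timeout or ICMP port-unreachable: UDP 123 is filtered or nothing is listening.
        [pscustomobject]@{ Server = $Server; Usable = $false; Error = $_.Exception.Message }
    } finally {
        $udp.Close()
    }
}

# Constructed sample reply (not captured from a real server): version 4, mode 4,
# stratum 1, transmit timestamp 2024-01-01T00:00:00Z = 3913056000 s after 1900 = 0xE93C7F00.
$sampleReply = [byte[]]::new(48)
$sampleReply[0] = 0x24                          # LI=0, VN=4, Mode=4
$sampleReply[1] = 1                             # stratum 1
$sampleReply[40] = 0xE9; $sampleReply[41] = 0x3C; $sampleReply[42] = 0x7F; $sampleReply[43] = 0x00
$received = [datetime]::new(2024, 1, 1, 0, 0, 1, [DateTimeKind]::Utc)   # pretend it arrived 1 s later
ConvertFrom-NtpResponse -Packet $sampleReply -ReceivedUtc $received | Format-List

# Live probe (needs outbound UDP 123); replace with the peer you intend to configure.
Test-NtpServer -Server '131.107.13.100' | Format-List
```

A live result with Usable True and a small OffsetSeconds is the evidence that telnet on TCP 123 cannot give you; Usable False with a timeout error means UDP 123 to that server is filtered or the host is not an NTP server, whatever ping and telnet said.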

To configure time synchronization through registry edit on the PDC emulator:

Open Registry Editor (regedit.exe).

Navigate to the following registry key:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters

To use a specific NTP source, modify the Type value to NTP. (The default on a
domain member, NT5DS, means "use the domain hierarchy", which is what produces
Event ID 12 on the root PDC emulator.)

Modify the NtpServer value to contain the NTP server to synchronize time with,
followed by ,0x8, for example 131.107.13.100,0x8. Multiple NTP servers must be
space-delimited, for example 131.107.13.100,0x8 24.56.178.140,0x8

To advertise the machine as a reliable time source (what /reliable:yes does),
set the AnnounceFlags value under
HKLM\System\CurrentControlSet\Services\W32Time\Config to 5.

Open an administrative Command Prompt and execute the following command so
that the running service reads the new values: w32tm /config /update


To configure time synchronization through Group Policy:

1. Open Group Policy Management Console.

2. Create a new GPO.

3. Open the GPO and navigate to Computer Configuration -> Policies ->
Administrative Templates -> System -> Windows Time Service -> Time Providers.

4. Double click Configure Windows NTP Client.

5. Set the state to Enabled.

6. Configure the Type to NTP.

7. Configure NtpServer to point to the IP address or DNS name of a time
server, followed by ,0x8. For example: 131.107.13.100,0x8

8. Close the Group Policy Editor.

9. In the Security Filtering pane of the Group Policy Management Console,
remove Authenticated Users from the newly created policy, then add the
computer account that holds the PDC Emulator role. Note that this ties the
policy to a machine rather than to the role: if the role is later transferred
or seized, the old holder keeps pointing at the external servers while the new
holder logs Event ID 12. A WMI filter that selects the role instead avoids
that trap: Select * from Win32_ComputerSystem where DomainRole = 5

10. Link the GPO to the Domain Controllers OU.

How To Troubleshoot
To see the current configuration of the Windows Time service, use the
following command in an elevated command prompt:
w32tm /query /configuration

To see the current source for time synchronization, use the following
command:
w32tm /query /source

Restart the Windows Time service; the DC should then synchronize time with the
NTP time servers:
net stop w32time && net start w32time

Check the System event log on the server for entries from the Time-Service
source: Event ID 12 means the root PDC emulator is still set to the domain
hierarchy, Event ID 37 means the NtpClient provider is receiving valid time
from a peer, and Event ID 47 means a manually configured peer is not
answering.

w32tm sync commands:

Force synchronizing the time asap: w32tm /resync /nowait

Check NTP configuration: w32tm /query /configuration

Check NTP status: w32tm /query /status

Display the time sources and their state: w32tm /query /peers

Display the time offset between domain controllers: w32tm /monitor

Force a domain computer to synchronize the time with the domain hierarchy; use
an elevated command prompt on that member computer (not on the root PDC
emulator, where /syncfromflags:domhier would reintroduce the original problem):
w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time
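w32tm /monitor shows the offsets between domain controllers, but it does not tell you which of them are outside the Kerberos tolerance. The script below is an added example, not code from the original page: run on the PDC emulator, it queries every domain controller with w32tm /stripchart, parses the per-sample lines into offsets relative to the local clock, and flags any DC whose offset exceeds the default Kerberos MaxClockSkew of five minutes. It assumes the ActiveDirectory module, that each DC answers NTP on UDP 123, and the stripchart /dataonly line shapes "HH:mm:ss, +00.0001234s" and "HH:mm:ss, error: 0x...". The function names and the sample lines are the example's own.

```powershell
# Added example (not part of the original page): find domain controllers whose
# clocks have drifted far enough from the PDC emulator to break Kerberos.

$MaxSkewSeconds = 300   # Kerberos default MaxClockSkew (5 minutes)

function ConvertFrom-StripchartOutput {
    # Turn the text lines from w32tm /stripchart /dataonly into offsets in seconds.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [pscustomobject]@{ OffsetSeconds = [double]$Matches[1]; Error = $null }
        } elseif ($line -match ',\s*error:\s*(0x[0-9A-Fa-f]+)') {
            [pscustomobject]@{ OffsetSeconds = $null; Error = $Matches[1] }
        }
    }
}

function Get-DcTimeOffsets {
    param([int]$Samples = 3)
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Offsets are relative to the machine running this, so run it on the PDC emulator.
        $raw     = & w32tm /stripchart /computer:$($dc.HostName) /dataonly /samples:$Samples 2>&1
        $samples = @(ConvertFrom-StripchartOutput -Lines ($raw | ForEach-Object { "$_" }))
        $good    = @($samples | Where-Object { $null -ne $_.OffsetSeconds })
        $offset  = if ($good) { ($good | Measure-Object OffsetSeconds -Average).Average } else { $null }

        if ($null -eq $offset) {
            $firstError = $samples | Where-Object Error | Select-Object -First 1 -ExpandProperty Error
            $status = 'UNREACHABLE over NTP: ' + $firstError
        } elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
            $status = 'SKEW EXCEEDS KERBEROS LIMIT'
        } else {
            $status = 'ok'
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $domain.PDCEmulator)
            OffsetSeconds    = if ($null -ne $offset) { [math]::Round($offset, 3) } else { $null }
            Status           = $status
        }
    }
}

# Constructed sample output (not from a real run) showing the parser on both line shapes.
$sampleLines = @(
    'Tracking dc01.corp.example [10.0.0.10:123].',
    'Collecting 3 samples.',
    'The current time is 01/01/2024 09:00:00.',
    '09:00:00, +00.0123456s',
    '09:00:02, -00.0045000s',
    '09:00:04, error: 0x800705B4'
)
ConvertFrom-StripchartOutput -Lines $sampleLines | Format-Table

# Live run from the PDC emulator.
Get-DcTimeOffsets | Format-Table -AutoSize
```

Schedule this, or fold it into your monitoring, and alert on any Status other than ok: a DC drifting towards the five-minute limit shows up here well before users start seeing Kerberos failures.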

💡 The following commands reset the time service to its defaults.

Running these commands unregisters and re-registers the Windows Time service
(w32time), which discards its configuration, including any manual peer list,
and restores the defaults: a domain-joined machine goes back to Type NT5DS,
that is, synchronizing with the domain hierarchy.

After running these commands, the time service will:

On domain-joined clients and ordinary domain controllers: sync time through
the domain hierarchy again (clients with their authenticating DC, DCs with the
PDC emulator).

On the PDC emulator: also fall back to the domain hierarchy, which is exactly
the configuration this page exists to fix. The external NTP peer list,
/syncfromflags:manual and /reliable:yes must be applied again afterwards.

net stop w32time
w32tm /unregister
w32tm /register
net start w32time



💡 Trigger Immediate Time Update Using PowerShell (for All Computers)
You can also push a time update across the network from the PDC emulator
using PowerShell remoting.

1. Open PowerShell on the PDC emulator with administrative privileges.

2. Run the following command to force all domain-joined computers to
resynchronize with their time source:

Invoke-Command -ScriptBlock { w32tm /resync } -ComputerName (Get-ADComputer -Filter *).Name

This command retrieves every computer object in Active Directory and triggers
a time synchronization on each over WinRM. Computers that are offline, or
stale computer objects, will produce connection errors rather than results,
and domain controllers are included too (on them, /resync just re-queries the
hierarchy or, on the PDC emulator, the external peers).

Make sure you have administrative permissions on each machine, and that WinRM
is enabled on it, for this command to work.

Individual Command on Domain PCs (if you need a specific computer to sync)
If you need an individual PC to sync with its domain controller, use the
following command on that specific machine:

w32tm /resync

These methods will help ensure that time synchronization occurs across the
domain without waiting for the default polling interval.



Inside fresh vm:
---------------
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer" -Name "Enabled" -Value 1

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config" -Name "AnnounceFlags" -Value 5

Restart-Service w32Time

firewall (allow inbound UDP 123 on the VM so the PDC emulator can query it)

w32tm /config /manualpeerlist:"192.168.1.167" /syncfromflags:manual /reliable:YES /update

(No ,0x8 on this peer; add it if the upstream at 192.168.1.167 is a
non-Windows NTP server.)

net stop w32time

net start w32time

w32tm /resync

w32tm /query /source

===============================
Inside PDC:
----------
w32tm /query /source
w32tm.exe /config /syncfromflags:manual /manualpeerlist:10.15.1.169,0x8 /reliable:yes /update
w32tm.exe /config /update
w32tm /resync /nowait
w32tm /query /source
