Correct operation of the Windows Time Service (W32Time) is the basis of a normally functioning AD domain environment. In this article we will discuss the main points of working with NTP via PowerShell on Windows Server 2012. We will do this on the domain controller. So let's get started.
1. How Does Time Synchronization Work in a Domain Environment
Time synchronization process:
In practice, the PDC emulator is usually synchronized with the dedicated NTP server of the organization, or with the NTP server of the provider, or with an external source of exact time.
2. An Example of Setting up a Domain Controller with the Role of a PDC Emulator
To configure it, we need a PowerShell console running as administrator.
Determine the name of the PDC emulator. The easiest way is to run the command:
netdom query FSMO
Once we are connected to the DC holding the PDC role, we can begin the configuration.
Configure the external synchronization sources, that is, specify which sources the PDC will synchronize with:
w32tm /config /syncfromflags:manual /manualpeerlist:"nodes"
/syncfromflags:manual - synchronization with nodes from the manually specified list.
/manualpeerlist:nodes - list (DNS names or IP addresses) of time sources.
Important! If there are several time sources, their names must be separated by spaces. The firewall must also allow UDP traffic on port 123 in both directions.
We declare the PDC emulator a reliable time source for clients:
w32tm /config /reliable:yes
After making changes, restart the time service:
Or update the configuration with the command:
w32tm /config /update
If you transferred the role of the PDC emulator to another domain controller, the old DC still considers itself to be an authoritative time server for the entire domain, which can cause errors in the system debug log. You can fix this situation with the command:
w32tm /config /syncfromflags:domhier /reliable:no /update
3. Useful Commands to Work with NTP via PowerShell
w32tm /query /configuration - view current time service settings;
SpecialPollInterval: 3600 - synchronization interval in seconds, 3600 - day. Synchronization will be held once a day.
NtpServer - indicates the servers with which the computer can synchronize time.
Type: NTP - type of time synchronization.
The Type parameter can have the following values:
NoSync - the time service is not synchronized with anything at all.
NTP - the time service is synchronized with the servers specified in the NtpServer parameter.
NT5DS - the time service is synchronized using the domain hierarchy (typical of members of an Active Directory domain).
AllSync - the time service uses all possible mechanisms for synchronization.
w32tm /monitor - displays the current time synchronization hierarchy by domain;
w32tm /resync - forces the computer to synchronize with the time server it uses;
w32tm /unregister - removes the time service from the computer;
w32tm /register - registers the time service on the computer;
If anyone is interested in setting up an NTP server through the registry, use this registry key:
HKLM\System\CurrentControlSet\services\W32Time\
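An added example, not part of the original article: a PowerShell check that reads Type, NtpServer and AnnounceFlags from this registry key and compares them with whether the machine holds the PDC emulator role, which catches the stale former-PDC configuration described in section 2. The function names and sample host names are hypothetical, and it assumes that bit 0x4 of Config\AnnounceFlags is the "reliable" flag set by /reliable:yes.

```powershell
# Added example (not from the article). Function names and sample hosts are hypothetical.
function Get-TimeConfigFinding {
    param(
        [string]$Type,           # Parameters\Type: NoSync, NTP, NT5DS or AllSync
        [string]$NtpServer,      # Parameters\NtpServer: space-separated time sources
        [int]$AnnounceFlags,     # Config\AnnounceFlags (assumed: bit 0x4 = reliable)
        [bool]$IsPdcEmulator
    )
    $reliable = ($AnnounceFlags -band 0x4) -ne 0
    if ($IsPdcEmulator) {
        if ($Type -ne 'NTP') { "Type is $Type; the PDC emulator should use NTP with a manual peer list" }
        if ([string]::IsNullOrWhiteSpace($NtpServer)) { 'NtpServer is empty; no external source configured' }
        if (-not $reliable) { 'Not announced as reliable; run w32tm /config /reliable:yes' }
    } else {
        if ($Type -ne 'NT5DS') { "Type is $Type; a non-PDC DC should follow the domain hierarchy (NT5DS)" }
        if ($reliable) { 'Still announced as reliable; run w32tm /config /syncfromflags:domhier /reliable:no /update' }
    }
}

function Get-LocalTimeConfigFinding {
    Add-Type -AssemblyName System.DirectoryServices
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $p = Get-ItemProperty -Path "$key\Parameters"
    $c = Get-ItemProperty -Path "$key\Config"
    # Ask AD for the PDC emulator instead of parsing netdom query FSMO output.
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $isPdc = $pdc.Split('.')[0] -ieq $env:COMPUTERNAME
    Get-TimeConfigFinding -Type $p.Type -NtpServer $p.NtpServer `
        -AnnounceFlags $c.AnnounceFlags -IsPdcEmulator $isPdc
}

# Constructed sample: a former PDC emulator left with its old settings.
$stale = @(Get-TimeConfigFinding -Type 'NTP' -NtpServer 'ntp1.example.test ntp2.example.test' `
    -AnnounceFlags 5 -IsPdcEmulator $false)
# Constructed sample: a correctly configured PDC emulator.
$good = @(Get-TimeConfigFinding -Type 'NTP' -NtpServer 'ntp1.example.test' `
    -AnnounceFlags 5 -IsPdcEmulator $true)
"stale former PDC: $($stale.Count) findings"; $stale
"configured PDC:   $($good.Count) findings"

# On a domain controller, audit the live configuration:
# Get-LocalTimeConfigFinding
```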