Configuring Internet Time (Atomic NTP) in Windows 2008 R2 or 7 Domains

Default installations of Windows Server 2008 R2 and Windows 7 will configure domain based network time resolution as soon as you create or join a domain. That’s the best option for all servers and computers except:

  • Forest root servers – Establish the correct atomic time at the root, which is then (potentially) propagated to all other servers and computers in the forest.
  • Site masters – Limit the damage caused by incorrect time configuration to one site.
  • Infrastructure operations master – The purpose of this server is to cross-check that replication is functioning correctly, hence having its own atomic time source will also check for any time issues.

There are two configuration options for any machine (server or computer) in the domain, shown below along with the correct new command to configure them (NET TIME is depreciated).

  1. Machines which should source their time from an internet NTP (time) server, effectively an atomic clock proxy:
    w32tm /config /syncfromflags:manual /manualpeerlist:europe.pool.ntp.org /update /reliable:yes
  2. Machines which should source their time from their domain hierarchy, assuming the time from the other servers (is hopefully correct):
    w32tm /config /syncfromflags:domhier /update /reliable:yes

After changing the configuration run the following command to update immediately:

w32tm /resync

If you are running virtualized servers (e.g. Hyper-V) then you need to think carefully about your settings. When the host reboots or for any other reason pauses or saves the machines, their clocks stop! When they restart it may take a long time for the domain or internet synchronization to run again. When the difference is really great (machine offline for days) then it will refuse to sync at all without the manual intervention and the w32tm “/force” option. That means you really must have integration services installed with host time synchronization enabled on all virtual machines. Following on, it is then even more important that virtual machine hosts have their time synchronized accurately, especially when they host virtual domain controllers (which may be the time server for other machines in the domain hierachy).

4 thoughts on “Configuring Internet Time (Atomic NTP) in Windows 2008 R2 or 7 Domains

    1. I had that problem too once, but a while ago. As far as I remember it is either something to do with the Windows Time service not able to start or the configured time source is unavailable. If internet connectivity is available, configure w32tm to ONLY use “europe.pool.ntp.org” NTP server (/syncfromflags:manual) then run a “w32tm /resync /force”. If it is a domain member, after a successful sync via the internet NTP, run a “gpupdate /force” to make sure the policies sync from the domain. Once it works you could consider returning to the domain hierarchy sync mode, or just leave it with an external NTP time source. If it doesn’t work it could be the DC which is out of sync. If all else fails check the event log (system and application) and search the Microsoft forums with any additional information you find there.

  1. I comment when I appreciate a post on a site or I have
    something to add to the discussion. Usually it’s triggered by the fire communicated in the post I browsed. And on this post Configuring Internet Time (Atomic NTP) in Windows 2008 R2 or 7 Domains | Code Chief’s Space.
    I was excited enough to post a thought 😉 I do have 2 questions for you if you tend not to mind.
    Is it simply me or do some of these remarks look like left
    by brain dead individuals? 😛 And, if you are writing on additional places,
    I’d like to keep up with anything new you have to post. Could you make a list every one of all your public pages like your linkedin profile, Facebook page or twitter feed?

    1. I generally make posts which I feel are missing from the documentation. Yes I guess most people don’t RTFM, sometimes me too 🙂 But since Apple made the iPhone people finally worked out that technology can be easy. So it’s fair to say it’s expected now. Software should just “do what it says on the tin”, meaning no need to read lengthy manuals or complete obscure setup procedures.

      But sadly we still see frequent sloppy development, bad or politically driven product planning and architecture means we still have substandard products. Even from the big companies. I tend to follow Microsoft solutions which I like but they do have a lot of issues right now, especially during such a large change as Windows 8/Phone8/Surface RT.

      Thanks for the interest. Regarding updates, I generally use the handle “Code Chief”. It’s a developer twist on the original XBOX Halo “Master Chief”. I’m CodeChief on Twitter and Facebook and have most of the main domain names, i.e. codechief.co, .com, .net, etc…

      I’ll update my about page with specific links including my Linked-In profile.

Leave a Reply

Your email address will not be published. Required fields are marked *