{"id":960,"date":"2025-11-09T16:37:22","date_gmt":"2025-11-09T21:37:22","guid":{"rendered":"https:\/\/dox.opentechnologies.ca\/?p=960"},"modified":"2025-11-10T18:05:20","modified_gmt":"2025-11-10T23:05:20","slug":"set-external-time-source-for-windows-server-2016-domain","status":"publish","type":"post","link":"https:\/\/dox.opentechnologies.ca\/index.php\/2025\/11\/09\/set-external-time-source-for-windows-server-2016-domain\/","title":{"rendered":"Set External Time Source for Windows Server 2016\/2019 Domain"},"content":{"rendered":"\n<p>Here\u2019s how to <strong>find out where your Windows Server 2016 domain controller (and the domain as a whole)<\/strong> is syncing its time from.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Check the Current Time Source on the DC<\/h3>\n\n\n\n<p>Open <strong>Command Prompt<\/strong> or <strong>PowerShell<\/strong> as Administrator and run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>w32tm \/query \/status<\/code><\/pre>\n\n\n\n<p>You\u2019ll get output like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Leap Indicator: 0(no warning)\nStratum: 3 (secondary reference - syncd by (S)NTP)\nPrecision: -6 (15.625ms per tick)\nRoot Delay: 0.0414518s\nRoot Dispersion: 10.1234567s\nReferenceId: 192.168.1.10\nLast Successful Sync Time: 2025-11-08 01:23:45\nSource: time.windows.com,0x9\nPoll Interval: 10 (1024s)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Check Domain-Wide Time Hierarchy<\/h3>\n\n\n\n<p>In an <strong>Active Directory domain<\/strong>, time synchronization flows like this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PDC Emulator (Primary Domain Controller)<\/strong> in the <strong>forest root domain<\/strong> \u2192 syncs with an <strong>external NTP source<\/strong> (like time.windows.com or a GPS\/NTP appliance).<\/li>\n\n\n\n<li>All <strong>other domain controllers<\/strong> \u2192 sync with the <strong>PDC Emulator<\/strong>.<\/li>\n\n\n\n<li>All <strong>domain-joined clients and servers<\/strong> \u2192 sync with their <strong>authenticating DC<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>To see which DC is the <strong>PDC Emulator<\/strong>, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>netdom query fsmo<\/code><\/pre>\n\n\n\n<p>You\u2019ll see:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Schema master               dc01.dox.local\nDomain naming master        dc01.dox.local\nPDC                         dc01.dox.local\nRID pool manager            dc01.dox.local\nInfrastructure master       dc02.dox.local<\/code><\/pre>\n\n\n\n<p>The <strong>PDC<\/strong> listed here is the <strong>authoritative time source<\/strong> for your domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Check What Time Source the Domain Uses<\/h3>\n\n\n\n<p>On the <strong>PDC Emulator<\/strong>, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>w32tm \/query \/source<\/code><\/pre>\n\n\n\n<p>If it says:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Source: Local CMOS Clock<\/code><\/pre>\n\n\n\n<p>That means your domain isn\u2019t syncing with an external NTP source (it\u2019s using the server\u2019s local clock \u2014 not ideal).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
See the Full Time Configuration<\/h3>\n\n\n\n<p>Run this on the PDC:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>w32tm \/query \/configuration<\/code><\/pre>\n\n\n\n<p>You\u2019ll get details like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;TimeProviders]\nNtpClient (Local)\n    Enabled: 1\n    NtpServer: time.nrc.ca,0x8\n    CrossSiteSyncFlags: 2\n    ResolvePeerBackoffMinutes: 15<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">5. Configure the PDC to Use an External NTP Source<\/h3>\n\n\n\n<p>If you find it\u2019s using the local CMOS clock, configure a proper source:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>w32tm \/config \/manualpeerlist:\"0.ca.pool.ntp.org 1.ca.pool.ntp.org\" \/syncfromflags:manual \/reliable:yes \/update\nnet stop w32time\nnet start w32time<\/code><\/pre>\n\n\n\n<p>Then check again:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>w32tm \/query \/status<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Check Clients and Other DCs<\/h3>\n\n\n\n<p>On any domain-joined machine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>w32tm \/query \/source<\/code><\/pre>\n\n\n\n<p>You\u2019ll likely see:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Source: DC01.dox.local<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Set Official Canadian Time Source<\/h3>\n\n\n\n<p>National Research Council of Canada<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>time.nrc.ca and time.chu.nrc.ca<\/code><\/pre>\n\n\n\n<p>Reference:<\/p>\n\n\n\n<p><a href=\"https:\/\/nrc.canada.ca\/en\/certifications-evaluations-standards\/canadas-official-time\/network-time-protocol-ntp\" target=\"_blank\" rel=\"noopener\">https:\/\/nrc.canada.ca\/en\/certifications-evaluations-standards\/canadas-official-time\/network-time-protocol-ntp<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s how to find out where your Windows Server 2016 domain controller (and the domain as a whole) is syncing its time from. 1. Check the Current Time Source on the DC Open Command Prompt or PowerShell as Administrator and run: You\u2019ll get output like this: 2. 
Check Domain-Wide Time Hierarchy In an Active Directory &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/dox.opentechnologies.ca\/index.php\/2025\/11\/09\/set-external-time-source-for-windows-server-2016-domain\/\" class=\"more-link\">Read more<span class=\"screen-reader-text\"> &#8220;Set External Time Source for Windows Server 2016\/2019 Domain&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1040,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[105,48,6,37,106],"tags":[107],"class_list":["post-960","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows-2016","category-command-line","category-date","category-windows","category-windows-2019","tag-power-shell"],"_links":{"self":[{"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/posts\/960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/comments?post=960"}],"version-history":[{"count":14,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/posts\/960\/revisions"}],"predecessor-version":[{"id":1108,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/posts\/960\/revisions\/1108"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/media\/1040"}],"wp:attachment":[{"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/media?parent=960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/
wp-json\/wp\/v2\/categories?post=960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dox.opentechnologies.ca\/index.php\/wp-json\/wp\/v2\/tags?post=960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}