9 steps · 6 min read · Jun 23, 2026 · 17:44 UTC

Configure NTP Time Source on a Windows Domain Controller

Configure an external NTP source on your PDC Emulator to keep Kerberos clock skew under the 5-minute limit - with PowerShell commands and verification steps.

by Emanuel De Almeida

Illustration of a PDC Emulator syncing with an external NTP source while VM guest time synchronization is disabled and domain time stays accurate

TL;DR

  • Run w32tm /config on the PDC Emulator - not just any domain controller.
  • Disable VM guest time sync (Hyper-V or VMware) before configuring NTP peers.
  • Use four pool addresses with the 0x8 flag for redundancy.
  • Force resync with w32tm /resync /force, then confirm offset is under 1 second.
  • Kerberos authentication fails when clocks drift beyond 5 minutes.

Accurate time is not optional in an Active Directory environment. Configuring a reliable NTP time source on the PDC Emulator underpins Kerberos authentication, AD replication, certificate validity, and event log correlation. This tutorial walks you through locating the PDC Emulator, disabling competing hypervisor time sync, pointing W32Time at external NTP servers, and confirming that accurate time flows to every domain controller and client.

According to Microsoft Learn, the W32Time service is essential to Kerberos V5 authentication - any Kerberos-aware application relies on time synchronization between all computers in an authentication request. Domain controllers also need synchronized clocks for accurate data replication.

Prerequisites

  • Domain admin credentials (or equivalent) on the PDC Emulator.
  • PowerShell or Command Prompt running as Administrator.
  • Outbound UDP port 123 open from the PDC Emulator to the internet or your internal NTP appliance. Microsoft Learn confirms W32Time uses UDP port 123 exclusively.
  • Knowledge of whether the PDC Emulator runs on Hyper-V, VMware, or bare metal.
  • A second domain controller available to validate propagation in Step 9.

Step 1: Locate the PDC Emulator

All configuration must happen on the server holding the PDC Emulator FSMO role, not just any domain controller. Run the following command from any domain-joined machine.

```shell
netdom query fsmo
```

Note the hostname next to PDC. Remote into that server for every subsequent step.

Step 2: How Do I Check the Current NTP Time Source on a Domain Controller?

Before making changes, record the existing configuration so you have a baseline to compare against after the fix. These four queries cover source, peers, status, and full configuration.

```shell
w32tm /query /source
w32tm /query /peers
w32tm /query /status
w32tm /query /configuration
```

If your PDC Emulator sits in a child domain, run the same queries on the root domain PDC as well. On non-PDC domain controllers, /query /peers shows which server they currently sync from.
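The two steps above (find the PDC Emulator, then record a baseline) can be scripted so the baseline is saved to a file you can diff against after the change. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed on a domain-joined machine and that RPC to the PDC Emulator is allowed for the remote `w32tm /query` call.

```powershell
# Added example (not from the original post): locate the PDC Emulator and
# capture a W32Time baseline before changing anything.
# Assumes the ActiveDirectory module is available and the host is domain-joined.
Import-Module ActiveDirectory

# Same role that "netdom query fsmo" reports next to PDC.
$pdc       = (Get-ADDomain).PDCEmulator
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($localFqdn -ine $pdc) {
    Write-Warning "This host is $localFqdn; the PDC Emulator is $pdc. Run the remaining steps there."
}

# Record the four baseline queries into a timestamped file for later comparison.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$baseline = Join-Path $env:TEMP "w32time-baseline-$stamp.txt"

foreach ($q in 'source', 'peers', 'status', 'configuration') {
    "==== w32tm /query /$q ====" | Out-File -FilePath $baseline -Append -Encoding utf8
    & w32tm.exe /query "/$q" 2>&1  | Out-File -FilePath $baseline -Append -Encoding utf8
}

# Also record what the PDC Emulator itself currently syncs from, even if run elsewhere.
"==== PDC ($pdc) source ====" | Out-File -FilePath $baseline -Append -Encoding utf8
& w32tm.exe /query "/computer:$pdc" /source 2>&1 | Out-File -FilePath $baseline -Append -Encoding utf8

Write-Host "Baseline written to $baseline"
```

Keep the baseline file: after Step 7 you can run the same loop again and compare the two outputs line by line to confirm exactly what changed.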

Step 3: Disable Hypervisor Guest Time Synchronization

Hypervisors like Hyper-V and VMware ship a guest time-sync agent that competes directly with W32Time. When both services try to correct the clock at the same time, you get unpredictable drift rather than stability. Disable the VM Integration Components time provider before touching NTP settings.

In our lab, skipping this step caused the PDC Emulator to oscillate between the hypervisor-corrected time and the NTP-corrected time - producing drift that was worse than before the fix. Always disable guest sync first.

```powershell
# PowerShell continues a line with a backtick, not a backslash.
Set-ItemProperty `
  -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider" `
  -Name "Enabled" `
  -Value 0
```

Restart W32Time to apply the registry change immediately.

```shell
net stop w32time
net start w32time
```

Confirm the provider is off. Look for Enabled: 0 (Local) under the VMICTimeProvider section.

```shell
w32tm /query /configuration
```

Step 4: How Do I Configure External NTP Peers on the PDC Emulator?

Point the PDC Emulator at external NTP servers. The example below uses the public NTP pool - substitute your own internal NTP appliance addresses if your security policy requires keeping time traffic internal.

Keep the `0x8` flag after each peer address. It sets client mode and W32Time requires it to actually use the peer.

```shell
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
```

Neither cmd.exe nor PowerShell treats a trailing backslash as a line continuation, so keep the command on a single line (or use `^` in cmd.exe and a backtick in PowerShell).

Using four pool addresses gives you redundancy. If one upstream server is unreachable or returns bad data, W32Time falls back to the others without manual intervention.

The table below compares common NTP peer options to help you choose the right source for your environment.

| Source | Type | Stratum | Best For |
|---|---|---|---|
| `0-3.pool.ntp.org` | Public pool | 2-3 | Internet-connected PDC Emulators |
| Internal NTP appliance | On-premises | 1-2 | Air-gapped or high-security environments |
| `time.windows.com` | Microsoft hosted | 2 | Quick testing only, not production |
| NIST Internet Time Service | Government | 1 | Environments requiring authenticated NTP |

Step 5: Restart the Windows Time Service

A configuration change via w32tm /config does not fully activate until the service recycles. Stop and start it cleanly.

```shell
net stop w32time
net start w32time
```

Step 6: Force Resynchronization

Tell W32Time to immediately reach out to the newly configured peers rather than waiting for its next scheduled poll.

```shell
w32tm /resync /rediscover
```

If the clock was significantly out of sync before this change, the service may refuse a gentle resync. Use the /force flag to override that guard.

```shell
w32tm /resync /force
```
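Steps 3 through 6 are one procedure, so here they are as a single elevated PowerShell script with the guards a practitioner would want: it refuses to run anywhere but the PDC Emulator, only touches the VMICTimeProvider key if it exists, and only falls back to `/resync /force` when the gentle resync is refused. This is an added example, not code from the original post; it assumes the ActiveDirectory module is installed on the PDC Emulator and uses the same four `pool.ntp.org` peers as the article (swap in your internal appliance addresses if policy requires). On VMware guests the VMware Tools time-sync setting lives in the tools configuration rather than in this registry key, so the script only handles the Windows-side provider.

```powershell
# Added example (not from the original post): apply Steps 3 to 6 in one run.
# Assumes an elevated session on the PDC Emulator and the ActiveDirectory module.
#Requires -RunAsAdministrator

$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$peers   = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8'

# Guard (Step 1): refuse to run anywhere but the PDC Emulator.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($me -ine $pdc) { throw "Run this on the PDC Emulator ($pdc), not on $me." }

# Step 3: disable the hypervisor time provider before touching NTP settings.
$cs = Get-CimInstance Win32_ComputerSystem
Write-Host "Platform: $($cs.Manufacturer) / $($cs.Model)"
if (Test-Path $vmicKey) {
    $enabled = (Get-ItemProperty -Path $vmicKey -Name Enabled).Enabled
    if ($enabled -ne 0) {
        Set-ItemProperty -Path $vmicKey -Name Enabled -Value 0
        Write-Host 'VMICTimeProvider disabled.'
    } else {
        Write-Host 'VMICTimeProvider already disabled.'
    }
} else {
    Write-Host 'VMICTimeProvider key not present; nothing to disable on the Windows side.'
}

# Step 4: point W32Time at the external peers (0x8 = client mode) and mark this DC reliable.
# PowerShell passes the whole peer list as one quoted argument, which is what w32tm expects.
& w32tm.exe /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Step 5: recycle the service (equivalent to net stop / net start) so both changes take effect.
Restart-Service -Name w32time -Force

# Step 6: rediscover peers; if the clock was too far off for a gentle resync, force it.
& w32tm.exe /resync /rediscover
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Gentle resync was refused; forcing.'
    & w32tm.exe /resync /force
}

# Quick confirmation: should now name one of the pool peers, not a local or VM IC source.
& w32tm.exe /query /source
```

Run it once and keep the console output with the baseline file from Step 2; the final `/query /source` line is the first of the verification signals checked later in the article.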

Step 7: Verify the New Time Source

Run the same four diagnostic queries from Step 2 again. The `/source` output should now show one of the pool NTP addresses instead of a local or hypervisor source. The /peers output lists all four pool servers and their reachability status.

```shell
w32tm /query /source
w32tm /query /peers
w32tm /query /status
w32tm /query /configuration
```

Step 8: How Do I Measure NTP Offset and Drift on the PDC Emulator?

The stripchart tool shows the real-time offset between your PDC and the upstream NTP server. W32Time expresses this offset in seconds - a healthy value sits well under one second.

```shell
w32tm /stripchart /computer:pool.ntp.org
```

For a quick five-sample summary without interactive output, add the /samples and /dataonly flags.

```shell
w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly
```

For full documentation on every configuration flag and validation query, see Microsoft Learn: Windows Time Service Tools and Settings.
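The `/dataonly` output is one line per sample, so it is easy to parse and judge automatically instead of eyeballing it. The function below is an added example, not part of the original post: it runs the stripchart, extracts each offset, and reports the worst one against the article's healthy bound (1 second) and the Kerberos hard limit (300 seconds). `Test-NtpOffset` is a name chosen here, not a built-in cmdlet; it assumes UDP 123 reachability to the target and the standard `HH:mm:ss, +SS.fffffffs` sample format, with timeouts showing up as `error:` lines.

```powershell
# Added example (not from the original post): parse w32tm /stripchart output
# and judge the offset. Test-NtpOffset is a hypothetical name, not a built-in cmdlet.
function Test-NtpOffset {
    param(
        [string]$Computer = 'pool.ntp.org',
        [int]$Samples = 5,
        [double]$MaxOffsetSeconds = 1.0   # the article's healthy bound
    )
    $kerberosSkewLimit = 300.0            # Kerberos V5 maximum clock skew, in seconds

    $raw = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly 2>&1

    # Sample lines look like "17:44:00, +00.0012345s"; timeouts look like "17:44:02, error: 0x...".
    $offsets = @(foreach ($line in $raw) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    })
    $errorLines = @($raw | Where-Object { "$_" -match 'error:' })

    if ($offsets.Count -eq 0) {
        return [pscustomobject]@{
            Computer = $Computer; Healthy = $false; Samples = 0
            MaxAbsOffsetSeconds = $null; Errors = $errorLines.Count
            Note = 'no samples returned (UDP 123 blocked or host unreachable?)'
        }
    }

    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $note = 'ok'
    if ($maxAbs -gt $kerberosSkewLimit)   { $note = 'exceeds the Kerberos 5-minute skew limit' }
    elseif ($maxAbs -gt $MaxOffsetSeconds) { $note = 'offset above the healthy bound' }

    [pscustomobject]@{
        Computer            = $Computer
        Healthy             = ($maxAbs -le $MaxOffsetSeconds -and $errorLines.Count -eq 0)
        Samples             = $offsets.Count
        MaxAbsOffsetSeconds = $maxAbs
        Errors              = $errorLines.Count
        Note                = $note
    }
}

Test-NtpOffset -Computer 'pool.ntp.org' | Format-List
```

Because the result is an object rather than text, you can run `Test-NtpOffset` against each configured peer in a loop and alert on any `Healthy = False` result, which is the same check the troubleshooting table performs by hand.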

Step 9: Propagate Time to Other Domain Controllers

Other domain controllers sync from the PDC Emulator through the AD hierarchy by default. They update automatically within a few minutes. To speed this up, log into each subordinate DC and trigger a manual resync.

```shell
w32tm /resync
```

Query non-PDC DCs to confirm they pull from the PDC rather than a hypervisor or local clock.

```shell
w32tm /query /source
```

When we tested this on a Windows Server 2022 VM farm with three subordinate DCs, all three updated their source within 90 seconds of the manual resync - no reboots required.

How Do I Confirm the NTP Time Source Configuration Is Working?

Check these signals to confirm the configuration is healthy:

  • w32tm /query /source on the PDC Emulator returns an external NTP hostname, not Local CMOS Clock or VM IC Time Synchronization Provider.
  • w32tm /query /peers shows all four pool peers with a recent Last Successful Sync timestamp.
  • w32tm /stripchart reports an offset smaller than five seconds (ideally milliseconds).
  • Other DCs show the PDC Emulator as their source when you run /source on them.
  • No Kerberos or authentication errors appear in the Security or System event logs after the change.

If w32tm /resync returns an error on a subordinate DC, check that Windows Firewall does not block UDP 123 between DCs. Also confirm the W32Time service runs on that DC.
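Step 9 and the checklist above are both about the hierarchy being correct on every DC, not just the PDC Emulator, so it is worth checking them from one place. The function below is an added example, not part of the original post: it enumerates every DC in the domain, queries each one's time source remotely, checks that the PDC Emulator reports an external source and that every other DC reports the PDC Emulator, and counts Time-Service warnings and errors in each DC's System log for the last 24 hours. `Get-DcTimeHealth` is a name chosen here, not a built-in cmdlet; it assumes the ActiveDirectory module, RPC access for `w32tm /query /computer:` and remote event-log read permission on each DC.

```powershell
# Added example (not from the original post): verify the time hierarchy across all DCs.
# Get-DcTimeHealth is a hypothetical name, not a built-in cmdlet.
function Get-DcTimeHealth {
    Import-Module ActiveDirectory
    $pdc      = (Get-ADDomain).PDCEmulator
    $pdcShort = $pdc.Split('.')[0]
    $badSources = 'Local CMOS Clock', 'VM IC Time Synchronization Provider', 'Free-running System Clock'
    $since = (Get-Date).AddHours(-24)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $name   = $dc.HostName
        $isPdc  = $name -ieq $pdc
        # Remote /query returns a single line such as "0.pool.ntp.org,0x8" or "Local CMOS Clock".
        $source = ("$(& w32tm.exe /query "/computer:$name" /source 2>&1 | Select-Object -Last 1)").Trim()

        # Expected: the PDC names an external host; every other DC names the PDC Emulator.
        if ($isPdc) {
            $sourceOk = ($badSources -notcontains $source) -and ($source -match '\.')
        } else {
            $sourceOk = $source -like "$pdcShort*"
        }

        # Warnings (3) and errors (2) from the Windows Time service in the last 24 hours.
        $events = @(Get-WinEvent -ComputerName $name -FilterHashtable @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-Time-Service'
                Level        = 2, 3
                StartTime    = $since
            } -ErrorAction SilentlyContinue)

        $role = 'Subordinate'
        if ($isPdc) { $role = 'PDC Emulator' }

        [pscustomobject]@{
            DC            = $name
            Role          = $role
            Source        = $source
            SourceOK      = $sourceOk
            TimeSvcEvents = $events.Count
        }
    }
}

Get-DcTimeHealth | Format-Table -AutoSize
```

A `SourceOK = False` row on a subordinate DC is the cue to run `w32tm /resync` on that DC and to check UDP 123 between it and the PDC Emulator; a non-zero `TimeSvcEvents` count points you at the System log entries worth reading before blaming Kerberos.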

Microsoft's remediation guidance states that time synchronization failures "can cause a variety of problems, most notably logon failures," and that Kerberos and claims-based SSO can fail due to time disparities. The 5-minute maximum clock skew is a hard Kerberos V5 limit - exceed it and authentication fails with KRB_AP_ERR_SKEW.

Time configuration touches the same trust boundary as certificate deployment and identity policy. For related hardening work, see how to deploy a trusted root certificate with Intune and how to lock Windows logon to the current user via Intune. For broader endpoint policy management, the guide on Intune Scope Tags setup for sysadmins covers role-based access controls that complement time-sync governance. If you manage Outlook or Office baselines alongside AD, configuring default Outlook fonts via Intune remediations shows the same remediation pattern used here.

Troubleshooting Quick Reference

| Symptom | Command to Run | Expected Output |
|---|---|---|
| Source still shows local clock | `w32tm /query /source` | Should show NTP pool hostname |
| Peers unreachable | `w32tm /query /peers` | LastSuccessfulSync within last hour |
| Offset too high | `w32tm /stripchart /computer:pool.ntp.org /samples:5 /dataonly` | Offset well under 1 second |
| Subordinate DC not syncing | `w32tm /resync` on that DC | No error returned |
| Firewall blocking NTP | `w32tm /stripchart /computer:pool.ntp.org /samples:1 /dataonly` | A timestamped offset sample rather than an `error:` line (`Test-NetConnection -Port` tests TCP only, so it cannot validate UDP 123) |
| Guest sync still active | `w32tm /query /configuration` | VMICTimeProvider Enabled: 0 |

Frequently asked questions

What happens if the PDC Emulator is a VM and I don't disable guest time sync?

The hypervisor agent and W32Time both attempt to correct the clock at different intervals. This causes the clock to oscillate unpredictably, producing drift that is often worse than no NTP configuration at all. Always set the VMICTimeProvider registry value to 0 and restart W32Time before configuring external NTP peers.

How do I check NTP sync on a domain client that is not a DC?

Run `w32tm /query /source` on the client. It should return the name of a domain controller, not a local clock or hypervisor provider. You can also run `w32tm /stripchart /computer:<DC-hostname>` to measure the offset between the client and its DC. An offset under one second is healthy.

What offset is acceptable for Kerberos authentication?

Microsoft's security policy sets the maximum Kerberos V5 clock skew at 5 minutes. Exceed that limit and authentication fails with KRB_AP_ERR_SKEW. In practice, keep offset well under 1 second. The Windows Server STIG mandates the tolerance be set to 5 minutes or fewer, so aim for millisecond-level accuracy on the PDC Emulator.

Do I need to configure NTP on every domain controller, or just the PDC Emulator?

Configure external NTP only on the PDC Emulator. All other DCs sync from the PDC Emulator automatically through the AD DS hierarchy. After updating the PDC Emulator, log into each subordinate DC and run `w32tm /resync` to accelerate propagation rather than waiting for the next automatic poll cycle.

Tags: Active Directory, ntp, windows-server, domain-controller, time-synchronization, w32time
