How to configure NTP server in Active Directory, Step by step
If you want to know how to configure an NTP server in your Active Directory environment, including domain controllers and domain computers, and which port NTP uses, so that you have a reliable time service synchronizing correctly with an external time source, this post walks through it step by step in an easy way.
Why is NTP so important in AD?
Active Directory cannot work correctly unless the clocks of the domain controllers and member machines are synchronized.
Several services rely on correct time. Kerberos is one: by default, computers whose clocks are more than 5 minutes out of sync will not authenticate to the domain. Replication is another: Active Directory uses time stamps to resolve replication conflicts.
How Does NTP Work in AD?
- In Active Directory, the Windows Time service (W32Time) handles clock synchronization;
- All member machines synchronize with any domain controller;
- In a domain, all domain controllers synchronize from the PDC Emulator of that domain;
- The PDC Emulator of a child domain should synchronize with any domain controller of the parent domain, using NTP;
- The PDC Emulator of the root domain in a forest should synchronize with an external time server, which could be a router, another standalone server, an Internet time server, etc.
You can have a better idea about this flow in the following picture:
Without further ado, let’s set up the time service!
How to configure NTP server
From your PDC, open a command prompt as administrator and type:
w32tm /config /manualpeerlist:yourNTPserver,0x8 /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time && net start w32time
Where “yourNTPserver” is the address of the external NTP source you want to use; it can be a public pool on the Internet or your internal NTP server.
Note that the “,0x8” is part of the command: it makes the PDC send client-mode requests to the specified NTP server rather than other request types such as symmetric active, which can cause the PDC not to receive correct NTP answers.
Also, if you want to add more than one NTP server in the command above, put them within quotes, separated by a space, like this:
w32tm /config /manualpeerlist:"yourNTPserver1,0x8 yourNTPserver2,0x8" /syncfromflags:manual /reliable:yes /update
Confirm if your server is properly configured:
w32tm /query /status
The output of the command above should show the peers you configured. If it does not, something is wrong: double-check the firewall and other settings; more troubleshooting details follow below.
Once the PDC is correctly configured, force all other DCs to rediscover the new time server by setting them to the domain hierarchy with the commands below:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync /nowait
net stop w32time && net start w32time
Check the settings after a minute; the source should show your PDC/time server:
w32tm /query /status
Once the commands above have been executed on all DCs, check their NTP settings with the command below:
w32tm /monitor
The correct and expected output shows the PDC/NTP with Stratum = 3 and all other DCs with Stratum = 4.
Firewall
Configure your internal firewall and your perimeter firewall to allow outgoing and incoming NTP traffic to and from your server on UDP port 123.
Virtual Server?
Don’t forget: if your PDC is a virtual machine hosted on a Hyper-V server, you have to disable time synchronization in the VM settings. To do that, follow the instructions below:
1 – Open Hyper-V Manager.
2 – Select the virtual guest DC.
3 – Click Settings.
4 – Click Integration services.
5 – Clear the Time Synchronization option.
6 – Exit Hyper-V Manager.
7 – Restart the server.
Screwed up configuration, what now?
Don’t worry; you can restore the time service to its default values:
net stop w32time
w32tm /unregister
w32tm /register
Errors?
If you see Event ID 47 errors, or your configuration shows the source as “Local CMOS Clock”, try the following:
1 – Do the above procedures again and make sure “,0x8” comes immediately after the NTP address, without any spaces.
2 – Make sure you can reach your external NTP server on UDP port 123.
3 – Restart your server and try again.
4 – Make sure no other NTP setting is being applied to your domain through GPO.
5 – Make sure your current time is not more than 1000 seconds away from the real time.
6 – Make sure your server is set to the correct time zone.
7 – You can also check for time advertisement on the PDC by running w32tm.exe /resync /rediscover /nowait, then check for Event ID 139.
8 – You can check in the registry whether the domain controller is using NTP (should be the PDC) or NT5DS (non-PDC): find the value of Type under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
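The checks in this list and the verification steps from the configuration section, gathered into one script as an added example (my code, not from the original post): it reads the Type and NtpServer values under the registry key above, checks the “,0x8” suffix on each peer, and parses the Source and Stratum lines of w32tm /query /status. It assumes Win32_ComputerSystem.DomainRole reports 5 on the PDC emulator and 4 on other DCs, and that it runs in an elevated PowerShell on each DC.

```powershell
# Added example (not from the original post): W32Time health check for one domain controller.
# Run in an elevated PowerShell on each DC after applying the w32tm commands above.
# Assumption: Win32_ComputerSystem.DomainRole is 5 on the PDC emulator and 4 on other DCs.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params   = Get-ItemProperty -Path $paramKey
$role     = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$findings = @()

# Item 8: the PDC should use Type=NTP (manual peers); every other DC should use Type=NT5DS.
$expectedType = if ($role -eq 5) { 'NTP' } else { 'NT5DS' }
if ($params.Type -ne $expectedType) {
    $findings += "Type is '$($params.Type)' but DomainRole $role expects '$expectedType'"
}

# Item 1: on the PDC every manual peer must end in ',0x8' with no space before the comma.
if ($role -eq 5) {
    foreach ($peer in ($params.NtpServer -split '\s+' | Where-Object { $_ })) {
        if ($peer -notmatch ',0x8$') { $findings += "Peer '$peer' lacks the ',0x8' client-mode flag" }
    }
}

# Pull one named field ("Source: ...", "Stratum: ...") out of the w32tm /query /status output.
function Get-W32tmField([string[]]$Lines, [string]$Name) {
    $m = $Lines | Select-String -Pattern ('^\s*{0}:\s*(.+)$' -f $Name) | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}
$status  = w32tm /query /status 2>&1
$source  = Get-W32tmField $status 'Source'
$stratum = Get-W32tmField $status 'Stratum'

# A DC still on its own clock has not picked up a peer (the "Local CMOS Clock" case above).
if (-not $source -or $source -match 'Local CMOS Clock|Free-running') {
    $findings += "Source is '$source': the time service is not synchronizing from a peer"
}

$summary = if ($findings) { $findings -join '; ' } else { 'OK' }
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME; DomainRole = $role;   Type    = $params.Type
    NtpServer = $params.NtpServer; Source     = $source; Stratum = $stratum
    Findings  = $summary
}
```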
What is the NTP Port?
The NTP port is a specific communication channel used by devices to synchronize their clocks over a network. It plays a key role in ensuring all systems within a network, like those in an Active Directory environment, operate on the same accurate time.
Here’s everything you need to know about the NTP port and why it’s critical for network synchronization:
The Technical Basics of the NTP Port
- Port Number: NTP uses UDP Port 123.
- Protocol: It operates over the User Datagram Protocol (UDP), which is lightweight and efficient for sending time-sensitive packets.
- Function: Devices use this port to communicate with NTP servers, requesting time updates or sharing synchronized time with other systems.
Why the NTP Port Matters in Active Directory
As covered above in detail, in Active Directory (AD) environments time synchronization is not just nice to have; it is essential. Here is why:
- Kerberos Authentication: AD relies on Kerberos, which requires all systems to be within a narrow time window (typically 5 minutes). Incorrect time can lead to authentication failures.
- Log Correlation: Consistent timestamps across devices help in auditing and troubleshooting.
- Replication Accuracy: AD domain controllers replicate data frequently. Accurate time ensures data consistency across the network.
How the NTP Port Works in Syncing Time
When a device communicates with an NTP server over UDP Port 123:
- Time Request: The client sends a request to the NTP server through Port 123.
- Response Packet: The server responds with a packet containing accurate time data, typically sourced from a stratum-1 or stratum-2 server.
- Clock Adjustment: The client adjusts its clock based on the time data received, ensuring synchronization.
This simple yet powerful process keeps all devices on the same page.
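The request/response exchange just described, performed by hand in PowerShell as an added example (not code from the original post). It also covers items 2 and 5 of the Errors checklist, since it shows whether the external source answers on UDP 123 and how far the local clock is from it. Get-NtpOffset is my own helper name, and “yourNTPserver” is the post’s placeholder, to be replaced with your source.

```powershell
# Added example (not from the original post): one NTP client/server exchange over UDP 123,
# done by hand to confirm the external source answers (checklist item 2) and to measure
# how far the local clock is from it (checklist item 5). 'yourNTPserver' is a placeholder.
function Get-NtpOffset {
    param([string]$NtpServer, [int]$TimeoutMs = 3000)

    # Time Request: a 48-byte packet whose first byte 0x1B means LI=0, version 3, mode 3 (client).
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($NtpServer, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)          # Response Packet, also 48 bytes
        $received = [DateTime]::UtcNow
    } finally { $udp.Close() }

    # Byte 1 is the server's stratum; 0 (kiss-o'-death) or 16 means the server itself is unsynchronized.
    $stratum = [int]$reply[1]

    # Bytes 40-47: Transmit Timestamp, big-endian 32-bit seconds since 1900-01-01 UTC plus a 32-bit fraction.
    [byte[]]$secBytes  = $reply[40..43]; [Array]::Reverse($secBytes)
    [byte[]]$fracBytes = $reply[44..47]; [Array]::Reverse($fracBytes)
    $seconds  = [BitConverter]::ToUInt32($secBytes, 0)
    $fraction = [BitConverter]::ToUInt32($fracBytes, 0) / [math]::Pow(2, 32)
    $serverTime = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds($seconds + $fraction)

    # Clock Adjustment is w32tm's job; here we only report how far off the local clock is.
    [pscustomobject]@{
        Server        = $NtpServer
        Stratum       = $stratum
        ServerTimeUtc = $serverTime
        OffsetSeconds = [math]::Round(($serverTime - $received).TotalSeconds, 3)
    }
}

$result = Get-NtpOffset -NtpServer 'yourNTPserver'   # replace the placeholder with your source
$result
if ($result.Stratum -eq 0 -or $result.Stratum -ge 16) {
    Write-Warning "Server answered but is not synchronized (stratum $($result.Stratum))"
}
if ([math]::Abs($result.OffsetSeconds) -gt 1000) {
    Write-Warning "Local clock is more than 1000 seconds off the source; correct it before expecting w32tm to sync"
}
```

A timeout (no reply within 3 seconds) usually means UDP 123 is blocked somewhere between the PDC and the source, which is what the firewall section above is about.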
Key Points to Remember About NTP Port Security
Since the NTP port is essential for network operation, it’s also a potential target for malicious activity. Here’s how you can secure it:
- Firewall Rules: Ensure UDP Port 123 is open only to trusted NTP servers.
- Monitor Traffic: Regularly monitor and log NTP traffic to detect anomalies.
- Use Authentication: Configure NTP authentication to verify trusted servers and prevent spoofing.
I hope this article helps you with your NTP setup in your AD environment and gives you a bit more insight into how it actually works. By understanding the role of UDP port 123, you will have a stronger grasp of how NTP keeps time synchronized, laying the foundation for a stable and secure Active Directory environment.
Please don’t hesitate to contact me by leaving a comment below; I would love to hear from you and help you further with the NTP port and the actual setup in AD.
For any doubts or suggestions about how to configure NTP server, please leave a comment below.