How to Configure NTP Time Synchronisation on Windows Server 2025

Accurate system time is not merely a convenience — it is a security and operational requirement on every Windows Server. Kerberos authentication, the protocol underlying Active Directory logins, rejects tickets that arrive with a timestamp more than five minutes out of synchronisation with the domain controller. Certificate validity windows, audit log forensics, replication conflict resolution in DFS-R and Active Directory, and scheduled task accuracy all depend on clocks being tightly aligned. Windows Server 2025 ships with the Windows Time service (w32tm), a purpose-built NTP client and server that integrates with Active Directory to automatically distribute authoritative time from the PDC emulator down through the domain hierarchy. This guide explains how to configure, verify, and troubleshoot time synchronisation for both domain-joined servers and standalone workgroup machines.

Prerequisites

  • Windows Server 2025 with local Administrator privileges.
  • For domain-joined servers: membership in an Active Directory domain, with the ability to run commands on the PDC emulator role holder.
  • Outbound UDP port 123 open to the internet (or internal NTP appliance) for external NTP source access.
  • PowerShell or Command Prompt running as Administrator.
  • Basic understanding of Active Directory FSMO roles is helpful but not required.

Step 1: Understand How Windows Time Service Works

The Windows Time service implements a simplified version of NTP and the proprietary Windows Time Protocol (WTP) over UDP port 123. In a domain environment, time flows in a strict hierarchy:

  1. The PDC Emulator FSMO role holder in the forest root domain synchronises from an external NTP source (internet time servers or a hardware GPS clock).
  2. Domain controllers in the same domain synchronise from the PDC emulator.
  3. Domain controllers in child domains synchronise from their parent domain controllers.
  4. Domain member servers and workstations synchronise from any available domain controller via the NT5DS mechanism.

Standalone (workgroup) servers are not part of this hierarchy and must be configured to synchronise directly from an external or internal NTP source.

Check the current time service configuration and synchronisation status:

# Query current time service status
w32tm /query /status

# Query configured NTP peers
w32tm /query /peers

# Query current configuration
w32tm /query /configuration

Step 2: Configure a Standalone Server to Use an External NTP Source

For workgroup servers or the PDC emulator, configure the NTP source explicitly. The w32tm /config command is the primary configuration tool:

# Configure w32tm to use the NTP pool with manual peer list
# Run as Administrator in an elevated Command Prompt or PowerShell
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES /update

# Restart the Windows Time service to apply changes
net stop w32time
net start w32time

# Force an immediate synchronisation
w32tm /resync /force

# Confirm the new configuration
w32tm /query /peers
w32tm /query /status

The ,0x8 suffix on each peer address is a flag that means use SpecialInterval — the service polls the peer at the configured SpecialPollInterval (default 1,024 seconds) rather than calculating a dynamic interval. This is the recommended flag for manually specified NTP pools. The /reliable:YES flag marks this server as a reliable time source for clients, which is appropriate for the PDC emulator.

Step 3: Configure the PDC Emulator as the Authoritative NTP Server

In an Active Directory domain, all time configuration changes for the domain should be made on the PDC emulator. First, identify which domain controller holds the PDC emulator role:

# From any domain member (requires the ActiveDirectory PowerShell module from RSAT)
(Get-ADDomain).PDCEmulator

# Or using netdom
netdom query fsmo

Log on to or remote into the PDC emulator and apply the external NTP configuration:

# Run on the PDC Emulator domain controller
# Configure authoritative NTP with stratum 1 NTP pool sources
w32tm /config `
    /manualpeerlist:"time.cloudflare.com,0x8 time.google.com,0x8 pool.ntp.org,0x8" `
    /syncfromflags:MANUAL `
    /reliable:YES `
    /update

# Restart the service
Restart-Service w32time

# Force a resync and verify
w32tm /resync /force
w32tm /query /status

All other domain controllers and domain members will automatically inherit accurate time from this configuration through the Active Directory domain hierarchy without any further manual configuration.

Step 4: Verify Time Synchronisation Across the Domain

After configuring the PDC emulator, verify that the synchronisation chain is healthy. On any domain member server, query which NTP source is currently being used:

# Check time source and offset on a member server (/verbose adds the Phase Offset line)
w32tm /query /status /verbose

# Sample output fields to check:
# Source     : dc01.corp.example.com,0x8   (should be a DC, not Local CMOS Clock)
# Last Successful Sync Time : the timestamp of the last successful sync
# Phase Offset : ideally under 1 second; above 5 seconds risks Kerberos failures

# Dump the effective configuration (Type, NtpServer, poll intervals); the Stratum line
# of the /status output above shows the current source's stratum (lower is more authoritative)
w32tm /query /configuration

Check time offset on multiple servers at once using PowerShell remoting:

$Servers = "SRV-APP01", "SRV-DB01", "SRV-WEB01"

Invoke-Command -ComputerName $Servers -ScriptBlock {
    # /verbose is needed for the Phase Offset line to be present
    $Status = w32tm /query /status /verbose
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Status       = ($Status | Select-String "Source").Line
        Offset       = ($Status | Select-String "Phase Offset").Line
    }
}
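The one-liner above only prints the raw lines; the following function, added here as an example and not part of the original guide, parses the status output on each server and evaluates it against the checks listed in this step (source is a DC rather than the local CMOS clock, offset within the 1 s and 5 s levels, stratum indicates a synchronised clock). The server names and thresholds are assumptions.

```powershell
# Added example: domain-wide clock health check built on "w32tm /query /status /verbose".
# Server names and the 1 s / 5 s thresholds are assumptions taken from the guidance above.
function Get-W32TimeHealth {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [double] $WarnOffsetSeconds = 1.0,
        [double] $FailOffsetSeconds = 5.0
    )
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # w32tm prints "Key: Value" lines; /verbose adds the Phase Offset line
        $fields = @{}
        foreach ($line in (w32tm /query /status /verbose 2>&1)) {
            if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        # Phase Offset is printed as e.g. "-0.0123456s"; Stratum as "3 (secondary reference ...)"
        $offset  = if ($fields['Phase Offset'] -match '^(-?[\d.]+)s') { [double]$Matches[1] } else { $null }
        $stratum = if ($fields['Stratum'] -match '^(\d+)') { [int]$Matches[1] } else { $null }
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            Source       = $fields['Source']
            Stratum      = $stratum
            LastSync     = $fields['Last Successful Sync Time']
            OffsetSec    = $offset
        }
    }
    foreach ($r in $results) {
        $problems = @()
        # A machine serving itself from the CMOS clock has dropped out of the domain hierarchy
        if ($r.Source -match 'Local CMOS Clock|Free-running') { $problems += 'not syncing from a network source' }
        if ($null -eq $r.OffsetSec) { $problems += 'Phase Offset not reported' }
        elseif ([math]::Abs($r.OffsetSec) -ge $FailOffsetSeconds) { $problems += "offset $($r.OffsetSec)s exceeds fail threshold" }
        elseif ([math]::Abs($r.OffsetSec) -ge $WarnOffsetSeconds) { $problems += "offset $($r.OffsetSec)s exceeds warn threshold" }
        # Stratum 0 (unspecified) or 16 (NTP "unsynchronised") means the clock is not disciplined
        if ($r.Stratum -eq 0 -or $r.Stratum -ge 16) { $problems += "stratum $($r.Stratum) is unsynchronised" }
        $r | Add-Member -NotePropertyName Healthy  -NotePropertyValue ($problems.Count -eq 0)
        $r | Add-Member -NotePropertyName Problems -NotePropertyValue ($problems -join '; ')
        $r
    }
}

Get-W32TimeHealth -ComputerName "SRV-APP01", "SRV-DB01", "DC01" |
    Format-Table ComputerName, Source, Stratum, OffsetSec, Healthy, Problems -AutoSize
```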

Step 5: Configure Time Synchronisation via Group Policy

While direct w32tm configuration is effective for individual machines, Group Policy provides a scalable way to enforce NTP settings across many servers. Use a GPO linked to the Domain Controllers OU for DC time settings, and a separate GPO linked to the Servers OU for member servers.

Navigate in the Group Policy Management Editor to:

Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers

The relevant policies are:

  • Configure Windows NTP Client — set NTP Server (peer list), Type (NTP for manual, NT5DS for domain hierarchy), CrossSiteSyncFlags, ResolvePeerBackoffMaxTimes, and SpecialPollInterval.
  • Enable Windows NTP Client — ensures the NTP client is active.
  • Enable Windows NTP Server — enables this machine to serve time to NTP clients (enable on DCs).

Equivalent PowerShell using the registry (GPO preference or direct configuration):

# Set NTP server for Windows NTP Client via registry (equivalent to GPO)
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

Set-ItemProperty -Path $RegPath -Name Type -Value "NTP"
Set-ItemProperty -Path $RegPath -Name NtpServer `
    -Value "time.cloudflare.com,0x8 time.google.com,0x8"

# AnnounceFlags 5 = always advertise as a time server and as a reliable time source
$PolicyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
Set-ItemProperty -Path $PolicyPath -Name AnnounceFlags -Value 5

Restart-Service w32time
w32tm /resync /force

Step 6: Troubleshoot Time Synchronisation with w32tm /stripchart

The w32tm /stripchart command performs a real-time offset analysis against a target NTP server, displaying the round-trip delay and clock offset at each sample. This is invaluable for diagnosing large offsets or intermittent synchronisation failures:

# Display real-time NTP offset against the Microsoft time server (10 samples)
w32tm /stripchart /computer:time.windows.com /samples:10 /dataonly

# Display offset against the domain PDC emulator
w32tm /stripchart /computer:dc01.corp.example.com /samples:5

# Show round-trip latency in addition to offset
w32tm /stripchart /computer:pool.ntp.org /samples:8 /packetinfo

A healthy stripchart output shows offsets consistently below 0.1 seconds for servers on a reliable network. Offsets above 2 seconds indicate a configuration problem; offsets above 5 seconds will cause Kerberos authentication failures and require immediate remediation.
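Reading a stripchart by eye works for a handful of samples; the function below, added here as an example and not part of the original guide, parses the /dataonly output, computes mean, maximum and jitter, counts failed samples, and maps the result onto the 0.1 s, 2 s and 5 s levels described above. The host name in the commented live call and the embedded sample lines are constructed.

```powershell
# Added example: summarise "w32tm /stripchart ... /dataonly" output and classify it.
function Measure-NtpStripchart {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,   # raw stripchart output lines
        [double] $ConfigProblemSeconds = 2.0,
        [double] $KerberosRiskSeconds  = 5.0
    )
    $offsets = @(); $errors = 0
    foreach ($line in $Lines) {
        # Sample lines look like "09:50:01, +00.0121863s"; failures like "09:50:05, error: 0x800705B4"
        if     ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { $offsets += [double]$Matches[1] }
        elseif ($line -match ',\s*error:')               { $errors++ }
    }
    if ($offsets.Count -eq 0) { return [PSCustomObject]@{ Samples = 0; Errors = $errors; Verdict = 'no samples' } }
    $mean = ($offsets | Measure-Object -Average).Average
    $max  = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    # Jitter = sample standard deviation of the offsets
    $var  = ($offsets | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum /
            [math]::Max(1, $offsets.Count - 1)
    $verdict = if ($max -ge $KerberosRiskSeconds)      { 'Kerberos at risk: remediate now' }
               elseif ($max -ge $ConfigProblemSeconds) { 'configuration problem' }
               elseif ($max -lt 0.1)                   { 'healthy' }
               else                                    { 'drifting: investigate' }
    [PSCustomObject]@{
        Samples         = $offsets.Count
        Errors          = $errors
        MeanOffsetSec   = [math]::Round($mean, 6)
        MaxAbsOffsetSec = [math]::Round($max, 6)
        JitterSec       = [math]::Round([math]::Sqrt($var), 6)
        Verdict         = $verdict
    }
}

# Live use against a real source (assumed host name):
# Measure-NtpStripchart -Lines (w32tm /stripchart /computer:dc01.corp.example.com /samples:10 /dataonly)

# Constructed sample output so the parser can be exercised offline
$sample = @(
    'Tracking dc01.corp.example.com [10.0.0.1:123].',
    'Collecting 5 samples.',
    'The current time is 15/01/2024 09:50:01.',
    '09:50:01, +00.0121863s',
    '09:50:03, -00.0084210s',
    '09:50:05, error: 0x800705B4',
    '09:50:07, +00.0150024s',
    '09:50:09, +00.0097731s'
)
Measure-NtpStripchart -Lines $sample | Format-List
```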

Additional diagnostic commands:

# View the Windows Time event log for errors
Get-WinEvent -LogName "Microsoft-Windows-Time-Service/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# Check if the Windows Time service is running
Get-Service w32time | Select-Object Name, Status, StartType

# Register the Windows Time service if it has been unregistered
w32tm /register

Step 7: Handle Time Synchronisation on Hyper-V Virtual Machines

Virtual machines running on Hyper-V present a special challenge: the hypervisor’s Integration Services include a Time Synchronisation component that can override the VM’s NTP configuration and force the VM to synchronise from the Hyper-V host. For domain-joined VMs (particularly domain controllers), this can create a conflict if the host’s time is not as accurate as the domain hierarchy.

Best practice for Hyper-V VMs:

  • Domain member VMs: Disable the Hyper-V Time Synchronisation integration service on the VM and allow domain NTP to manage time. The VM will sync from a DC via NT5DS.
  • Domain Controller VMs (non-PDC): Disable Hyper-V time sync; allow the VM DC to sync from the PDC emulator via domain hierarchy.
  • PDC Emulator VM: Configure the PDC emulator VM to use an external NTP source AND disable Hyper-V time sync to prevent the hypervisor from overriding the authoritative configuration.

# Disable Hyper-V Time Synchronisation on a specific VM (run on the Hyper-V host)
Disable-VMIntegrationService -VMName "DC01" -Name "Time Synchronization"

# Verify the integration service is disabled
Get-VMIntegrationService -VMName "DC01" | Select-Object Name, Enabled

Conclusion

Correct NTP configuration on Windows Server 2025 is a relatively straightforward task, but the consequences of getting it wrong ripple across authentication, logging, replication, and compliance systems. The key principles are simple: configure the PDC emulator to synchronise from a reliable external source, allow all other domain members to follow the NT5DS domain hierarchy without manual NTP configuration, disable Hyper-V time synchronisation on domain controller VMs, and use w32tm /stripchart and w32tm /query /status as your first diagnostic tools when clocks drift. Enforcing settings through Group Policy ensures that new servers joining the domain inherit the correct time configuration automatically, removing per-server manual work from your operational processes.