Why Accurate Time Matters on Windows Server 2022
Time synchronisation is not a cosmetic concern on Windows Server — it is a hard operational requirement. Kerberos authentication, the default protocol in Active Directory environments, refuses to authenticate tickets when the time difference between a client and a domain controller exceeds five minutes (the default MaxClockSkew). Certificate validity depends on accurate time. Log correlation across servers becomes impossible when clocks drift. Database transaction ordering, replication conflict resolution, and audit compliance all require that every server in an environment reads the same time.
Windows Server 2022 uses the Windows Time Service (W32Time), a long-standing component that implements the Network Time Protocol (NTP) and, on domain-joined machines, the Microsoft-specific MS-SNTP variant for Active Directory time hierarchy. This guide covers configuring W32Time from scratch, including all the w32tm commands, domain-aware time hierarchy, workgroup settings, and troubleshooting approaches.
Understanding the Active Directory Time Hierarchy
In a domain environment, time flows down a defined hierarchy:
The PDC Emulator FSMO role holder in the forest root domain is the authoritative time source for the entire forest. It should be configured to synchronise from a reliable external NTP source (a stratum 1 or stratum 2 server).
All other domain controllers synchronise from the PDC Emulator.
Domain-joined member servers and workstations synchronise from their nearest domain controller as determined by AD site topology.
This hierarchy means you only need to configure one server — the PDC Emulator — to use an external NTP source, and everything else inherits correct time automatically through the domain hierarchy.
To find which server currently holds the PDC Emulator role, run from any domain-joined machine:
netdom query fsmo
Configuring the PDC Emulator to Use an External NTP Source
Log onto the PDC Emulator domain controller and open an elevated command prompt. Configure it to synchronise from external NTP servers using the w32tm /config command:
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Breaking down the flags:
/manualpeerlist — a space-separated list of NTP server addresses. The 0x8 suffix (SpecialPollInterval flag) tells W32Time to use the configured poll interval rather than burst mode. You can use public pool servers from pool.ntp.org or your ISP/organisation-specific NTP servers.
/syncfromflags:manual — instructs W32Time to sync from the manually specified peer list rather than from domain hierarchy, which is correct for the PDC Emulator.
/reliable:yes — marks this server as a reliable time source for other machines in the domain to trust.
/update — applies the changes to the W32Time service without requiring a restart.
After configuring, restart the Windows Time service and force an immediate synchronisation:
net stop w32time && net start w32time
w32tm /resync /force
Configuring All Other Domain Controllers
Non-PDC domain controllers should synchronise from the domain hierarchy (i.e., from the PDC Emulator), not from external NTP sources. On each non-PDC domain controller:
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time && net start w32time
w32tm /resync /force
The /syncfromflags:domhier flag restores the default AD-hierarchy-based synchronisation. Member servers and workstations do not require any manual configuration — they automatically use domain hierarchy when joined to the domain.
Checking Time Synchronisation Status
Use w32tm /query /status to display the current synchronisation state of a server:
w32tm /query /status
The output shows:
Source — the NTP peer this server is currently synchronising from. On domain members this should be a domain controller’s hostname or IP.
Stratum — the distance from a stratum 1 (atomic clock) source. Stratum 2 means your PDC Emulator is pulling directly from a stratum 1 server. Stratum 3 means a domain member is one hop further.
Last Successful Sync Time — when W32Time last completed a successful sync.
ReferenceId — an encoded identifier of the upstream NTP source.
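The fields listed above can be checked automatically. The following is an added example, not part of the original guide: it parses the text of w32tm /query /status and reports a local-clock source, a source outside an expected list, an out-of-range stratum, or a missing last sync. It assumes English-language field labels; the host names, the ExpectedSources allow-list and the MaxStratum default are hypothetical.

```powershell
# Added example; labels assume English w32tm output. Host names are hypothetical.
function ConvertFrom-W32tmStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Split on the first colon only: time values contain colons of their own.
        $name, $value = $line -split ':\s*', 2
        if ($value) { $status[$name.Trim()] = $value.Trim() }
    }
    return $status
}

function Test-W32tmStatus {
    param([hashtable]$Status, [string[]]$ExpectedSources, [int]$MaxStratum = 4)
    $findings = @()
    # Source may carry peer flags ("host,0x8"); compare the host part only.
    $source = ("$($Status['Source'])" -split ',')[0].Trim()
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "Not following any NTP peer (Source: $source)"
    } elseif ($ExpectedSources -notcontains $source) {
        $findings += "Unexpected time source: '$source'"
    }
    # The stratum number is the first token of the field value.
    $stratum = [int](("$($Status['Stratum'])" -split '\s')[0])
    if ($stratum -lt 1 -or $stratum -gt $MaxStratum) {
        $findings += "Stratum $stratum is outside 1..$MaxStratum"
    }
    if ("$($Status['Last Successful Sync Time'])" -in '', 'unspecified') {
        $findings += 'No successful sync recorded'
    }
    return $findings
}

# Constructed sample output from a server that has fallen back to its local clock.
$sample = @'
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)
'@ -split "`r?`n"

$status = ConvertFrom-W32tmStatus -Lines $sample
Test-W32tmStatus -Status $status -ExpectedSources 'dc01.corp.example', 'dc02.corp.example'
# On a live server, parse real output: ConvertFrom-W32tmStatus -Lines (w32tm /query /status)
```

An empty result means no findings; a member server whose Source is not one of your domain controllers is worth investigating before it is trusted for log correlation.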
To see a detailed list of configured peers and their reachability:
w32tm /query /peers
To display the current time offset from the synchronisation source in real time:
w32tm /stripchart /computer:0.pool.ntp.org /samples:5 /dataonly
This command shows five samples of the time offset (in seconds) between your server and the specified NTP source. Values close to zero indicate good synchronisation.
Configuring NTP for Workgroup Machines
Servers and workstations that are not domain-joined do not participate in the AD time hierarchy. They must be configured to use external NTP sources directly. The process is similar to configuring the PDC Emulator but without the /reliable:yes flag:
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /update
net stop w32time && net start w32time
w32tm /resync /force
For workgroup environments with many machines, consider running a local NTP server (another Windows Server configured as authoritative) to reduce outbound NTP traffic and provide a controlled time source for all internal machines.
Configuring Time via Group Policy
In a domain, the most reliable way to ensure consistent W32Time configuration across all domain controllers is Group Policy. Create or edit a GPO linked to the Domain Controllers OU:
Navigate to: Computer Configuration → Administrative Templates → System → Windows Time Service → Time Providers
Enable the Configure Windows NTP Client policy and set the NTP server list. Enable the Enable Windows NTP Client policy. For the PDC Emulator specifically, you can use Item Level Targeting or a separate GPO linked to a specific OU containing only the PDC Emulator computer account.
Setting the Time Zone
Time zone configuration is separate from NTP synchronisation. W32Time synchronises the system clock to UTC; the time zone setting controls the local offset displayed to users. Set the time zone with PowerShell:
# List all available time zones
Get-TimeZone -ListAvailable
# Set to GMT Standard Time (London)
Set-TimeZone -Name "GMT Standard Time"
# Or for Eastern US
Set-TimeZone -Name "Eastern Standard Time"
# Verify
Get-TimeZone
Alternatively, from the command line:
REM List all time zones
tzutil /l
REM Get the current time zone
tzutil /g
REM Set the time zone to UTC
tzutil /s "UTC"
VMware and Hyper-V Time Synchronisation Considerations
When Windows Server 2022 runs as a virtual machine, the hypervisor itself can provide time synchronisation to the guest. This creates a conflict: both the hypervisor and W32Time may try to adjust the clock simultaneously, causing erratic time behaviour.
Hyper-V — the Hyper-V Integration Services include a Time Synchronization component. For domain controllers (especially the PDC Emulator), Microsoft recommends disabling Hyper-V time synchronisation and relying entirely on NTP. Disable it in Hyper-V Manager → VM Settings → Integration Services → uncheck Time Synchronization. For other domain-joined VMs, Hyper-V time sync is acceptable but NTP via domain hierarchy is preferred.
VMware — VMware Tools also provides time synchronisation. The same principle applies: disable VMware Tools time synchronisation for domain controllers to avoid interference with NTP. In vmx configuration or via VMware Tools settings, set tools.syncTime = "FALSE" and time.synchronize.continue = "FALSE".
Troubleshooting Time Sync Issues
If w32tm /resync returns an error such as "The computer did not resync because no time data was available", start with the following checks:
# Check if W32Time service is running
Get-Service W32Time
# Re-register W32Time (fixes corrupt service registration)
w32tm /unregister
w32tm /register
net start w32time
# Check firewall — NTP uses UDP port 123 outbound
netsh advfirewall firewall show rule name="W32TM"
# Test connectivity to NTP server
w32tm /stripchart /computer:0.pool.ntp.org /dataonly /samples:3
Event Viewer logs related to W32Time are found under Applications and Services Logs → Microsoft → Windows → Time-Service. Error events here often contain the specific NTP error code. Common issues include UDP port 123 blocked by an upstream firewall, incorrect NTP server addresses, or the W32Time service not running. On domain controllers, verify that the PDC Emulator is reachable over UDP 123 and that non-PDC DCs can reach the PDC Emulator over the same port.
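The stripchart test used here and in the status-checking section can be scored rather than read by eye. The following is an added example, not part of the original guide: it extracts the offsets from /dataonly output, counts failed samples, and compares the worst offset with the five-minute Kerberos tolerance. The sample output, the 192.0.2.10 address and the one-second warning threshold are constructed or assumed.

```powershell
# Added example. 300 s is the five-minute Kerberos tolerance cited in this guide;
# the 1 s warning level is an assumption to tune for your environment.
function Measure-StripchartOffset {
    param([string[]]$Lines, [double]$WarnSeconds = 1, [double]$KerberosSkewSeconds = 300)
    $offsets = @()
    $errorCodes = @()
    foreach ($line in $Lines) {
        # Data rows look like "10:20:01, +00.0123456s"; failed samples carry "error: 0x...".
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            $offsets += [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        } elseif ($line -match 'error:\s*(0x[0-9A-Fa-f]+)') {
            $errorCodes += $Matches[1]
        }
    }
    # Worst case matters for Kerberos, so track the largest absolute offset.
    $worst = 0.0
    foreach ($offset in $offsets) { $worst = [math]::Max($worst, [math]::Abs($offset)) }
    if ($offsets.Count -eq 0) {
        $verdict = 'NoTimeData'
    } elseif ($worst -ge $KerberosSkewSeconds) {
        $verdict = 'ExceedsKerberosSkew'
    } elseif ($worst -ge $WarnSeconds) {
        $verdict = 'Drifting'
    } else {
        $verdict = 'InSync'
    }
    [pscustomobject]@{
        Verdict            = $verdict
        WorstOffsetSeconds = $worst
        GoodSamples        = $offsets.Count
        FailedSamples      = $errorCodes.Count
        ErrorCodes         = @($errorCodes | Select-Object -Unique)
    }
}

# Constructed /dataonly output: two good samples and one sample with no reply.
$sample = @'
Tracking 0.pool.ntp.org [192.0.2.10:123].
Collecting 3 samples.
The current time is 3/14/2024 10:20:01 AM.
10:20:01, +00.0123456s
10:20:03, -00.0101010s
10:20:05, error: 0x800705B4
'@ -split "`r?`n"

Measure-StripchartOffset -Lines $sample
# Live use: Measure-StripchartOffset -Lines (w32tm /stripchart /computer:0.pool.ntp.org /dataonly /samples:3)
```

A NoTimeData verdict with only failed samples points at the reachability causes listed above (UDP 123 filtering or a wrong server address) rather than at clock drift.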