How to Configure NTP Time Synchronisation on Windows Server 2012 R2

Accurate, synchronised time is a foundational requirement in Windows Server environments. Active Directory Kerberos authentication has a maximum default clock skew tolerance of five minutes — if any machine’s clock drifts beyond this threshold, domain users and computers cannot authenticate, causing widespread service outages. Beyond Kerberos, accurate timestamps are critical for security audit logs, certificate validity, scheduled tasks, and event correlation during incident response.

Windows Server 2012 R2 uses the Windows Time service (W32Time), managed with the w32tm command-line tool, to synchronise clocks. In a domain environment, the time hierarchy flows from the PDC Emulator, which is the authoritative time source for the entire domain, down through domain controllers to member servers and workstations. This guide explains how to configure the complete time synchronisation chain from the PDC Emulator to clients.

Prerequisites

  • Active Directory domain deployed.
  • Domain Administrator account.
  • UDP port 123 open outbound from the PDC Emulator to internet NTP sources.
  • Knowledge of which DC holds the PDC Emulator FSMO role.

Step 1: Identify the PDC Emulator

# Find the PDC Emulator (the authoritative time source for the domain)
netdom query fsmo | findstr "PDC"

# Or via PowerShell
(Get-ADDomain).PDCEmulator

# Check current time source on any server
w32tm /query /source

# Check current time configuration
w32tm /query /configuration

# Check time sync status
w32tm /query /status

Step 2: Configure the PDC Emulator as an External NTP Client

The PDC Emulator is the only machine in the domain that should synchronise directly with external NTP servers. All other domain members get their time from the domain hierarchy.

# Run these commands on the PDC Emulator

# Configure the PDC Emulator to sync with external NTP pool servers
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES /update

# The flags are a bitmask appended to each peer:
# 0x1 = SpecialInterval (poll at the configured special interval)
# 0x2 = UseAsFallbackOnly
# 0x8 = Client (send requests in client mode)
# /reliable:YES marks this DC as a reliable time source for child DCs

# Restart the Windows Time service to apply
Stop-Service -Name W32Time
Start-Service -Name W32Time

# Force an immediate sync
w32tm /resync /force

# Verify the PDC Emulator is now syncing from external NTP
w32tm /query /source
w32tm /query /status
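
Because the peer flags are a bitmask, a value such as 0x9 combines two of them. The following is an added example, not part of the original guide, that decodes a peer list in the /manualpeerlist format using the flag values from Microsoft's W32Time documentation; the function name Get-NtpPeerFlags and the sample peer list are assumptions made for illustration.

```powershell
# Added example: decode the per-peer flags in a w32tm manual peer list.
# Get-NtpPeerFlags is a hypothetical helper name, not a built-in cmdlet.
function Get-NtpPeerFlags {
    param([Parameter(Mandatory)][string]$PeerList)

    # Flag bits for the W32Time NtpServer value
    $flagBits = @(
        @{ Bit = 0x1; Name = 'SpecialInterval' },
        @{ Bit = 0x2; Name = 'UseAsFallbackOnly' },
        @{ Bit = 0x4; Name = 'SymmetricActive' },
        @{ Bit = 0x8; Name = 'Client' }
    )

    # Peers are separated by spaces; flags follow the host after a comma
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $name, $rawFlags = $entry -split ',', 2
        # A peer written without ",0x.." has no flags set
        $value = if ($rawFlags) { [Convert]::ToInt32($rawFlags, 16) } else { 0 }
        $set = $flagBits | Where-Object { $value -band $_.Bit } |
               ForEach-Object { $_.Name }
        [PSCustomObject]@{
            Peer  = $name
            Raw   = '0x{0:X}' -f $value
            Flags = if ($set) { $set -join ', ' } else { '(none)' }
        }
    }
}

# Constructed sample list (time.example.net is a placeholder host)
Get-NtpPeerFlags '0.pool.ntp.org,0x8 1.pool.ntp.org,0x9 time.example.net,0x2 3.pool.ntp.org'

# On a live server, decode the configured value instead:
# Get-NtpPeerFlags (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').NtpServer
```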

Step 3: Verify Time Synchronisation on Other Domain Controllers

All non-PDC Emulator DCs should automatically sync from the PDC Emulator once it is configured correctly. Verify this is working properly.

# On a non-PDC DC, check where time is coming from (should be the PDC Emulator)
w32tm /query /source

# Should return something like: dc01.corp.example.com (the PDC Emulator)

# Force a sync on the secondary DC
w32tm /resync /force

# Check the detailed peer list
w32tm /query /peers

# Verify time accuracy
w32tm /stripchart /computer:dc01.corp.example.com /samples:5 /dataonly

Step 4: Configure Member Servers and Workstations

Domain-joined member servers and workstations should use the NT5DS (domain hierarchy) sync type, which means they follow the domain hierarchy and ultimately sync from the PDC Emulator. This is the default configuration for domain members — but after rebuilds or cloning issues it sometimes needs to be reset.

# Reset a domain member server to use domain hierarchy sync
w32tm /config /syncfromflags:DOMHIER /update
Stop-Service W32Time
Start-Service W32Time
w32tm /resync /force

# Verify source on member server (should be a domain controller)
w32tm /query /source

# Check current time offset from DC
w32tm /stripchart /computer:dc01.corp.example.com /samples:3 /dataonly

# If the time is badly out of sync (over 5 minutes), manually set it first,
# then let the Windows Time service take over
# (the date below is an example value; substitute the correct current time)
Set-Date -Date "2024-01-15 10:30:00"
w32tm /resync /force

Step 5: Configure NTP on a Workgroup Server (Non-Domain)

Servers not joined to a domain cannot use the domain hierarchy and must be configured to sync directly with NTP servers.

# On a standalone/workgroup server, configure NTP server list
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:MANUAL /update

# Register the W32Time service (if it isn't registered)
w32tm /register

# Set service to automatic start
Set-Service -Name W32Time -StartupType Automatic
Start-Service -Name W32Time

# Resync
w32tm /resync /force

# Check status
w32tm /query /status

Step 6: Validate Time Synchronisation Across the Environment

# Check time on multiple servers at once (PowerShell remoting)
$servers = @("dc01","dc02","srv-app01","srv-db01","srv-file01")

Invoke-Command -ComputerName $servers -ScriptBlock {
    $time = Get-Date
    $source = (w32tm /query /source 2>&1)
    $status = (w32tm /query /status 2>&1)
    [PSCustomObject]@{
        Server      = $env:COMPUTERNAME
        CurrentTime = $time
        # w32tm /query /source prints only the source name, with no "Source:" label
        TimeSource  = ($source | Out-String).Trim()
        LastSync    = ($status | Select-String "Last Successful" | ForEach-Object { $_.Line })
    }
} | Select-Object Server, CurrentTime, TimeSource, LastSync

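# Check time sync event log on the PDC Emulator
# (on Windows Server 2012 R2 the service logs under the Microsoft-Windows-Time-Service source)
Get-EventLog -LogName System -Source "Microsoft-Windows-Time-Service" -Newest 20 |
    Select-Object TimeGenerated, EntryType, Message | Format-List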
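
To turn the stripchart checks used in this guide into a pass/fail result, the following added example (not part of the original guide) parses /stripchart /dataonly output and compares the worst offset with the five-minute Kerberos tolerance. The function name, the one-second warning threshold and the sample output are assumptions constructed for illustration.

```powershell
# Added example: summarise w32tm /stripchart /dataonly output against the
# five-minute Kerberos skew limit. Get-StripchartOffset is a hypothetical name.
function Get-StripchartOffset {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [double]$WarnSeconds = 1.0,      # assumed early-warning threshold
        [double]$KerberosSeconds = 300   # default Kerberos tolerance (5 minutes)
    )
    $offsets = @(foreach ($line in $Lines) {
        # Data lines look like "10:30:02, +00.0119872s"
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    })
    # Failed samples carry "error:" instead of an offset
    $failed = @($Lines | Where-Object { $_ -match ',\s*error' }).Count

    if ($offsets.Count -eq 0) {
        $worst = $null; $state = 'NO DATA'
    } else {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
                  Measure-Object -Maximum).Maximum
        $state = if ($worst -ge $KerberosSeconds) {
            'CRITICAL'
        } elseif ($worst -ge $WarnSeconds) {
            'WARN'
        } else { 'OK' }
    }
    [PSCustomObject]@{
        Samples = $offsets.Count; Failed = $failed
        WorstOffsetSeconds = $worst; State = $state
    }
}

# Constructed sample output (not captured from a real server)
$sample = @'
Tracking dc01.corp.example.com [192.0.2.10:123].
Collecting 5 samples.
The current time is 1/15/2024 10:30:00 AM.
10:30:00, +00.0123456s
10:30:02, +00.0119872s
10:30:04, error: 0x800705B4
10:30:06, -00.0098311s
10:30:08, +02.4121004s
'@ -split '\r?\n'
Get-StripchartOffset -Lines $sample
```

On a live host, pass the command output directly: Get-StripchartOffset -Lines (w32tm /stripchart /computer:dc01.corp.example.com /samples:5 /dataonly).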

Step 7: Troubleshooting Common Time Sync Issues

# Error: "The computer did not resync because the required time change was too big"
# Solution: Manually adjust the time, then resync
w32tm /resync /rediscover /force

# Error: "The service has not been started"
# Solution: Reregister and restart W32Time
w32tm /unregister
w32tm /register
Start-Service W32Time
w32tm /resync /force

# Check if UDP 123 is blocked to external NTP servers
# (Test-NetConnection -Port only tests TCP, so send real NTP queries over UDP instead)
w32tm /stripchart /computer:pool.ntp.org /samples:3 /dataonly

# Diagnose with verbose output
w32tm /debug /enable /file:C:\Temp\w32tm_debug.log /size:10000000 /entries:0-300
# Wait a few minutes, then disable
w32tm /debug /disable
Get-Content "C:\Temp\w32tm_debug.log" -Tail 100

# Check for virtual machine time sync overriding Windows time service
# In Hyper-V Manager, check the VM's Integration Services
# If "Time Synchronization" is enabled on a VM that is a PDC Emulator, DISABLE it
# The Hyper-V host's time sync will override the PDC's external NTP sync

Summary

NTP time synchronisation on Windows Server 2012 R2 follows a strict hierarchy: the PDC Emulator synchronises with external NTP sources and acts as the authoritative time server for the entire domain, all other DCs sync from the PDC Emulator, and all member servers and workstations sync from the domain hierarchy automatically. The most common issues are: the PDC Emulator not configured to use external NTP (it defaults to the BIOS clock or VM host time), virtual machine time integration services overriding the Windows Time Service on PDC Emulators, and firewall rules blocking UDP 123 outbound. Verifying the time synchronisation chain regularly — especially after VM migrations and daylight saving changes — prevents the sudden Kerberos authentication failures that catch many administrators off guard.