How to Configure Windows Server 2016 NTP Server

Accurate time synchronization is critical for Active Directory authentication, Kerberos ticket validation, audit log correlation, and certificate validity checks. Windows Server 2016 includes the Windows Time service (service name W32Time, administered with the w32tm.exe command-line tool), which can act as an NTP server for your network. This guide explains how to configure a Windows Server 2016 domain controller as the authoritative time source for your organization.

Understanding the Windows Time Hierarchy

In an Active Directory environment, all domain members synchronize time through a hierarchy: domain clients sync from the domain controller that authenticated them, domain controllers sync from the PDC Emulator of their domain, the PDC Emulator of a child domain syncs from a domain controller in the parent domain, and the PDC Emulator of the forest root domain should sync from an external NTP source. Kerberos rejects tickets and authenticators whose timestamps differ from the server's clock by more than the configured tolerance (5 minutes by default), so clock drift beyond that limit surfaces as authentication failures rather than as an obvious time error.

Step 1: Identify the PDC Emulator

The PDC Emulator FSMO role holder of the forest root domain is the authoritative time source for the forest. Identify it with:

netdom query fsmo

Or using PowerShell:

Get-ADDomain | Select-Object PDCEmulator

Step 2: Configure the PDC Emulator to Sync from External NTP

Log on to the PDC Emulator and configure it to use an external NTP source. The command below uses the public pool.ntp.org project, which hands out volunteer-run servers; that is fine for a lab, but an organization that relies on time for authentication or audit evidence should point at servers it controls or has a contract with (a stratum-1 appliance, a GPS-disciplined clock, or a provider's named hosts), because plain NTP is unauthenticated and the PDC Emulator's upstream source is the trust root for every clock in the forest. The ,0x8 suffix makes w32tm poll in NTP client mode; without a flag it uses symmetric active mode, which many public servers ignore:

w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES /update

Restart the Windows Time service so the new peer list takes effect (the service name is w32time; "Windows Time" is only its display name):

net stop w32time && net start w32time

Or use PowerShell:

Restart-Service W32Time

Step 3: Verify Time Synchronization

Check that the PDC Emulator is successfully syncing from the external source:

w32tm /query /status

To see the NTP peer list and sync status:

w32tm /query /peers

To discard the accumulated error statistics, rediscover the configured sources, and resynchronize immediately:

w32tm /resync /rediscover
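Steps 1 to 3 as one script, added here as an example and not part of the original article. It refuses to run anywhere but the PDC Emulator, applies the peer list with client-mode flags, restarts the service, and then checks that w32tm actually reports one of the configured peers as its source. It assumes the ActiveDirectory PowerShell module is available (it is on a domain controller) and that the hosts in $Peers are placeholders you replace with the servers you have chosen to trust.

```powershell
# Added example (not from the original article): configure and verify the PDC Emulator
# as the forest's time source. Run from an elevated PowerShell session on the PDC.
# $Peers are assumed upstream servers; substitute the ones your organization trusts.
#Requires -RunAsAdministrator
$Peers = @('0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org')

function Get-W32tmField {
    # Return the text after "Name:" in w32tm output, or $null when the field is absent.
    param([string[]]$Lines, [string]$Name)
    $hit = $Lines | Select-String -Pattern "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$" |
           Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

# Refuse to run on any other host: /reliable:YES on a non-PDC controller would
# advertise a second "reliable" time source into the domain.
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ne $me) { throw "$me is not the PDC Emulator ($pdc); run this script there." }

# 0x8 = NTP client mode. Without a flag w32tm polls in symmetric-active mode,
# which many public servers silently ignore.
$peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
w32tm /config /manualpeerlist:"$peerList" /syncfromflags:MANUAL /reliable:YES /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }

Restart-Service -Name W32Time
w32tm /resync /rediscover | Out-Null

# Verify. A healthy PDC names one of the configured peers as Source. "Local CMOS Clock"
# or "Free-running System Clock" as Source means it is not syncing at all.
$status   = w32tm /query /status
$source   = Get-W32tmField -Lines $status -Name 'Source'
$stratum  = Get-W32tmField -Lines $status -Name 'Stratum'
$fromPeer = $Peers | Where-Object { $source -like "$_*" }
if (-not $source -or -not $fromPeer) {
    throw "PDC is not syncing from a configured peer. Source='$source' Stratum='$stratum'. Check DNS and outbound UDP 123."
}
Write-Output "PDC Emulator $me is syncing from $source (Stratum $stratum)"
```

The check on Source is the part most guides omit: w32tm /config returns success as soon as the registry is written, so a typo in a peer name or a blocked UDP 123 only shows up when you read the status back.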

Step 4: Configure Non-PDC Domain Controllers

Other domain controllers should sync from the PDC Emulator, which is the default behavior for any domain-joined machine. Verify their configuration:

w32tm /query /configuration

In the [Configuration] section, the Type value should read NT5DS (domain hierarchy). If a previous administrator hard-coded a manual peer list (Type reads NTP), reset the controller to domain hierarchy sync:

w32tm /config /syncfromflags:DOMHIER /update
net stop w32time && net start w32time

Step 5: Configure Windows Firewall for NTP

NTP uses UDP port 123. When the AD DS role is installed, Windows Firewall already carries a predefined inbound rule for the time service (its display name contains W32Time), so check for it before adding another. If a rule is needed, scope it to the time service and to the Domain profile rather than opening UDP 123 to every process on every network:

Get-NetFirewallRule -DisplayName "*W32Time*" | Select-Object DisplayName, Enabled, Profile
New-NetFirewallRule -DisplayName "Allow NTP Inbound" -Direction Inbound -Protocol UDP -LocalPort 123 -Service w32time -Profile Domain -Action Allow

Step 6: Configure Clients via Group Policy

Group Policy is the supported way to keep time settings in place centrally. Navigate to:

Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers

Enable "Configure Windows NTP Client", set Type to NTP, and set NtpServer to the time source's FQDN with the 0x9 flag (0x8 client mode plus 0x1, which makes the client honor the SpecialPollInterval setting):

dc01.corp.local,0x9

Be careful which machines receive this policy. Domain-joined members already follow the hierarchy (Type NT5DS) and need no policy; forcing them to Type NTP pins them to one named server, so they stop following the hierarchy if that server is demoted or the PDC role is transferred. The usual pattern is to apply a policy of this kind only to the PDC Emulator itself, carrying its external peer list, with a WMI filter of Select * from Win32_ComputerSystem where DomainRole = 5 so the settings follow the role when it moves. Pin ordinary members to a named server only when they are not domain-joined or cannot locate a domain controller.

Alternatively, set the same values directly in the registry with PowerShell on a client (W32Time reads these keys when it starts, so the service is restarted afterwards):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "NtpServer" -Value "dc01.corp.local,0x9"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value "NTP"
Restart-Service W32Time
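Because a member that has been switched to Type NTP silently leaves the hierarchy, it is worth auditing where machines actually get their time from. The script below is an added example, not from the original article: it reads the W32Time Parameters key and the machine's domain role from each target over WinRM and classifies the result. It assumes WinRM is enabled on the targets and that you are a local administrator there; the computer names and $ExpectedPdc are placeholders for your own environment.

```powershell
# Added example (not from the original article): audit how domain members obtain time
# and flag machines that bypass the domain hierarchy or point at an unexpected source.
# Assumes WinRM access to the targets. Names below are placeholders.
$Computers   = @('ws01.corp.local', 'ws02.corp.local', 'dc02.corp.local')
$ExpectedPdc = 'dc01.corp.local'

function Get-TimeSourceFinding {
    # Classify one machine's W32Time configuration against the hierarchy model.
    # Win32_ComputerSystem.DomainRole: 0/2 standalone, 1/3 domain member, 4 backup DC, 5 PDC Emulator.
    param([int]$DomainRole, [string]$Type, [string]$NtpServer, [string]$Pdc)
    if ($DomainRole -eq 5) {
        if ($Type -eq 'NTP') { return 'OK: PDC Emulator uses a manual external peer list' }
        return "REVIEW: PDC Emulator Type is '$Type'; expected NTP with external peers"
    }
    switch ($Type) {
        'NT5DS'  { return 'OK: follows the domain hierarchy' }
        'NoSync' { return 'REVIEW: time synchronization is disabled' }
        'NTP'    {
            # A member pinned to a named server no longer follows the hierarchy. Tolerate
            # only the expected PDC (with an optional ,0xN flag); anything else is suspect.
            $pattern = '^' + [regex]::Escape($Pdc) + '(,0x[0-9A-Fa-f]+)?$'
            if ($NtpServer -match $pattern) { return 'WARN: pinned to the PDC by name; breaks if the role moves' }
            return "REVIEW: manual peer(s) '$NtpServer' are not the expected source"
        }
        default  { return "REVIEW: unexpected Type '$Type'" }
    }
}

# Runs on each target: collect the raw values without interpreting them there.
$collect = {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        DomainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
        Type       = $p.Type
        NtpServer  = $p.NtpServer
    }
}

Invoke-Command -ComputerName $Computers -ScriptBlock $collect -ErrorAction Continue |
    ForEach-Object {
        [pscustomobject]@{
            Computer  = $_.Computer
            Type      = $_.Type
            NtpServer = $_.NtpServer
            Finding   = Get-TimeSourceFinding -DomainRole $_.DomainRole -Type $_.Type `
                                              -NtpServer $_.NtpServer -Pdc $ExpectedPdc
        }
    } | Format-Table -AutoSize -Wrap
```

A member reporting Type NTP with a peer that is neither the PDC nor anything you recognize deserves the same attention as an unexpected DNS server: whoever controls that host controls the machine's clock, and with it Kerberos validity windows and log timestamps.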

Step 7: Check Time Accuracy Across Domain

Run the following from a host whose clock you have already verified (ideally the PDC Emulator itself) to compare every domain controller against that host's clock:

w32tm /monitor /domain:corp.local

The command queries each domain controller over NTP and prints its offset relative to the local clock, the reference it is syncing from, and its stratum. Because the offsets are relative to the machine running the command, interpret them with care: a large offset on one controller whose RefID reads 'LOCL' means that controller has fallen back to its own hardware clock, while a similar offset on every controller means the host running the command is the one that has drifted.

Step 8: Stripchart for Continuous Monitoring

For repeated measurements against a specific server:

w32tm /stripchart /computer:dc01.corp.local /period:5 /samples:10

This prints the offset between the local clock and dc01.corp.local every 5 seconds for 10 samples. A value that swings between samples points at network jitter or an intermittently reachable source rather than steady drift, which appears as a constant or slowly growing offset.
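Checking w32tm /monitor output by eye does not scale past a handful of controllers. The script below is an added example, not from the original article: it parses the blocks that w32tm /monitor prints into objects and rates each controller against warning and Kerberos-tolerance thresholds. The sample output embedded in it is constructed to exercise the cases the parser handles (a healthy PDC, a healthy secondary, a controller that fell back to its local clock, and an unreachable one); the host names and addresses are placeholders. The live invocation is at the end.

```powershell
# Added example (not from the original article): parse "w32tm /monitor" output and flag
# controllers drifting toward the Kerberos tolerance. Sample data below is constructed.

function ConvertFrom-W32tmMonitor {
    # Turn the per-controller text blocks printed by "w32tm /monitor" into objects.
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # Header line: "host[addr:port]:" with an optional " *** PDC ***" marker.
        if ($line -match '^(?<host>\S+)(?:\s+\*\*\* PDC \*\*\*)?\[(?<addr>.+):\d+\]:') {
            if ($current) { $current }
            $hostName = $Matches.host
            $address  = $Matches.addr
            $current  = [pscustomobject]@{
                Computer = $hostName; Address = $address
                IsPdc    = ($line -match '\*\*\* PDC \*\*\*')
                OffsetSeconds = $null; Reference = $null; Stratum = $null; Error = $null
            }
        }
        elseif (-not $current) { continue }
        elseif ($line -match '^\s+NTP:\s+(?<off>[+-]?\d+(?:\.\d+)?)s offset from (?<ref>\S+)') {
            $current.OffsetSeconds = [double]$Matches.off
            $current.Reference     = $Matches.ref
        }
        elseif ($line -match '^\s+NTP:\s+error\s+(?<err>.+?)\s*$') {
            $current.Error = $Matches.err        # no NTP reply; no offset available
        }
        elseif ($line -match '^\s+Stratum:\s+(?<s>\d+)') {
            $current.Stratum = [int]$Matches.s
        }
    }
    if ($current) { $current }
}

function Get-TimeDrift {
    # Rate each controller. Offsets are relative to the machine running the command,
    # so run this from a host you have already verified (normally the PDC Emulator).
    param([Parameter(Mandatory)][string[]]$MonitorOutput,
          [double]$WarnSeconds = 1.0,
          [double]$FailSeconds = 300.0)    # Kerberos MaxClockSkew default: 5 minutes
    ConvertFrom-W32tmMonitor -Lines $MonitorOutput | ForEach-Object {
        $state = if ($_.Error)                                            { 'UNREACHABLE' }
                 elseif ([math]::Abs($_.OffsetSeconds) -ge $FailSeconds) { 'FAIL: beyond Kerberos tolerance' }
                 elseif ([math]::Abs($_.OffsetSeconds) -ge $WarnSeconds) { 'WARN: drifting' }
                 elseif ($_.Stratum -eq 1 -and -not $_.IsPdc)            { 'WARN: claims stratum 1; check RefID for LOCL' }
                 else                                                     { 'OK' }
        $_ | Add-Member -NotePropertyName State -NotePropertyValue $state -PassThru
    }
}

# Constructed sample in the shape "w32tm /monitor" prints; not captured from a real domain.
$sample = @'
dc01.corp.local *** PDC ***[10.0.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.corp.local
        RefID: 'GPS' [0x00535047]
        Stratum: 1
dc02.corp.local[10.0.0.11:123]:
    ICMP: 1ms delay
    NTP: -0.0031250s offset from dc01.corp.local
        RefID: dc01.corp.local [10.0.0.10]
        Stratum: 2
dc03.corp.local[10.0.0.12:123]:
    ICMP: 2ms delay
    NTP: +412.7812500s offset from dc01.corp.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
dc04.corp.local[10.0.0.13:123]:
    ICMP: error IP_REQ_TIMED_OUT - no response from server in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@ -split "`r?`n"

Get-TimeDrift -MonitorOutput $sample |
    Format-Table Computer, IsPdc, OffsetSeconds, Stratum, Reference, State -AutoSize

# Against the real domain, from the PDC Emulator:
# Get-TimeDrift -MonitorOutput (w32tm /monitor /domain:corp.local) | Format-Table -AutoSize
```

In the sample, dc03 is the interesting case: a 412-second offset with RefID 'LOCL' and a self-declared stratum of 1 is a controller that lost its upstream and is serving its own hardware clock as if it were authoritative. Every client that authenticated through it is now outside the Kerberos window relative to the rest of the domain. Scheduling this check from the PDC and alerting on anything other than OK catches that condition before the help-desk tickets do.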

Troubleshooting Common Issues

If w32tm queries fail with "The system cannot find the path specified" (0x80070003), the Windows Time service is not registered. Re-register it, noting that /unregister deletes the entire W32Time configuration, so capture the current settings with w32tm /query /configuration first and reapply the peer list afterwards:

w32tm /unregister
w32tm /register
net start w32time

If the PDC Emulator cannot reach the external NTP server, confirm that the peer names resolve and that UDP 123 is permitted outbound through the host firewall, network firewalls and routers; w32tm /stripchart /computer:0.pool.ntp.org /samples:3 gives a quick reachability test against one peer. Keep in mind that synchronization within the domain hierarchy is authenticated (the NTP packets are signed using the client's computer account), but the PDC Emulator's manual peers are plain, unauthenticated NTP, so anyone able to spoof or intercept that traffic can move every clock in the forest. Organizations that need stronger assurance should use an internal NTP appliance or GPS-based time source on a network segment they control.

Summary

Configuring NTP on Windows Server 2016 ensures consistent, accurate timekeeping across your domain. The key steps are identifying the PDC Emulator, pointing it at a reliable external NTP source, and ensuring all other domain members follow the domain hierarchy for time synchronization. Group Policy, scoped with a WMI filter to the PDC Emulator, keeps the external peer list in place when the role moves, while ordinary members continue to follow the hierarchy without any manual configuration.