When configuring time synchronization in Active Directory environments, some Windows clients stubbornly keep the Local CMOS Clock as their time source despite correct GPO and command-line configuration. The resulting drift breaks Kerberos once it exceeds the default maximum clock skew of five minutes, and it also affects other time-sensitive operations such as certificate validation and log correlation.
First, check the current time source on problematic clients:
w32tm /query /status
Sample problematic output:
Source: Local CMOS Clock
For domain-joined machines the hierarchy has to be healthy at the top first: the PDC emulator syncs from external NTP, every other DC and member follows the domain hierarchy. These steps ensure proper DC synchronization:
# Configure the time service on the PDC emulator (0x8 = client mode; use 0x9 if SpecialPollInterval should apply)
w32tm /config /manualpeerlist:"europe.pool.ntp.org,0x8 nist.expertssmi.com,0x8" /syncfromflags:manual /reliable:yes /update
# Force immediate resync
w32tm /resync /rediscover
# On clients (run as admin):
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
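The client steps above are fine one machine at a time, but the clients that "stubbornly" stay on Local CMOS Clock are usually found by auditing the fleet. The following is an added example (not code from the original page): it runs w32tm /query /source on a list of domain members over WinRM, reports which ones are unsynchronized, and optionally applies the same domhier/restart/resync sequence shown above. It assumes WinRM is enabled, you run it as a domain admin, and the computer names you pass are your own.

```powershell
function Get-TimeSourceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $Remediate
    )

    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        param($Fix)

        # Both of these strings mean "not synchronized with any peer".
        $unsynced = 'Local CMOS Clock|Free-running System Clock'

        $source = (& w32tm.exe /query /source 2>&1 | Select-Object -First 1).Trim()
        $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

        $action = 'none'
        if ($Fix -and $source -match $unsynced) {
            # Same recovery sequence as the manual steps: back to the domain
            # hierarchy, restart the service, rediscover a DC, then re-check.
            & w32tm.exe /config /syncfromflags:domhier /update | Out-Null
            Restart-Service -Name w32time
            & w32tm.exe /resync /rediscover | Out-Null
            Start-Sleep -Seconds 5
            $source = (& w32tm.exe /query /source 2>&1 | Select-Object -First 1).Trim()
            $action = 'remediated'
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Type      = $params.Type        # NT5DS is expected on a domain member
            NtpServer = $params.NtpServer
            Source    = $source
            Healthy   = -not ($source -match $unsynced)
            Action    = $action
        }
    } -ArgumentList $Remediate.IsPresent
}

# Usage (hypothetical names): list the broken clients first, then fix them.
# Get-TimeSourceReport -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) |
#     Where-Object { -not $_.Healthy } | Format-Table
# Get-TimeSourceReport -ComputerName 'ws01','ws02' -Remediate
```

Run it without -Remediate first: a client whose Type already reads NT5DS but still shows Local CMOS Clock points at a DC or network problem, not at the client, and re-running the client sequence will not help.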
For particularly stubborn systems, direct registry modification may be required. Note that these values configure manual-NTP mode (Type NTP with an explicit peer list), which is what the PDC emulator or a non-domain machine should use; a domain member should normally stay on NT5DS (see the client registry checks below). The peer list belongs in the NtpServer value under Parameters (SpecialPollTimeRemaining is internal state, not a peer list), and SpecialPollInterval is only honored for peers carrying the 0x1 flag, so use 0x9 (client mode plus special poll interval). Restart the service or run w32tm /config /update afterwards so the new values are read:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /t REG_SZ /d NTP /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer /t REG_SZ /d "europe.pool.ntp.org,0x9 nist.expertssmi.com,0x9" /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 900 /f
Check the System log for W32Time events (29 = no time source reachable, 36 = not synchronized for the stated interval, 37 = receiving valid time data again, 144 = stopped advertising as a time source because the local clock is not synchronized). The IDs must be passed as an array, not as a single string:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'; ID=29,36,37,144} | Format-List TimeCreated, Id, Message
Common error codes from w32tm /resync and what actually addresses them:
# 0x800705B4 (ERROR_TIMEOUT): the peer never answered on UDP 123. TCP stack settings such as timestamps are irrelevant to NTP; confirm the peer answers NTP at all:
w32tm /stripchart /computer:yourDC.domain.com /samples:3 /dataonly
# 0x80072746 (WSAECONNRESET): the peer returned ICMP port unreachable, i.e. nothing is listening on UDP 123. On the time server, make sure the NtpServer provider is enabled (TimeProviders\NtpServer\Enabled = 1) and allow the port inbound:
netsh advfirewall firewall add rule name="NTP" dir=in action=allow protocol=UDP localport=123
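The event-log query and the two error codes above are really one diagnostic: is the peer reachable, and if so, is the offset inside what Kerberos tolerates? The following added example (not code from the original page) wraps both. Test-ClockSkew runs the stripchart against a peer, parses the signed offset that ends every sample line, and compares the average against the 5-minute Kerberos default; Get-W32TimeEvents is the corrected event query. The peer name and the event-ID meanings are as on this page; the 300-second threshold is the Kerberos default and is an assumption if your domain has changed it.

```powershell
function Test-ClockSkew {
    param(
        [Parameter(Mandatory)] [string] $Peer,
        [int] $Samples = 5,
        [int] $MaxSkewSeconds = 300   # Kerberos default MaxClockSkew (5 minutes)
    )

    # Each sample line ends with the signed offset in seconds, e.g.
    # "12:00:01, +00.0012345s" or "12:00:01, d:+00.0001234s o:+00.0012345s".
    $offsets = & w32tm.exe /stripchart /computer:$Peer /samples:$Samples /dataonly 2>&1 |
        ForEach-Object {
            if ($_ -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
        }

    if (-not $offsets) {
        # No samples at all: the peer is unreachable (the 0x800705B4 / 0x80072746 cases).
        return [pscustomobject]@{ Peer = $Peer; Reachable = $false; OffsetSeconds = $null; KerberosOK = $false }
    }

    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Peer          = $Peer
        Reachable     = $true
        OffsetSeconds = [math]::Round($avg, 3)
        KerberosOK    = [math]::Abs($avg) -lt $MaxSkewSeconds
    }
}

function Get-W32TimeEvents {
    param([int] $Hours = 24)
    # IDs must be an array; passing '29, 36, 37, 144' as one string matches nothing.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        ID           = 29, 36, 37, 144
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage:
# Test-ClockSkew -Peer yourDC.domain.com
# Get-W32TimeEvents -Hours 48 | Format-Table -AutoSize
```

A Reachable = $false result means the firewall or NtpServer provider is the problem and no client-side reconfiguration will help; a large offset with Reachable = $true means the client is reaching the DC but not accepting its time, which is where the Type and SpecialPollInterval settings matter.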
For enterprise deployments, the normal setting for domain members is Type = NT5DS so they follow the domain hierarchy and accept only authenticated time from a DC. If a subset of clients refuses to pick up the hierarchy, a GPO that pins them to a specific server is the fallback; include the flags, since SpecialPollInterval is only honored with 0x1 set:
Computer Configuration → Policies → Administrative Templates → System → Windows Time Service:
- Enable Windows NTP Client = Enabled
- Configure Windows NTP Client = Enabled
NtpServer = yourDC.domain.com,0x9
Type = NTP (or NT5DS to return the client to the domain hierarchy)
SpecialPollInterval = 3600 (seconds)
CrossSiteSyncFlags = 2 (All: allow sync partners outside the client's own site; 1 = PDC only, 0 = none)
After changes, verify with these commands:
w32tm /monitor /computers:yourDC.domain.com
w32tm /stripchart /computer:yourDC.domain.com /dataonly /samples:5
In Active Directory environments, time synchronization is crucial for Kerberos authentication and various domain operations. While the domain controller typically syncs with external NTP sources, some clients stubbornly maintain their Local CMOS Clock as the time source despite Group Policy and manual configuration attempts.
First, check the current time source on both DC and client machines:
w32tm /query /status
For domain controller:
w32tm /query /configuration
On the PDC emulator (the top of the domain time hierarchy), ensure proper NTP configuration:
w32tm /config /manualpeerlist:"europe.pool.ntp.org,0x8 nist.expertssmi.com,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32time && net start w32time
w32tm /resync /rediscover
For stubborn clients still using Local CMOS Clock, rebuild the service registration and put the client back on the domain hierarchy (stop the service before /unregister):
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
w32tm /resync /rediscover
Create a GPO with these settings (this pins clients to one DC in manual-NTP mode; it is a workaround for clients that ignore the hierarchy, not the default for domain members, which should be Type NT5DS):
Computer Configuration -> Administrative Templates -> System -> Windows Time Service:
- Enable "Configure Windows NTP Client"
- Set NTP server to your DC with flags (e.g., "domaincontroller.yourdomain.com,0x9"; 0x8 alone is client mode and the poll interval below is then ignored)
- Set Type to "NTP"
- SpecialPollInterval to 900 (15 minutes)
Check time source hierarchy:
w32tm /monitor /computers:domaincontroller.yourdomain.com
Force an immediate sync on the local client (note that /computer: names the machine that should resync, not the peer to sync from, so the form below resyncs the DC itself remotely; run plain w32tm /resync on the client):
w32tm /resync /computer:domaincontroller.yourdomain.com /nowait
Ensure UDP port 123 is open between clients and DCs. Test-NetConnection -Port only performs a TCP connect, so it cannot show whether UDP 123 is reachable; test with an actual NTP exchange instead:
w32tm /stripchart /computer:domaincontroller.yourdomain.com /samples:3 /dataonly
Check these registry keys on clients:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
- Type should be "NT5DS" for domain hierarchy sync; "NTP" means the client has been switched to a manual peer list and ignores the DCs, and Type = NTP with an unreachable NtpServer is a common reason a domain member reports Local CMOS Clock
- NtpServer is ignored in NT5DS mode (the peer comes from the domain hierarchy), so a leftover default such as time.windows.com,0x9 is harmless
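The right registry values depend on the machine's role: NTP with a peer list and reliable announce flags on the PDC emulator, NT5DS everywhere else, and the NtpServer provider enabled on every DC that clients will query. The following added example (not code from the original page) reads the W32Time keys on a local or remote machine, derives the expected settings from Win32_ComputerSystem.DomainRole (1/3 = member workstation/server, 4 = DC, 5 = DC holding the PDC emulator role), and lists mismatches. It assumes WinRM for remote targets; the AnnounceFlags expectation (5 after /reliable:yes, 10 as the automatic default) is the standard Microsoft guidance.

```powershell
function Test-W32TimeConfig {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $check = {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
        $p    = Get-ItemProperty "$base\Parameters"
        $cfg  = Get-ItemProperty "$base\Config"
        $srv  = Get-ItemProperty "$base\TimeProviders\NtpServer"
        $cli  = Get-ItemProperty "$base\TimeProviders\NtpClient"
        $role = (Get-CimInstance Win32_ComputerSystem).DomainRole

        # PDC emulator syncs from a manual peer list; every other domain machine follows the hierarchy.
        $expectedType = if ($role -in 1, 3, 4) { 'NT5DS' } else { 'NTP' }

        $findings = @()
        if ($p.Type -ne $expectedType) {
            $findings += "Type is '$($p.Type)', expected '$expectedType' for DomainRole $role"
        }
        if ($role -eq 5 -and [string]::IsNullOrWhiteSpace($p.NtpServer)) {
            $findings += 'PDC emulator has no NtpServer peer list'
        }
        if ($role -in 4, 5 -and $srv.Enabled -ne 1) {
            $findings += 'NtpServer provider disabled: clients will see 0x80072746 (port unreachable)'
        }
        if ($role -eq 5 -and $cfg.AnnounceFlags -notin 5, 10) {
            $findings += "AnnounceFlags is $($cfg.AnnounceFlags); expected 5 (reliable) or 10 (auto) on the PDC emulator"
        }
        if ($cli.Enabled -ne 1) {
            $findings += 'NtpClient provider disabled: the machine cannot sync from anything'
        }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            DomainRole    = $role
            Type          = $p.Type
            NtpServer     = $p.NtpServer
            AnnounceFlags = $cfg.AnnounceFlags
            Findings      = if ($findings) { $findings } else { 'OK' }
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $check
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check
    }
}

# Usage (hypothetical names):
# Test-W32TimeConfig
# Test-W32TimeConfig -ComputerName domaincontroller.yourdomain.com | Select-Object -ExpandProperty Findings
```

Run it against the PDC emulator first: if that one is misconfigured (wrong Type, empty peer list, NtpServer disabled), every NT5DS client below it will end up on Local CMOS Clock no matter how many times the client-side steps are repeated.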