How to Configure an Authoritative Time Server on a Windows Domain

Prepared by Ian Matthews Written April 21, 2010, Last Updated April 22, 2010

NOTE: This is MY cookbook for ForeFront 2010 installs and you should use with caution. 
As usual my instructions are provided without warrenty or guarentee of any sort.

Since NT4 I have had troubles setting a Windows Domain to sync with an external time source.  I have blown hours trying get this configured and even worked with Microsoft support a few times.  Microsoft has revised a Knowledge Base article on this topic and I was able to get this to function in about 10 minutes.  I have further simplified the process to about 30 seconds.

OK, lets get to it:

  1: Find your Domain Contoller with the PDC Emulator FSMO role.  If you need help just look:

  2: Download and "run" THIS registry file on the DC which has the PDC FSMO.

  3: Stop and Start the Windows Time Service

Your domain time will complete its first sync almost right away.

The KBase article says that it relates to Windows 2003, 2003 R2, and 2008, but I have successfully run this on R2 of 2008

Note that if you are running a your Domain Contoller with the PDC FSMO inside a Hyper-V Virtual Machine, you NEED to disable the Time Syncing to the Host PC's clock.  If you don't your time can vary wildly and you will be in Hell.  See the screen shot if you don't know how to do this.

In case you did not know, time syncing is a critical part of domain security.  Your PC's sync to the domain in an effort to stop replay attacks (i.e. someone records your network packets at 1pm and replays them back into the LAN, toward your DC, at 4pm).  If your Domain Controller's time is wrong, this will be a major problem as all of your PC's will be wrong, email time stamps will be wrong and you will look like an idiot.  Also, computers which are on your domain but do not sync their clocks with the domain (i.e. Mac's) will not be able to authenicate if their time is more than 15 minutes out.  It can get ugly.