Question / Problem
We are currently running a Microsoft Windows Server 2012R2 Active Directory domain with three Domain Controllers and multiple sites. We have approximately 50+ servers and thousands of Windows 10 client desktops and laptops in the network.
Recently, we have noticed some of our client desktops are not synchronizing their time with the Domain Controller, which holds the PDCEmulator (Primary Domain Controller Emulator) role.
These desktops are located at various sites and these issues are occurring across all sites.
To combat this issue, we have set up the Domain Controller to synchronize with the Internet time server pool.ntp.org and it has been verified that the time is indeed in sync without any issue. We can confirm that the Domain Controller is synchronizing with this server without issue.
Are there any specific firewall ports, such as UDP 123, that need to be opened in order to resolve this issue? What other possible causes and solutions can be explored to resolve this issue?
Answer / Solution
Typically, client desktops will synchronize with the nearest DC first. As you have systems in each location encountering this problem, it is possible that there is something in common among the systems experiencing this issue. Make sure your other Domain Controllers are syncing their time to the PDC emulator.
Use GPO to deploy NTP settings to clients:
Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers > Enable the Configure Windows NTP Client policy and set your DC as the NTP Server
Or you can create a bat file to deploy it to clients:
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
Execute the following commands on all client workstations, once only:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync /nowait /rediscover
net stop w32time
net start w32time
You can use GPO > Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) to execute those commands as a batch file in the GPO.
Additional reference: Microsoft Learn > Using Startup, Shutdown, Logon, and Logoff Scripts in Group Policy
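A client-side check to run before and after applying the steps above, as an added example that is not part of the original answer: it reports the active time source, the configured sync type, and whether the DC answers NTP queries on UDP 123. The DC name `dc01.example.local` and the 1-second threshold are placeholders, and English `w32tm` output is assumed.

```powershell
# Added diagnostic example, not part of the original answer. Run on an affected client.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder: use your DC's name
    [double]$MaxOffsetSeconds = 1.0                     # assumed alert threshold
)

$inv = [cultureinfo]::InvariantCulture

# 1. Is the Windows Time service running at all?
$running = (Get-Service -Name w32time).Status -eq 'Running'

# 2. Active source and configured sync type (English w32tm output assumed).
$source = (w32tm /query /source | Out-String).Trim()
$type = $null
if ((w32tm /query /configuration | Out-String) -match '(?m)^\s*Type:\s*(\S+)') { $type = $Matches[1] }
$localClock = $source -match 'Local CMOS Clock|Free-running System Clock'

# 3. Ask the DC for three NTP samples over UDP 123 and collect the absolute offsets.
#    Successful lines look like "12:00:00, +00.0012345s"; failed samples carry "error: 0x...".
$offsets = @(
    w32tm /stripchart /computer:$DomainController /samples:3 /dataonly |
        ForEach-Object {
            if ($_ -match ',\s*([+-]\d+\.\d+)s\s*$') {
                [math]::Abs([double]::Parse($Matches[1], $inv))
            }
        }
)
$worst = if ($offsets.Count) { ($offsets | Measure-Object -Maximum).Maximum } else { $null }

# 4. Reduce the findings to one verdict, most fundamental problem first.
$verdict = if (-not $running) { 'w32time service is not running' }
    elseif ($offsets.Count -eq 0) { 'No NTP reply from DC: check UDP 123 between client and DC' }
    elseif ($type -ne 'NT5DS') { 'Client is not set to sync from the domain hierarchy' }
    elseif ($localClock) { 'Service is falling back to the local clock: resync needed' }
    elseif ($worst -gt $MaxOffsetSeconds) { 'Syncing from domain, but offset exceeds threshold' }
    else { 'OK' }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Source         = $source
    SyncType       = $type
    RepliesFromDC  = $offsets.Count
    WorstOffsetSec = $worst
    Verdict        = $verdict
}
```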