How to configure Windows 2012R2 NTP Server

By | 12/06/2017

Windows Time is the built-in time synchronization service in the Microsoft Windows Server operating system. Its first release was in Microsoft Windows Server 2000. Today we will show you how to configure the time service on the latest Microsoft Windows Server 2012R2. This instruction shows how to modify registry entries to configure the Microsoft Windows Time Service so that a Windows network can synchronize all machines within a domain network.

Windows Server 2012R2 Configuration

Windows 2012R2 has expanded on the previous time service by providing a true NTP implementation. The time service, installed by default, can synchronize to an NTP server.

All we need to do is run the following PowerShell commands as administrator:

Virtual Server

If the machine is a VM inside Hyper-V, you have to disable time sync. Open VM settings -> Management -> Integration Services and uncheck Time Synchronization.

Troubleshooting

The conventional method people mention is “net time”, but we should use W32tm. Furthermore, editing the registry directly is not recommended by Microsoft, as mentioned in this article: It is recommended that you do not directly edit the registry unless there is no other alternative. But if you really want to check the registry, it’s here: HKLM\System\CurrentControlSet\Services\W32Time. Remember to make a backup before modifying any registry entries, so that the registry can be restored if problems are encountered.

External NTP server

pool.ntp.org is a round-robin of randomly selected NTP servers. As they say, “This is usually good enough for end-users”. But you might want to add several NTP servers yourself for redundancy.

To be (reliable) or not to be (reliable)

Thanks to CSG Systemhaus GmbH for the comments. Microsoft recommends electing a machine in the root domain as a GTIMESERV, and configuring it to synchronize to your external time source. This will allow the PDC (both the old one and the new one) to correctly pick the GTIMESERV as their time source, keeping the domain always on time.

For details, please check https://blogs.msdn.microsoft.com/w32time/2008/05/30/to-be-reliable-or-not-to-be-reliable/

Update firewall

If there is a firewall between the server and the Internet, it might drop udp/123, which is the port NTP uses. Please make sure UDP 123 is allowed through the firewall.

Debug logging

The following commands are quite useful; they list the current source, when it last synced, etc.

Eventually, when the server can’t get time from the NTP server it will add an event to the event log:

Log Name: System
Source: Microsoft-Windows-Time-Service
Event ID: 47
Level: Warning
Description: Time Provider NtpClient: No valid response has been received from manually configured peer pool.ntp.org after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.

Otherwise, when it’s working, you will get:

Log Name: System
Source: Microsoft-Windows-Time-Service
Event ID: 35
Level: Information
Description: The time service is now synchronizing the system time with the time source pool.ntp.org (ntp.m|0x0|0.0.0.0:123->202.112.29.82:123).
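
The configuration, firewall check and verification steps described above can be run as one sequence. This is an added example, not the commands from the original post; the three pool host names and the backup file location are assumptions to replace with your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Windows Server 2012R2 machine that will be the time source.

# Assumption: three pool hosts for redundancy; substitute your own servers.
$peers = '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org'

# Back up the W32Time registry key before changing anything
# (the backup path is illustrative).
$backup = Join-Path $env:TEMP 'W32Time-backup.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time' $backup /y

# Check that UDP 123 gets through the firewall before reconfiguring.
# Three offset samples mean replies arrive; error lines mean they are dropped.
w32tm /stripchart /computer:pool.ntp.org /samples:3 /dataonly

# Use the manual peer list, flag this machine as a reliable time source,
# and have the service pick up the change.
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# Force a sync, then show the current source, last successful sync and peers.
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status
w32tm /query /peers

# Pull the two events discussed above: 35 = synchronizing, 47 = peer unreachable.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Id           = 35, 47
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

A recent Event ID 47 with no later Event ID 35 means the server is still failing to reach its peers, so recheck the UDP 123 path before anything else.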
