Active Directory provides a time synchronization hierarchy that ensures that time dependent protocols such as Kerberos will work correctly. The PDC emulator in the forest root domain must be configured to synchronize with an authoritative external source – either a hardware clock, government time source, or another NTP server. As a matter of best practice, consider configuring a domain controller that has been identified as an alternate PDC emulator role holder to also synchronize with an external source. This way, if you transfer the PDCe FSMO role, you won’t need to reconfigure the time service on the new domain controller. Figure 2-5 from my book, Active Directory, 5th Edition shows how the time synchronization hierarchy works in a multi-domain forest:


To configure the forest root PDCe role holder to synchronize with the NTP Pool Project’s NTP servers, execute the following commands from an elevated command prompt:

w32tm /config /update /manualpeerlist:",," /syncfromflags:manual /reliable:YES
w32tm /resync /rediscover /nowait