October 17, 2017

Replacing an Active Directory Forest NTP server

There should be only one authoritative time source in your forest, and by default it is the first Domain Controller you bring up, because that server holds the PDC emulator role.  At some point you will replace that server with newer hardware.  When you do, remember to move the authoritative time source configuration to the new server, or to whichever Domain Controller takes over the role.  The best practice is to keep the NTP server on the PDC emulator (in a multi-domain forest, the PDC emulator of the forest root domain).

The following MS article (KB816042) explains the process -> http://support.microsoft.com/kb/816042

To check which server holds the PDC emulator role, run netdom query fsmo.

Make sure the parameters below are set correctly on the PDC emulator.

  1. Change the server type to NTP
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type (default is NT5DS) should be changed to NTP, so the server stops following the domain hierarchy and uses the manual peer list instead.
  2. Specify the time sources, e.g. time.windows.com,0x1
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer (default is time.windows.com,0x1) should be set to a time source you trust; the default is fine if you have no internal source.  The ,0x1 suffix tells w32time to poll that peer at the SpecialPollInterval.
  3. Set AnnounceFlags to 5
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags (default is 10) should be changed to 5, which marks the server as a reliable time source.
  4. Enable NtpServer
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled (default is 0) should be changed to 1.
  5. Restart the Windows Time service.
    net stop w32time && net start w32time
  6. Run w32tm /resync /rediscover, which should complete successfully.  Afterwards, w32tm /query /source should report your upstream time source rather than "Local CMOS Clock".
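The steps above, collected into one script, as an added example that is not part of the original post or of the Microsoft article.  It applies the settings on the new PDC emulator and, because the old server must stop claiming to be reliable, puts the retired Domain Controller back to the defaults listed above.  It assumes the ActiveDirectory PowerShell module is installed on the DC and uses the post's default upstream source unless you pass another one; run it in an elevated PowerShell on each of the two servers.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Configures the authoritative NTP
# source on the PDC emulator, or resets a retired DC to the defaults.
# Assumption: ActiveDirectory module available; default peer is the post's
# time.windows.com,0x1 (replace with a source you trust).
param(
    [string]$NtpServer = 'time.windows.com,0x1'   # space-separated "host,flags" entries
)

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Is this machine the PDC emulator? Same answer as "netdom query fsmo" for this domain.
$roles = (Get-ADDomainController -Identity $env:COMPUTERNAME).OperationMasterRoles
$isPdc = $roles -contains 'PDCEmulator'

function Set-AuthoritativeTimeSource {
    param([string]$Peer)
    # 1. Type NT5DS -> NTP: stop following the domain hierarchy, use the manual peer list.
    Set-ItemProperty -Path "$w32\Parameters" -Name Type -Value 'NTP'
    # 2. Upstream time source(s).
    Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer -Value $Peer
    # 3. AnnounceFlags 10 -> 5: advertise this DC as a reliable time source.
    Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 5 -Type DWord
    # 4. Serve NTP to the rest of the forest.
    Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
}

function Reset-DomainTimeSource {
    # Put the retired server back to the defaults the post lists, so it follows the
    # hierarchy again and no longer announces itself as reliable.
    Set-ItemProperty -Path "$w32\Parameters" -Name Type -Value 'NT5DS'
    Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer -Value 'time.windows.com,0x1'
    Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 10 -Type DWord
    Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 0 -Type DWord
}

if ($isPdc) {
    Write-Host "$env:COMPUTERNAME holds the PDC emulator role: configuring as authoritative source"
    Set-AuthoritativeTimeSource -Peer $NtpServer
} else {
    Write-Host "$env:COMPUTERNAME is not the PDC emulator: resetting to domain hierarchy defaults"
    Reset-DomainTimeSource
}

# 5. Restart the service, then 6. resync against the (re)discovered source.
Restart-Service w32time
w32tm /resync /rediscover

# Check: the PDC should report the upstream host; any other DC should report a
# domain controller. "Local CMOS Clock" or "Free-running System Clock" means it failed.
w32tm /query /source
# Each value should be tagged "(Local)"; "(Policy)" means Group Policy is overriding
# the registry and the change must be made there instead.
w32tm /query /configuration | Select-String 'Type|AnnounceFlags|NtpServer|Enabled'
```

The registry writes match the post's steps one for one; the supported command-line equivalent for the PDC half is w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update, which sets Type, NtpServer and AnnounceFlags for you.  If the Windows Time Service settings are configured in Group Policy on the Domain Controllers OU, they override whatever you write to the registry, which is why the last command prints the (Local)/(Policy) origin of each value.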

Once again, please remember that only one server in the forest should be marked as a reliable time source.  Make sure only one Domain Controller has its w32time Type set to NTP and AnnounceFlags set to 5, and reset the server you are retiring to the defaults (Type NT5DS, AnnounceFlags 10, NtpServer disabled) so it goes back to syncing from the domain hierarchy.


