Time Sync for Domains, Take 2

The recommendation for this has changed over the years from Microsoft. Originally the wisdom was to disable the time sync on DCs and let them figure it out, then the idea was to enable time sync partially, and finally enable time sync entirely. These changes have come with the major revision changes, and since we’re now into the 2019 release cycle, it makes sense for it to change again.

This time, it appears that they’ve gone toward the same standard that VMWare has preached, which is setting the hosts as a valid time source and to enable the time sync guest service.

If you’re running your domain controllers on a Hyper-V host, and those hosts are part of a domain, that is as simple as setting a group policy under the Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers in the “Configure Windows NTP Client” settings. Once enabled, set the NtpServer parameter to a known good low stratum time server with the 0x9 flag (e.g. pool.example.org,0x9) to identify that you want to use the special timing interval, as well as this is the primary to sync with. That field is space delimited, so you can add a second server with the 0xa flag to give yourself an active/passive ntp setting. The only other setting that is necessary to change is Type to be “NTP” instead of NTDS5.

If they’re not running on a domain, you can configure these settings with the command line (powershell example below).

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider -Name "Enabled" -Value 0 
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\w32time\Parameters -Name Type -Value "NTP"
w32tm /config /manualpeerlist:"primary.example.org,0x9 backup.example.org,0xa" /syncfromflags:manual /reliable:yes /update
Restart-Service W32Time
w32tm /resync /force
w32tm /query /source

There is another option as well, which is setting up dedicated time servers, which requires 2016+ domain controllers on 2016+ hosts. I’ll go into that in a later post, if I happen to run into a scenario where that’s the best option.