Time Synchronizing Domain Controllers with NTP – HowTo

…to synchronize your DC(s) with a correct timesource and make the DCs authorative to the clients you have to follow these steps:

If you have more than one domain-controller only the PDC-Emulator should sync his time with NTP – all other DCs should sync with NT5DS against PDC-emulator – we can easily filter the PDCe with a WMI query.

Create two WMI filters in Group Policy Console:

DC with PDC emulator -> “Select * from Win32_ComputerSystem where DomainRole = 5”

all other DCs -> “Select * from Win32_ComputerSystem where DomainRole = 4”

Create two Policies (Sync with NTP for DC with PDCe and Sync with NT5DS for non PDCe DCs)

Create a Policy for non PDC-emulator Domain-controllers:

…ignore the default ntpserver entry, because not used if type is NT5DS (domain hierarchy)…

…not necessary to create a policy for workstations/desktops and non-DomainController servers (domain-joined) because they will sync automatically with DC…

Link to Domain Controller OU:

If you running your domain controllers in virtual environments like HV/Azure… – you must disable time-sync againts host on all VMs within the domain (otherwise you play ping-pong – policy set the time, host set it back, policy set time, host set it back,…..).

Change registry:

Windows Registry Editor Version 5.00



Policy Update:

gpupdate /target:computer /force

check registry settings:


force sync:

net stop w32time && net start w32time

w32tm /resync /force

check eventlog Application/time-source: