Change Domain Controller time +5 minutes

Tags: active-directory, domain-controller, ntp

I have a medium-sized Windows network of 60 workstations and 10 servers (2 of which are Domain Controllers). One DC holds the FSMO roles including the PDC Emulator. This DC with the PDC role does not sync external time and the time is about 5 minutes behind, causing all the workstations to be behind.

Not sure if I should sync the PDC with an external internet source or just bump the time up manually on this server for now. Right now it's not set to use an external source.

Any suggestions? Is it safe to bump the time up a few minutes manually?

Best Answer

Bumping forward in time is usually safe for most applications, but going backwards is bad.

That said, you should be using NTP on at least the PDC to sync with four (yes 4!) external NTP servers. The reasons are complex, but basically you need to ensure that good time servers can "outvote" bad ones. I would suggest using the public NTP pool, which has Geo DNS set up to give you time servers in your own country. Use 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org.

Assuming Windows 2003 or later, you can run this command on the PDC emulator to synchronize it:

w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL /update 

The hex numbers after each server name tell the Windows Time service to use NTP client mode associations with adaptive poll intervals (which is the right way). You should also consider adding the same to at least one other domain controller, but use "/syncfromflags:ALL" instead so that it talks to the external NTP servers as well as your local domain controllers.

You will need UDP port 123 open outbound on your firewall for any system that talks NTP to the internet. See here for full documentation from MSFT (note you can configure via Group Policy instead of using the command line tools).
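The procedure the accepted answer describes, written up as one PowerShell script (an added example, not code from the original post or the answer): it first measures the offset against a pool server so you know whether the correction will step the clock forward or backward, then applies the answer's w32tm settings with the role-appropriate /syncfromflags value and verifies the result. Assumptions not in the original: the ActiveDirectory module is installed on the DC (used only to identify the PDC emulator), the pool hostnames resolve from the DC, and the `/reliable:YES` switch on the PDC is my addition so the PDC advertises itself as a reliable time source to the other DCs. Run it elevated on each DC you want to configure.

```powershell
# Added example: configure the Windows Time service on a DC as the accepted
# answer describes, after measuring the current offset. Not the answer's own code.
# Assumptions (not from the post): ActiveDirectory module present; pool names resolve.

$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8'

function Get-NtpOffsetSeconds {
    # Sample one pool server a few times without changing anything.
    # w32tm /stripchart /dataonly prints lines like "10:42:01, +312.1234567s";
    # a positive value means the reference clock is AHEAD of this host.
    # If every line is an error, UDP/123 outbound is most likely blocked.
    param([string]$Server = '0.pool.ntp.org', [int]$Samples = 3)
    $lines = w32tm /stripchart /computer:$Server /samples:$Samples /dataonly
    $offsets = $lines | ForEach-Object {
        if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples from $Server (DNS or UDP/123 outbound?)" }
    return ($offsets | Measure-Object -Average).Average
}

function Test-IsPdcEmulator {
    # Get-ADDomain returns the PDC emulator as an FQDN; compare on the host part.
    $pdc = (Get-ADDomain).PDCEmulator
    return $pdc -like "$env:COMPUTERNAME.*"
}

function Set-NtpPeers {
    param([string]$PeerList, [bool]$IsPdc)
    if ($IsPdc) {
        # PDC emulator: external sources only (MANUAL), and advertise as reliable.
        w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:MANUAL /reliable:YES /update
    } else {
        # Other DCs: external sources AND the domain hierarchy (ALL), as the answer says.
        w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:ALL /update
    }
    Restart-Service w32time
    w32tm /resync /rediscover
}

# --- 1. Measure before touching anything -------------------------------------
$offset = Get-NtpOffsetSeconds
Write-Host ("Average offset vs 0.pool.ntp.org: {0:N3} s" -f $offset)
if ($offset -lt 0) {
    # Negative offset: this host is ahead, so syncing steps time BACKWARDS,
    # which is the case the answer warns about (Kerberos tickets, logs, DB timestamps).
    Write-Warning ("Local clock is ahead by {0:N1} s; syncing will step time backwards." -f (-$offset))
} else {
    Write-Host ("Local clock is behind by {0:N1} s; correction is forward (generally safe)." -f $offset)
}

# W32Time refuses a single correction larger than these limits (in seconds) and
# logs an event instead; a 5-minute offset is well inside the normal defaults.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' |
    Select-Object MaxPosPhaseCorrection, MaxNegPhaseCorrection

# --- 2. Apply the answer's configuration -------------------------------------
$isPdc = Test-IsPdcEmulator
Write-Host "This host is PDC emulator: $isPdc"
Set-NtpPeers -PeerList $Peers -IsPdc $isPdc

# --- 3. Verify: source should now be a pool server, with a small offset -------
w32tm /query /status
w32tm /query /peers
```

The offset check is the practical counterpart of the answer's first sentence: the same command fixes both a slow and a fast clock, but only the slow-clock case is a forward step, so it is worth knowing which one you are about to apply. The equivalent settings can also be pushed via Group Policy under Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers, which is preferable when more than one DC needs the same peer list.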