In a Windows domain, correct time is essential for services that use Kerberos, so you should consider configuring the time service to synchronize against an external time source.
All Windows clients synchronize against a domain controller. All domain controllers synchronize against the domain’s PDC Operation Master. You should therefore only configure the domain controller hosting the PDC Operation Master role to synchronize against an external time source.
In a virtual environment where the domain controller hosting the PDC role is a virtual machine and the virtual machine host server synchronizes against the PDC, time can really get out of sync.
Locate the domain's PDC Operation Master role by running this command:
netdom query fsmo
Ensure that UDP port 123 (in- and outbound) is open in your firewall, then execute the following commands to configure the Windows Time Service to synchronize against the NTP.org time server pool. The peers in /manualpeerlist must be separated by spaces, not commas.
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
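To check the result of the steps above, the following PowerShell script is an added example (not part of the original page). It assumes an elevated session on the domain controller, English-language netdom and w32tm output, and the same three pool names; the variable names are illustrative.

```powershell
# Added example: verify the external-sync configuration on the PDC emulator.
# Assumptions: elevated PowerShell, English netdom/w32tm output.
$peers = '0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org'
$problems = @()

# 1. This machine should hold the PDC Operation Master role.
$pdc = $null
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^PDC\s+(\S+)') { $pdc = $Matches[1] }
}
if (-not $pdc) {
    $problems += 'Could not find the PDC line in the netdom output.'
} elseif (($pdc -split '\.')[0] -ine $env:COMPUTERNAME) {
    $problems += "PDC role is held by $pdc, not by this machine."
}

# 2. The registry should hold Type=NTP and a space-separated peer list.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$cfg = Get-ItemProperty -Path $key
if ($cfg.Type -ne 'NTP') {
    $problems += "Type is '$($cfg.Type)'; expected 'NTP' for a manual peer list."
}
# Entries may carry a flag suffix such as ",0x8"; strip it before comparing.
# A comma-separated list stays one entry here, so every peer is reported missing.
$configured = @($cfg.NtpServer -split '\s+' | Where-Object { $_ } |
    ForEach-Object { $_ -replace ',0x[0-9a-fA-F]+$', '' })
foreach ($p in $peers) {
    if ($configured -notcontains $p) {
        $problems += "Peer $p is missing from NtpServer ('$($cfg.NtpServer)')."
    }
}

# 3. Each peer should answer on UDP 123; a reply line ends in an offset like +00.0123456s.
foreach ($p in $peers) {
    $samples = w32tm /stripchart "/computer:$p" /samples:3 /dataonly
    if (-not ($samples -match '[+-]\d+\.\d+s')) {
        $problems += "No NTP reply from $p (check UDP 123 in the firewall)."
    }
}

# 4. Report the source the service is using right now.
$source = (w32tm /query /source | Out-String).Trim()
Write-Output "Current time source: $source"
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Time configuration looks consistent.' }
```

Right after the service restarts, the reported source can still be the local clock until the first successful synchronization.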
If your servers are misconfigured and you need to reset them to synchronize against the domain again, run the following commands:
w32tm /config /syncfromflags:DOMHIER /Update
w32tm /resync /nowait /rediscover

w32tm /config /syncfromflags:DOMHIER
sc stop w32time
sc start w32time
External time source: