Advertising new time server in domain environment
I can see on different forums that people are asking what happens when they transfer PDC Emulator Operation Master role to another Domain Controller. This is really important question as PDC Emulator is responsible for time management in domain environment. When you do not advertise new time server you might notice some time differences between your domain controllers and domain member servers.
This article shows the procedure on Windows Server 2012 R2 how to accomplish that properly but is also suitable for all earlier operating systems.
All the time when you transfer PDC Emulator role to another Domain Controller, you need to change configuration on both servers:
- on previous PDC Emulator role holder
- on the new PDC Emulator role holder
this will advertise new time server in your domain environment and you will prevent future issues because of that. The most often scenario of transferring PDC Emulator FSMO role to another DC is when you are promoting new Domain Controller based on newer operating system i.e:
- promoting new Windows Server 2008/2008R2 DC in Windows Server 2003/2008 DC environment
- promoting new Windows Server 2012/2012R2 DC in Windows Server 2003/2008/2008R2/2012 environment
in this particular case you need to do following things:
Log on directly or over Remote Desktop connection to the new PDC Emulator FSMO role holder and run elevated command prompt
Now, you need to configure external time server source from which you will synchronize time settings. This may be another device in your network (like Cisco ACS server) or any reliable external NTP server. The list of reliable NTP servers you may find on NTP Pool website
In this example I will use external NTP pool server for my region (Poland)
You need to use IP address or DNS name of NTP server during Domain Controller configuration, so if you want to use IP address then the first step is to ping DNS name and write down an IP address of the server
this is the IP address resolved from pl.pool.ntp.org
Important! Before you start reconfiguring servers, please ensure if UDP/123 port is allowed on your router/firewall because NTP is using this particular port to synchronize time settings!
Now, in elevated command-line you need to run this command
w32tm.exe /config /manualpeerlist:22.214.171.124 /syncfromflags:manual /reliable:yes /update
w32tm.exe /config /manualpeerlist:pl.pool.ntp.org /syncfromflags:manual /reliable:yes /update
where /manualpeerlist:IPAddress or /manualpeerlist:DNSServerName is an NTP server to use in your environment
and restart Windows Time service
net stop w32time
net start w32time
Now, your new PDC Emulator FSMO role holder will synchronize time with specified NTP time source.
The last step is to reconfigure the old PDC Emulator Operation Master role holder to not advertise it as time server and pull time information from new PDC Emulator. To do that log on directly or over Remote Desktop connection to the server and type in command prompt (2003)/elevated command prompt (all newer OSes)
w32tm.exe /config /syncfromflags:domhier /reliable:no /update
and you need to also restart Windows Time service to complete whole operation
net stop w32time net start w32time
That’s all! You have reconfigured your environment and advertised new time server in a domain.
Author: Krzysztof Pytko