Sync Domain Controller Clock with Internet Time Server

By default, a domain controller uses its BIOS clock as a reference, so every computer on the domain synchronizes to this not-so-reliable time source.

To change that, you can use the Microsoft Fix It 50395 patch or edit the registry directly.

Using Fix It, you just need to give it a reliable NTP server. In the example below, 2 servers are listed, separated by a space; the ",0x1" syntax is mandatory.

time.windows.com,0x1 tock.usno.navy.mil,0x1

In the registry, it should look like:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type = "NTP"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = 5
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer = "time.windows.com,0x1 tock.usno.navy.mil,0x1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval = 900
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection = 3600
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection = 3600

Now stop and restart the Windows Time service using the following commands:

net stop w32time
net start w32time
w32tm /resync /rediscover

You're done!
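
To confirm the settings took effect, the following read-only PowerShell check compares the registry values listed above with what is actually on the domain controller and validates the flag on each NtpServer peer. It is an added example, not part of the original article; it assumes PowerShell is available on the DC and, for the last two commands, that w32tm supports /query (Windows Server 2008 or later).

```powershell
# Added example (read-only): audit the W32Time values from the list above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Expected values, copied from the registry list in this article.
$expected = @(
    @{ Key = 'Parameters';              Name = 'Type';                  Value = 'NTP' }
    @{ Key = 'Config';                  Name = 'AnnounceFlags';         Value = 5 }
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';               Value = 1 }
    @{ Key = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval';   Value = 900 }
    @{ Key = 'Config';                  Name = 'MaxPosPhaseCorrection'; Value = 3600 }
    @{ Key = 'Config';                  Name = 'MaxNegPhaseCorrection'; Value = 3600 }
)

$report = foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path (Join-Path $base $e.Key) -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Setting  = "$($e.Key)\$($e.Name)"
        Expected = $e.Value
        Actual   = $actual
        Ok       = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
    }
}

# NtpServer is a space-delimited peer list; each entry is "host,0xFLAGS".
$params = Get-ItemProperty -Path (Join-Path $base 'Parameters') -Name NtpServer -ErrorAction SilentlyContinue
$peerReport = foreach ($p in ("$($params.NtpServer)" -split '\s+' | Where-Object { $_ })) {
    $peerName, $flags = $p -split ',', 2
    [pscustomobject]@{
        Peer  = $peerName
        Flags = $flags
        # Bit 0x1 is the flag this article requires on every peer.
        Ok    = ($flags -match '^0x[0-9a-f]{1,8}$') -and
                (([Convert]::ToInt32($flags, 16) -band 0x1) -eq 0x1)
    }
}

$report     | Format-Table -AutoSize
$peerReport | Format-Table -AutoSize
$bad = @($report; $peerReport) | Where-Object { $_ -and -not $_.Ok }
if ($bad -or -not $peerReport) {
    Write-Warning 'W32Time configuration differs from the values in this article.'
}

# What the service itself reports (w32tm /query needs Windows Server 2008 or later).
w32tm /query /source
w32tm /query /status
```

After a successful resync, `w32tm /query /source` should name one of the configured NTP servers rather than the local clock.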

You can also make sure the client computers synchronize to the domain time with the following commands:

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
