
sbradley
Contributing Writer

How to time-sync Windows systems

How-To
Mar 27, 2019
Security | Small and Medium Business | Windows

Incorrect time on a Windows device or server can prevent security updates or user authentication, and it can interfere with a forensics investigation.

[Image: clock on the processor of a circuit board. Credit: Thinkstock]

The recent U.S. daylight saving time change reminded me of a key element in security and computing: time. Setting computers to the proper time is key to authentication and to keeping systems updated and secure. When you are dealing with forensics, you need to know the exact time to which each device is set to correlate events in a timeline.

In a native Windows environment, it’s important to have the system synchronize your device’s time with either a domain controller set to the proper time or an external time source. Computers use time to determine whether SSL certificates are valid and can be trusted, and to check with the Windows Update servers whether the digital signature on a patch is valid.

If you’ve ever turned on a computer whose CMOS battery no longer keeps it at the proper time, you know the machine won’t get online, load websites properly or install updates. Once you reset the time, the machine suddenly works properly. You will not be able to log into domain-joined machines that rely on Kerberos authentication if the clocks are out of sync by more than five minutes. Keeping time accurate is also mandated for credit card (PCI) transactions, as well as other financial transactions.

How to sync time in Windows environments

I’ve relied on a series of commands to ensure that my primary domain controller keeps in synchronization. The sample below uses pool.ntp.org, a volunteer project that maintains time-keeping servers, but you can also use the nist.gov time servers as your primary time source.

w32tm /config /syncfromflags:manual "/manualpeerlist:0.pool.ntp.org,0x1 1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 3.pool.ntp.org,0x1" /reliable:yes

w32tm /config /update

net stop w32time && net start w32time

w32tm /resync /force

w32tm /query /source

Enter the above in an elevated command prompt on your primary domain controller, then enter the commands below on each other domain controller, also in an elevated command prompt:

w32tm /config /syncfromflags:domhier /reliable:no /update

net stop w32time && net start w32time

w32tm /resync /force

w32tm /query /source

You can set the maximum clock skew in Group Policy, but it’s wise not to let machines drift too far in time from each other. For Server 2019, use PowerShell to perform the synchronization:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL

Stop-Service w32time

Start-Service w32time

[Screenshot: PowerShell command to sync time. Credit: Susan Bradley]
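To verify the result of the steps above on each domain controller or member server, here is an added PowerShell check (not from the article) that measures the local clock offset against a reference host with w32tm /stripchart and flags anything outside the five-minute Kerberos tolerance; the host name DC01 is a placeholder for your PDC emulator or external time source.

```powershell
# Added example, not the article's own commands: measure this machine's clock offset
# against a reference time source and report whether it is within Kerberos tolerance.
function Get-TimeSkew {
    param(
        [Parameter(Mandatory)][string]$Reference,   # e.g. 'DC01' (placeholder) or '0.pool.ntp.org'
        [int]$Samples = 3,                          # number of stripchart samples to average
        [double]$MaxSkewSeconds = 300               # Kerberos default maximum clock skew (5 minutes)
    )

    # /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample; a failed sample
    # prints "hh:mm:ss, error: 0x..." instead, which the regex below simply skips.
    $raw = & w32tm.exe /stripchart /computer:$Reference /samples:$Samples /dataonly 2>&1

    $offsets = foreach ($line in $raw) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }

    if (-not $offsets) {
        # No usable samples: the reference was unreachable or NTP (UDP/123) is blocked.
        return [pscustomobject]@{
            Reference       = $Reference
            OffsetSeconds   = $null
            WithinTolerance = $false
            Source          = (& w32tm.exe /query /source)
            Detail          = ($raw -join ' ')
        }
    }

    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Reference       = $Reference
        OffsetSeconds   = [math]::Round($avg, 3)
        WithinTolerance = ([math]::Abs($avg) -le $MaxSkewSeconds)
        Source          = (& w32tm.exe /query /source)   # what this machine currently syncs from
        Detail          = "$($offsets.Count) of $Samples samples used"
    }
}

# Run in an elevated PowerShell window on each machine; 'DC01' is a placeholder name.
Get-TimeSkew -Reference 'DC01' | Format-List
```

A machine reporting WithinTolerance = False, or a Source other than the domain hierarchy on a non-PDC domain controller, is one to revisit with the w32tm /config steps above.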

If you rely on Azure Stack, time is important there as well. In Azure Stack, use the command Get-AzSTimeSource to determine the time information.

For those with mixtures of Server 2016 and later that participate in domains that include Server 2012 R2 and earlier, pay close attention to disabling the Hyper-V time provider as an option in mixed networks. Server 2016 and later will attempt to sync their time from the most accurate provider rather than from the host they are running on. Because that may not be ideal, you can override that behavior.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
