In a Windows domain environment, time synchronization always works in a hierarchical manner. The server that holds the PDC Emulator role acts as the NTP server, the other DCs sync time from it, and the domain members sync time from those domain controllers.
At times you have to move the FSMO roles to a different DC, and quite often that server is a VM sitting in Azure.
In most cases the VMs spinning up in the Azure environment must adhere to security policies, and a well-known benchmarking framework is the CIS Benchmark images (Center for Internet Security). These images have the policies defined, vetted and baked into the server image, and the policies are activated once the server is up and running.
So, as mentioned above, if you move the PDC Emulator role to a server built this way, chances are the other servers will stop syncing time and instead refer to the Local CMOS Clock or to the hypervisor’s time. This will potentially break the hierarchy and you will run into various issues.
Tip: Make sure UDP port 123 is open for communication.
How to resolve?
Before transferring the PDC Emulator role to the Azure VM DC, the quickest way to check whether all the DCs are syncing time correctly is to run the command below in an elevated command prompt.
This will analyze all the DCs and return the results. In my case all the DCs were syncing with the current PDC except the Azure VM DC.
dc01.domain.local *** PDC *** [xx.xx.xx.xx]:123
ICMP: 0ms delay
NTP: error ERROR_TIMEOUT – no response from server in 1000ms
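The following PowerShell function is an added example and not part of the original post: it parses the output of `w32tm /monitor` (the tool that produces the ICMP/NTP lines shown above) and flags every DC whose NTP line is an error, so the DC that is not syncing stands out before the role is moved. The sample output embedded in it is constructed, with placeholder host names and addresses, so the function can be exercised without a domain.

```powershell
# Added example (not from the original post): parse "w32tm /monitor" output
# and list the DCs that do not answer NTP.
# Assumptions: run on a domain-joined machine where w32tm is available;
# the $sample block below is constructed for offline testing.

function Get-DcNtpStatus {
    param(
        # Lines of "w32tm /monitor" output. Defaults to running the tool live.
        [string[]]$MonitorOutput = (& w32tm /monitor 2>&1)
    )

    $results = @()
    $current = $null
    foreach ($line in $MonitorOutput) {
        # A host line looks like: dc01.domain.local *** PDC *** [10.0.0.10:123]:
        if ($line -match '^(?<name>\S+)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[(?<addr>[^\]]+)\]') {
            $current = [pscustomobject]@{
                Name    = $Matches['name']
                IsPdc   = [bool]$Matches['pdc']
                Address = $Matches['addr']
                Icmp    = $null
                Ntp     = $null
                Healthy = $false
            }
            $results += $current
            continue
        }
        if ($null -eq $current) { continue }
        if ($line -match '^\s*ICMP:\s*(?<icmp>.+)$') { $current.Icmp = $Matches['icmp']; continue }
        if ($line -match '^\s*NTP:\s*(?<ntp>.+)$') {
            $current.Ntp = $Matches['ntp']
            # A working peer reports "+0.0012345s offset from ..."; a failure reports
            # "error ERROR_TIMEOUT - no response from server in 1000ms".
            $current.Healthy = $current.Ntp -notmatch '^error'
        }
    }
    return $results
}

# Constructed sample (placeholder names and addresses), shaped like the
# snippet in the post: the PDC answers, the Azure DC times out.
$sample = @(
    'dc01.domain.local *** PDC *** [10.0.0.10:123]:'
    '    ICMP: 0ms delay'
    '    NTP: +0.0000000s offset from dc01.domain.local'
    '        RefID: time.example.invalid [198.51.100.5]'
    '        Stratum: 3'
    'azdc01.domain.local[10.1.0.10:123]:'
    '    ICMP: 2ms delay'
    '    NTP: error ERROR_TIMEOUT - no response from server in 1000ms'
)

$status = Get-DcNtpStatus -MonitorOutput $sample
$status | Format-Table Name, IsPdc, Address, Icmp, Ntp, Healthy -AutoSize

# DCs that need attention; an NTP timeout with a good ICMP reply usually means
# UDP/123 is blocked or the NTP server side is disabled on that host.
$status | Where-Object { -not $_.Healthy } |
    ForEach-Object { Write-Warning "$($_.Name) is not answering NTP on UDP/123: $($_.Ntp)" }
```

Call `Get-DcNtpStatus` with no arguments on a domain member to run against the live `w32tm /monitor` output instead of the constructed sample.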
Once you have identified the server that is not syncing, you can move on to checking it.
Go to the server that has the issue and, in an elevated command prompt, run:
W32TM /query /configuration
Ideally, if you don’t have any GPOs set up, you should see the options below marked as (Local).
Once a GPO is applied, these values are overwritten by the policy: Enabled changes to 0 and NtpServer shows (Policy) instead of (Local).
To find out whether the above is the case:
First check your GPOs, especially the Default Domain Policy, to see if any NTP-related policies are set up.
If not, run gpedit.msc on your DC to check the local policies.
Go to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Make sure the options below are set to “Not Configured”:
- Configure Windows NTP Client: Not Configured
- Enable Windows NTP Client: Not Configured
- Enable Windows NTP Server: Not Configured
Important! If you are using a CIS Benchmark image in Azure, these settings will be different and will show as below:
This is because the CIS Benchmark automation script sets these policies to comply with the standard. However, for time synchronization to work properly, the DC needs to be an NTP server.
Change the policy to “Not Configured” and then run the following on the server:
net stop w32time & net start w32time
Once this is done, run the command below to check the status.
Now perform the PDC Emulator transfer to this server; the other DCs will start syncing time from it and everything will be reinstated as expected.
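The script below is an added example, not part of the original post, that automates the check described in the steps above before the role transfer: it reads the W32Time policy registry locations that the three Group Policy settings write to (which is what `w32tm /query /configuration` reports as “(Policy)” rather than “(Local)”), refuses to proceed if “Enable Windows NTP Server” is disabled by policy, and otherwise restarts w32time and prints the status. The status queries (`w32tm /query /status` and `/source`) are my assumption for the unspecified “run below to identify the status” step; the registry paths are the standard locations used by the Windows Time Service administrative templates.

```powershell
# Added example (not from the original post): report which W32Time settings
# on this DC come from policy, and only restart the service when the DC is
# allowed to act as an NTP server.
# Assumptions: run elevated on the DC; policy paths are the standard ones
# written by the "Windows Time Service > Time Providers" GPO settings.

function Get-W32TimePolicyState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    # Map the three GPO settings named in the post to their policy registry value.
    $checks = @(
        @{ Setting = 'Configure Windows NTP Client'; Path = "$base\Parameters";              Name = 'NtpServer' }
        @{ Setting = 'Enable Windows NTP Client';    Path = "$base\TimeProviders\NtpClient"; Name = 'Enabled'   }
        @{ Setting = 'Enable Windows NTP Server';    Path = "$base\TimeProviders\NtpServer"; Name = 'Enabled'   }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            # A present policy value means a GPO or local policy configures this setting.
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Setting     = $c.Setting
            Source      = if ($null -eq $value) { 'Not Configured' } else { 'Policy' }
            PolicyValue = $value
        }
    }
}

function Test-DcCanBeNtpServer {
    # The future PDC Emulator must not have its NTP server disabled by policy,
    # which is exactly what the CIS hardening described in the post does (Enabled = 0).
    $server = Get-W32TimePolicyState | Where-Object Setting -eq 'Enable Windows NTP Server'
    return -not ($server.Source -eq 'Policy' -and $server.PolicyValue -eq 0)
}

Get-W32TimePolicyState | Format-Table -AutoSize

if (-not (Test-DcCanBeNtpServer)) {
    Write-Warning 'NTP server is disabled by policy; set "Enable Windows NTP Server" to Not Configured before moving the PDC Emulator role here.'
} else {
    # Same restart as the net stop/net start in the post, then verify the result.
    Restart-Service -Name w32time
    w32tm /query /configuration | Select-String 'NtpServer|Enabled'
    w32tm /query /status
    w32tm /query /source
}
```

If any row shows Source = Policy, the value is coming from a GPO or from the local policy set by the CIS script, and clearing it in the registry directly is pointless because Group Policy will write it back on the next refresh; change the policy itself (as in the steps above) and re-run the script.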