Why time synchronization is important

In a Microsoft Windows Active Directory domain, Time Synchronization is critical for all servers and workstations to be functioning properly under the hood or it could cause a variety of issues.  It is important that computers time sync stay, by default, within 5 minutes of each other, for Kerberos to be authenticating properly.  

Time Synchronization best practice

It is best to think about time synchronization as a hierarchy in your domain.  Your domain controller with the Primary Domain Controller Emulator (PDCe) FSMO role, should be configured to synchronize with an external time source such as time.windows.com or time.nist.gov.  After this is setup properly, the rest of your domain controllers would then be configured to sync from your PDCe.  Lastly, workstations and other member servers will obtain their time from any of these domain controllers.

Issues that may occur when time is out of sync

  • Kerberos no longer functioning
  • Access issues to shared files
  • Failing to log into the domain
  • Losing domain trust relationship
  • Issues tying out time stamps in log files
  • Issues in virtualization where VMs get time form the hypervisor host rather than the domain

Get more technical information about Time Synchronization from Microsoft here.