DJX
Copper Contributor
Feb 16, 2025

Server 2025 domain controller time sync issues when set as reliable

I wish to make a second domain controller, running Server 2025, a reliable time source for clients at that site. The current configuration of this domain controller is to sync from domain hierarchy ("domhier"). If I set the "reliable:yes" flag with "w32tm", the domain controller will no longer sync its time and eventually fall out of sync. As soon as the "reliable:no" flag is set, time is synchronized like normal. Is this a bug or expected behavior?

  • LainRobertson
    Silver Contributor

    Hi DJX,

     

    This is expected behaviour.

     

    Can I ask what you're hoping to achieve by changing the default settings?

     

    Under a default configuration, your PDC FSMO role holder is your domain's authoritative time server, and all domain controllers will synchronise time with this host. It is also marked as "reliable" by default.

     

    Domain-joined clients will - by default - automatically select a domain controller from their Active Directory site as their time source, meaning so long as your sites-and-services topology is appropriately configured, you have no reason to set the local site's domain controller(s) to be "reliable".

     

    If your network is configured such that full mesh routing is precluded (specifically, where any domain controllers cannot communicate with the PDC FSMO role holder), then things begin to get a little more complicated; however, I'm assuming this isn't the case for your environment.

     

    A "normal" configuration for reliable time synchronisation domain-wide (assuming the environment is fully-routable) would simply be:

    • Disable virtualisation time synchronisation if applicable;
    • Configure the PDC FSMO role holder to perform external synchronisation.

     

    Have a read of the following Microsoft documentation to get a grasp on the time synchronisation process for domain controllers and clients:

     

    You can check if a given Windows system (domain controller or client) has been configured to act as a "reliable" time source by running:

    w32tm /query /configuration

     

    If you see the following line then it's configured (perhaps incorrectly) as a reliable time source:

    AnnounceFlags: 5 (Local)

     

    Here's a reference for what AnnounceFlags translates to:

     

    Again, under normal circumstances, you'd only expect to see a value of 5 on the PDC FSMO role holder.

     

    Cheers,

    Lain
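
The check described in the reply above, as an added example that is not part of the original thread: it decodes the AnnounceFlags line from `w32tm /query /configuration` output and marks any host other than the PDC FSMO role holder that is forced to "always reliable". The function name `Test-AnnounceFlags`, the host names and the sample output are constructed for illustration; the bit meanings are the documented values of the W32Time AnnounceFlags setting.

```powershell
# AnnounceFlags is a bitmask; 5 = 0x01 + 0x04, the default 10 = 0x02 + 0x08.
$AnnounceBits = @(
    @{ Mask = 0x01; Name = 'Always time server' }
    @{ Mask = 0x02; Name = 'Automatic time server' }
    @{ Mask = 0x04; Name = 'Always reliable time server' }
    @{ Mask = 0x08; Name = 'Automatic reliable time server' }
)

function Test-AnnounceFlags {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ConfigText,   # text of: w32tm /query /configuration
        [Parameter(Mandatory)][string]$PdcEmulator   # live: (Get-ADDomain).PDCEmulator
    )
    $m = [regex]::Match($ConfigText, '(?m)^\s*AnnounceFlags:\s*(\d+)')
    if (-not $m.Success) { throw "No AnnounceFlags line in output for $ComputerName" }
    $value = [int]$m.Groups[1].Value
    $names = @($AnnounceBits | Where-Object { $value -band $_.Mask } | ForEach-Object { $_.Name })
    if ($names.Count -eq 0) { $names = @('Not a time server') }
    $isPdc = $ComputerName -eq $PdcEmulator
    [pscustomobject]@{
        ComputerName  = $ComputerName
        AnnounceFlags = $value
        Meaning       = $names -join ' + '
        IsPdcEmulator = $isPdc
        # Forced-reliable (0x04) is only expected on the PDC FSMO role holder.
        NeedsReview   = [bool]($value -band 0x04) -and -not $isPdc
    }
}

# Constructed sample output for three domain controllers (not real hosts).
$forced = "[Configuration]`nEventLogFlags: 2 (Local)`nAnnounceFlags: 5 (Local)"
$stock  = "[Configuration]`nEventLogFlags: 2 (Local)`nAnnounceFlags: 10 (Local)"
$pdc    = 'dc01.example.test'

@(
    Test-AnnounceFlags -ComputerName 'dc01.example.test' -ConfigText $forced -PdcEmulator $pdc
    Test-AnnounceFlags -ComputerName 'dc02.example.test' -ConfigText $forced -PdcEmulator $pdc
    Test-AnnounceFlags -ComputerName 'dc03.example.test' -ConfigText $stock  -PdcEmulator $pdc
) | Format-Table -AutoSize
```

With the sample data only dc02 is marked for review: it carries the value 5 but is not the PDC FSMO role holder.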