Q: Time is a crucial security control to protect against certain attacks (e.g., replay attacks) in the Kerberos authentication protocol. How can I check my system’s current time settings against the time on a domain controller (DC) in the domain? How can I check a DC’s time against an external time source? And how can I synchronize the time on a Windows system?

A: To force a computer to synchronize its time with a specific DC, you can run the Net Time command:

In this command, you must replace <DC_name_or_IP> with your DC’s hostname or IP address.

To check your DC’s current time settings against an external time server such as time.windows.com, you can run the following W32tm command:

The output of this command will specify whether the time on your system is ahead (indicated with a + sign) or behind (indicated with a – sign).

To synchronize the DC’s current system time with an external time server such as time.windows.com, you can use the W32tm command: