Q: Time is a crucial security control to protect against certain attacks (e.g., replay attacks) in the Kerberos authentication protocol. How can I check my system’s current time settings against the time on a domain controller (DC) in the domain? How can I check a DC’s time against an external time source? And how can I synchronize the time on a Windows system?
A: To force a computer to synchronize its time with a specific DC, you can run the Net Time command:
net time \\<DC_name_or_IP> /set /y
In this command, you must replace <DC_name_or_IP> with your DC’s hostname or IP address.
To check your DC’s current time settings against an external time server such as time.windows.com, you can run the following W32tm command:
w32tm /stripchart /computer:time.windows.com /dataonly
The output of this command will specify whether the time on your system is ahead (indicated with a + sign) or behind (indicated with a – sign).
To synchronize the DC’s current system time with an external time server such as time.windows.com, you can use the W32tm command:
W32tm /resync /computer:time.windows.com /nowait