
Checking and Synchronizing Domain Controllers' Time Settings

Q: Time is a crucial security control to protect against certain attacks (e.g., replay attacks) in the Kerberos authentication protocol. How can I check my system's current time settings against the time on a domain controller (DC) in the domain? How can I check a DC's time against an external time source? And how can I synchronize the time on a Windows system?

A: To force a computer to synchronize its time with a specific DC, you can run the Net Time command:

net time \\<DC_name_or_IP> /set /y

In this command, you must replace <DC_name_or_IP> with your DC's hostname or IP address.

To check your DC's current time settings against an external time server such as, you can run the following W32tm command:

w32tm /stripchart /computer:<time_server> /dataonly

The output of this command will specify whether the time on your system is ahead (indicated with a + sign) or behind (indicated with a - sign).

To synchronize the DC's current system time with an external time server such as, you can use the W32tm command:

W32tm /resync / /nowait
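
The following is an added example, not part of the original article: a PowerShell function that parses the /dataonly output of w32tm /stripchart and reports whether the largest measured offset stays inside the Kerberos clock-skew tolerance. The function name, the 300-second default (the usual 5-minute Kerberos policy value), the `<time_server>` placeholder and the sample lines are assumptions made for the illustration.

```powershell
# Added example (not from the original article).
# Live use, with <time_server> as a placeholder for your own time source:
#   $lines = w32tm /stripchart /computer:<time_server> /dataonly /samples:3
function Test-ClockSkew {
    param(
        [Parameter(Mandatory)] [string[]] $StripchartLines,
        # Assumption: 300 s matches the default Kerberos policy
        # "Maximum tolerance for computer clock synchronization" (5 minutes).
        [double] $MaxSkewSeconds = 300
    )
    $offsets = @(foreach ($line in $StripchartLines) {
        # Data lines look like "10:00:02, -00.0012345s"; header lines and
        # "error: 0x..." samples do not match and are skipped.
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) {
        throw 'No offset samples parsed; the time source may be unreachable.'
    }
    # Pick the sample with the largest absolute offset, keeping its sign.
    $worst = $offsets | Sort-Object { [math]::Abs($_) } | Select-Object -Last 1
    [pscustomobject]@{
        Samples        = $offsets.Count
        WorstOffsetSec = $worst
        WithinSkew     = [math]::Abs($worst) -lt $MaxSkewSeconds
    }
}

# Constructed sample output (not captured from a real system).
$sample = @(
    'Tracking <time_server> [192.0.2.10:123].',
    'Collecting 3 samples.',
    'The current time is 6/1/2020 10:00:00 AM.',
    '10:00:00, +00.0123456s',
    '10:00:02, error: 0x800705B4',
    '10:00:04, -412.5000000s'
)
Test-ClockSkew -StripchartLines $sample
```

A WithinSkew value of False means the measured offset exceeds the configured tolerance, so Kerberos authentication against the DC can be expected to fail until the clock is corrected.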