- Active Directory Administration Cookbook
- Sander Berkouwer
- 2021-06-24 14:42:21
Getting ready
Before a Windows Server installation can synchronize time, the Network Time Protocol (NTP) should be available. By default, NTP is allowed toward domain controllers through their Windows Firewalls. However, NTP traffic toward the internet might not be available.
When an organization has deployed a reliable time source within the network, for instance a GPS-enabled network time appliance, then the IP address or the hostname of this appliance can be used to configure the domain controller holding the PDCe FSMO role to synchronize time with a reliable source.
In other scenarios, synchronizing time with a reliable source will depend on the availability of a reliable internet-based time source. In this case, my recommendation is to use a list of sources, some denoted as DNS names and others denoted as IPv4 or IPv6 addresses. This way, the domain controller holding the PDCe FSMO role can synchronize time, even in the case of missing DNS resolution.
For a list of available servers, refer to http://support.ntp.org/bin/view/Servers/WebHome.
UDP port 123 should be allowed from the domain controller to the NTP servers on the internet, except in networking infrastructures where dedicated NTP appliances are deployed and the domain controller holding the PDCe FSMO role synchronizes with these hosts instead.
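The following PowerShell session is an added example, not part of the book, showing the configuration the text describes: locate the PDCe, give it a peer list that mixes DNS names and IP addresses, allow outbound UDP 123 to those peers only, and verify that the peers actually answer. The peer names and addresses are placeholders (pool.ntp.org names from the server list referenced above, and 192.0.2.0/24 documentation-range addresses); substitute the servers chosen for your environment. The Active Directory module (RSAT) is assumed to be installed.

```powershell
# Added example (not from the book): configure the PDCe as the forest's reliable time source.
# Run in an elevated PowerShell session on the domain controller holding the PDCe FSMO role.

# 1. Confirm this host really is the PDCe before touching its time configuration.
$pdce = (Get-ADDomain).PDCEmulator
if ($pdce -notlike "$env:COMPUTERNAME.*") {
    throw "This host is $env:COMPUTERNAME but the PDCe is $pdce; run this on the PDCe."
}

# 2. Peer list mixing DNS names and literal addresses, so time still syncs if DNS fails.
#    Placeholder values: replace with the servers selected for your organization.
#    ",0x8" = client mode (send client requests, ignore symmetric-active replies)
#    ",0x1" = use SpecialPollInterval instead of the dynamic poll interval
$peers = @(
    "0.pool.ntp.org,0x8",      # DNS name (from the server list referenced in the text)
    "1.pool.ntp.org,0x8",      # DNS name
    "192.0.2.10,0x8",          # placeholder IPv4 address of a reliable source
    "2001:db8::123,0x8"        # placeholder IPv6 address of a reliable source
) -join ' '

# 3. Point the Windows Time service at the manual peer list and mark this DC reliable
#    so the rest of the domain hierarchy trusts it as the stratum source.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:MANUAL /reliable:YES /update
Restart-Service w32time
w32tm /resync /rediscover

# 4. Allow only outbound UDP 123 from this DC toward the configured peers.
#    Scope the rule to the literal addresses; DNS-named peers resolve to the pool,
#    so for those either resolve them here or use the internal appliance scenario instead.
New-NetFirewallRule -DisplayName "NTP client to external time sources" `
    -Direction Outbound -Protocol UDP -RemotePort 123 `
    -RemoteAddress @("192.0.2.10", "2001:db8::123") -Action Allow | Out-Null

# 5. Verification. Test-NetConnection cannot probe UDP, so use w32tm's own exchange:
#    stripchart sends real NTP requests and prints the offset per sample; a timeout
#    here means UDP 123 is blocked or the peer is not answering.
w32tm /stripchart /computer:192.0.2.10 /samples:3 /dataonly
w32tm /query /source        # should show one of the configured peers, not "Local CMOS Clock"
w32tm /query /status        # check Stratum and "Last Successful Sync Time"
w32tm /query /configuration # confirms NtpServer, Type=NTP and AnnounceFlags
```

If `w32tm /query /source` still reports `Local CMOS Clock` or `Free-running System Clock` after a resync, the service is not reaching any peer; the usual causes are the outbound UDP 123 rule missing on an intermediate firewall or the peer list having been applied to a domain controller that is not the PDCe, which the check in step 1 is meant to catch.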