Q: Time is a crucial security control to protect against certain attacks (e.g., replay attacks) in the Kerberos authentication protocol. How can I check my system's current time settings against the time on a domain controller (DC) in the domain? How can I check a DC's time against an external time source? And how can I synchronize the time on a Windows system?

A: To force a computer to synchronize its time with a specific DC, you can run the Net Time command:

net time \\ /set /y

In this command, you must replace with your DC's hostname or IP address.

To check your DC's current time settings against an external time server such as time.windows.com, you can run the following W32tm command:

w32tm /stripchart /computer:time.windows.com /dataonly

The output of this command will specify whether the time on your system is ahead (indicated with a + sign) or behind (indicated with a - sign).

To synchronize the DC's current system time with an external time server such as time.windows.com, you can use the W32tm command:

W32tm /resync /computer:time.windows.com /nowait