Source: http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr

As you can see, the PDC Emulator of the Forest Root Domain is considered the best time source in an Active Directory forest. Other domain controllers in the Forest Root Domain use it for time synchronization, while domain controllers in child domains use the PDC Emulator or any domain controller from the parent domain. Member servers and workstations use domain controllers in their own domain. This hierarchy provides a reliable time synchronization system that helps avoid Kerberos failures in an Active Directory domain. This is the default configuration in an Active Directory forest and does not need to be changed.

Because the PDC Emulator of the Forest Root Domain is considered the best time source in an Active Directory forest, its time needs to be as accurate as possible. That is why it is highly recommended to configure this server to synchronize its time with at least two (2) reliable external NTP servers.

List of reliable NTP servers: http://www.pool.ntp.org/
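
One way to check the recommendation above, as an added example that is not part of the original article: this PowerShell locates the PDC Emulator of the forest root domain and reports whether it is configured with at least two manual NTP peers. It assumes the ActiveDirectory module and PowerShell remoting to the domain controller; the helper name Get-ManualNtpPeers is made up for this example.

```powershell
# Added example: audit the time source of the forest root PDC Emulator.
# Assumptions: RSAT ActiveDirectory module, WinRM access to the DC, run as a domain admin.
Import-Module ActiveDirectory

function Get-ManualNtpPeers {
    # Hypothetical helper: splits a W32Time NtpServer value such as
    # "a.example,0x8 b.example,0x8" into host names (flag suffix dropped).
    param([string]$NtpServer)
    if ([string]::IsNullOrWhiteSpace($NtpServer)) { return }
    $NtpServer -split '\s+' | Where-Object { $_ } | ForEach-Object { ($_ -split ',')[0] }
}

# The forest root domain's PDC Emulator sits at the top of the time hierarchy.
$rootDomain = (Get-ADForest).RootDomain
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator

$cfg = Invoke-Command -ComputerName $pdc -ScriptBlock {
    # Group Policy writes W32Time settings under the Policies key; it takes
    # precedence over the service's own Parameters key when present.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $p = if (Test-Path $policy) { Get-ItemProperty -Path $policy } else { $null }
    $l = Get-ItemProperty -Path $local
    [pscustomobject]@{
        FromPolicy = [bool]($p -and $p.NtpServer)
        Type       = if ($p -and $p.Type)      { $p.Type }      else { $l.Type }
        NtpServer  = if ($p -and $p.NtpServer) { $p.NtpServer } else { $l.NtpServer }
        Source     = (w32tm /query /source | Out-String).Trim()
    }
}

$peers    = @(Get-ManualNtpPeers $cfg.NtpServer)
$findings = @()
if ($cfg.Type -notin 'NTP', 'AllSync') {
    $findings += "Type is '$($cfg.Type)'; manual NTP peers are only used with NTP or AllSync."
}
if ($peers.Count -lt 2) {
    $findings += "Only $($peers.Count) NTP peer(s) configured; at least two are recommended."
}
# These strings are the English w32tm output for an unsynchronized clock.
if ($cfg.Source -match 'Local CMOS Clock|Free-running System Clock') {
    $findings += "Current source is '$($cfg.Source)': the server is not syncing externally."
}

"PDC Emulator : $pdc"
"Set by GPO   : $($cfg.FromPolicy)"
"NTP peers    : $($peers -join ', ')"
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'OK: external time source looks healthy.' }
```

Running it again after a role transfer confirms that the new PDC Emulator picked up the same external time configuration.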

PDC Emulator downtimes:

A weakness of the default time synchronization hierarchy in Active Directory Domain Services is that the PDC Emulator of the Root Domain is considered a single point of failure. (This is not the case for other PDC Emulators: if one is down, other domain controllers can still be used.) If this domain controller is down or experiencing failures for a long period, the other domain controllers in the Forest Root Domain will start to run out of sync and you may start experiencing time synchronization issues. That is why it is important to keep this domain controller up and running in a healthy state.

In case of a major failure where it is no longer possible to recover the PDC Emulator of the Root Domain, or if you are not able to recover it quickly, you need to proceed as follows:

Configuration of time synchronization in an Active Directory forest:

There are multiple ways to configure time synchronization in an Active Directory forest:

To maintain the default time synchronization setup in an Active Directory forest, I would recommend using group policies. This is because they allow manually made changes to be overwritten by automatic corrections.

Below is how you can proceed for:

The PDC Emulator:

You need to create a Group Policy in which you will enable and configure the following parameters: