I have done a lot of research but failed to find a reliable answer to our problem.
The short story is our entire Windows domain is running 35 minutes slow, i.e. servers and workstations. I think this is due to the operations master role being assigned to a Hyper-V VM. We have since moved the role over to a physical server. Unfortunately, I have inherited this from the wonderful ex-support company.
My plan (just an idea!):
Change "Maximum tolerance for computer clock synchronization" from 5 minutes to 60 minutes for the Default Domain GPO and wait a couple of hours for it to push out to the workstations? It replicates every 90 minutes by default, right?
Set an external time source on the DC with the operations master role. This should then update other servers and workstations in turn.
To ensure I am asking a straightforward question here, what is the safest and most efficient way to correct the time drift within the entire network? Obviously, immediately changing the time on the DC will cause major issues with Kerberos authentication.
Upping the tolerance would probably work; however, you would probably want to allow more than 90 minutes. I would wait at least a day.
Here are some additional considerations:
Disable any hardware clock synchronization for domain controllers that are virtuals/guests.
Configure the PDC Emulator role domain controller to synchronize with an external time source.
Configure the registry values using group policy for the following settings to be 48 hours (MaxNegPhaseCorrection, MaxPosPhaseCorrection; decimal: 172800, hex: 0x0002A300).
Configure all other domain controllers, member servers, and workstations to use the domain hierarchy for time synchronization (NT5DS).
If you do not use the PDC Emulator role domain controller for the external time synchronization, it should not be a domain controller with any of the other infrastructure master roles.
Configuring a time source for the forest
http://technet.microsoft.com/en-us/library/cc784800%28v=ws.10%29.aspx
How the Windows Time Service Works
http://technet.microsoft.com/en-en/library/cc773013%28v=ws.10%29.aspx
AD DS: The value of MaxPosPhaseCorrection on this domain controller should be equal to 48 hours
http://technet.microsoft.com/en-us/library/dd723684%28v=ws.10%29.aspx
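The considerations listed in the answer above, as an added PowerShell example that is not part of the original post. Assumptions: the `-Role` parameter is a hypothetical switch for this script, `time.example.org` is a placeholder peer, the registry values are written locally instead of through Group Policy, and virtual DCs are Hyper-V guests.

```powershell
# Added example (not from the original post). Run elevated on each machine.
param(
    # Hypothetical switch for this script: which part of the answer applies here.
    [ValidateSet('PdcEmulator', 'OtherDC', 'Member')]
    [string]$Role = 'Member',
    # Placeholder peer; replace with your approved external NTP source(s).
    [string]$ExternalPeers = 'time.example.org,0x8'
)

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

if ($Role -ne 'Member') {
    # Domain controllers: allow corrections of up to 48 hours
    # (172800 seconds = 0x0002A300), the value given in the answer.
    # Written locally here; the answer sets it through Group Policy.
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        Set-ItemProperty -Path "$w32\Config" -Name $name -Value 172800 -Type DWord
    }

    # Virtual DCs: stop the guest taking time from the Hyper-V host.
    # Assumes a Hyper-V guest; skipped if the provider key is not present.
    $vmic = "$w32\TimeProviders\VMICTimeProvider"
    if (Test-Path $vmic) {
        Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord
    }
}

if ($Role -eq 'PdcEmulator') {
    # PDC emulator: external source, advertised as reliable to the domain.
    $peerArg = "/manualpeerlist:$ExternalPeers"
    w32tm /config $peerArg /syncfromflags:manual /reliable:yes /update
} else {
    # Everything else follows the domain hierarchy (NT5DS).
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service -Name W32Time
w32tm /resync /rediscover

# Check the result: the source should be the external peer on the PDC
# emulator and a domain controller everywhere else.
w32tm /query /source
w32tm /query /status
```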