Because DSfW relies on Kerberos, the functioning of DSfW and of systems joined to the domain is critically time-dependent. DSfW domain-joined systems automatically synchronize their time to the domain controller that they log in to. Plan the right time source for all the domain controllers across the enterprise, and ensure that all servers in the tree; all domain controllers; and all workstations, servers, and services that join the domain have the same time. We recommend that you build a fault-tolerant time synchronization setup based on NTP that synchronizes from multiple sources that provide the correct time. Domain controllers must have at least two time sources set.
If you are planning to install domain controllers on a hypervisor, ensure that the domain controller and the VM hypervisor host are always synchronized with the same reliable NTP time source or with a parent domain controller that is outside the hypervisor. The VM infrastructure can cause time drift. Avoid using VM tools to synchronize domain controller time.
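
The requirement that each domain controller has at least two time sources can be checked mechanically. The following script is an added example, not part of the DSfW documentation; it assumes the standard `server`/`pool`/`peer` directives used in ntpd and chrony configuration files, and the hostnames in the sample configs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not vendor code): check an ntpd/chrony config for the
# "at least two time sources" rule for domain controllers.

# Print each distinct external time source named in config file $1.
list_time_sources() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        $1 ~ /^(server|pool|peer)$/ && NF >= 2 {
            src = tolower($2)
            # the local clock driver and loopback are not external sources
            if (src ~ /^(127\.127\.1\.|127\.0\.0\.1$|localhost$)/) next
            if (!(src in seen)) { seen[src] = 1; print src }
        }
    ' "$1"
}

# Print the number of distinct external sources in $1.
count_time_sources() {
    list_time_sources "$1" | wc -l | tr -d ' '
}

# Succeed only when $1 names two or more distinct external sources.
has_redundant_time_sources() {
    [ "$(count_time_sources "$1")" -ge 2 ]
}

# --- constructed sample configs (hostnames are placeholders) ---
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
server ntp1.example.com iburst
server ntp2.example.com iburst
server 127.127.1.0            # local clock fallback, not counted
fudge  127.127.1.0 stratum 10
EOF
cat > "$tmp/bad.conf" <<'EOF'
server ntp1.example.com iburst
server NTP1.example.com       # same host again, counted once
#server ntp2.example.com
EOF

for f in "$tmp/good.conf" "$tmp/bad.conf"; do
    if has_redundant_time_sources "$f"; then verdict=OK; else verdict=FAIL; fi
    echo "$(basename "$f"): $(count_time_sources "$f") source(s): $verdict"
done
```

To audit a real server, call `has_redundant_time_sources` with the path of the time service configuration file in use on that domain controller.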