each windows PDC emulator is the domains time server. If the domains are all in the same forest, you just need to sync the root domains PFC with an atomic external time source. If domains are in separate forests (dmz domain for ex) each PDC emulator needs to be set to look the same set of external atomic clocks. off the top of my head, I use these two in my pool of 5 or so.

Time-a.nist.gov
Time-b.nist.gov

On your PDC run the following:

net time /setsntp time-a.nist.gov time-b.nist.gov

You need to make sure udp port 123 is allowed outbound from PDC.

all other servers, workstations should have windows time service started.

If you run the following query on a box having trouble and see it set to windows.Time.com or maybe time.windows.com you need to reset it to use domain time. Run the same as above with NO time source:

net time /setsntp

an invaluable reskit tool to check domain time is w32tm. Run

W32tm /monitor

Lastly, if running VMWare esx , you need to make sure all host esx servers are setup to sync to the same external tim servers as your windows boxes, using their NTP.conf file. Make sure all vm's are running the latest VM tools and set the tools to sync their time with the esx host. I believe you also stop the windows time service so they do not compete but I'd have to verify. This is true for all VM's but the pdc emulator if running it in a VM. It will not sync with the esx host and should be setup exactly as stated above. Good luck. Let me know.

Good chatting with you