Group Policy Based Windows Time Synchronization Issues.

Posted on 2007-10-08
Last Modified: 2012-01-06
I am trying to get a windows domain to all play happily together as far as time synchroniation goes.  It isn't going well.

Here is what I have done so far:

Default Domain Policy --> Administrative Templates --> System --> Windows Time Service --> Time Providers.

Enabled Windows NTP Client and Configured Windows NTP client to use the following settings:

Type: NT5DS
CrossSiteSyncFlags: 2
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0

Seems simple enough.  Synch with the given time provider every 3600 seconds.  Does NOT work.

All PCs on the domain have identical time, including comain controllers.  But they are all almost 10 minutes fast.

Even entering the following command at a command prompt shows an offset of 568+ seconds.
w32tm /monitor /

So, I am checking local PC time against the time server I have configured the network to use, and still get an offset of almost 10 minutes.

So, here is what I want to eventually accomplish:

1) Get Domain Controllers to synch CORRECTLY with an external NTP server (don't care which) through the default Domain Controllers Policy in the group policy editor.
2) Get all client PCs to synch from one of the Domain Controllers through the Default domain policy.  I have a simple single windows domain (vs-us.local) with only 13 clients.  This shouldn't be a big deal.
3) Avoid running manual sntp configuration from a command line on each individual PC.

What am I doing wrong, or better yet, where should I start over.  I have played with nearly every tutorial online to no avail.  I am looking for walkthrough steps from beginning to end at this point.

Thanks so much!
Question by:climberboy
    LVL 6

    Expert Comment

    Have you checked the your firewall is leting udp/123 thru ? Do you see anything in the firewall log ?

    You just need to sync up your DC, the rest will follow as long as you are dealing with W2K and above.

    I hope this helps
    LVL 19

    Expert Comment

    The only DC that needs to sync externally is the PDC emulator; every other machine on your domain will automatically sync with this DC without intervention. Here's the quick process to find pdc emulator:

    You can set the ntp provider on this server with:

    net time /setntp:<ntp server(s)>

    Or 'net time /querysntp' to see the current config

    Author Comment

    OK, I found out my PDC Emulator is dc1.vs-us.local, and used "net time /,0x1" to set the time server to

    I have made no changes on any other PCs in my network.

    Sounds like I should undo what I did in the group policy manager?  Yes or no?

    I'll wait a few hours, check things out, and report back.
    LVL 30

    Expert Comment

    aissim is unfortunately -incorrect-, however, in how to configure the PDCe to hit an authoritative time source - 'net time' is a deprecated method and should no longer be used in XP and 2003.  

    To configure a 2K3 server to obtain its time from an external time source, follow the steps listed in this KB:


    Author Comment

    Using "w32tm /monitor /" shows the following. []:
        ICMP: 59ms delay.
        NTP: -567.7277603s offset from local clock
            RefID: 'CHU2' []

    Leading me to believe that there is no firewall problem whatsoever. is the timeserver my PDC emulator is now set to synch with, according to the /querysntp switch.  However, I am STILL 567 seconds off.  Any ideas?

    Also, running "w32tm /resync" returns the following error:

    Sending resync command to local computer...
    The computer did not resync because no time data was available.

    WTF?  If the server is set to use, and manually querying returns the results of a connection, then why doesn't that command have "no time data" available?

    Any other ideas?
    LVL 6

    Expert Comment


    Yes, firewall seems ok. The entry posted event identify the offset (567.7s).
    At my knowledge, the time should not be set on the PDC emulator but on the Infrastructure Master.

    Can you make sure that that guys is sync'ed. You can find it in AD Usersand Computers, Operations Masters of the domain.

    I hope this helps
    LVL 30

    Accepted Solution

    I was working with someone on EE on what sounds like an identical issue last week, and the fix ended up being this:

    Author Comment

    I went through the instructions located at "" like you suggested.  No luck there, at least not yet, allthough I am still getting errors from w32time when I try to sync manually.  I have no idea why, but the firewall test is fine.  I suppose I need to let it go through the poll interval of 15 minutes before I will know for sure.

    PDC and Operations Master are both dc2.vs-us.local.  That server (and the other domain controller) are BOTH 10 minutes fast, and will not correct themselves for anything.

    I have manually set both domain controllers (including the PDC / Operations Master) to the correct time, within a few seconds anyway.  Last time I did that they went BACK to being 10 minutes fast.  We'll see what happens this time around.
    LVL 30

    Expert Comment

    Please check my most recent comment - have you confirmed whether there are GPO settings in effect that are conflicting with the default time synchronization?
    LVL 70

    Expert Comment

    Sorry - looks like I pushed the admin comment button - THIS WAS AN ERROR - I hold my hands up  - please accept it as a normal comment :-0
    LVL 1

    Expert Comment

    Forced accept.

    Community Support Moderator

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    Suggested Solutions

    Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
    I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now