Time on servers and computers is six minutes behind

check this article please

http://superuser.com/questions/605775/how-to-sync-time-on-a-client-with-the-server-time

all the best

Perhaps this KB will be helpful for you.

http://support.microsoft.com/en-us/kb/555225

Yes, PDC is also 6 minutes behind, I put the command and restarted w32time service but nothing seems to have changed? Still 6 minutes behind..

NTP is port 123.... Is the PDC allowed to access the external time servers on port 123?

I can see some traffic from PDC are blocked by firewall, but sorce port is 55771 not port 123?

For example, 192.168.10.1:55771 -> 192.189.54.17:123 this traffic is being blocked.

Yes... Source port will be random but destination port is 123. So there's your problem - you need to open port 123 on the firewall.

is it safe to open port 123 for any destination IP addresses?

yes, unless you have a security policy that forbids it. I'd restrict it to private ip addresses i.e. 192.168.0.0/16

I would restrict the source address for the rule to the PDC so that the clients don't start setting up their own NTP settings.

So in other words: PDC IP address to Internet 123 (Outbound) allowed

We have a few servers and tens of computers syncing with PDC emulator

How is this configured? Have you manually entered NTP server settings on each workstation (which would not be in keeping with proper process) or are you allowing them to automatically seek a suitable NTP server via the domain hierarchy?

Tigermatt,

No I did not enter NTP server settings on each PC, I prefer them to get the correct time from PDC emulator within the domain hierarchy. What would be the best way for PCs to synchronize time?

The DC will synchronize from  external time source.

http://support.microsoft.com/en-us/kb/816042

The client should sync from DC

https://technet.microsoft.com/en-us/library/cc758905(v=ws.10).aspx

Manually sync w32tm /resync /rediscover check system eventviewer it will record event.