Clock Synchronisation


My Windows 2012 servers' clocks are out of sync by five minutes. I ran the following command from the main DC with Active Directory running on it.

w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update

Once done, restart W32Time service.

But the time is still out of sync.

Can anyone help?



Brian BEE Topic Advisor, Independent Technology Professional Commented:
Did you force the other servers to resynch?

w32tm /resync /computer:<computer> /rediscover

yaminz66 Author Commented:

Yes I ran it with another DC.  I also have two other servers but they are not DC.

yaminz66 Author Commented:

I have now run it for all the servers. It is still out by five minutes. I am tempted to change the clock manually.


Thomas Grassi, Systems Administrator Commented:
We use GPO to set the NTP configuration on all the network computers.

What errors are you seeing in the event logs?

Do you have just one server as the NTP server?

Will Szymkowski, Senior Solution Architect Commented:
When you run the commands above the time does not change automatically. It would skew logins during this time if this was done. What happens is that the clock will speed up (seconds) until it reaches the time of the Domain Controller (PDC).

You also need to make sure that the PDC is set up with an external time source. Also make sure that all of your DCs are set up properly.

You can also set the clients 2 ways: using a GPO to point all clients to the PDC, or do not apply any policies and your clients will point to a DC in their local site, which will act as the time source.

Most people use the GPO method. Personally, I do not like this approach, as it is not necessary to point all clients to your PDC. The NTP hierarchy is as follows...

External Time Source > PDC > Additional DC's > clients

So that being said, all of the DCs get their time source from the PDC, and the clients can then use the DC in the local site to get the time source. This also takes the load off of the PDC having all clients pointing to it for time source.

This also is good when you are working with AD sites in a location where the WAN links are not reliable.

I agree with Will (somewhat) on the GPO usage. As Will has stated and per Microsoft TIDs, by default, all member servers/workstations are configured (when they join the domain) to get their time from the domain hierarchy.
w32tm /config /syncfromflags:domhier /update


An AD DS forest has a predetermined time synchronization hierarchy. The Windows Time service synchronizes time between computers within the hierarchy, with the most accurate reference clocks at the top. If more than one time source is configured on a computer, Windows Time uses NTP algorithms to select the best time source from the configured sources based on the computer’s ability to synchronize with that time source. The Windows Time service does not support network synchronization from broadcast or multicast peers. For more information about these NTP features, see RFC 1305 in the IETF RFC Database.

Every computer that is running the Windows Time service uses the service to maintain the most accurate time. In most cases, it is not necessary to configure the Windows Time service. Computers that are members of a domain act as a time client by default. In addition, the Windows Time service can be configured to request time from a designated reference time source, and can also be configured to provide time to clients.

Since all DC's (save for the first one for a domain) start their life as domain members, the rules above apply to them as well.

The first server promoted to a domain controller is given the FSMO roles (this includes the PDCe role) by default. As such, its time service is configured a tad differently. It is configured to use the CMOS clock as its reliable time source.

In order to keep the Time Service operating smoothly, I will configure GPO to configure the time service on the PDCe only by using a WMI Filter.  In this way, if I ever change the PDCe, then I do not need to worry about configuring the time service.  Nor do I need to worry about changing the time service settings on the previous PDCe.

This prior EE PAQ contains a good discussion on time services - http:/Q_28646908.html.  I should also ask the question, are your DC's VMs?  If so you will want to disable the Time Service Integration for the guest OS.

If the server is virtual, you must run w32tm on the physical machine. All VMs will synchronize the clock with the Host-VM.

On the other hand, using /reliable:yes, the server adjusts the time little by little and will take a long time to be synchronized (because it will advertise as a reliable source).

I would follow the procedure below:

On the DC with the FSMO role, run from cmd:

  w32tm /register /config /manualpeerlist:"external_ntp_server" /syncfromflags:MANUAL

  This will register NTP as a service and will synchronize the domain clock with an external NTP server (, or, etc. You can add more servers between quotes separated by space)

  On the servers which are not DCs, or workstations, from cmd run:

  w32tm [/register] /config /syncfromflags:DOMAINHIER

 For more information check below

 If this does not solve your problem, it means your firewall blocks UDP traffic for NTP requests or NTP responses to/from external time servers (UDP port 123).

  Best regards!

yaminz66 Author Commented:

I am looking at the firewall to see if UDP port 123 is closed.


yaminz66 Author Commented:

Yes it was the firewall blocking UDP port 123. Once that was opened, all the commands worked.

Regarding w32tm /register /config /manualpeerlist:"external_ntp_server" /syncfromflags:MANUAL, to add more than one server, it's without the quotes and separated by commas.
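
The root cause in this thread was UDP port 123 being blocked. As an added example (not code from any poster in the thread), this small SNTP probe in Python separates "no reply on UDP 123" from "reply received, clock offset is N seconds". The host name `timeserver` is the placeholder from the question, and the sample reply is constructed, not captured traffic.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client)."""
    return b"\x1b" + bytes(47)

def parse_response(packet, t1, t4):
    """Return (stratum, offset) where offset = server clock minus local clock.
    t1/t4 are local Unix times when the request left and the reply arrived."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode, stratum = packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("stratum 0: unspecified or kiss-o'-death reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    t2 = rx_s - NTP_EPOCH_OFFSET + rx_f / 2**32  # server receive time
    t3 = tx_s - NTP_EPOCH_OFFSET + tx_f / 2**32  # server transmit time
    return stratum, ((t2 - t1) + (t3 - t4)) / 2

def probe(server, timeout=3.0):
    """Send one request to UDP 123 and describe what came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        try:
            s.sendto(build_request(), (server, 123))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply: UDP 123 filtered, or nothing is serving time there"
        except OSError as exc:
            return "socket error: %s" % exc
        t4 = time.time()
    try:
        stratum, offset = parse_response(data, t1, t4)
    except ValueError as exc:
        return "reply rejected: %s" % exc
    return "stratum %d, server minus local = %+.3f s" % (stratum, offset)

if __name__ == "__main__":
    # Constructed reply (not captured traffic): stratum 2, server 300 s ahead.
    secs = 1000 + 300 + NTP_EPOCH_OFFSET
    sample = b"\x1c\x02" + bytes(30) + struct.pack("!4I", secs, 0, secs, 0)
    print(parse_response(sample, 999.9, 1000.1))
    # probe("timeserver")  # hypothetical host name; needs network access
```

Running `probe()` from the PDC against the external source, and from a member server against a DC, shows at which hop the NTP traffic stops.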