NTP Server Setup
I have just taken over admin for a network and have noticed that time is running 4 minutes fast. I have checked the group policy settings and it seems that Windows Time Server has been configured in the Default Domain Policy with the following settings:

System/Windows Time Service

Global Configuration Settings: Enabled

  Clock Discipline Parameters
    FrequencyCorrectRate 4
    HoldPeriod 5
    LargePhaseOffset 50000000
    MaxAllowedPhaseOffset 300
    MaxNegPhaseCorrection 172800
    MaxPosPhaseCorrection 172800
    PhaseCorrectRate 1
    PollAdjustFactor 5
    SpikeWatchPeriod 900
    UpdateInterval 100

  General Parameters
    AnnounceFlags 10
    EventLogFlags 2
    LocalClockDispersion 10
    MaxPollInterval 10
    MinPollInterval 6
    ChainEntryTimeout 16
    ChainMaxEntries 128
    ChainMaxHostEntries 4
    ChainDisable 0
    ChainLoggingRate 30

Configure Windows NTP Client: Enabled
    NtpServer time.windows.com,0x9
    Type NT5DS
    CrossSiteSyncFlags 2
    ResolvePeerBackoffMinutes 15
    ResolvePeerBackoffMaxTimes 7
    SpecialPollInterval 3600
    EventLogFlags 0

Enable Windows NTP Client: Enabled

And then our Firewall has been configured to allow anything out to time.windows.com.

Would this setting be better configured on just the Default Domain Controllers Policy and not for every PC on the network and allow the clients to just get their settings through the Domain?

Also I'm not sure if this Policy is working, because if I run the following command on a client:

    w32tm /query /status

it returns that the source is one of our DCs and not time.windows.com. If I then run the same command on that DC I get Source: Free-running System Clock, so I assume that that DC isn't using an external time source either.

If I ping time.windows.com I don't get a reply. Would it be better to use another NTP server such as time.nist.gov?

If I do make these changes, is there anything I should watch out for?

Thanks
September 23rd, 2011 6:14am

It's better that the default settings are not changed. Please make sure that your server is able to resolve the external DNS name; to do that you should enable the DNS forwarders to the external DNS servers, like your ISP's DNS servers.

http://support.microsoft.com/kb/816042
http://richardnwilliams.articlesbase.com/operating-systems-articles/how-to-configure-an-authoritative-time-server-in-windows-server-2008-461336.html

http://www.virmansec.com/blogs/skhairuddin
September 23rd, 2011 6:33am

Hello,

normally there is no need to configure the time with GPO settings. The default mechanism of the domain is sufficient, if configured correctly.

http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

In your case I would remove the time sync with GPO, if you do NOT have some specific requirements that exactly these settings are needed, and start from scratch with the PDCEmulator and then go on with the other DCs to reset them, and then the clients, which can be done with startup scripts. All domain machines MUST have port 123 UDP open so that time sync can work correctly.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 25th, 2011 9:57am

Thanks for the reply. Yes, I was confused when I saw the GPO settings.

If I remove the GPOs (which I don't think are working anyway, as the time server used can't be reached via ping) and then follow the instructions to configure the PDCEmulator to use an external NTP server, will this cause problems, as the domain is ahead of time by about 4 minutes and making this change will move the clock back on this DC? I.e. will I need to do anything on the clients, or will they just look to the DC and change their time accordingly? If I do need to do something on the clients, what would that be?

Also, would my ISP usually provide an NTP server, or would that usually be an extra option that would have to be paid for?

Thanks
September 26th, 2011 6:12am

Hello,

important is the DC having the PDCEmulator FSMO. For others I would create a startup script that resets the domain machines to the default, and on DCs and member servers I would run the command manually if not too many servers are involved.

In my blog there is also a link included where you'll find some time service providers.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 26th, 2011 6:21am

Thanks Meinolf,

So in the script I would need the following commands at an elevated cmd:

    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time

If run on clients at start up, this would then move the time back to the correct value and not affect the user of the PC in any way?

Yes, I have seen the list of time servers, which is great, but is it best to use your ISP for this?

Thanks
September 26th, 2011 7:56am

Hello,

that one will reset the complete time service. I assume that the following should be enough, just check with some machines and run the command manually:

    w32tm /config /syncfromflags:domhier /update

After that you have to run:

    net stop w32time
    net start w32time

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 26th, 2011 8:14am
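
The reset described in the reply above, as an added PowerShell example that is not part of the original thread: it applies the two steps on a domain member or non-PDC domain controller, then checks that the machine has a real time source and that no value is still being applied by Group Policy. The function names and the 15-second wait are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated on a domain member or a
# non-PDC domain controller; do not run it on the PDC emulator.

# Sources reported when the machine is not synchronising with any peer.
$unsynced = 'Free-running System Clock', 'Local CMOS Clock'

function Get-TimeSource {
    # "w32tm /query /source" prints the current source on a single line.
    (& w32tm /query /source | Out-String).Trim()
}

function Get-TimeSetting {
    # "w32tm /query /configuration" tags each value "(Policy)" when a GPO set it
    # and "(Local)" when it comes from the machine's own configuration.
    & w32tm /query /configuration | ForEach-Object {
        if ($_ -match '^\s*(Type|NtpServer):\s*(.*?)\s*\((Policy|Local)\)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2]; Origin = $Matches[3] }
        }
    }
}

Write-Output "Source before: $(Get-TimeSource)"

# The two steps from the reply above: follow the domain hierarchy, restart w32time.
& w32tm /config /syncfromflags:domhier /update | Out-Null
Restart-Service -Name w32time
& w32tm /resync /rediscover | Out-Null
Start-Sleep -Seconds 15   # assumed wait so the service can pick a peer

$settings = @(Get-TimeSetting)
$settings | Format-Table -AutoSize

$source = Get-TimeSource
Write-Output "Source after:  $source"

# A value still tagged (Policy) means a GPO is still applying it.
$policy = @($settings | Where-Object { $_.Origin -eq 'Policy' })
if ($policy.Count -gt 0) {
    $names = ($policy | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Still set by Group Policy: $names"
}
if ($unsynced -contains $source) {
    Write-Warning "No time source in use ($source); check UDP 123 to the domain controllers."
    exit 1
}
```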

I have been testing this on a test server, using the command to set up the NTP server settings:

    w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update

with PEERS changed to my NTP server.

This works great and I get the correct time from the NTP server; however, I have found that when rebooting the server the settings are not held and it reverts back to the CMOS config. To fix it I have to run the above command again and then stop and start the w32time service before it will take the settings.

Any ideas why? I have been testing this on Windows Server 2008 x32; however, it isn't a Domain Controller.

Thanks
September 28th, 2011 10:42am

Hello,

the command "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" is for the DC having the PDCEmulator FSMO and NONE else. Please see my blog for which command to use on which domain machine.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 28th, 2011 1:12pm

OK, so if that command is run on the DC having the PDCEmulator FSMO, it will keep the setting in place if the server is restarted?

I was only testing this on a normal server just to see the results, as I can't recreate a test domain as we don't have the resource.

Thanks
September 29th, 2011 5:44am

This topic is archived. No further replies will be accepted.
