Hi, Wed better refer to the following figure to understand the path of the time synchronization between computers in the domain. According to the figure above, only the computer holds the PDC role can hold the best time source of one forest. As we know, an RODC hosts read only partitions of the AD database, it cant support outbound replication. So an RODC cant hold a FSMO role. For details, please refer to the following articles. How the Windows Time Service Works http://technet.microsoft.com/en-us/library/cc773013(v=WS.10).aspx Windows Server 2008 Domain Controller Options That Are Not Supported on an RODC http://technet.microsoft.com/en-us/library/cc770916.aspx Regards, Andy

Could i set RODC server as a time source in DMZ ? or only way to allow firewall port (123 UTP) between DMZ and internal network ? Pls advice !! My configuration on below: Internal network: DC 1 - DHCP, DNS, DC, Time server DMZ: RODC 1 Application server.

Hello, the domain time source for all amchiines is the DC having the PDCEmulator FSMO NONE else, that machine must be configured to either an external time server(internet) or a Stratum 1 device which provides the time or the itnernal hardware clock. And as the RODC cannot have the FSMO roles it cannot be used as domain time source.Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.