What is the best practice for time sync between DC and client?
I have an issue with time sync: the client can't sync time correctly. It is always 2 to 4 minutes different. When I run
w32tm /resync /computer:mydc
I get "The computer did not resync because no time data was available". What does that mean? Thanks for any input...
April 27th, 2011 1:36pm

Hello, are you sure that port 123 is not blocked? Does your client computer sync time with your PDC?
Please make sure that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type is set to NT5DS.
Have a look at these Microsoft articles:
http://technet.microsoft.com/en-us/library/bb490845.aspx
http://support.microsoft.com/kb/223184
What I recommend is that your client computers sync time with the PDC and that the PDC syncs time with an external NTP server.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
April 27th, 2011 2:09pm

I am not sure whether port 123 is blocked or not. I tried
telnet myDCname 123
and it failed to connect. I even turned the firewall off. I can't verify whether the client is syncing time with my PDC correctly or not. When I tried to sync manually as follows
w32tm /resync /computer:myPDCname
I got the same error. However,
net time myPDCname /set /y
worked fine and synced the time. I checked the registry and confirmed that it is set to NT5DS. I read those articles and tried a few things, but it doesn't help. Any idea?
April 27th, 2011 2:58pm

To check the port, use PortQry v2. Please check that the PDC is reachable.
April 27th, 2011 3:55pm

PortQry came back with the following result:
Starting portqry.exe -n myDCname -e 123 -p BOTH ...
Querying target system called: myDCname
Attempting to resolve name to IP address...
Name resolved to 10.12.2.6
querying...
TCP port 123 (unknown service): NOT LISTENING
UDP port 123 (ntp service): LISTENING or FILTERED
portqry.exe -n myDCname -e 123 -p BOTH exits with return code 0x00000002.
It seems open on the UDP port... Thanks
April 27th, 2011 4:06pm

> UDP port 123 (ntp service): LISTENING or FILTERED
I cannot confirm that port 123 is open. It would be better to manually check your firewalls/routers and make sure that nothing is blocking the traffic.
April 27th, 2011 4:10pm
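
An application-level check for the ambiguity discussed above, as an added example that is not part of the original thread: telnet only tests TCP, and PortQry's "LISTENING or FILTERED" for UDP 123 does not show whether the DC actually answers NTP, so this Python sketch sends one SNTP client request and decodes the reply. The function names and the host argument are illustrative assumptions.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

def _to_unix(secs, frac):
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    secs = int(t1) + NTP_DELTA
    frac = int((t1 - int(t1)) * 2**32)
    return struct.pack("!B39xII", 0x1B, secs, frac)

def parse_reply(data, t1, t4):
    """Decode a server reply; t1 and t4 are the local send/receive times (Unix seconds)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = data[0], data[1]
    f = struct.unpack("!8I", data[16:48])  # reference, originate, receive, transmit
    t2, t3 = _to_unix(f[4], f[5]), _to_unix(f[6], f[7])
    leap, mode = flags >> 6, flags & 0x7
    return {
        "mode": mode,                       # 4 = server reply
        "stratum": stratum,                 # 0 or 16 = no valid time source
        "leap": leap,                       # 3 = clock not synchronized
        "synchronized": leap != 3 and 1 <= stratum <= 15,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # server clock minus local clock, seconds
        "delay": (t4 - t1) - (t3 - t2),         # network round trip, seconds
    }

def probe(host, timeout=3.0):
    """Send one real NTP request to UDP 123; None means no reply arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        try:
            s.sendto(build_request(t1), (host, 123))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, ICMP port unreachable, or name resolution failure
            return None
        return parse_reply(data, t1, time.time())

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: ntp_probe.py <dc-name>")
```

A `None` result means no NTP reply came back within the timeout; a reply with `synchronized` false means the server answered but does not claim a valid time source.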

> PortQry came back with the following result:
> Starting portqry.exe -n myDCname -e 123 -p BOTH ...
> Querying target system called: myDCname
> Attempting to resolve name to IP address...
> Name resolved to 10.12.2.6
> querying...
> TCP port 123 (unknown service): NOT LISTENING
> UDP port 123 (ntp service): LISTENING or FILTERED
> portqry.exe -n myDCname -e 123 -p BOTH exits with return code 0x00000002.
> It seems open on the UDP port... Thanks
Configuring your DCs as NTP Servers
Go into your Domain Controllers GPO in GPMC.
Nav Path: Computer Configuration \ Policies \ Administrative Templates \ System \ Windows Time Service \ Time Providers \
Enable "Configure NTP Client". Time.Windows.Com defaults should be ok.
Enable "Windows NTP Client"
Enable "Windows NTP Server"
This will make your server a client of time.windows.com and provide server services for your client systems.
Now you need to set up your Client Time Policy
Then you configure a Group Policy object for your client time policy. Configure the policy with "Configure Client Services" and "Windows NTP Client".
Configure: NTPServer to point to your primary to your domain name. If you left round-robin enabled, it should be able to point to all the Domain Servers in your organization for reference...
Alternatively, you can create a same-name A (HOST) record for each Domain Controller. Round robin will use a mild load balance to hit the next server in line. In my example below, I'm using "dctime" as my Round-Robin DNS name. So you would put that in your Client Time policy.
dctime.mydomain.local,0x9
dctime = dc1
dctime = dc2
dctime = dc3
Once completed with that, run repadmin to sync this new policy to all your domain controllers. Leave default permissions and link to the computer OU, not the DC OU.
Try that... see if it meets what you need. The end result is: the client maintains time from the DCs, which maintain time from time.windows.com, which maintains time via time.gov probably.
Steve Kline Microsoft Certified IT Professional: Server Administrator Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7 Microsoft Certified Product Specialist & Network Product Specialist Red Hat Certified System Administrator This posting is "as is" without warranties and confers no rights.
April 27th, 2011 4:49pm

Hello, up to 5 minutes is not a problem in a domain. On the client please run in an elevated command prompt:
w32tm /config /syncfromflags:domhier /update
After that, check the machine's Event Viewer for the w32time event log entries. It should list up to 3 different ones (this can take some minutes), which contain details about errors and also whether the domain DCs are used, which is the default in a domain.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 28th, 2011 4:40am

Steve, I just want to clarify this. Does that mean I need to create two Group Policies? One for the servers that applies to the DCs and one for clients that applies to all the member stations. When you state "Then you configure Group Policy object for your client time policy. Configure the policy with "Configure Client Services" and "Windows NTP Client"", does that mean Configure Windows NTP Client and Windows NTP Client under the same path as this, Computer Configuration \ Policies \ Administrative Templates \ System \ Windows Time Service \ Time Providers \? Thanks for your help.
April 28th, 2011 7:58am

Meinolf, I tried that and it seems it doesn't work. We have a time-sensitive application that requires accurate time. Thanks
April 28th, 2011 8:00am

> Meinolf, I tried that and it seems it doesn't work. We have a time-sensitive application that requires accurate time. Thanks
Hello, Windows time service is NOT made for high accuracy time service, see the link http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx, also mentioned in my article. For high accuracy time use a stratum 1 device.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 28th, 2011 8:29am

> Steve, I just want to clarify this. Does that mean I need to create two Group Policies? One for the servers that applies to the DCs and one for clients that applies to all the member stations. When you state "Then you configure Group Policy object for your client time policy. Configure the policy with "Configure Client Services" and "Windows NTP Client"", does that mean Configure Windows NTP Client and Windows NTP Client under the same path as this, Computer Configuration \ Policies \ Administrative Templates \ System \ Windows Time Service \ Time Providers \? Thanks for your help.
Hello, there is no need to use GPOs to configure the time service; normally the domain time is configured completely automatically. The DC holding the PDCEmulator FSMO role is the time source of the domain and should be configured to use another, non-domain, device or an external time server. All DCs sync with the PDCEmulator and all domain machines use an available DC. If you transfer FSMO roles, the time settings on the old/new PDCEmulator must be reconfigured.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
April 28th, 2011 8:32am

This topic is archived. No further replies will be accepted.
