This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 22%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
I'm experience an issue with Windows Time service on selected domain joined workstations.
All workstations are configured to sync time from Domain controllers - NT5DS
However selected group of devices which physically located in the same network segment showing CMOS clock as main time source.
Unregister W32tm service and re-configure with "w32tm /config /syncfromflags:DOMHIER /update" does not take any affect.
We also do not have any policies for these settings which might interfere.
Looking at W32time service logs I have these alert:
W32TimeHandler called: SERVICE_CONTROL_INTERROGATE
So it looks like device cannot get proper time source peer list from DC.
This was already tested without local Firewall
Does anybody encountered with similar problems ?
Many thanks in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I'd check that the domain controller and problem member both have the static ip address of DC listed for DNS and no others such as router or public DNS, also check that both got the domain network firewall profile.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
I can confirm there are no public DNS servers in use in the environment.
All DCs have static IP addresses for sure.
I also noticed that we have one healthy client (where time service works as expected showing correct time source) which sit in same subnet and configured exactly in the same way as all other clients where time source still stuck to CMOS Clock.
By same configuration I mean NIC configuration, so same subnet , same gateway, same list of DNS servers and IP address assigned from same DHCP pool.
All devices are physical machines.
That fact that we have one healthy client on subnet (out of ~15 where time source in incorrect) point to idea that we are having some local misconfiguration issue.
We running environment of 5k+ devices where time service works as expected so it doesn't look problem related to some general time service misconfiguration on DCs.
I'm currently looking for possibility to open premium support case with MS.
Ok, sounds more like problematic routing and or firewall issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello Aleksandr,
Thank you for posting in Q&A forum.
Based on the description, I understand the issue occurs on some of the workstations.
Please check:
1.If these workstations with the issue are physical machine or virtual machines. If they/some of the problematic workstations are virtual machines, we may need to disable Time Synchronization on Virtual platform.
2.We need to check if port 123 is open. on these problematic workstations. The Windows Time service follows the Network Time Protocol (NTP) specification, which requires the use of UDP port 123 for all time synchronization. Whenever the computer synchronizes its clock or provides time to another computer, it happens over UDP port 123.
3.On one problematic workstation, check the following registry values.
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Key Name: Type
Type: REG_SZ(String Value)
Data: NT5DS
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Key Name: AnnounceFlags
Type: REG_DWORD (DWORD Value )
Data: 0xa
4.Check other AD ports that should open on both DC and workstation.
Active Directory and Active Directory Domain Services Port Requirements
Active Directory Replication over Firewalls
Hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
==========================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello Daisy,
I can confirm required registries are in place.
Configuration itself looks ok on affected machines:
After enabling verbose logging for time service I can see that it looks like client cannot get peer list so it cannot open socket to DC from where it can sync time.
I also tested with disabled local Firewall so ports definitely not a problem here: