Windows Clients not Picking Up NTP Time from PDC

Anonymous
2024-09-13T22:00:07+00:00

I have a single Windows domain with a single domain controller hosting DHCP and DNS. The DHCP scope is configured with NTP pointed at the DC. The NTP Server on the DC was configured to pick up time from us.pool.ntp.org leaving the time on the DC incorrect. However, I updated the NTP source to be us.pool.ntp.org,0x8 and now the DC has the correct time.

The problem I'm facing is that the clients are not picking up the correct time even though DHCP is telling them to point to the DC for NTP. I went a step further to try to correct this by configuring group policy for both the Domain Controller Policy and the Default Domain Policy. I made the following NTP-related GP changes. If not otherwise stated, settings are default.

GP SERVER SIDE

Domain Controller Policy

Global Configuration Settings

MaxAllowedPhaseOffset = 60 (1 minute off)

Enable NTP Server = Enabled

GP CLIENT SIDE

Default Domain Policy

Global Configuration Settings

MaxAllowedPhaseOffset = 60 (1 minute off)

Configure Windows NTP Client

Enabled = Selected

NtpServer = DC IP,0x8

Type = NTP

Enable NTP Client = Enabled

A "gpupdate /force", reboots and even a day of waiting have not allowed the clients to come in line with the DC's 3-minute time difference (DC is ahead of clients). Network communication works great. I can access all resources. Other group policies are applying fine. I'd appreciate any input/education on what I'm doing wrong here. Thank you!

This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.

4 answers

  1. Anonymous
    2024-09-18T10:22:35+00:00

    Hello Nathon Dalton1,

    Thank you for posting in Microsoft Community forum.

    Below is how you can proceed for:

    The PDC Emulator:

    You need to create a Group Policy in which you will enable and configure the following parameters:

    • Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client should be enabled

    • Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client should be enabled with “NTP” as Type and the NTP server(s) to use set as NtpServer (You can add multiple NTP servers by separating them with a white space)

    Other domain controllers, member servers and Workstation:

    You need to create a Group Policy in which you will enable and configure the following parameters:

    • Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client should be enabled with “NT5DS” as Type

    NT5DS is domain hierarchy-based time synchronization.

    For more information, please read link below.

    Time Synchronization in Active Directory Forests | Microsoft Learn

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-09-21T13:54:31+00:00

    Thank you for the detailed reply. I have applied these settings. The NTP client settings are applied in the Default Domain Policy as I want those to apply to all devices (e.g. IoT). I created an NT5DS policy for the Workstations OU that will cover the Windows computers. The Default Domain Controller Policy is configured as the NTP Server. However, even after forcing a gpupdate on my Windows 11 computer inside the Workstations OU, it remains "Leap Indicator 3(not synchronized)" and "Source: Free-running System Clock". I also can't run a "w32tm /query /configuration" or I get an access denied despite being a domain admin, local admin and running it in an administrative command prompt.

  3. Anonymous
    2024-09-21T17:36:45+00:00

    I had to follow up. I needed to reboot. No amount of forcing GP to update, restarting or reregistering services was going to make time correct under Windows 11. After I rebooted everything immediately sync'd up and I'm good now. The only problem that remains is when I run the following commands I receive access denied errors.

    w32tm /query /configuration

    w32tm /query /source

  4. Anonymous
    2024-09-23T07:51:02+00:00

    Hello

    Good day!

    Thank you for your update.

    You can try to open CMD by selecting run as Administrator and then run the two commands.

    Best Regards,

    Daisy Zhou

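A read-only check for a domain member, covering the symptoms reported in the second and third replies ("Leap Indicator 3(not synchronized)", "Source: Free-running System Clock") and the NT5DS type recommended in the first reply. This is an added example, not code from the thread: the function names are hypothetical, the sample status text is constructed, and it assumes English `w32tm` output and the standard W32Time policy and service registry keys.

```powershell
function Get-W32TimeType {
    # Group Policy values land under the Policies key and take precedence
    # over the service's own Parameters key, so check that one first.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters',
            'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.Type) {
            return [pscustomobject]@{ Key = $key; Type = $p.Type; NtpServer = $p.NtpServer }
        }
    }
}

function ConvertFrom-W32tmStatus {
    param([string[]]$Lines)
    # Collect "Name: value" pairs from `w32tm /query /status` output.
    $f = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $f[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $leap = $f['Leap Indicator']; $src = $f['Source']
    [pscustomobject]@{
        LeapIndicator = $leap
        Source        = $src
        # A missing Leap Indicator line (e.g. access denied) counts as not synchronized.
        Synchronized  = [bool]$leap -and $leap -notmatch 'not synchronized' -and
                        $src -notmatch 'Free-running System Clock|Local CMOS Clock'
    }
}

# Constructed sample: the unsynchronized state described in the thread.
$sample = @'
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
Source: Free-running System Clock
'@ -split '\r?\n'
ConvertFrom-W32tmStatus -Lines $sample

# Live check on a domain member (elevated session).
$type = Get-W32TimeType
$live = ConvertFrom-W32tmStatus -Lines (w32tm /query /status 2>&1 | ForEach-Object { "$_" })
[pscustomobject]@{
    TypeInEffect        = $type.Type
    ConfiguredBy        = $type.Key
    UsesDomainHierarchy = $type.Type -eq 'NT5DS'   # type recommended for members
    LeapIndicator       = $live.LeapIndicator
    Source              = $live.Source
    Synchronized        = $live.Synchronized
}
```

The registry read still reports the type in effect when `w32tm /query` returns access denied; in that case the live status fields come back empty and `Synchronized` is `False`.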