Time synchronization between Windows clients (workstations or member servers) and the domain controller (DC) is crucial for maintaining domain functionality. Time-related issues can affect authentication, resource access, and event logging, all of which are essential to a smooth-running network. This guide will walk you through troubleshooting steps for time sync issues and highlight network requirements.



Important Note: Run Command Prompt as Administrator

Throughout this guide, please ensure that you open Command Prompt as Administrator when running the commands. This is essential for making system-level changes to services, configurations, and network settings.

Why Time Sync Matters in Windows Domains

Time synchronization is vital for:

  • Kerberos Authentication: A time difference of more than 5 minutes between a client and the DC can cause authentication errors.
  • Resource Access: Time discrepancies may prevent access to network resources.
  • Event Logging: Accurate time is essential for system logging and troubleshooting.

Step-by-Step Troubleshooting for Time Sync Issues

  1. Verify Network Access and Windows Time Service (W32Time) on the Client:
    • Network Access: Ensure UDP port 123 is open for communication between the client and the domain controller. This port is critical for time synchronization.
    • Windows Time Service: Check if the W32Time service is running on the DC and Client:
Command Prompt
sc query w32time

The above command checks the service status. If the service is stopped, start it by running the following command.

Command Prompt
net start w32time
  2. Configure the Client to Sync with the Domain Controller:
    • Make sure the client is set to synchronize time from the domain controller:
Command Prompt
w32tm /config /syncfromflags:DOMHIER /update

The above command updates the time synchronization settings so that the client syncs from the domain controller. Next, force a time synchronization by using the following command.

Command Prompt
w32tm /resync
  • Confirm the sync status with the following command:
Command Prompt
w32tm /query /status
  3. Reset Windows Time Service:
    • If the time sync issue persists, reset the time service by running the following commands one by one, then check the status:
Command Prompt
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync
  4. Verify Group Policy Settings:
    • Ensure no conflicting Group Policy Objects (GPOs) are affecting the client’s time sync. Check in:
      • Computer Configuration > Administrative Templates > System > Windows Time Service.
  5. Check Event Logs for Errors:
    • Review Event Viewer > Windows Logs > System for W32Time errors, which can provide specific clues.
  6. Troubleshoot Virtual Machines:
    • If the client is a virtual machine, ensure the hypervisor is not overriding the client’s time. Disable time sync in the hypervisor settings (Hyper-V, VMware).
  7. Test Network Access Outside the Internal Network:
    • If unsure about network access between the domain controller and the client, temporarily test the sync outside your internal network:
      • Use a test machine with full internet access.
      • Run the following command to configure the machine to sync with public NTP servers.
Command Prompt
w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
  • Stop and start the W32Time service, run the resync command, and finally check the sync status by running the following commands one by one.
Command Prompt
net stop w32time
net start w32time
w32tm /resync
w32tm /query /status

  • If the time syncs correctly, it confirms that the issue is with the network access between the client and the domain controller.

Network Port Requirements for Time Sync

For successful time synchronization, ensure UDP port 123 is open in the network:

| Communication | Source | Destination | Port | Direction | Purpose |
|---|---|---|---|---|---|
| Client to Domain Controller | Client (Outbound) | Domain Controller | UDP 123 | Outgoing from Client to DC | Required for client time requests to the DC. |
| Domain Controller to Client | Domain Controller (Outbound) | Client | UDP 123 | | Typically, not required unless you have specific monitoring or custom sync needs. |
| Domain Controller to NTP Server | Domain Controller (Outbound) | External NTP Server | UDP 123 | | Required for the DC to sync time with an external time source. |
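
As an added example (not part of the original guide), the Python sketch below sends one SNTP request to UDP port 123 and compares the measured clock offset with the 5-minute Kerberos tolerance, which tests the port requirement independently of the W32Time service. Function names are illustrative; the reply in the `__main__` section is constructed so the script runs offline, and `probe()` takes the hostname of your own domain controller.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300        # the 5-minute tolerance cited in this guide

def to_ntp(unix_ts):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    ntp = unix_ts + NTP_EPOCH_DELTA
    sec = int(ntp)
    return struct.pack("!II", sec, int((ntp - sec) * 2**32))

def from_ntp(raw):
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server clock minus local clock in seconds; t1 = send time, t4 = receive time."""
    if len(reply) < 48 or (reply[0] & 0x07) != 4:
        raise ValueError("not an NTP server-mode reply")
    t2 = from_ntp(reply[32:40])   # server receive timestamp
    t3 = from_ntp(reply[40:48])   # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def probe(server, timeout=3.0):
    """Query server on UDP 123; a timeout here points at a filtered port."""
    request = bytearray(48)
    request[0] = 0x1B             # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        request[40:48] = to_ntp(t1)
        s.sendto(bytes(request), (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def within_kerberos_skew(offset):
    return abs(offset) <= KERBEROS_MAX_SKEW

if __name__ == "__main__":
    # Constructed reply: a server whose clock is about 400 s ahead of the client.
    t1 = 1700000000.0
    reply = bytearray(48)
    reply[0] = 0x1C               # LI=0, VN=3, Mode=4 (server)
    reply[32:40], reply[40:48] = to_ntp(t1 + 400.01), to_ntp(t1 + 400.02)
    off = clock_offset(bytes(reply), t1, t1 + 0.03)
    print(f"offset {off:+.3f}s, within Kerberos skew: {within_kerberos_skew(off)}")
```

A timeout from `probe()` means no reply came back on UDP 123, while a returned offset larger than 300 seconds means the port is open but the clocks are too far apart for Kerberos.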

Summary

By following these troubleshooting steps, you can identify and resolve time synchronization issues between clients and domain controllers. Key considerations include ensuring network connectivity, verifying the Windows Time service, checking Group Policies, and testing outside the internal network for potential access issues. Additionally, ensuring UDP port 123 is open in the network is essential for successful time synchronization. Once these steps are completed, your clients should sync time correctly with the domain controller, maintaining proper domain functionality.
