How To
Summary
Time drift occurs when a system's clock gradually deviates from the accurate time due to hardware inaccuracies, environmental factors, or lack of synchronization.
Objective
Failed time syncs happen when attempts to align the clock with a reference source (like an NTP server) don't succeed, often leading to authentication issues in protocols like Kerberos, SSL/TLS, or Active Directory, where even small time discrepancies can cause failures (e.g., token expiration or certificate validation errors). These problems can disrupt logging, security, and network operations.
Common causes include:
- Domain Hierarchy Override: In Active Directory environments, non-PDC domain members default to syncing with the domain (NT5DS mode) rather than manual NTP servers, ignoring your custom configuration.
- Configuration Not Applied: Changes via w32tm may not take effect without restarting the service or due to Group Policy overrides.
- Network/Firewall Blocks: UDP port 123 (NTP) might be blocked, preventing communication with the intended server.
- Default Fallback: Standalone machines or misconfigured DCs may revert to "Local CMOS Clock" or public servers if the configured source is unreachable.
- VM Host Interference: If running on a hypervisor (e.g., VMware, Hyper-V), time sync with the host can override NTP.
- Registry/Group Policy Conflicts: Settings in the registry (e.g., HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters) or GPOs might enforce the wrong source.
Environment
All versions of Windows Client and Server.
Steps
Diagnosing The Problem
To diagnose, run these commands in an elevated Command Prompt (right-click Command Prompt > Run as administrator):
- w32tm /query /source – Shows the current time source.
- w32tm /query /configuration – Displays full config, including Type (e.g., NT5DS for domain, NTP for manual) and NtpServer.
- w32tm /query /status – Checks sync status, last sync time, and stratum.
- w32tm /resync – Attempts to sync immediately (may fail if source is wrong).
- w32tm /stripchart /computer:<your-intended-ntp-server> /samples:5 – Tests connectivity to a specific server (replace <your-intended-ntp-server> with its IP/FQDN, e.g., pool.ntp.org).
If the source is incorrect, check Event Viewer (System log) for Microsoft-Windows-Time-Service events (e.g., Event ID 129 for discovery errors or 47 for no data available).
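The checks above can be scripted. The following PowerShell is an added example, not part of the original document: it parses the text of w32tm /query /status and w32tm /query /configuration and reports the causes this page lists (Local CMOS Clock fallback, NT5DS overriding a manual server, Group Policy overrides, a peer without the 0x8 flag). The function names Get-W32tmValue and Test-TimeSource, the server ntp.example.test and the sample output lines are assumptions made for illustration.

```powershell
# Added example. Get-W32tmValue and Test-TimeSource are hypothetical helper
# names; they only parse text produced by the w32tm queries listed above.
function Get-W32tmValue([string[]]$Lines, [string]$Key) {
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Key))\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
}

function Test-TimeSource([string[]]$Status, [string[]]$Config, [string]$ExpectedServer) {
    $source = Get-W32tmValue $Status 'Source'
    $last   = Get-W32tmValue $Status 'Last Successful Sync Time'
    $type   = Get-W32tmValue $Config 'Type'
    $server = Get-W32tmValue $Config 'NtpServer'
    $findings = @()

    if ($source -match 'Local CMOS Clock') {
        $findings += "Not syncing: source is '$source'"
    } elseif ($ExpectedServer -and $source -notlike "*$ExpectedServer*") {
        $findings += "Source '$source' is not the intended server '$ExpectedServer'"
    }
    if ($last -eq 'unspecified') { $findings += 'No successful sync has been recorded' }
    if ($ExpectedServer -and $type -like 'NT5DS*') {
        $findings += 'Type is NT5DS: the domain hierarchy is used, not the manual peer list'
    }
    # w32tm marks each setting's origin; (Policy) means a GPO set it.
    if ("$type $server" -match '\(Policy\)') {
        $findings += 'Type/NtpServer come from Group Policy and override w32tm /config'
    }
    if ($type -like 'NTP*' -and $server) {
        # Strip the origin marker, then check every peer in the space-separated list.
        $peers = ($server -replace '\s*\((Local|Policy)\)\s*$', '') -split '\s+'
        foreach ($peer in $peers) {
            $flags = 0
            if ($peer -match ',(0x[0-9a-fA-F]+)$') { $flags = [Convert]::ToInt32($Matches[1], 16) }
            if (-not ($flags -band 0x8)) { $findings += "Peer '$peer' lacks the 0x8 client-mode flag" }
        }
    }
    return $findings
}

# Constructed sample output (not captured from a real host).
$sampleStatus = @('Stratum: 0 (unspecified)', 'Last Successful Sync Time: unspecified', 'Source: Local CMOS Clock')
$sampleConfig = @('Type: NTP (Policy)', 'NtpServer: ntp.example.test (Policy)')
Test-TimeSource -Status $sampleStatus -Config $sampleConfig -ExpectedServer 'pool.ntp.org'

# On a live host, pass the real command output instead:
# Test-TimeSource -Status (w32tm /query /status) -Config (w32tm /query /configuration) -ExpectedServer 'pool.ntp.org'
```

The parser assumes English w32tm output; on localized Windows installations the key names differ.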
Resolving The Problem
1. Reset the Windows Time Service (Quick Fix for Stuck Configs)
This unregisters and re-registers the service, clearing corrupted settings. It's safe and often resolves "Local CMOS Clock" issues.
w32tm /unregister
net stop w32time
w32tm /register
net start w32time
After this, reconfigure (see below) and verify with w32tm /query /source.
2. Configure for Standalone/Workgroup Machines (Non-Domain)
If not in a domain, set a manual NTP source explicitly.
- Use public servers like pool.ntp.org or time.nist.gov for reliability.
- Command (replace your.ntp.server with your desired server, e.g., pool.ntp.org; the ,0x8 suffix is a flag that forces client mode for better compatibility with non-Windows NTP servers):
w32tm /config /manualpeerlist:"your.ntp.server,0x8" /syncfromflags:MANUAL /reliable:NO /update
- For multiple servers (redundancy): "pool.ntp.org,0x8 time.nist.gov,0x8".
- /reliable:NO for clients; use YES only for the authoritative server (e.g., PDC).
- Update registry if needed (backup first via regedit): Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
  - Set Type to NTP (string).
  - Set NtpServer to your server (e.g., pool.ntp.org,0x8).
- Verify: w32tm /query /source should now show your server.
Time sync follows a hierarchy: PDC Emulator (authoritative source) → other DCs → clients/members.
- The PDC Emulator should sync externally to avoid domain-wide issues. Never use domain hierarchy on it.
w32tm /config /manualpeerlist:"your.ntp.server,0x8" /syncfromflags:MANUAL /reliable:YES /update
- Set registry: AnnounceFlags to 10 or 5 (DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config for reliable source announcement.
- On other DCs and domain members, use domain hierarchy (default) to sync with PDC: w32tm /config /syncfromflags:DOMHIER /update.
- If you want manual NTP (e.g., for remote laptops), use ALLSYNC mode (domain first, NTP fallback): w32tm /config /syncfromflags:ALLSYNC /manualpeerlist:"your.ntp.server,0x8" /update.
- Avoid manual NTP on non-PDC machines unless necessary, as it breaks the hierarchy.
- Propagate: Run w32tm /config /update on clients after PDC fix. Sync may take 15-30 minutes; force with /resync.
If GPOs override (e.g., "Configure Windows NTP Client" policy sets wrong server), edit via Group Policy Editor (gpedit.msc or domain GPO):
- Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers.
- Enable "Configure Windows NTP Client" and set your server with ,0x8.
- Run gpupdate /force.
- Firewall/Network: Ensure UDP 123 is open outbound to your NTP server. Test with telnet your.ntp.server 123 (if telnet enabled) or Wireshark capture on port 123 during w32tm /resync.
- Windows Firewall: Allow "Windows Time" rule or add exception.
- DNS Resolution: If using FQDN (e.g., pool.ntp.org), run nslookup your.ntp.server. Flush DNS: ipconfig /flushdns.
- NTP Server Compatibility: Non-Windows servers (e.g., Meinberg, ntpd) require client mode (0x8 flag). Without it, requests may fail silently.
- Large Time Offset: If drift >15 minutes (default max), manually set correct time first (Settings > Time & Language > Set time automatically off > Change), then sync.
- VM-Specific:
  - VMware: Edit VM > VM Options > VMware Tools > Synchronize guest time with host = Disabled.
  - Hyper-V: Disable integration services time sync in VM settings.
  - Restart VM after changes.
- Check status regularly: w32tm /monitor (shows all DCs in domain).
- Set poll intervals if needed (registry: MinPollInterval/MaxPollInterval under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config; default 6-10 for 64-1024 seconds).
- For high accuracy (e.g., <1ms), use Windows Server 2016+ with hardware timestamping, but that's advanced.
- If issues persist (e.g., "no time data available"), review Event Logs for specifics like DNS errors or port blocks.
If this is a domain PDC using the wrong external server, prioritize fixing it to avoid cascading issues.
Document Location
Worldwide
Document Information
Modified date:
26 September 2025
UID
ibm17246299