W32Time (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> General


Rainman13 -> W32Time (3.Jan.2006 8:16:32 PM)

I want my ISA 2004 (on Win2003) server to be the time server.  I used the command

net time /setsntp:isa.domain.com

to set it as the time server.  I have allowed NTP to internal on the system policy and even created a rule to allow port 123 to and from the isa server. 

On a server I can run
net time \\isa.domain.com

and get a valid response.  However I still see errors in the system logs of the servers that there isn't an NTP server available.  How can I make these errors go away?

tshinder -> RE: W32Time (4.Jan.2006 3:51:53 AM)

Hi Netman,

There's a big difference between Net time and the Windows Time Service.

Make sure the clients are resolving the name of the ISA firewall correctly and that you have allowed NTP access to the ISA firewall's Local Host Network.


Rainman13 -> RE: W32Time (4.Jan.2006 4:52:24 AM)

Access Rule as follows

From:  Internal, Local Host
To:  Internal, Local Host
All Users
All Content Types

System Policy
Applies to traffic sent to Local Host, Internal

Other Servers can ping by NetBIOS name or FQDN

carorieta -> RE: W32Time (5.Jan.2006 12:49:38 AM)

Hi rainman,
On a Windows 2000/2003 environment all clients synchronize from the Active Directory Domain controller holding the PDC Emulator Role (the first server you promoted to AD domain controller) on a domain with multiple DCs.
By default the PDC Emulator gets its time from its own CMOS clock.
In your case you should setup your DC to synchronize its time from the Firewall, and the Firewall should synchronize its time from an outside source such as tick.usno.navy.mil (
In addition you will create two access rules:
1. Local Host (Firewall) accessing the external time server 
2. PDC Emulator accessing the Firewall
Of course, as you know, you need to create a user-defined protocol:
Name:SNTP Time
Primary Connections: Port Range: 123  Protocol Type: UDP  Direction: SendReceive
Secondary Connections: Port Range: 123  Protocol Type: UDP  Direction: Receive
Your Access Rules:
1. Allow Protocol SNTP Time From Local Host to tick Condition All Users
2. Allow Protocol SNTP Time From PDCEmulator to Local Host Condition All Users
Remember to create two computer sets, one for the PDC and one for tick (
To change the default behavior of the Windows clients (they get time from the PDC) you need to make changes to the registry on both the Firewall and the PDC Emulator; this article by Mitch Tulloch explains the time hierarchy on W2K/W2K3 and how to make the registry changes:
Good luck

Rainman13 -> RE: W32Time (1.Feb.2006 10:43:24 PM)

Got side tracked for a while... but this still doesn't work.

For a moment, I'll forget about syncing the ISA server to an external source.

I have the system policy to allow NTP to "Internal" and "MyServers" of which the PDC Emulator is a part of.  I also created a rule that NTP is allowed to and from both the ISA server and the MyServers group.

You mentioned creating a protocol for SNTP... that protocol is the same as NTP, so I just used it.

hantahipi -> RE: W32Time (10.Feb.2006 2:57:32 PM)

Hi RM,

This article by Microsoft is step-by-step straightforward: http://support.microsoft.com/kb/816042

You do not want to skip external source configuration, because the way the service is set up, it is meant to validate time accuracy with either a hardware clock or an external server; otherwise expect a system error log that's full of invalid time stamp and time update errors. The above article is perfect.

hantahipi -> RE: W32Time (10.Feb.2006 3:02:54 PM)


Just one more note, as mentioned earlier by carorieta: time update is all about the internal network, therefore if you have properly defined your internal network and allowed direct access to your domain (assuming that your AD is humming), you need not then have any other rules and custom protocols; time update will happen for all your domain clients at log on.


tdsm -> RE: W32Time (15.Jun.2006 5:03:02 PM)


Some more questions. I managed to get our ISA 2004 server to sync with an external NTP server. And apparently the client PCs sync with the domain (W2000 DC).
But I can't seem to get my domain controllers to sync with ISA.
I've opened NTP from internal to localhost.
And on DC: net time /setsntp:isaserver

Unfortunately, if I stop the w32time service on the DC and try 'w32tm -once', I read 'NTP didn't receive datagram' in the output and an error (ntp server didn't respond) in event log.

Any ideas?
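Added example, not code from any poster in this thread: a minimal SNTP (RFC 4330) probe in Python. It builds the 48-byte mode-3 client request that carorieta's "SNTP Time" protocol definition (UDP/123, send and receive) has to let through, and parses the mode-4 server reply, rejecting unsynchronized or Kiss-o'-Death answers and replies whose originate timestamp does not echo the request. Run from a DC against the ISA firewall's internal address, a timeout here is the same condition tdsm's `w32tm -once` reports as "NTP didn't receive datagram": either the rule does not reach the Local Host network or nothing is listening on UDP/123. The host name is whatever you pass on the command line; the reply bytes in `SAMPLE_REPLY` and `SAMPLE_KOD` are constructed for offline parsing, not captured from a real server.

```python
"""SNTP probe: send one request over UDP/123 and validate the reply (RFC 4330).

Added example for the W32Time thread; not part of any poster's configuration.
"""
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_DELTA = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_FMT = "!BBBbII4s8I"          # flags, stratum, poll, precision, root delay, root
                                    # dispersion, reference id, four 64-bit timestamps
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48 bytes


def ntp_to_float(sec, frac):
    """64-bit NTP timestamp (32-bit seconds + 32-bit fraction) -> float seconds since 1900."""
    return sec + frac / 2 ** 32


def float_to_ntp(ts):
    sec = int(ts)
    return sec, int((ts - sec) * 2 ** 32)


def build_request(t1):
    """Mode-3 client request: LI=0, VN=3, Mode=3 -> 0x1B; transmit timestamp = t1."""
    sec, frac = float_to_ntp(t1)
    return struct.pack(HEADER_FMT, 0x1B, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, sec, frac)


def parse_reply(data, t1, t4):
    """Validate a server reply and compute clock offset and round-trip delay.

    t1 = when we sent the request, t4 = when the reply arrived (both NTP seconds).
    """
    if len(data) < HEADER_LEN:
        raise ValueError("short datagram: %d bytes" % len(data))
    (flags, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref_s, _ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    leap, version, mode = flags >> 6, (flags >> 3) & 7, flags & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0:
        # LI=3 ("alarm") or stratum 0 (Kiss-o'-Death code in refid): server is not
        # synchronized, so its time must not be used.  This is the state a PDC with no
        # upstream source advertises, and why the event log fills with errors.
        raise ValueError("server unsynchronized (LI=%d, stratum=%d, refid=%r)"
                         % (leap, stratum, refid))
    if (org_s, org_f) != float_to_ntp(t1):
        # The originate field must echo our transmit timestamp; a mismatch means a
        # stale or forged datagram and the reply is discarded.
        raise ValueError("originate timestamp mismatch")
    t2 = ntp_to_float(rec_s, rec_f)   # server receive
    t3 = ntp_to_float(xmt_s, xmt_f)   # server transmit
    return {
        "stratum": stratum,
        "version": version,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,      # how far our clock is from the server's
        "delay": (t4 - t1) - (t3 - t2),             # network round-trip time
        "server_time_unix": t3 - NTP_EPOCH_DELTA,
    }


def query(host, port=NTP_PORT, timeout=2.0):
    """Send one request and parse the answer; a timeout is 'NTP didn't receive datagram'."""
    t1 = time.time() + NTP_EPOCH_DELTA
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(t1), (host, port))
        data, _peer = sock.recvfrom(512)
    except socket.timeout:
        raise TimeoutError("no datagram from %s:%d within %.1fs (blocked, or nothing listening)"
                           % (host, port, timeout))
    finally:
        sock.close()
    return parse_reply(data, t1, time.time() + NTP_EPOCH_DELTA)


# Constructed sample exchange (not a real capture): client sent at T1, got the reply at T4,
# a stratum-2 server stamped receive and transmit at the same instant.
SAMPLE_T1 = 3345000000.25
SAMPLE_T4 = 3345000000.75
SAMPLE_REPLY = struct.pack(HEADER_FMT, 0x1C, 2, 6, -20, 0, 0, b"\x0a\x00\x00\x01",
                           3345000000, 0,          # reference timestamp
                           3345000000, 1 << 30,    # originate = our T1 (0.25 s fraction)
                           3345000001, 0,          # receive  (T2)
                           3345000001, 0)          # transmit (T3)
# Same server answering with a Kiss-o'-Death: stratum 0, code "RATE" in the reference id.
SAMPLE_KOD = struct.pack(HEADER_FMT, 0x1C, 0, 6, -20, 0, 0, b"RATE",
                         0, 0, 3345000000, 1 << 30, 3345000001, 0, 3345000001, 0)


def demo():
    return parse_reply(SAMPLE_REPLY, SAMPLE_T1, SAMPLE_T4)


if __name__ == "__main__":
    print(query(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

With a host argument the script talks to the network (`python sntp_probe.py isa.domain.com`); without one it parses the constructed reply, which yields an offset of 0.5 s and a delay of 0.5 s. The originate-timestamp and stratum-0 checks are the two things a bare `net time` never does, which is part of why a working `net time \\isa.domain.com` says nothing about whether the Windows Time Service will accept that server.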
