Hi rainman,

On a Windows 2000/2003 environment all clients synchronize from the Active Directory domain controller holding the PDC Emulator role (the first server you promoted to AD domain controller) on a domain with multiple DCs. By default the PDC Emulator gets its time from its own CMOS clock. In your case you should set up your DC to synchronize its time from the Firewall, and the Firewall should synchronize its time from an outside source such as tick.usno.navy.mil (126.96.36.199).

In addition you will create two access rules:
1. Local Host (Firewall) accessing the external time server
2. PDC Emulator accessing the Firewall

Of course, as you know, you need to create a user-defined protocol:
Name: SNTP Time
Primary Connections: Port Range: 123, Protocol Type: UDP, Direction: Send Receive
Secondary Connections: Port Range: 123, Protocol Type: UDP, Direction: Receive

Your Access Rules:
1. Allow Protocol SNTP Time From Local Host to tick, Condition All Users
2. Allow Protocol SNTP Time From PDCEmulator to Local Host, Condition All Users

Remember to create two computer sets, one for the PDC and one for tick (188.8.131.52).

To change the default behavior of the Windows clients (they get time from the PDC) you need to make changes to the registry on both the Firewall and the PDC Emulator. This article by Mitch Tulloch explains the time hierarchy on W2K/W2K3 and how to make the registry changes: http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

Good luck
Got side tracked for a while... but this still doesn't work.
For a moment, I'll forget about syncing the ISA server to an external source.
I have the system policy to allow NTP to "Internal" and "MyServers", of which the PDC Emulator is a part. I also created a rule that NTP is allowed to and from both the ISA server and the MyServers group.
You mentioned creating a protocol for SNTP... that protocol is the same as NTP, so I just used it.
You do not want to skip the external source configuration, because the way the service is set up, it is meant to validate time accuracy with either the hardware clock or an external server; otherwise expect a system error log that's full of invalid time stamp and time update errors. The above article is perfect.
Just one more note, as mentioned earlier by carorieta: time update is all about the internal network, therefore if you have properly defined your internal network and allowed direct access to your domain (assuming that your AD is humming), you need not have any other rules and custom protocols; time update will happen for all your domain clients at log on.
Some more questions. I managed to get our ISA 2004 server to sync with an external NTP server, and apparently the client PCs sync with the domain (W2000 DC). But I can't seem to get my domain controllers to sync with ISA. I've opened NTP from Internal to Local Host, and on the DC: net time /setsntp:isaserver
Unfortunately, if I stop the w32time service on the DC and try 'w32tm -once', I read 'NTP didn't receive datagram' in the output and an error (ntp server didn't respond) in event log.
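Added example, not code from any post in this thread and not what w32tm itself does: a minimal SNTP client in Python that builds the UDP/123 request described by the "SNTP Time" protocol in the first post, validates the reply the way a careful client should (mode, originate-timestamp match, stratum 0 / unsynchronised server), computes the clock offset, and treats a UDP timeout as a distinct result, which is the same condition behind the "NTP didn't receive datagram" message in the last post. The offline simulation with a server running 30 seconds fast, the 0.1 s round trip, the file name sntp_probe.py and the 192.0.2.1 address in the comment are assumptions made for the example.

```python
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def _to_ntp(t):
    """Unix float seconds -> (NTP seconds, 32-bit fraction)."""
    secs = int(t)
    return secs + NTP_EPOCH_OFFSET, int((t - secs) * (1 << 32))


def _from_ntp(data, off):
    """Read the 64-bit NTP timestamp at byte offset off as Unix float seconds."""
    secs, frac = struct.unpack("!II", data[off:off + 8])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_sntp_request(transmit_time):
    """48-byte SNTP v4 client request: LI=0, VN=4, Mode=3; only the Transmit Timestamp is filled."""
    pkt = bytearray(48)
    pkt[0] = 0x23  # 0b00_100_011
    struct.pack_into("!II", pkt, 40, *_to_ntp(transmit_time))
    return bytes(pkt)


def build_server_reply(request, recv_time, xmit_time, stratum=2, ref_id=b"GPS\x00"):
    """Constructed server reply (Mode=4), used here only to simulate the exchange offline."""
    pkt = bytearray(48)
    pkt[0] = 0x24  # LI=0, VN=4, Mode=4 (server)
    pkt[1] = stratum
    pkt[2] = 6  # poll interval exponent (64 s)
    pkt[3] = (-20) & 0xFF  # precision as a signed byte: 2^-20 s
    pkt[12:16] = ref_id  # Reference Identifier
    struct.pack_into("!II", pkt, 16, *_to_ntp(recv_time))  # Reference Timestamp
    pkt[24:32] = request[40:48]  # Originate = client's Transmit, copied verbatim
    struct.pack_into("!II", pkt, 32, *_to_ntp(recv_time))  # Receive Timestamp (t2)
    struct.pack_into("!II", pkt, 40, *_to_ntp(xmit_time))  # Transmit Timestamp (t3)
    return bytes(pkt)


def parse_sntp_response(data, client_recv_time, request):
    """Validate a reply against the request it answers and compute offset/delay (RFC 4330 section 5)."""
    if len(data) < 48:
        raise ValueError("short packet (%d bytes)" % len(data))
    li_vn_mode, stratum, _poll, precision = struct.unpack("!BBBb", data[:4])
    leap, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if data[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not match our request (stale or forged reply)")
    if stratum == 0 or leap == 3:
        raise ValueError("server unsynchronised or kiss-o'-death (stratum %d, LI %d)" % (stratum, leap))
    t1 = _from_ntp(data, 24)  # when we sent the request
    t2 = _from_ntp(data, 32)  # when the server received it
    t3 = _from_ntp(data, 40)  # when the server replied
    t4 = client_recv_time     # when we received the reply
    return {
        "version": version,
        "stratum": stratum,
        "precision": precision,
        "ref_id": data[12:16],
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # how far our clock is behind the server
        "delay": (t4 - t1) - (t3 - t2),         # round trip excluding server processing time
    }


def query_sntp(host, port=NTP_PORT, timeout=3.0):
    """Send one SNTP request and wait for the reply. A socket.timeout here means the request
    or the answer never made it across UDP/123, the same condition w32tm reports as
    'NTP didn't receive datagram'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        request = build_sntp_request(time.time())
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    return parse_sntp_response(data, t4, request)


def simulate_exchange(client_time=1700000000.0, server_ahead=30.0, rtt=0.1):
    """Offline round trip against a constructed server whose clock runs server_ahead seconds fast."""
    request = build_sntp_request(client_time)
    t2 = client_time + rtt / 2 + server_ahead
    reply = build_server_reply(request, recv_time=t2, xmit_time=t2 + 0.01)
    return parse_sntp_response(reply, client_time + rtt, request)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python sntp_probe.py 192.0.2.1 (address is a placeholder)
        try:
            print(query_sntp(sys.argv[1]))
        except socket.timeout:
            print("no datagram received from %s: UDP/123 blocked or server not answering" % sys.argv[1])
    else:
        print(simulate_exchange())
```

Run it with no arguments to see the simulated exchange; run it with the ISA server's address from the DC to separate "rule does not pass UDP/123 in both directions" (timeout) from "rule passes traffic but the server is unsynchronised" (a ValueError on stratum 0), which the w32tm output alone does not distinguish. The originate-timestamp check is the only thing a plain SNTP client has against a stray or spoofed reply, so keep it even in a quick probe.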