W32time problem. NTP port 123 not opened

Discussion in 'Windows Small Business Server' started by GeraldF, Feb 25, 2007.

  1. GeraldF

    GeraldF Guest

    My SBS2003 server cannot acquire time from an outside source.
    While the Server is configured to run as a PDC and has it's own
    DOMAIN, it takes its DNS address from a SERVER in the larger

    No matter which NTP server I attempt to connect to
    (Tick.usno.navy.mil or any other) it fails to find the time.
    If I ping the NTP server addresses it fails (not found).
    If I run portqry.exe for port 123 it tells me the port has no
    service running.

    Is this a problem on my Server with the w32tm service, or is it
    likely port 123 has been disabled on the outside firewall that
    connects to the organization.

    GeraldF, Feb 25, 2007
    1. Advertisements

  2. Hi GeraldF,

    Thanks for posting here.

    From the description, I understand the issue is that you can not sync time
    from outside time source, If I am off base, please don't hesitate to let me

    Firstly, let me describe something regarding the Windows time service. In
    Windows environment, we can use the Windows Time service to synchronize the
    time of workstations and servers. The reason why the time needs to be
    synchronized is because the default Kerberos ticket lifetime is within 5
    minutes. If the time difference between the workstation and the server is
    more than 5 minutes, the authentication will fail.

    Basically speaking, there are two levels of time synchronization in a
    domain environment. The first level is the internal time synchronization.
    In a domain environment, the workstations synch the time with the domain
    controller. This can keep the time consistency internally. The second level
    is the external time synchronization. This means that the domain controller
    synchronizes the time with an external time source. When we join a
    workstation into a domain, the workstations are configured to synchronize
    the time with the domain controller by default so that it is not necessary
    to configure the time settings on the internal workstations.

    Let us refer to the following steps to troubleshoot the issue:

    1. checking the registry key on SBS server, make sure that W32time start
    key is set to 2.


    Start=2 indicates that windows time service is automatic.


    Double-click ''Type'' value in the right panel. Change the value data from
    NoSync to NT5DS

    Restart the server

    2. If ISA is installed on the SBS server, please enable the outgoing UDP
    123 packet filter. Can I assume that you have already run CEICW to
    configure the SBS internet connections? <825763 How to configure Internet
    access in Windows Small Business Server 2003
    http://support.microsoft.com/?id=825763 >
    If so, If you are using ISA 2000, open ISA Management console, navigate to
    ServerName\Access Policy\IP Packet Filters. In the right panel,
    double-click ''SBS NTP 123 Out CustomFilter''. In Filter Type tab, change
    the IP protocol from TCP to UDP. Click ''OK'' to close the dialog box.If
    you are using ISA 2004, you can manually create an access rule to allow
    outgoing 123 UDP traffic from localhost to internet(outside time source).
    If there is a hardware router installed in front of the SBS server, please
    make sure that the outgoing 123 UDP request is allowed.

    More information,

    816042 How to configure an authoritative time server in Windows Server 2003
    224799 Basic Operation of the Windows Time Service

    262680 A List of the Simple Network Time Protocol Time Servers That Are
    Available on the Internet

    Using Windows Server 2003 in a Managed Environment Windows Time Service

    Thanks for your time, Please try the suggestions above and let me know the
    results at your earliest convenience. I look forward to hearing from you

    Best regards,

    Jacky Luo (MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    PLEASE NOTE: The partner managed newsgroups are provided to
    assist with break/fix issues and simple how to questions.
    We also love to hear your product feedback! Let us know what you think by

    from the web interface: Partner Feedback
    from your newsreader: microsoft.private.directaccess.partnerfeedback.

    We look forward to hearing from you!
    When responding to posts, please "Reply to Group" via your newsreader
    so that others may learn and benefit from this issue.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Jacky Luo [MSFT], Feb 26, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.