What time is it? – Using Windows NTP Servers


This is a quick post on how to use a Windows Server as an NTP server for your network devices. I’ll probably circle back and cover how to do it with a Linux server if I have the time.

In a Windows domain, the Domain Controller with the PDC emulator role sets the time for everything in the domain. This matters because Kerberos gets very upset if time is off by even a little bit.

Time synchronization is controlled by the W32Time service, which can also act as an NTP server. This behavior is the default in Windows 2012 and above, but you need to add a registry key if you are running a lower version of Windows Server.

You can do this by adding the following value to your DC’s registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
 


Now on your DC, open an admin command prompt and use the following command to configure your external NTP peers. To add multiple servers, separate them with a space inside the quoted section.

w32tm /config /manualpeerlist:"<server1> <server2> <…>" /syncfromflags:MANUAL

C:\>w32tm /config /syncfromflags:manual /manualpeerlist:0.us.pool.ntp.org /reliable:yes
The command completed successfully.

Then restart the w32time service:

C:\>net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

The Windows Time service is starting.
The Windows Time service was started successfully.

Give it some time and then check the peer status.
The state should be Active and the stratum set.

C:\>w32tm /query /peers
#Peers: 1

Peer: 0.us.pool.ntp.org
State: Active
Time Remaining: 39.8904914s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 6 (64s)
HostPoll Interval: 6 (64s)

C:\>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0684391s
Root Dispersion: 0.8315897s
ReferenceId: 0xADE6906D (source IP:  173.230.144.109)
Last Successful Sync Time: 2/13/2015 12:33:55 PM
Source: 0.us.pool.ntp.org
Poll Interval: 7 (128s)

Don’t forget to allow NTP through your firewall! (Your server firewall is enabled right guys???)
You can quickly do it with something like:

C:\>netsh advfirewall firewall add rule name="Allow NTP" dir=in action=allow protocol=udp localport=123
Ok.
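
Before pointing devices at the DC, you can confirm from another host that it answers on UDP 123 and reports itself as synchronized. The Python script below is an added example, not part of the original post: it decodes an NTP reply header into the same fields that w32tm /query /status shows (note how ReferenceId 0xADE6906D is just the upstream IP 173.230.144.109). The function names and the sample packet are constructed for illustration.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP era 0 starts here

def parse_response(data):
    """Decode the NTP header fields that w32tm /query /status also shows."""
    if len(data) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    flags, stratum, poll, precision, delay, disp, ref = struct.unpack(
        "!BBbbII4s", data[:16])
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": flags >> 6,                  # 3 = clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                 # 4 = server reply
        "stratum": stratum,
        "precision": precision,              # log2 seconds, signed
        "root_delay": delay / 65536,         # 16.16 fixed point, seconds
        "root_dispersion": disp / 65536,
        # For stratum >= 2 over IPv4 the reference ID is the upstream's address.
        "ref_id": (socket.inet_ntoa(ref) if stratum >= 2
                   else ref.decode("ascii", "replace")),
        "transmit": NTP_EPOCH + timedelta(seconds=tx_sec + tx_frac / 2**32),
    }

def is_usable(f):
    """True for a server reply (mode 4) that is synchronized, stratum 1..15."""
    return f["mode"] == 4 and f["leap"] != 3 and 1 <= f["stratum"] <= 15

def query(host, timeout=2.0):
    """Send one client request (VN=3, mode 3) to UDP/123 and parse the reply."""
    request = bytes([(3 << 3) | 3]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data)

# Constructed sample reply mirroring the /query /status values shown above
# (stratum 3, precision -6, ReferenceId 0xADE6906D); the timestamp is made up.
SAMPLE = (struct.pack("!BBbbII4s", 0x1C, 3, 6, -6, 4485, 54499,
                      bytes.fromhex("ADE6906D"))
          + bytes(24) + struct.pack("!II", 3632844835, 0))

if __name__ == "__main__":
    fields = parse_response(SAMPLE)  # on a live network: query("10.10.2.2")
    print(fields, "usable:", is_usable(fields))
```

A reply with leap indicator 3 or stratum 0 means the server answered but has no valid time source yet, which is what you will see if you query the DC before its upstream peer goes Active.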

Now hop on to your network device and set up NTP to point to your DC (my DC’s IP is 10.10.2.2):

Cisco-R01(config)#ntp server 10.10.2.2
Cisco-R01(config)#clock timezone MNT -7

Give it a few minutes to sync and then NTP should be happy!

Cisco-R01(config)#do sh ntp ass
  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.10.2.2       173.230.144.109  3      0     64     1  1.000 -30.615 3949.9
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

On a Juniper the logic is pretty much the same: set your timezone and define your NTP server.

the-packet-thrower@Juniper-R01# set system time-zone America/Edmonton 

[edit]
the-packet-thrower@Juniper-R01# set system ntp server 10.10.2.2 

[edit]
the-packet-thrower@Juniper-R01# commit

Then check your NTP association and time:

the-packet-thrower@Juniper-R01# run show ntp associations 
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.2.2       108.61.56.35     3 -    1   64   17    5.184   -5.816   2.831

the-packet-thrower@Juniper-R01# run show system uptime 
Current time: 2015-03-25 10:23:38 MDT
System booted: 2015-03-23 20:27:30 MDT (1d 13:56 ago)
Protocols started: 2015-03-23 20:27:51 MDT (1d 13:55 ago)
Last configured: 2015-03-25 10:20:50 MDT (00:02:48 ago) by the-packet-thrower
10:23AM up 1 day, 13:56, 1 user, load averages: 0.00, 0.01, 0.00
