When troubleshooting time synchronization issues on Windows systems, having a quick set of reliable commands can save a lot of time.
This post provides a practical cheat sheet for validating NTP configuration, identifying common issues, and quickly confirming whether a system is properly synchronized.
Essential w32tm Commands
| Purpose | Command | Expected Good Output | Bad Output / Notes |
|---|---|---|---|
| Check current time source | w32tm /query /source | NTP server (e.g. time.windows.com) | Local CMOS Clock = not synced externally |
| Check sync status & stratum | w32tm /query /status | Leap Indicator: 0, Stratum: 1–15, valid Last Successful Sync Time | Leap: 3, Stratum: 0 = not synchronized |
| Check configured peers | w32tm /query /peers | State: Active | State: Pending = never synced |
| View full configuration | w32tm /query /configuration | NtpClient Enabled: 1, valid NtpServer | Enabled: 0 = time client disabled |
| Force immediate resync | w32tm /resync | The command completed successfully | no time data was available = cannot reach server |
| Test NTP server connectivity | w32tm /stripchart /computer:time.windows.com /dataonly /samples:5 | Offset + round-trip time returned | No response or timeouts |
| Start time service (if stopped) | net start W32Time | Service started successfully | 0x80070426 = service not started |
| Set service to auto-start | sc config W32Time start=auto | SUCCESS | Requires Administrator |
| Re-register time service | w32tm /unregister → w32tm /register → net start W32Time | No errors | Fixes corrupted configuration |
| Change to different NTP server | w32tm /config /manualpeerlist:”time.google.com” /syncfromflags:manual /update → restart service → resync | New server appears in source | Requires Administrator |
Common Errors & Fixes
| Error Message / Symptom | Likely Cause | Fix |
|---|---|---|
| The service has not been started (0x80070426) | Windows Time service stopped | Start service (net start W32Time) and set auto-start |
| No time data was available | Cannot reach NTP server | Check UDP 123, run stripchart, try another server |
| Access is denied | Not running as admin | Re-run as Administrator |
| Stratum: 0 + Leap: 3 + Local CMOS Clock | Not synced externally | Force resync, check peers, verify firewall |
| State: Pending persists | NTP server unreachable | Test with stripchart, try alternate server |
| Sync falls back to CMOS | Intermittent connectivity | Add multiple NTP servers |
One-Liner Health Check
| Quick Check | Command | What to Look For |
|---|---|---|
| Combined status + peer state | w32tm /query /status | findstr “Source Stratum Leap Indicator” && echo “—” && w32tm /query /peers | findstr “State” | Source ≠Local CMOS, Stratum 1–15, Leap 0, State: Active |
Understanding NTP Stratum (and What the Numbers Mean)
When reviewing the output of w32tm /query /status, one of the most important indicators is Stratum.
Stratum tells you how far your system is from a reliable time source — and whether the time can be trusted.
What is Stratum?
Stratum represents a tier level in the NTP hierarchy:
- Lower number = closer to the authoritative time source
- Higher number = further away (more hops)
- Maximum usable value = 15
Stratum Levels Explained
| Stratum | Meaning | Example |
|---|---|---|
| 0 | Physical reference clock | GPS, atomic clock |
| 1 | Directly connected to Stratum 0 | Primary NTP server |
| 2 | Syncs from Stratum 1 | Enterprise NTP servers |
| 3–15 | Increasing distance from source | Clients / downstream systems |
| 16 | Unsynchronized (invalid) | System not synced |
What You Should Expect
- Stratum 1–3 → Ideal
- Stratum 4–10 → Normal / acceptable
- Stratum 11–15 → Still valid but further away
- Stratum 0 or 16 → 🚨 Not synchronized
Interpreting Stratum with Other Fields
Always evaluate Stratum alongside:
- Source
- Leap Indicator
Healthy Example
Source: time.windows.com
Stratum: 2
Leap Indicator: 0
Domain Controller Time Sync (Active Directory)
In Active Directory, accurate time is critical for Kerberos authentication and replication health.
| Purpose | Command | Expected Good Output | Bad Output / Notes |
|---|---|---|---|
| Identify the PDC Emulator (authoritative DC in domain) | netdom query fsmo | PDC listed and reachable | Unknown/unreachable PDC can break domain-wide time flow |
| Check current DC time source | w32tm /query /source | Upstream NTP source or domain hierarchy source | Local CMOS Clock on DC usually indicates a sync issue |
| Check DC sync status | w32tm /query /status | Leap Indicator: 0, valid Last Successful Sync Time, Stratum 1-15 | Leap: 3 or Stratum: 0 indicates unsynchronized state |
| View DC peer configuration | w32tm /query /peers | Active peers with successful responses | State: Pending or no active peers |
| Validate domain hierarchy from any domain member | w32tm /query /source | Source should be a domain DC (not internet NTP directly) | Clients bypassing hierarchy can create drift across domain |
| Monitor offsets to domain controllers | w32tm /monitor /domain | Small offsets and responsive DC list | Large offsets or unreachable DCs need investigation |
| Force rediscovery and resync on DC | w32tm /config /syncfromflags:domhier /update && w32tm /resync /rediscover | Resync succeeds and source updates correctly | no time data available or access denied |
PDC Emulator Best Practice
Configure only the PDC Emulator in the forest root domain to sync with external reliable NTP servers. Other DCs and domain members should use domain hierarchy.
w32tm /config /manualpeerlist:"time.windows.com,time.google.com" /syncfromflags:manual /reliable:yes /update
net stop W32Time && net start W32Time
w32tm /resync /force
What Healthy Looks Like by Role
| System Role | Source (w32tm /query /source) |
Status (w32tm /query /status) |
What to Watch For |
|---|---|---|---|
| Non-PDC Emulator Domain Controller | Another domain DC (often the PDC Emulator, directly or indirectly) | Leap Indicator: 0, Stratum typically one level higher than upstream DC, recent Last Successful Sync Time | If source is Local CMOS Clock, or Stratum: 0, it is not properly synchronized |
| Domain Member Server | Domain controller name (or NT5DS domain hierarchy behavior) |
Leap Indicator: 0, valid stratum (usually higher than DCs), regular successful sync time updates | If source is public internet NTP directly, time hierarchy policy may be bypassed |
Quick Validation Commands (Non-PDC DC and Member Server)
w32tm /query /source
w32tm /query /status
w32tm /query /configuration | findstr /I "Type NtpServer"
Expected patterns:
- Non-PDC DC:Â
Type: NT5DSÂ (domain hierarchy), source resolves to another DC, notÂLocal CMOS Clock - Member server:Â
Type: NT5DS, source is a DC, and Leap Indicator remainsÂ0
If either system is unhealthy, force rediscovery and resync:
w32tm /config /syncfromflags:domhier /update
net stop W32Time && net start W32Time
w32tm /resync /rediscover
Domain One-Liner Health Check
echo PDC: && netdom query fsmo | findstr /I "PDC" && echo --- && w32tm /query /source && w32tm /query /status | findstr "Stratum Leap" && echo --- && w32tm /monitor /domain
Summary
If you remember only a few things:
- Always verify the time source first
Stratum andÂLeap Indicator determine if the system is actually synchronizedstripchart is the fastest way to test connectivity- Most issues come down to:
- Service not running
- Firewall blocking UDP 123
- Unreachable or unreliable NTP servers
This checklist should help you quickly isolate and resolve most Windows NTP issues in minutes.
