This is what worked for me:
Open Registry Editor (regedit.exe) and configure the following registry entries:
This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.
This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.
This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append , 0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com, 0x1 to tock.usno.navy.mil, 0x1 here. Alternatively, you can specify the IP address of this time server, which is 22.214.171.124 instead.
Now stop and restart the Windows Time service using the following commands:
net stop w32time
net start w32time
And, at the end, in a DOS console, type:
See also the Configuring the Windows Time Service link.
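A read-only check of the settings this post describes, as an added example that is not part of the original post. The post does not name the registry keys, so the paths used here (Type and NtpServer under W32Time\Parameters, AnnounceFlags under W32Time\Config) are assumed to be the standard Windows Time locations, and the function name and sample string are constructed for illustration.

```powershell
# Added example: audits W32Time settings without changing them.
# Assumption: standard Windows Time key locations (not named in the post).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Test-NtpServerList {
    param([string]$Value)
    # Accept "name, 0x1" as well as "name,0x1", then split the space-delimited list.
    $normalized = $Value -replace '\s*,\s*', ','
    foreach ($peer in ($normalized -split '\s+' | Where-Object { $_ })) {
        $name, $flags = $peer -split ',', 2
        $addr = $null
        $isIp = [System.Net.IPAddress]::TryParse($name, [ref]$addr)
        [pscustomobject]@{
            Peer        = $name
            Flags       = $flags
            IsIpAddress = $isIp
            # Per the post, DNS names need the 0x1 flag; IP addresses do not.
            Ok          = $isIp -or ($flags -eq '0x1')
        }
    }
}

# Constructed sample: the second peer is a DNS name without the flag, so Ok is False.
Test-NtpServerList -Value 'tock.usno.navy.mil, 0x1 time.windows.com' |
    Format-Table -AutoSize

# Live check against the local machine's registry.
$params = Get-ItemProperty -Path "$svc\Parameters"
$config = Get-ItemProperty -Path "$svc\Config"

@(
    [pscustomobject]@{ Setting = 'Type'; Actual = $params.Type
                       Expected = 'NTP'; Ok = ($params.Type -eq 'NTP') }
    [pscustomobject]@{ Setting = 'AnnounceFlags'; Actual = $config.AnnounceFlags
                       Expected = 5; Ok = ($config.AnnounceFlags -eq 5) }
) | Format-Table -AutoSize

Test-NtpServerList -Value $params.NtpServer | Format-Table -AutoSize

# The new values only take effect once the service has been restarted.
Get-Service -Name w32time | Select-Object Name, Status
```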
To solve this problem I changed the value of the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NTpServer] to time.windows.com, 0x1.
The Windows XP firewall blocks the updates as well. Make an exception for UDP port 123. We made an exception using Group Policy. This is located under Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> Windows Firewall -> Define Port Exceptions. Use the Show button and then add 123:UDP:xxx.xxx.xxx.xxx/xx, xxx.xxx.xxx.xxx/xx:enabled:W32TM, where the x's are your IP range, i.e.: 10.10.1.0/24, 10.10.10.0/24. You only need to set this for the Domain profile. The standard profile controls the firewall when not connected to your domain, so they could not synchronize with your DCs anyway.
From a newsgroup post: "If W32Time is failing, that means your computer can't reach "time.windows.com" nor "time.nist.gov". If that is the case, I suspect you are not connected directly to the Internet, or you have some kind of network problem. If you want to set up an alternative time server, run regedit and drill down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers. Add a new "String Value" and rename it to "3". Change its value to another time server. If you are at work behind a firewall, you'll have to use a local server within your intranet. I use "time.esec.com.au" because it's a little faster than the US ones. Finally, open "Date and Time Properties" and click the "Internet Time" tab. Select your new server from the "Server" drop down list and "Update Now"."
and "How to fix time synchronization errors" for additional information on this problem.
This happens on Windows XP. To fix: go to "Date and Time Properties" and under "Internet Time" uncheck "Automatically synchronize with an Internet timeserver".