Hi all.  Recently after switching to using a Cisco router (891W, IOS 15.2) instead of a different vendor's router at our site, I began to notice that the time sync on the Windows domain is off.  This is causing major domain functionality problems.  This is a small business so there is a single domain controller, and it is configured to get time from a source on the Internet. 

It's been a while since I set this up on the server so I forget offhand the Internet time server, but the current firewall config for the router matches what I had on the previous non-Cisco router.  I'll check into if the Internet time server is th eproblem but those don't tend to go down a lot to my knowledge.  The only thing that changed was this router and immediately after is when the problems began. 

However in retrospect I wonder if the firewall is even correctly set up.  Currently I have udp port 123 open from the outside going to the inside IP of the domain controller on the LAN (using static NAT).  But as I think about this, I'm sure that time update traffic is not initiated from the time source (Internet-based time server) but rather by the time client (the domain controller).  Please correct me if I'm wrong. 

So then with a stateful firewall and provided there are no restrictions from inside to outside for NTP, I should not have to open udp 123 from the outside at all, but instead just allow the inside server to request time from the outside, using whatever dynamic port the firewall allocates. 

Is this right?  Again, ever since we switched to using the Cisco router, time sync is not working. 

Thanks very much.