Because timedatectl says that the NTP service is active but the clock is still not synchronized, that means the NTP service is failing to contact any NTP servers, possibly because the service is not fully configured or because a firewall is blocking NTP packets.
The first task would be to figure out the actual name of the synchronization service.
You can find the details in man systemd-timedated.service, but basically check directories /usr/lib/systemd/ntp-units.d/, /usr/local/lib/systemd/ntp-units.d/ or /etc/systemd/ntp-units.d for files with names with a .list extension. Those files will define the name(s) of potential NTP services timedatectl could use, and the alphanumerical sorting of the .list files will determine their order of preference if there is more than one.
Alternatively, the preference order of services could be defined by an environment variable for the systemd-timedated.service. If you run systemd cat systemd-timedated.service | grep Environment, you might find a line like
Environment=SYSTEMD_TIMEDATED_NTP_SERVICES=<primary NTP service>.service:<1st alternative NTP service>.service:<2nd alternative NTP service>.service
or you might find an EnvironmentFile reference indicating a file that could define such a variable for the service.
The most common NTP synchronization services would be chronyd.service, ntp.service (or ntpd.service in some distributions) and systemd-timesyncd.service, so even if you fail to find anything indicating the order of preference, it's most likely going to be one of those three.
If the service being used for NTP synchronization is chronyd.service, then the command for querying its connection status would be chronyc sources -a -v.
For ntp[d].service, you could use ntpq -np.
The outputs of chronyc sources and ntpq -np are somewhat similar to each other: when NTP synchronization is working correctly, there should be an asterisk in the left-most column of the listing indicating the server this system is currently synchronized to. The Reach column will indicate the status of the latest 8 NTP requests as an octal number: if all of those have been responded to by the NTP server, the value in this column will be 377. A Reach value of 0 indicates the server is not reachable.
To query the status of the systemd-timesyncd.service, you can use timedatectl timesync-status.
Once you know which NTP server(s) the synchronization server is trying to use, you can start troubleshooting connectivity to them. If the list of NTP servers to use is empty or wrong, you should correct it first and restart the synchronization service (or reboot the system).
For chronyd, the NTP servers will be listed in /etc/chrony/chrony.conf or in /etc/chrony/sources.d/*.source files.
For ntp[d].service, the configuration file will be /etc/ntp.conf.
systemd-timesyncd.service has its configuration in /etc/systemd/timesyncd.conf and/or /etc/systemd/timesyncd.conf.d/*.conf files, but it can also be configured via /etc/systemd/network/*.network files or by DHCP configuration information.
If you have the ntpdate command installed, its debug mode can be useful in testing connectivity to a NTP server. Run ntpdate -d <NTP server name or IP address> and look at the output. If the last line of the output says no server suitable for synchronization found, the command failed to contact the NTP server you specified. If the command gets a valid response from the NTP server, the last line of its output will indicate how much the command would have adjusted the local system clock if it wasn't in debug mode.
