Overview
Starting with Windows 2000, the operating system installs a time synchronization service by default; no external applications are required. The display name on English systems is "Windows Time Service" and the short service name is "W32Time". This service should be set to Automatic startup via Group Policy. If any firewalls sit between the time source and the client, UDP port 123 must be allowed. The default configuration for the time service is to act as both a client and a server (it syncs with a parent source and provides a time source to other clients).
Typically the only server that should be manually configured with an external time source is the DC that holds the PDC Emulator Operations Master role in the forest root domain (details below). All other DCs should use the defaults, so they sync time with the PDC of their domain, and the PDCs sync time with the PDC in the parent domain. All other member servers and workstations in the domain should also use the defaults, so they sync time with the DC that last authenticated the computer (which is usually determined at boot up, unless that DC becomes unavailable for an extended period).
If the PDC Emulator role for the forest root domain is moved to a different DC, the DC that previously held the role needs to be reset to defaults, and the DC that now holds the role needs to be manually configured with an external time source (details below).
The "net.exe time" command was replaced by w32tm.exe, "net time" should not be used to make changes. It is safe to run "net time \\computername" to check the time of a specific machine, or run "net time" to check the time source for the domain (which by default is the PDC emulator for the computer’s domain but depends on your configuration).
Finding the PDC Emulator Role
These commands can be used to find which DCs currently hold the FSMO roles. Run these from a command prompt on a DC in the forest root domain.
Option A: (only works on Windows Server 2008, or Server 2003 if the Support Tools are installed)
netdom.exe /query fsmo
or
dcdiag.exe /test:knowsofroleholders /v | find.exe "Owner = "
Option B: (should work on any DC)
ntdsutil.exe
roles
connections
connect to server %computername%
quit
select operation target
list roles for connected server
Option C:
Use three different MMC snap-ins:
– Active Directory Users & Computers
– Active Directory Domains and Trusts
– Active Directory Schema
External Time Sources
The PDC Emulator should not be configured to use time.windows.com because it goes down too often, sometimes for days at a time. Many organizations use a combination of NCAR and NIST government servers, but even those go down quite often. On the PDC for the forest root domain, open the System event log and filter on the source "W32Time"; if you see more than one or two errors a month, it may be time to change the time sources. A reliable alternative is this pool of public NTP servers:
0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org
3.us.pool.ntp.org
Details about the project are located here: http://support.ntp.org/bin/view/Servers/NTPPoolServers. When the PDC’s System event log is filtered on the "W32Time" source, you should not see more than 1 or 2 errors a month (assuming the internet connection has been stable).
Configuration For An External Time Source
Here are some examples of the commands to use on the PDC emulator in the forest root domain:
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES /update
w32tm.exe /resync /rediscover
Here are some examples of similar commands to check the existing config, change the config, then monitor the results:
: Check the existing config:
w32tm.exe /dumpreg /subkey:parameters|find.exe /i "ntpserver"
: Change the config:
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES
: Check the new config:
w32tm.exe /dumpreg /subkey:parameters|find.exe /i "ntpserver"
Ntpserver REG_SZ 0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8
: Update the config – similar to restarting the service:
w32tm.exe /config /update
The command completed successfully.
: Resynchronize the clock as soon as possible:
w32tm.exe /resync /rediscover
The command completed successfully.
: Check the time offset:
w32tm.exe /monitor /computers:0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org,3.us.pool.ntp.org
Note: The "delay" is normal network latency, and accounted for by the time service. The "offset" should always be less than a tenth of a second ("0.0######"):
0.us.pool.ntp.org [155.101.3.115]:
ICMP: 22ms delay.
NTP: +0.0024571s offset from local clock
RefID: time-b.nist.gov [129.6.15.29]
1.us.pool.ntp.org [208.75.85.61]:
ICMP: 29ms delay.
NTP: -0.0088156s offset from local clock
RefID: fiordland.ubuntu.com [82.211.81.145]
2.us.pool.ntp.org [155.97.17.169]:
ICMP: 34ms delay.
NTP: -0.0091929s offset from local clock
RefID: time-b.utah.edu [155.97.154.154]
3.us.pool.ntp.org [66.36.239.104]:
ICMP: 49ms delay.
NTP: -0.0027594s offset from local clock
RefID: avi-lis.gw.lightning.net [209.51.161.238]
Reset The Default Configuration
These w32tm commands can be run on every workstation, member server, and domain controller except the DC that holds the PDC Emulator role in the forest root domain. If the defaults have not been changed, these commands are not necessary. If the settings have been changed, or you are not sure, these commands restore the default settings:
w32tm.exe /config /manualpeerlist: /syncfromflags:DOMHIER /update
w32tm.exe /resync /rediscover
w32tm.exe /monitor
(The /monitor command is only for checking the results; it should not be used from a script.)
Note: The "delay" is normal network latency, and accounted for by the time service. The "offset" should always be less than a tenth of a second ("0.0######"):
dc01.domain.com [10.10.10.11:123]:
ICMP: 22ms delay.
NTP: +0.0000000s offset from dc01.domain.com
RefID: dc02.domain.com [10.10.10.12]
Stratum: 4
dc02.domain.com *** PDC *** [10.10.10.12:123]:
ICMP: 29ms delay.
NTP: -0.0028156s offset from dc02.domain.com
RefID: 0.us.pool.ntp.org [155.101.3.115]
Stratum: 3
dc03.domain.com [10.10.10.13:123]:
ICMP: 34ms delay.
NTP: -0.0031929s offset from dc03.domain.com
RefID: dc02.domain.com [10.10.10.12]
Stratum: 4
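The two /monitor listings above (the external pool check and the domain check) can be turned into an automated check instead of being read by eye. The following PowerShell is an added example and is not part of the original article: it parses the text that w32tm.exe /monitor prints and flags any peer whose offset magnitude reaches the tenth-of-a-second threshold given in the notes. The embedded sample is the article's own domain output (minus signs normalised to ASCII) plus one constructed host, dc04, that is out of tolerance; function names are the example's own.

```powershell
# Added example: parse "w32tm.exe /monitor" output and flag offsets >= 0.1 s.
function ConvertFrom-W32tmMonitor {
    param([Parameter(Mandatory)][string[]]$Lines)
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Host header, e.g. "dc02.domain.com *** PDC *** [10.10.10.12:123]:"
        if ($text -match '^(?<host>\S+)(?<pdc>\s+\*\*\* PDC \*\*\*)?\s+\[(?<addr>[^\]]+)\]:$') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                Host = $Matches.host; Address = $Matches.addr; IsPdc = [bool]$Matches.pdc
                DelayMs = $null; OffsetS = $null; RefId = $null; Stratum = $null
            }
        }
        elseif ($current -and $text -match '^ICMP:\s+(?<ms>\d+)ms delay') {
            $current.DelayMs = [int]$Matches.ms
        }
        elseif ($current -and $text -match '^NTP:\s+(?<off>[+-]\d+\.\d+)s offset') {
            $current.OffsetS = [double]$Matches.off   # signed offset in seconds
        }
        elseif ($current -and $text -match '^RefID:\s+(?<ref>.+)$') {
            $current.RefId = $Matches.ref
        }
        elseif ($current -and $text -match '^Stratum:\s+(?<s>\d+)$') {
            $current.Stratum = [int]$Matches.s
        }
    }
    if ($current) { $results += $current }
    return $results
}

function Test-W32tmOffset {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [double]$MaxOffsetSeconds = 0.1   # the article's rule of thumb: under a tenth of a second
    )
    ConvertFrom-W32tmMonitor -Lines $Lines | ForEach-Object {
        # A peer with no NTP line did not answer (firewall, or UDP 123 blocked)
        $status = if ($null -eq $_.OffsetS) { 'NO-RESPONSE' }
                  elseif ([math]::Abs($_.OffsetS) -ge $MaxOffsetSeconds) { 'DRIFT' }
                  else { 'OK' }
        $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

# Constructed sample: the article's domain output plus one out-of-tolerance host (dc04)
$sample = @'
dc01.domain.com [10.10.10.11:123]:
    ICMP: 22ms delay.
    NTP: +0.0000000s offset from dc01.domain.com
        RefID: dc02.domain.com [10.10.10.12]
        Stratum: 4
dc02.domain.com *** PDC *** [10.10.10.12:123]:
    ICMP: 29ms delay.
    NTP: -0.0028156s offset from dc02.domain.com
        RefID: 0.us.pool.ntp.org [155.101.3.115]
        Stratum: 3
dc04.domain.com [10.10.10.14:123]:
    ICMP: 31ms delay.
    NTP: -0.2500000s offset from dc04.domain.com
        RefID: dc02.domain.com [10.10.10.12]
        Stratum: 4
'@ -split "`r?`n"

Test-W32tmOffset -Lines $sample | Format-Table Host, IsPdc, Stratum, DelayMs, OffsetS, Status

# Live use on a domain controller: capture the real output and keep only problems
# $live = w32tm.exe /monitor
# Test-W32tmOffset -Lines $live | Where-Object Status -ne 'OK'
```

In the sample run dc01 and dc02 come back OK and dc04 is reported as DRIFT. The parser keeps the "*** PDC ***" marker as the IsPdc property, so a monitoring job can additionally assert that exactly one host in the domain listing carries it and that its RefID points at the external pool rather than at another DC.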
Maintaining The Configuration
Group Policy is recommended for managing and enforcing these settings on member servers, workstations, and domain controllers in child domains. Using Group Policy for domain controllers in the forest root domain is not as straightforward since the PDC Emulator needs unique settings. This could be done with Security Filtering, but since the role could periodically move from one DC to another, setting a recurring task with a reminder is recommended rather than using group policy.
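Because Group Policy cannot easily follow the PDC Emulator role around, the recurring task suggested above can carry an actual configuration check. The following PowerShell is an added example and not part of the original article: it asks Active Directory which DC holds the PDC Emulator role in the forest root domain, derives the W32Time settings the local machine should have (manual peers and /reliable:YES only on that DC, domain hierarchy everywhere else), and reports any difference. It assumes the ActiveDirectory module from RSAT is installed, that the script runs on a domain-joined machine, and that the expected peers are the us.pool.ntp.org hosts listed earlier; the script path and schedule in the task registration are placeholders.

```powershell
# Added example: audit the local W32Time configuration against the role this
# computer holds. Not the article's own code; see the lead-in for assumptions.

function Get-ExpectedW32TimeType {
    param([Parameter(Mandatory)][string]$ComputerFqdn)
    # Only the forest-root PDC Emulator should use manual peers (Type = NTP);
    # everything else follows the domain hierarchy (Type = NT5DS).
    $rootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    if ($ComputerFqdn -ieq $rootPdc) { 'NTP' } else { 'NT5DS' }
}

function Test-W32TimeConfig {
    param(
        [string]$ComputerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string[]]$ExpectedPeers = @('0.us.pool.ntp.org', '1.us.pool.ntp.org',
                                     '2.us.pool.ntp.org', '3.us.pool.ntp.org')
    )
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $params = Get-ItemProperty "$base\Parameters"
    $config = Get-ItemProperty "$base\Config"
    $expectedType = Get-ExpectedW32TimeType -ComputerFqdn $ComputerFqdn
    $findings = @()

    if ($params.Type -ne $expectedType) {
        $findings += "Type is '$($params.Type)', expected '$expectedType' for this role"
    }
    if ($expectedType -eq 'NTP') {
        # Strip the ",0x8" per-peer flag suffix before comparing the peer list
        $actualPeers = @(($params.NtpServer -split '\s+') -replace ',0x[0-9a-fA-F]+$', '' |
                         Where-Object { $_ })
        $missing = $ExpectedPeers | Where-Object { $actualPeers -notcontains $_ }
        if ($missing) { $findings += "NtpServer is missing peers: $($missing -join ', ')" }
        # /reliable:YES sets AnnounceFlags to 5 so other DCs treat this one as reliable
        if ($config.AnnounceFlags -ne 5) {
            $findings += "AnnounceFlags is $($config.AnnounceFlags), expected 5 (/reliable:YES)"
        }
    }
    $svc = Get-Service -Name W32Time
    if ($svc.StartType -ne 'Automatic') { $findings += "Start type is $($svc.StartType), expected Automatic" }
    if ($svc.Status -ne 'Running')      { $findings += "Service is $($svc.Status)" }

    [pscustomobject]@{
        Computer     = $ComputerFqdn
        ExpectedType = $expectedType
        ActualType   = $params.Type
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Register the audit as a weekly task; the script path is a placeholder
function Register-W32TimeAudit {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -File C:\Scripts\Test-W32TimeConfig.ps1'
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '07:00'
    Register-ScheduledTask -TaskName 'Audit-W32Time' -Action $action -Trigger $trigger `
               -User 'SYSTEM' -RunLevel Highest
}

Test-W32TimeConfig | Format-List
```

A DC that has just received the PDC Emulator role will show Type = NT5DS where NTP is expected, and the DC that lost the role will show the reverse, which is exactly the drift the article's reminder is meant to catch. Writing the Findings list to the event log or a ticket queue from the scheduled task turns the reminder into an alert.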
Time Skew, Intervals And Accuracy
When the time service detects a change is needed to the system clock, sometimes it makes the change immediately, but sometimes it slowly makes small corrections over time using a skew algorithm. This algorithm may be different between versions of Windows, but basically:
- If the local clock is behind the server’s time, or more than 3 minutes ahead, W32Time will change the local clock time immediately.
- If the local clock is less than 3 minutes ahead of the server’s time, W32Time will quarter or halve the clock frequency for as long as necessary to bring the clocks into sync.
Changing the values of this algorithm is complicated; see this blog post. This example shows the local clock 78 seconds off from a server named DC01, with the clock being slowly adjusted over 20 minutes:
w32tm.exe /stripchart /computer:DC01
Tracking DC01 [10.10.10.11:123].
The current time is 3/22/2011 8:33:11 AM.
08:33:11 d:+00.0664544s o:-78.5655853s [@ | ]
08:33:13 d:+00.0332272s o:-78.2384937s [@ | ]
08:33:15 d:+00.0332272s o:-77.8864817s [@ | ]
08:33:17 d:+00.0332272s o:-77.5344697s [@ | ]
08:33:18 d:+00.0249204s o:-77.1783043s [@ | ]
<snip>
08:47:27 d:+00.0393744s o:-04.0053162s [ * | ]
08:47:29 d:+00.0295308s o:-03.9743844s [ * | ]
<snip>
08:53:43 d:+00.0295308s o:-00.5462154s [ * | ]
According to KB819108, the default interval for 2003/XP is 17 minutes, but the default is not the same for DCs, member servers, and workstations. According to TechNet the max interval is 32,768 seconds (22 days). Changing this interval can be complicated; search on: MaxPollInterval MinPollInterval
According to KB939322, the W32Time service only reliably maintains time within 1 to 2 seconds. Microsoft does not guarantee the accuracy of the W32Time service between nodes on a network, and the W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:
- Make the Kerberos version 5 authentication protocol work (which by default allows a maximum time skew of 5 minutes)
- Provide loose time sync for client computers
If transactional processing is very time-sensitive and requires accuracy down to the second (for example, cryptography or banking), the Windows Time Service may need to be disabled and replaced with a third-party time service.
Configuration For Virtual Machines
If the VM settings allow guest time synchronization with a Hyper-V host (the default), you may want to stop the Windows Time service from using the Hyper-V host as a source while the OS is running, but still allow the Integration Services to sync with the host during boot and on resume from standby. This is not required for all VMs; usually the default settings work fine. But for some VMs where time is critical (such as domain controllers), if the system clock is off by 3 minutes when the OS starts, it may take a long time for the Windows Time service to correct it if the skewing algorithm is used. To make this change, open an elevated command prompt and run this command:
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
Note: This will not take effect until the service is restarted, but the next reboot is usually fine.
Troubleshooting
If the time service is not functioning correctly or the registry settings have been changed, you can uninstall/reinstall the service with these steps:
net.exe stop w32time
w32tm.exe /unregister
Note: Verify this registry key was deleted: HKLM\System\CurrentControlSet\Services\W32Time
w32tm.exe /register
net.exe start w32time
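The reinstall sequence above is easy to get half-done: if the registry key survives /unregister, the following /register does not give you a clean service. The following PowerShell is an added example and not part of the original article; it runs the same five steps with the key check from the note enforced between unregister and register, stops on any non-zero exit code, and finishes by asking the freshly registered service where it is syncing from (w32tm /query is available on Windows Server 2008 and later). Run it from an elevated PowerShell session.

```powershell
# Added example: the article's uninstall/reinstall steps with the registry
# check performed before re-registering. Not the article's own code.
function Reset-W32TimeService {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

    # Step 1: stop the service (equivalent of "net stop w32time")
    Stop-Service -Name W32Time -Force -ErrorAction SilentlyContinue

    # Step 2: unregister the service and its registry configuration
    w32tm.exe /unregister | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "w32tm /unregister failed with exit code $LASTEXITCODE" }

    # Step 3: the note's check; a leftover key means the old settings would survive
    if (Test-Path $key) {
        throw "Registry key $key still exists after /unregister; remove it before re-registering"
    }

    # Step 4: register the service again with default settings
    w32tm.exe /register | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "w32tm /register failed with exit code $LASTEXITCODE" }

    # Step 5: start the service (equivalent of "net start w32time")
    Start-Service -Name W32Time

    # A domain member back on defaults should report a DC here; the forest-root
    # PDC Emulator must now be reconfigured with its external peers
    w32tm.exe /query /source
}

Reset-W32TimeService
```

After a reset every machine is on the defaults, so if this was run on the forest-root PDC Emulator the manual peer list and /reliable:YES from the earlier section have to be applied again before the check at the end means anything.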
Links
Configuring the Windows Time Service for Windows Server (Ace Fekav’s Blog with lots of links)
Support boundary to configure the Windows Time service for high accuracy environments