Windows Time Service (W32Time)

Born to Learn - Failure count as late success

Md Shaifullah Mozide Palash

Time Service

12/13/18


Table of Contents

Overview
Time Provider
How does Windows Time Service work?
Windows Time Service Architecture
Windows Time Service Time Protocols
Network Time Protocol
NTP Algorithms
NTP Time Provider
NTP Security
Hardware Devices That Are Supported by the Windows Time Service
Simple Network Time Protocol
Domain Hierarchy-Based Synchronization
Domain Controller Time Source Queries
Network Ports Used by Windows Time Service
Cumulative one-way network latency
Event ID
Configure Windows Time Service
Summary


Overview

The Windows Time service (W32Time) synchronizes the date and time for all computers running in Active Directory Domain Services (AD DS). Time synchronization is critical for the proper operation of many Windows services and line-of-business (LOB) applications. The Windows Time service uses the Network Time Protocol (NTP) to synchronize computer clocks on the network. NTP ensures that an accurate clock value, or timestamp, can be assigned to network validation and resource access requests.

Although the Windows Time service is not an exact implementation of the Network Time Protocol (NTP), it uses the complex suite of algorithms that is defined in the NTP specifications to ensure that clocks on computers throughout a network are as accurate as possible. Ideally, all computer clocks in an AD DS domain are synchronized with the time of an authoritative computer. Many factors can affect time synchronization on a network. The following factors often affect the accuracy of synchronization in AD DS:

1. Network conditions
2. The accuracy of the computer's hardware clock
3. The amount of CPU and network resources available to the Windows Time service

Applies to: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10 or later

Note: I will try to cover a new topic surrounding Windows Time Service (w32time for short). If anyone has any requests/suggestions for topics, please feel free to let me know.

Time Provider

The Microsoft Windows operating system provides support for a variety of hardware devices and network time protocols using the time provider architecture. Input time providers retrieve accurate time stamps from hardware or the network, and output time providers provide time stamps to other clients on the network.

Time providers are managed by the time provider manager. It is responsible for loading, starting, and stopping time providers as directed by the service control manager. This interface makes writing a time provider easier than writing a full service.

1. Creating a Time Provider: https://docs.microsoft.com/en-us/windows/desktop/SysInfo/creating-a-time-provider

2. Registering a Time Provider: https://docs.microsoft.com/en-us/windows/desktop/SysInfo/registering-a-time-provider

3. Sample Time Provider: https://docs.microsoft.com/en-us/windows/desktop/SysInfo/sample-time-provider

4. Time Improvements in Windows Server 2016: https://channel9.msdn.com/Blogs/windowsserver/Time-Improvements-in-Windows-Server-2016

How does Windows Time Service work?

Well, without getting into some of the messy details, w32time communicates with other computers in your network to keep the time on your local computer accurate. The overarching goal is to keep your local clock in step with a remote clock. In this way, w32time is synchronizing your computer's clock to that of your time source. (Keep in mind that most of this information can also be found in the NTP v3.0 RFC, which w32time is based on.) This is done by sampling the time on a remote system (known as the time source). The communication between a time client and a time source looks something like this:

1. The time client makes a request for a timestamp at time t1
2. The time source receives the request at time t2
3. The time source sends back a response at time t3
4. The time client receives the response at time t4

This is the fundamental interaction between a time client and a time source. The astute reader would first ask the following question:

Well, if the 2 computers are not currently synchronized (which is the point of this communication in the first place), then how can those time values (t1 - t4) be useful at all?

This is a great question because it demonstrates the ingenious design of NTP to be computer independent. Without making assumptions about the relationship of the time source and time client, we can make these initial observations:

1. (t4 - t1) is the total time that it took for the time client to send out a request and get back a response (round-trip time)

2. (t3 - t2) is the total time that the time source spent processing the request (processing time)

3. ((t4 - t1) - (t3 - t2)) is the total transit time of the request (round-trip time - processing time)

Using this, we can make the following additional observation:

((t2 - t1) + (t3 - t4)) / 2 is the clock offset between the two computers

Now that we have the clock offset, we can start to correct the clock on the local computer (the time client). Correcting the time on a computer can be done in two ways: skewing and setting. If the time difference is small enough*, we can adjust the clock gradually over time. However, if the time difference is too large* (such as hours or days), it is better to simply set the local clock to the desired time.

The concept of "too large" or "too small" is relative. These values are adjustable in the registry so that you can control when w32time skews, sets or does nothing at all.

The relationship between w32time and the local clock (yes, they are two distinct entities) is complicated and will be explained in a later post.
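As an added example (not code from the original post or from w32time itself), the following Python works the t1..t4 arithmetic above on constructed timestamps and models the skew / set / do-nothing choice; the threshold names follow the W32Time registry values MaxAllowedPhaseOffset, MaxPosPhaseCorrection and MaxNegPhaseCorrection, but the decision rule is simplified and the demo threshold values are made up.

```python
"""NTP offset and delay from the four timestamps, plus a w32time-style
skew / set / reject decision.

Added example, not code from the original page or from w32time itself.
The exchanges below are constructed. The threshold names mirror the W32Time
Config registry values MaxAllowedPhaseOffset, MaxPosPhaseCorrection and
MaxNegPhaseCorrection, but the rule is a simplified model and the demo
threshold values are made up, not Windows defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    """The four timestamps of one client/server NTP exchange, in seconds."""
    t1: float  # client sends the request    (read from the client clock)
    t2: float  # server receives the request (read from the server clock)
    t3: float  # server sends the reply      (read from the server clock)
    t4: float  # client receives the reply   (read from the client clock)


def round_trip_delay(x: Exchange) -> float:
    """Transit time only: the whole exchange minus the server's processing time."""
    return (x.t4 - x.t1) - (x.t3 - x.t2)


def clock_offset(x: Exchange) -> float:
    """Server clock minus client clock; adding it to the client clock aligns them.

    The formula assumes the request and reply legs took equal time, so the
    result can be wrong by up to round_trip_delay / 2 (see error_bound).
    """
    return ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0


def error_bound(x: Exchange) -> float:
    """Largest offset error that path asymmetry alone could introduce."""
    return round_trip_delay(x) / 2.0


def choose_correction(offset: float, *, max_allowed_phase_offset: float,
                      max_pos_phase_correction: float,
                      max_neg_phase_correction: float) -> str:
    """Return "skew", "set" or "reject" for a measured offset.

    Simplified model of the registry-adjustable thresholds the text mentions:
      |offset| <= MaxAllowedPhaseOffset         -> skew (slew the clock rate)
      offset inside Max{Pos,Neg}PhaseCorrection -> set (step the clock)
      anything larger                           -> reject (do nothing, log it)
    """
    magnitude = abs(offset)
    if magnitude <= max_allowed_phase_offset:
        return "skew"
    limit = max_pos_phase_correction if offset > 0 else max_neg_phase_correction
    if magnitude <= limit:
        return "set"
    return "reject"


def analyze(x: Exchange, **thresholds: float) -> dict:
    """Offset, delay, error bound and the correction the simplified rule picks."""
    offset = clock_offset(x)
    return {
        "offset": offset,
        "delay": round_trip_delay(x),
        "error_bound": error_bound(x),
        "action": choose_correction(offset, **thresholds),
    }


# Constructed demo thresholds (NOT Windows defaults): skew up to 1 s,
# step up to 48 hours in either direction, reject anything beyond that.
DEMO_THRESHOLDS = {
    "max_allowed_phase_offset": 1.0,
    "max_pos_phase_correction": 48 * 3600.0,
    "max_neg_phase_correction": 48 * 3600.0,
}

# Constructed: server 0.6 s ahead of client, ~10 ms per leg, 2 ms processing.
SMALL_DRIFT = Exchange(t1=100.000, t2=100.610, t3=100.612, t4=100.024)
# Constructed: client clock two hours ahead of the server, same path delays.
TWO_HOURS_FAST = Exchange(t1=7200.000, t2=0.010, t3=0.012, t4=7200.024)

if __name__ == "__main__":
    for name, ex in (("small drift", SMALL_DRIFT), ("two hours fast", TWO_HOURS_FAST)):
        r = analyze(ex, **DEMO_THRESHOLDS)
        print(f"{name}: offset={r['offset']:+.4f}s delay={r['delay']:.4f}s "
              f"(+/- {r['error_bound']:.4f}s) -> {r['action']}")
```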

Time source selection

Aside from how the service determines the time difference, the next most common question is:

How does w32time choose a time source (known as a peer)? The service can operate in one of two possible modes:

1. NTP (as defined in the original RFC)
2. NT5DS (using domain lookup mechanisms)


The NTP mode is straightforward: Try to sync with the peer specified. If you can't, wait until you can. This is the mode that non-domain-joined computers use. The DNS name or IP address of the peer can be changed in the registry, but it comes as 'time.windows.com' by default. Microsoft hosts its own NTP server, which is how your computer gets correct time "out of the box".

Domain joined computers utilize the NT5DS mode. This mode uses netlogon API calls to find an eligible peer to sync with. Because domains can become both large and deep, and w32time needs to operate in an optimal fashion either way, there is a complex algorithm that is used to find a peer. I will be covering this later in a separate post (since it is such a large and involved topic), but you can find a reasonable explanation at TechNet for Windows Server 2003. Here is the quick overview:

▪ Computers sync with DCs, preferably from their own site/domain
▪ DCs sync with the local PDC, but will go out of site/domain if needed
▪ PDCs sync with other PDCs, or possibly with DCs higher up in the forest if needed

At the top of the forest (at the root domain), there needs to be either a local time source or a link to an external peer that provides reliable time data. Again, this really needs a long discussion to make proper sense, but the domain needs to get its time data from somewhere. The w32time service is responsible for distributing the time throughout the domain, but it needs to go to another source to get the data to distribute in the first place.

Windows Time Service Architecture

The Windows Time service consists of the following components:

1. Service Control Manager
2. Windows Time Service Manager
3. Clock Discipline
4. Time providers

The following figure shows the architecture of the Windows Time service.


The Service Control Manager is responsible for starting and stopping the Windows Time service. The Windows Time Service Manager is responsible for initiating the action of the NTP time providers included with the operating system. The Windows Time Service Manager controls all functions of the Windows Time service and the coalescing of all time samples. In addition to providing information about the current system state, such as the current time source or the last time the system clock was updated, the Windows Time Service Manager is also responsible for creating events in the event log.

The time synchronization process involves the following steps:

▪ Input providers request and receive time samples from configured NTP time sources.
▪ These time samples are then passed to the Windows Time Service Manager, which collects all the samples and passes them to the clock discipline subcomponent.
▪ The clock discipline subcomponent applies the NTP algorithms, which results in the selection of the best time sample.
▪ The clock discipline subcomponent adjusts the time of the system clock to the most accurate time by either adjusting the clock rate or directly changing the time.

If a computer has been designated as a time server, it can send the time on to any computer requesting time synchronization at any point in this process.

Windows Time Service Time Protocols

Time protocols determine how closely two computers' clocks are synchronized. A time protocol is responsible for determining the best available time information and converging the clocks to ensure that a consistent time is maintained on separate systems.

The Windows Time service uses the Network Time Protocol (NTP) to help synchronize time across a network. NTP is an Internet time protocol that includes the discipline algorithms necessary for synchronizing clocks. NTP is a more accurate time protocol than the Simple Network Time Protocol (SNTP) that is used in some versions of Windows. However, W32Time continues to support SNTP to enable backward compatibility with computers running SNTP-based time services, such as Windows 2000.

Network Time Protocol

Network Time Protocol (NTP) is the default time synchronization protocol used by the Windows Time service in the operating system. NTP is a fault-tolerant, highly scalable time protocol and is the protocol used most often for synchronizing computer clocks by using a designated time reference.

NTP time synchronization takes place over a period and involves the transfer of NTP packets over a network. NTP packets contain time stamps that include a time sample from both the client and the server participating in time synchronization.

NTP relies on a reference clock to define the most accurate time to be used and synchronizes all clocks on a network to that reference clock. NTP uses Coordinated Universal Time (UTC) as the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings.


NTP Algorithms

NTP includes two algorithms, a clock-filtering algorithm and a clock-selection algorithm, to assist the Windows Time service in determining the best time sample. The clock-filtering algorithm is designed to sift through time samples that are received from queried time sources and determine the best time samples from each source. The clock-selection algorithm then determines the most accurate time server on the network. This information is then passed to the clock discipline algorithm, which uses the information gathered to correct the local clock of the computer, while compensating for errors due to network latency and computer clock inaccuracy.

The NTP algorithms are most accurate under conditions of light-to-moderate network and server loads. As with any algorithm that takes network transit time into account, NTP algorithms might perform poorly under conditions of extreme network congestion.

NTP Time Provider

The Windows Time service is a complete time synchronization package that can support a variety of hardware devices and time protocols. To enable this support, the service uses pluggable time providers. A time provider is responsible for either obtaining accurate time stamps (from the network or from hardware) or for providing those time stamps to other computers over the network.

The NTP provider is the standard time provider included with the operating system. The NTP provider follows the standards specified by NTP version 3 for a client and server and can interact with SNTP clients and servers for backward compatibility with Windows 2000 and other SNTP clients. The NTP provider in the Windows Time service consists of the following two parts:

• NtpServer output provider. This is a time server that responds to client time requests on the network.

• NtpClient input provider. This is a time client that obtains time information from another source, either a hardware device or an NTP server, and can return time samples that are useful for synchronizing the local clock.

Although the actual operations of these two providers are closely related, they appear independent to the time service. Starting with Windows 2000 Server, when a Windows computer is connected to a network, it is configured as an NTP client. Also, computers running the Windows Time service only attempt to synchronize time with a domain controller or a manually specified time source by default. These are the preferred time providers because they are automatically available, secure sources of time.

NTP Security

Within an AD DS forest, the Windows Time service relies on standard domain security features to enforce the authentication of time data. The security of NTP packets that are sent between a domain member computer and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. NTP packets are not transmitted inside the Net Logon secure channel. Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer's session key or is signed incorrectly, the time is rejected. All such authentication failures are logged in the Event Log. In this way, the Windows Time service provides security for NTP data in an AD DS forest.

Generally, Windows time clients automatically obtain accurate time for synchronization from domain controllers in the same domain. In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When a time server returns an authenticated NTP packet to a client that requests the time, the packet is signed by means of a Kerberos session key defined by an interdomain trust account. The interdomain trust account is created when a new AD DS domain joins a forest, and the Net Logon service manages the session key. In this way, the domain controller that is configured as reliable in the forest root domain becomes the authenticated time source for all of the domain controllers in both the parent and child domains, and indirectly for all computers located in the domain tree.

The Windows Time service can be configured to work between forests, but it is important to note that this configuration is not secure. For example, an NTP server might be available in a different forest. However, because that computer is in a different forest, there is no Kerberos session key with which to sign and authenticate NTP packets. To obtain accurate time synchronization from a computer in a different forest, the client needs network access to that computer and the time service must be configured to use a specific time source located in the other forest. If a client is manually configured to access time from an NTP server outside of its own domain hierarchy, the NTP packets sent between the client and the time server are not authenticated, and therefore are not secure. Even with the implementation of forest trusts, the Windows Time service is not secure across forests. Although the Net Logon secure channel is the authentication mechanism for the Windows Time service, authentication across forests is not supported.

Hardware Devices That Are Supported by the Windows Time Service

Hardware-based clocks such as GPS or radio clocks are often used as highly accurate reference clock devices. By default, the Windows Time service NTP time provider does not support the direct connection of a hardware device to a computer, although it is possible to create a software-based independent time provider that supports this type of connection. This type of provider, in conjunction with the Windows Time service, can provide a reliable, stable time reference.

Hardware devices, such as a cesium clock or a Global Positioning System (GPS) receiver, provide accurate current time by following a standard to obtain an accurate definition of time. Cesium clocks are extremely stable and are unaffected by factors such as temperature, pressure, or humidity, but are also very expensive. A GPS receiver is much less expensive to operate and is also an accurate reference clock. GPS receivers obtain their time from satellites that obtain their time from a cesium clock. Without the use of an independent time provider, Windows time servers can acquire their time by connecting to an external NTP server, which is connected to a hardware device by means of a telephone or the Internet. Organizations such as the United States Naval Observatory provide NTP servers that are connected to extremely reliable reference clocks.


Many GPS receivers and other time devices can function as NTP servers on a network. You can configure your AD DS forest to synchronize time from these external hardware devices only if they are also acting as NTP servers on your network. To do so, configure the domain controller functioning as the primary domain controller (PDC) emulator in your forest root to synchronize with the NTP server provided by the GPS device.

Configure the Windows Time service on the PDC emulator in the Forest Root Domain: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731191(v=ws.10)

Simple Network Time Protocol

The Simple Network Time Protocol (SNTP) is a simplified time protocol that is intended for servers and clients that do not require the degree of accuracy that NTP provides. SNTP, a more rudimentary version of NTP, is the primary time protocol that is used in Windows 2000. Because the network packet formats of SNTP and NTP are identical, the two protocols are interoperable. The primary difference between the two is that SNTP does not have the error management and complex filtering systems that NTP provides.

Domain Hierarchy-Based Synchronization

Synchronization that is based on a domain hierarchy uses the AD DS domain hierarchy to find a reliable source with which to synchronize time. Based on domain hierarchy, the Windows Time service determines the accuracy of each time server. In a Windows Server 2003 forest, the computer that holds the primary domain controller (PDC) emulator operations master role, located in the forest root domain, holds the position of best time source, unless another reliable time source has been configured. The following figure illustrates a path of time synchronization between computers in a domain hierarchy.


Domain Controller Time Source Queries

Query Number | Domain Controller        | Location    | Reliability of Time Source
1            | Parent domain controller | In-site     | Prefers a reliable time source, but can synchronize with a non-reliable time source if that is all that is available.
2            | Local domain controller  | In-site     | Only synchronizes with a reliable time source.
3            | Local PDC emulator       | In-site     | Does not apply. A domain controller does not attempt to synchronize with itself.
4            | Parent domain controller | Out-of-site | Prefers a reliable time source, but can synchronize with a non-reliable time source if that is all that is available.
5            | Local domain controller  | Out-of-site | Only synchronizes with a reliable time source.
6            | Local PDC emulator       | Out-of-site | Does not apply. A domain controller does not attempt to synchronize with itself.


Network Ports Used by Windows Time Service

The Windows Time service communicates on a network to identify reliable time sources, obtain time information, and provide time information to other computers.

Port Assignments for the Windows Time Service

Service name | UDP | TCP
NTP          | 123 | N/A
SNTP         | 123 | N/A

Cumulative one-way network latency

Measurement uncertainty and "noise" creeps in as network latency increases. As such, it is imperative that a network latency be within a reasonable boundary. The specific requirements are dependent on your target accuracy and are outlined in the Support boundary to configure the Windows Time service for high-accuracy environments article.

To calculate the cumulative one-way network latency, add the individual one-way delays between pairs of NTP client-server nodes in the time topology, starting with the target and ending at the high-accuracy stratum 1-time source.

For example: Consider a time sync hierarchy with a highly accurate source, two intermediary NTP servers A and B, and the target machine in that order. To obtain the cumulative network latency between the target and source, measure the average individual NTP roundtrip times (RTTs) between:

▪ The target and time server B
▪ Time server B and time server A
▪ Time server A and the source

This measurement can be obtained using the inbox w32tm.exe tool. To do this:

1. Perform the calculation from the target against time server B:

w32tm /stripchart /computer:TimeServerB /rdtsc /samples:450 > c:\temp\Target_TsB.csv

2. Perform the calculation from time server B against (pointed at) time server A:

w32tm /stripchart /computer:TimeServerA /rdtsc /samples:450 > c:\temp\Target_TsA.csv

3. Perform the calculation from time server A against the source.

4. Next, add the average RoundTripDelay values measured in the previous steps and divide by 2 to obtain the cumulative network delay between target and source.
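As an added example (not from the original page or from Microsoft), the Python below parses constructed per-hop w32tm /stripchart captures and applies the add-the-averages-and-halve rule from the steps above; the CSV header names, the seconds unit of RoundTripDelay, and the 5 ms budget are assumptions, so compare against a real capture before relying on the parser.

```python
"""Cumulative one-way network latency from per-hop w32tm /stripchart captures.

Added example, not from the original page or Microsoft. The three captures are
constructed. The parser assumes a header row that names a RoundTripDelay column
and that the column holds seconds; that is an assumption about the /rdtsc CSV
layout, so check a real capture and adjust ROUND_TRIP_COLUMN / the unit if needed.
"""
import csv
import statistics
from typing import Dict, List, Tuple

ROUND_TRIP_COLUMN = "RoundTripDelay"

# Constructed captures, ordered from the target back towards the stratum-1 source.
# The banner lines before the header mimic w32tm's "Tracking ..." preamble.
CAPTURES: Dict[str, str] = {
    "target -> TimeServerB": """\
Tracking TimeServerB [192.0.2.10:123].
Collecting 4 samples.
RdtscStart,RdtscEnd,RoundTripDelay,NTPOffset
1000,1000200,0.0010000,0.0000120
1100,1100240,0.0012000,0.0000110
1200,1200160,0.0008000,0.0000130
1300,1300200,0.0010000,0.0000125
""",
    "TimeServerB -> TimeServerA": """\
Tracking TimeServerA [192.0.2.20:123].
Collecting 4 samples.
RdtscStart,RdtscEnd,RoundTripDelay,NTPOffset
2000,2000800,0.0040000,0.0000400
2100,2100720,0.0036000,0.0000390
2200,2200880,0.0044000,0.0000410
2300,2300800,0.0040000,0.0000405
""",
    "TimeServerA -> Source": """\
Tracking Source [192.0.2.30:123].
Collecting 4 samples.
RdtscStart,RdtscEnd,RoundTripDelay,NTPOffset
3000,3002000,0.0100000,0.0001000
3100,3102400,0.0120000,0.0000950
3200,3201600,0.0080000,0.0001050
3300,3302000,0.0100000,0.0001000
""",
}


def parse_round_trips(capture: str) -> List[float]:
    """Return the RoundTripDelay samples (seconds) from one w32tm capture.

    Everything before the header row is skipped; rows that do not parse as
    numbers (for example a trailing status line) are ignored rather than fatal.
    """
    lines = capture.splitlines()
    header_index = next(
        (i for i, line in enumerate(lines) if ROUND_TRIP_COLUMN in line.split(",")),
        None,
    )
    if header_index is None:
        raise ValueError(f"no {ROUND_TRIP_COLUMN} header row in capture")
    samples: List[float] = []
    for row in csv.DictReader(lines[header_index:]):
        try:
            samples.append(float(row[ROUND_TRIP_COLUMN]))
        except (TypeError, ValueError, KeyError):
            continue
    return samples


def hop_one_way_delay(round_trips: List[float]) -> float:
    """Average RTT for the hop divided by 2, as the procedure above describes."""
    if not round_trips:
        raise ValueError("capture contained no usable samples")
    return statistics.mean(round_trips) / 2.0


def cumulative_one_way_latency(captures: Dict[str, str]) -> Tuple[float, Dict[str, float]]:
    """Sum the per-hop one-way delays between the target and the source."""
    per_hop = {hop: hop_one_way_delay(parse_round_trips(text)) for hop, text in captures.items()}
    return sum(per_hop.values()), per_hop


def within_budget(total_seconds: float, budget_seconds: float) -> bool:
    """True when the cumulative one-way latency is inside the accuracy budget."""
    return total_seconds <= budget_seconds


if __name__ == "__main__":
    total, hops = cumulative_one_way_latency(CAPTURES)
    for hop, delay in hops.items():
        print(f"{hop}: {delay * 1000:.3f} ms one-way")
    # 5 ms is a constructed budget for the demo; take the real figure from the
    # support boundary article the text cites.
    print(f"cumulative: {total * 1000:.3f} ms -> within 5 ms budget: {within_budget(total, 0.005)}")
```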

Registry Settings: https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/configuring-systems-for-high-accuracy?tabs=UpdateInterval

Windows Time Service Tools and Settings: https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings


Event ID

I had a user contact me saying that her computer clock is 8 or 9 minutes faster than her cell phone clock. That concerned me because cell phone clocks are always synced. I looked at my computer's clock, and it was the same, about 8 minutes ahead of my phone. Eight minutes is a lot of time to be off. So, I looked at my two DCs. The one that serves as the AD PDC Emulator is only 1 minute faster than my phone; that seems more reasonable. But workstations aren't syncing with it. So, I looked at my other DC, which has none of the master roles. It is the same as the workstations, about 8 minutes fast.

So, there are a couple of big problems here. First, my DCs don't have the same time. Second, my workstations have the same time as the faster DC (are they syncing to it?). I looked in the error logs of both DCs and filtered for the Time-Service. The PDC Emulator DC has Warning Event ID 144: The time service has stopped advertising as a good time source. The other DC has Warning Event ID 142: The time service has stopped advertising as a time source because the local clock is not synchronized. I am getting other Event ID warnings as well. On the primary DC: Event IDs 12, 36, 144 (mentioned above), 131. On the secondary DC: Event IDs 131, 24, 142 (mentioned above), 50, 129. I will give more info on these at the bottom.

From what I'm seeing, it looks like my PDC is not pointing to an external source. Should I use the instructions here (http://support.microsoft.com/kb/816042) under "Configuring the time service to use an external time source" to set it up? It says to use a script to automate it (w32tm /config /manualpeerlist:"bd.pool.ntp.org,0x8 asia.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes /update). But I'm not sure if they're doing the same thing. Even if they did, I'm not sure which address I use. If I look at my secondary DC, it has an NtpServer entry of time.windows.com,0x9. The PDCe had it as well, until I did the reset that the article recommended; now it does not have an NtpServer entry.

So which method is the right one to use, and what address do I use? Does it matter if I'm running Server 2008 R2/2012/2012 R2 and 2016?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756435(v=ws.10)

Event ID 12: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:bd.pool.ntp.org
w32tm /config /reliable:yes
net start w32time

Event ID 36: The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.

w32tm.exe /config /manualpeerlist: bd.pool.ntp.org /syncfromflags:manual /reliable:YES /update


w32tm.exe /config /update
Restart-Service w32time

Event ID 144: The time service has stopped advertising as a good time source.

https://support.microsoft.com/hr-ba/help/2468336/w32time-event-142-the-time-service-has-stopped-advertising-as-a-time-s

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756500(v=ws.10)

https://social.technet.microsoft.com/Forums/en-US/5841b517-5da3-4bea-9daa-4735e32c60f3/timeservice-error-144-on-my-pdc?forum=winserverDS

Event ID 131: NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC).

This may be caused by the Windows Time service client being unable to locate the time source peer in DNS.

Event ID 24: Time Provider NtpClient: No valid response has been received from domain controller DC-DNS.domain.org [this is our primary DC] after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable.

If you are having time sync problems, try the following:

net time \\10.10.10.1 /set /y
w32tm /stripchart /computer:time.windows.com /dataonly
w32tm /resync /computer:time.windows.com /nowait
NET TIME /RTSDOMAIN:domainname /SET
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

This member should now be part of the time domain hierarchy.

w32tm /config /manualpeerlist:"NTP_server_IP_Address,0x8" /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

Event ID 142: The time service has stopped advertising as a time source because the local clock is not synchronized.

nltest /dsgetdc:<dns domain> /timeserver /force
nltest /dsgetdc:<dns domain> /gtimeserv /force
w32tm /query /source
net stop vmictimesync
sc config vmictimesync start= disabled
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider" /f
w32tm /config /manualpeerlist:ntdev-dc-05.ntdev.corp.microsoft.com /syncfromflags:MANUAL /update
net stop w32time & net start w32time
w32tm /query /source
w32tm /resync /force

https://support.microsoft.com/en-nz/help/2468336/w32time-event-142-the-time-service-has-stopped-advertising-as-a-time-s

Event ID 50: The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.

https://blogs.msmvps.com/mweber/2010/06/27/time-configuration-in-a-windows-domain/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc794937(v=ws.10)

https://www.petenetlive.com/KB/Article/0000112

Event ID 129: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3145779 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

https://social.technet.microsoft.com/wiki/contents/articles/1374.event-id-129-microsoft-windows-time-service.aspx
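The event IDs listed above (12, 24, 36, 50, 129, 131, 142, 144) are the ones an administrator usually meets when time sync breaks. The following PowerShell function is an added example, not part of the original document: it pulls recent Microsoft-Windows-Time-Service events from the System log and attaches the interpretation and next step the guide gives for each ID. The function name, the seven-day lookback and the one-line summaries are this example's own choices; the event IDs and their meanings come from the event list above.

```powershell
# Added example (not from the original document): triage recent W32Time events
# from the System log and map each Event ID to the meaning and next step the
# guide gives for it. Provider name and cmdlets are standard Windows PowerShell;
# the function name and the lookback window (-Days) are this example's assumptions.
function Get-W32TimeEventTriage {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Event IDs and the interpretation/action taken from the guide's event list
    $knownEvents = @{
        12  = 'Root PDC emulator has no upstream peer; configure an external NTP source on it (manualpeerlist + syncfromflags:manual + reliable:yes).'
        24  = 'Domain controller peer unreachable after 8 attempts; check network/DNS to that DC, then w32tm /resync /rediscover.'
        36  = 'No usable time stamp for 86400 s; service stops advertising. Run w32tm /resync and check the other W32Time events.'
        50  = 'Offset > 5000 ms for 900 s; low-accuracy source or poor network. Verify the source with w32tm /stripchart.'
        129 = 'Domain peer discovery failed (0x800706E1); check DC discovery with nltest /dsgetdc:<domain> /timeserver /force.'
        131 = 'Domain peer DNS resolution failed (0x80072AFC); the time source peer cannot be located in DNS.'
        142 = 'Stopped advertising: local clock not synchronized. Check w32tm /query /source and the upstream peer.'
        144 = 'Stopped advertising as a good time source; same checks as Event ID 142.'
    }

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        Id           = [int[]]$knownEvents.Keys
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports "no events found" as a non-terminating error; suppress it
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            Meaning     = $knownEvents[$e.Id]
            Message     = ($e.Message -split "`r?`n")[0]   # first line of the event text
        }
    }
}

# Usage: summarise the last week, most frequent IDs first
Get-W32TimeEventTriage -Days 7 | Group-Object EventId | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n = 'Meaning'; e = { $_.Group[0].Meaning }}
```

Run it on the PDC emulator first, then on any DC or member that logged Event ID 24, 129 or 131; a burst of 129/131 across many members usually points at DNS rather than at W32Time itself.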

Configure Windows Time Service

• https://www.server-world.info/en/note?os=Windows_Server_2016&p=ntp&f=1

• https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

• http://www.checkyourlogs.net/?p=19391

• https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time

• https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

• http://www.blog.creativform.com/synchronize-computer-time-domain-controller/

• https://www.greyware.com/software/domaintime/v5/overview/w32time.asp

One of the most fundamental tasks in a network is to keep the clocks on all computers (and network devices) synchronized with world time. This is essential for domain controllers, member servers, and client computers of an Active Directory (AD) domain, so one of the first tasks after deploying a forest root domain should be to configure an external authoritative time source. By default, all domain-joined computers (including domain controllers) must be accurate to within five minutes of one another. This is a requirement of Kerberos authentication. The domain controller holding the primary domain controller (PDC) emulator role (in the forest root domain) is considered the default authoritative time source for the whole forest. Only this specific domain controller should have an external time source set.


Configure

The following examples were tested on Windows Server 2008 R2 (domain/forest functional level). They should work on previous (and later) versions, but it is highly recommended to test thoroughly before changes are made in production.

# PDC emulator operations master role

Identify the domain controller, with the PDC emulator operations master role, in the forest root domain. Run the following commands from a PowerShell prompt:

PS> $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
PS> $forest.RootDomain.PdcRoleOwner.Name
dc01.example.com

# Link the domain controller to an external time source

After the specific domain controller has been identified, it is time (pun intended) to configure the Windows Time service on that computer. In this example, the following command will set the external time source to the US pool.ntp.org virtual cluster. Run the following commands from an elevated PowerShell prompt:

PS> w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
PS> w32tm.exe /config /update

Restart the Windows Time service for the changes to take effect. Run the following command from an elevated PowerShell prompt:

PS> Restart-Service w32time

# Switch roles (optional)

You may encounter a requirement to revert the time server computer back to a normal member of the time synchronization domain hierarchy. For example, this may be required if you migrate the PDC emulator operations master role to another domain controller. Once you configure another authoritative time server and confirm this designation, you can remove the designation from the local computer. Run the following commands from an elevated PowerShell prompt:

PS> w32tm.exe /config /syncfromflags:Domhier /reliable:NO /update
PS> w32tm.exe /config /update

Restart the Windows Time service for the changes to take effect. Run the following command from an elevated PowerShell prompt:

PS> Restart-Service w32time

# VMware Guests

It is recommended to disable the VMware Tools periodic time synchronization feature for AD domain-joined virtual machine computers. This can be accomplished with at least two different methods:

1. Set tools.syncTime = "FALSE" (or "0" for some VMware versions) in the configuration file (.vmx file) of the virtual machine. Or...

2. Deselect Time synchronization between the virtual machine and the host operating system in the VMware Tools toolbox GUI of the guest operating system.
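The configuration steps above describe two states: the forest-root PDC emulator (Type NTP with an external peer list, /reliable:YES) and every other computer (Type NT5DS, following the domain hierarchy). The function below is an added example, not the guide's or Microsoft's own code: run on any domain-joined computer, it works out whether the local machine is the root PDC emulator and reports where its W32Time configuration departs from the state the guide prescribes, including the "synchronizing with itself" case from the Summary and the hypervisor time provider from the Event ID 142 steps. The registry path, the value names Type and NtpServer, the VMICTimeProvider key and the source strings "Local CMOS Clock" and "Free-running System Clock" are standard Windows names; the function name, the FQDN lookup via DNS and the wording of the findings are this example's assumptions.

```powershell
# Added example (not from the original document): check whether this computer's
# W32Time role matches what the guide prescribes. The forest-root PDC emulator
# should have Type=NTP with an external NtpServer list; every other DC and
# member should have Type=NT5DS (domain hierarchy). Registry paths, value names
# and the source strings are the standard Windows ones; the function name and
# the wording of the findings are this example's assumptions.
function Test-W32TimeRole {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $pdce   = $forest.RootDomain.PdcRoleOwner.Name
    # Assumption: forward DNS for the local host returns its FQDN (domain-joined machine)
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $isPdce = ($pdce -ieq $fqdn)

    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $source = ((w32tm /query /source 2>&1) -join ' ').Trim()
    $vmic   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -ErrorAction SilentlyContinue

    $findings = @()
    if ($isPdce) {
        if ($params.Type -ne 'NTP') {
            $findings += "Root PDC emulator has Type=$($params.Type); the guide expects NTP with an external source (otherwise Event ID 12)."
        }
        if ([string]::IsNullOrWhiteSpace($params.NtpServer)) {
            $findings += 'Root PDC emulator has no NtpServer value; configure /manualpeerlist on it.'
        }
    }
    elseif ($params.Type -ne 'NT5DS') {
        $findings += "Non-PDC computer has Type=$($params.Type); the guide expects NT5DS so it follows the domain hierarchy."
    }

    # A clock with no peer is in effect synchronizing with itself (see the Summary bullet on RFC 1305)
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "Current source is '$source': no peer is disciplining this clock."
    }

    # The guide's Event ID 142 steps disable the Hyper-V provider on a DC; flag it when still enabled.
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (the guide's item 13 uses 5)
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc -and $vmic -and $vmic.Enabled -eq 1) {
        $findings += 'VMICTimeProvider (Hyper-V time sync) is enabled on a domain controller; review against the Event ID 142 steps.'
    }

    [pscustomobject]@{
        Computer       = $fqdn
        IsRootPdce     = $isPdce
        ConfiguredType = $params.Type
        NtpServer      = $params.NtpServer
        CurrentSource  = $source
        Findings       = if ($findings) { $findings } else { @('OK') }
    }
}

# Usage (elevated PowerShell prompt on the computer being checked)
Test-W32TimeRole | Format-List
```

The check is read-only, so it is safe to run across every DC after a PDC emulator role move: the old PDCe should report Type NT5DS, the new one Type NTP with a populated NtpServer, and neither should show a CMOS or free-running source.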


Verify and Troubleshoot

The w32tm command-line tool is your primary resource to verify and troubleshoot the time synchronization software configuration.

# Determine the time difference between the local computer and a remote time server

Run this command from a PowerShell prompt:

PS> w32tm /stripchart /computer:dc01 /dataonly /samples:5
Tracking dc01 [10.10.1.60:123].
Collecting 5 samples.
The current time is 4/14/2012 10:49:28 AM.
10:49:28, +00.3586386s
10:49:30, +00.3586515s
10:49:32, +00.3586644s
10:49:34, +00.3586773s
10:49:36, +00.3586902s

# Determine whether the computer is configured to synchronize time from the domain or a manual list of time servers

This command should be run from a member computer to verify it is getting its time source from the domain hierarchy. The Type attribute should be NT5DS if it is using the domain hierarchy for time synchronization. Run this command from an elevated PowerShell prompt:

PS> w32tm /query /configuration | Select-String 'type'
Type: NT5DS (Local)

# Display a list of peers and their status

This first example displays output from a member computer. Run this command from a PowerShell prompt:

PS> w32tm /query /peers
#Peers: 1

Peer: dc01.example.com
State: Active
Time Remaining: 28765.7593447s
Mode: 3 (Client)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 15 (32768s)
HostPoll Interval: 15 (32768s)

This specific example displays output from the domain controller holding the PDC emulator operations master role (if configured to sync with the US pool.ntp.org virtual cluster). Run this command from a PowerShell prompt:

PS> w32tm /query /peers
#Peers: 4

Peer: 0.us.pool.ntp.org
State: Active
Time Remaining: 904.5625720s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 1.us.pool.ntp.org
State: Active
Time Remaining: 487.6398725s
Mode: 1 (Symmetric Active)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 2.us.pool.ntp.org
State: Active
Time Remaining: 36.4734125s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 3.us.pool.ntp.org
State: Active
Time Remaining: 547.1089785s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

# Display the specific time source of the local computer

This first example displays output from a member computer. Run this command from an elevated PowerShell prompt:

PS> w32tm /query /source
dc01.example.com
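The stripchart output above gives the offset per sample but leaves the judgement to the reader. The following functions are an added example, not code from the guide: they parse the `/dataonly` line format shown above and grade the largest absolute offset against the two limits the document states, the 5000 ms threshold behind Event ID 50 and the five-minute Kerberos tolerance from the overview. The sample lines are constructed in the guide's format (one sample deliberately skewed) rather than captured from a real host; the function names and the verdict wording are this example's own.

```powershell
# Added example (not from the original document): parse "w32tm /stripchart
# /dataonly" output and judge the offset against the two limits the guide
# states (5 s for Event ID 50, 300 s for Kerberos). The line format matches the
# stripchart output shown in the guide; the sample lines are constructed.
function ConvertFrom-StripchartOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Sample line: "10:49:28, +00.3586386s"; an unreachable peer prints "error: 0x..." instead,
        # which the regex skips so the caller sees fewer samples rather than a bogus offset.
        if ($line -match '^\s*(\d{2}:\d{2}:\d{2}),\s*([+-]\d+\.\d+)s') {
            [pscustomobject]@{ Time = $Matches[1]; OffsetSeconds = [double]$Matches[2] }
        }
    }
}

function Test-TimeOffset {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [double]$WarnSeconds = 5,      # Event ID 50 threshold (5000 ms) from the guide
        [double]$FailSeconds = 300     # Kerberos five-minute tolerance from the guide
    )
    $samples = @(ConvertFrom-StripchartOutput -Lines $Lines)
    if ($samples.Count -eq 0) {
        return [pscustomobject]@{ Samples = 0; MaxAbsOffset = $null; Verdict = 'NO DATA (peer unreachable or output not recognised)' }
    }
    $maxAbs = ($samples | ForEach-Object { [math]::Abs($_.OffsetSeconds) } | Measure-Object -Maximum).Maximum
    $verdict = if ($maxAbs -ge $FailSeconds) { 'FAIL: outside the Kerberos five-minute tolerance' }
               elseif ($maxAbs -ge $WarnSeconds) { 'WARN: W32Time would log Event ID 50 at this offset' }
               else { 'OK' }
    [pscustomobject]@{ Samples = $samples.Count; MaxAbsOffset = $maxAbs; Verdict = $verdict }
}

# Constructed sample in the format the guide shows (not a real capture); the third
# sample is skewed to exercise the WARN branch.
$sample = @(
    'Tracking dc01 [10.10.1.60:123].',
    'Collecting 5 samples.',
    'The current time is 4/14/2012 10:49:28 AM.',
    '10:49:28, +00.3586386s',
    '10:49:30, +00.3586515s',
    '10:49:32, -07.2100000s',
    '10:49:34, +00.3586773s',
    '10:49:36, +00.3586902s'
)
Test-TimeOffset -Lines $sample

# Live check against a real peer (PowerShell prompt; dc01 is the guide's example host):
# Test-TimeOffset -Lines (w32tm /stripchart /computer:dc01 /dataonly /samples:5)
```

Point the live check at the PDC emulator from each DC, and at the external peer from the PDC emulator itself; a WARN on the PDC emulator's upstream peer is the case the guide attributes to low-accuracy sources or poor network conditions.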


This example displays output from the domain controller holding the PDC emulator operations master role (if configured to sync with the US pool.ntp.org virtual cluster). You will notice from this output that the DC is currently syncing with the 0.us.pool.ntp.org node in the cluster. Run this command from an elevated PowerShell prompt:

PS> w32tm /query /source
0.us.pool.ntp.org

# Perform a manual resync

Sometimes you may need to manually resynchronize the local clock with its time source. Run this command from an elevated PowerShell prompt:

PS> w32tm /resync /rediscover /nowait
Sending resync command to local computer
The command completed successfully.

1. [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
2. w32tm.exe /config /manualpeerlist:"bd.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
3. w32tm.exe /config /update
4. Restart-Service w32time
5. w32tm /resync /rediscover
6. w32tm /query /status
7. w32tm /query /configuration | Select-String 'type'
8. w32tm /query /peers
9. w32tm /query /source
10. w32tm /stripchart /computer:bsti1.time.gov.bd /samples:5 /dataonly
11. net stop w32time
12. net start w32time
13. Select * from Win32_ComputerSystem where DomainRole = 5

Summary

Always make sure that you use the same time-server in your network and that all your clients are syncing with it. If you have time differences inside of your Active Directory Domain, you will run into major issues. For further understanding please follow the below key notes:

• Please note that we recommend using w32tm command-line utility instead of "net time" command (why?),

• We recommend using w32tm or GPO tools to configure time services instead of registry tool,

• The PDC should not synchronize with itself (RFC 1305),

• More details on the WMI filter here and GPO time settings here.

• About NtpServer value syntax and server flags here and here.