Windows Time Service Concepts and Configuration

Please read the complete article before you start implementing it.

How time works in a Windows environment

By default all machines in an Active Directory environment automatically find a time server to sync time with.

1-Workstations use their authenticating Domain Controller
2-DCs sync with the server holding the PDC Emulator FSMO role.
3-In a multi-domain forest, the PDC Emulator in each child domain synchronises with a DC or the PDCe in the forest root domain.

To ensure the time remains reliable across the forest, only the PDC Emulator in the forest root domain should ever sync with an external time source. This way a single source of time is used across the whole forest. The graphic below (taken from a Microsoft TechNet blog) also illustrates this.

windowstimeconcept-01

Windows Time Settings: Where to Check

You can find the settings for the Time Service in the registry, under

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Here is the default registry configuration of a newly installed Windows workstation that is not joined to a domain.

windowstimeconcept-11

The most important value to note is the ‘Type’ string, which by default is “NTP”.

What does Type “NTP” mean?

It means the machine goes to the external time source “time.windows.com” to sync its time. This is the default behavior.

What is the recommendation for a domain node?

On any domain machine other than the PDC Emulator in the forest root, Type should be set to “NT5DS”. This means the machine finds a time server in the Active Directory hierarchy.

Here are the different values that Type can be set to:

Type      Meaning
NoSync    Does not synchronize time.
NTP       Synchronizes time to the time sources specified in the Parameters\NtpServer entry.
NT5DS     Synchronizes time to the domain hierarchy.
AllSync   Uses all synchronization mechanisms available.

What should you do if Type is not set to NT5DS on a domain node?

If it isn’t set to that, you should think about resetting the time service on that machine. To do that, run a Command Prompt as an Administrator and execute the following commands:

> net stop w32time
> w32tm /unregister
> w32tm /register
> net start w32time

Check the registry again. Type should now be NT5DS, and the NTPServer registry value should be gone.

windowstimeconcept-02

NOTE: Sometimes, you may find an NTPServer key in the registry despite the Type being set to NT5DS. NT5DS doesn’t use an NTP Server, so what gives? This setting is simply left over from prior to the machine being joined to the domain, when it was in a workgroup. Provided the Type value is set correctly, the NTPServer entry can be completely ignored or even deleted. Running the above commands on a domain-joined machine will delete it automatically.
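To check this without opening the registry editor, here is an added PowerShell script (not from the original post) that reads the Type and NtpServer values and compares Type with what the hierarchy rules above expect for this machine’s role. It assumes PowerShell 3 or later on a domain-joined host, run as an administrator, and uses the .NET ActiveDirectory classes to find the forest root PDC Emulator.

```powershell
# Added example, not from the original post: audit this machine's W32Time Type
# value against its role in the AD hierarchy described above (only the forest
# root PDC Emulator should use an external source; other members use NT5DS).
# Assumes PowerShell 3+ on a domain-joined host, run as an administrator.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# Meaning of each Type value, as listed in the table above.
$typeMeaning = @{
    NoSync  = 'Does not synchronize time'
    NTP     = 'Synchronizes with the servers in Parameters\NtpServer'
    NT5DS   = 'Synchronizes with the domain hierarchy'
    AllSync = 'Uses all synchronization mechanisms available'
}

function Test-W32TimeType {
    $cfg  = Get-ItemProperty -Path $paramsKey
    $type = [string]$cfg.Type
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Work out whether this host is the forest root PDC Emulator.
    $role = 'Workgroup machine'
    if ($cs.PartOfDomain) {
        $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $rootPdce = $forest.RootDomain.PdcRoleOwner.Name
        $fqdn     = "$($cs.Name).$($cs.Domain)"
        $role = if ($rootPdce -ieq $fqdn) { 'Forest root PDC Emulator' } else { 'Domain member' }
    }

    # Expected Type per the post: NT5DS for members, NTP everywhere else.
    # AllSync on a member also reaches the hierarchy, so it is accepted too.
    $expected = if ($role -eq 'Domain member') { 'NT5DS' } else { 'NTP' }
    $ok = ($type -ieq $expected) -or ($role -eq 'Domain member' -and $type -ieq 'AllSync')

    # Under NT5DS a surviving NtpServer value is a pre-join leftover and is ignored.
    $note = ''
    if ($type -ieq 'NT5DS' -and $cfg.PSObject.Properties['NtpServer']) {
        $note = 'NtpServer is left over from before the domain join; ignored under NT5DS'
    }

    [pscustomobject]@{
        Computer = $cs.Name; Role = $role; Type = $type
        Meaning  = $typeMeaning[$type]; Expected = $expected; Ok = $ok
        NtpServer = $cfg.NtpServer; Note = $note
    }
}

Test-W32TimeType | Format-List
```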

Manually set domain nodes (other than the PDC Emulator) to sync time with the domain hierarchy

If the commands above somehow did not give the results you expected, you can manually set Type to NT5DS to tell the Windows node to follow the domain hierarchy for time synchronization.

To tell a system’s W32Time service to get its time from Active Directory, type:

> w32tm /config /syncfromflags:domhier /update

windowstimeconcept-07

This does two things. First, it sets the Type value to “NT5DS”. Second, it notifies the w32time service that the settings have changed.

windowstimeconcept-03

Restart W32Time service

Once done, restart the Windows Time Service.

> net stop w32time
> net start w32time

windowstimeconcept-08

If time is not syncing yet, wait a while, restart the machine, or force a resync as shown at the end of this post.

Configure your Root Domain PDC Emulator to Sync Time from an External Source

The fact of the matter is the PDCe doesn’t actually need to synchronize with anything. It automatically designates itself the most reliable time server in the domain without ever talking to an external time server. For more information on how it designates itself as the reliable source, see the articles listed under Sources at the end of this post.

However, to have an easy life and keep your users from complaining, it is almost always a good idea to have some form of external time sync on the forest root PDC Emulator. There are a number of ways to do this.

To configure the time sync on the PDCe, you need to execute the following commands. I’d strongly suggest you get a level playing field by resetting the time service using the instructions above before you start.

> w32tm /config /manualpeerlist:"192.168.52.129,0x8" /syncfromflags:MANUAL /reliable:yes /update

For multiple time sources, the syntax should look like:

/manualpeerlist:"asia.pool.ntp.org,0x8 europe.pool.ntp.org,0x8"

Where “asia.pool.ntp.org” is the NTP server and 0x8 is the announce flag.

NOTE: You must append the announce flag (for example ,0x8) to the end of each DNS name. If you do not, the changes made in the next step will not take effect.

Following are the Announce flag values which you can set:

Flag  Name                                                   Meaning
0     Timeserv_Announce_No, Reliable_Timeserv_Announce_No    The domain controller does not advertise time service
1     Timeserv_Announce_Yes                                  The domain controller always advertises time service
2     Timeserv_Announce_Auto                                 The domain controller automatically determines whether it should advertise time service
4     Reliable_Timeserv_Announce_Yes                         The domain controller will always advertise reliable time service
8     Reliable_Timeserv_Announce_Auto                        The domain controller automatically determines whether it should advertise reliable time service

The flags are bit values and can be combined: flag 5 (1+4) means “The domain controller always advertises time service” and “The domain controller will always advertise reliable time service”.
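As an added example (not part of the original post), this PowerShell function decodes a combined flag value into the table rows above, then reads and decodes the AnnounceFlags value that the table describes from the W32Time\Config key; it only reads the registry and assumes PowerShell 3 or later.

```powershell
# Added example, not from the original post: decode an announce flag value
# into the bit meanings listed in the table above, then decode the value
# currently set in HKLM\...\W32Time\Config\AnnounceFlags (read-only).
function ConvertFrom-AnnounceFlags {
    param([Parameter(Mandatory)][int]$Value)

    if ($Value -eq 0) {
        return @('Timeserv_Announce_No, Reliable_Timeserv_Announce_No: does not advertise time service')
    }
    # Each table row is one bit, so a combination such as 5 (1+4) decodes to two rows.
    $bits = @(
        @{ Bit = 1; Text = 'Timeserv_Announce_Yes: always advertises time service' },
        @{ Bit = 2; Text = 'Timeserv_Announce_Auto: decides automatically whether to advertise time service' },
        @{ Bit = 4; Text = 'Reliable_Timeserv_Announce_Yes: always advertises reliable time service' },
        @{ Bit = 8; Text = 'Reliable_Timeserv_Announce_Auto: decides automatically whether to advertise reliable time service' }
    )
    $meanings = @(foreach ($b in $bits) { if ($Value -band $b.Bit) { $b.Text } })

    # Bits above the table are reported rather than silently dropped.
    $unknown = $Value -band (-bnot 0xF)
    if ($unknown -ne 0) { $meanings += ('Unknown bits set: 0x{0:X}' -f $unknown) }
    return $meanings
}

# Decode the value currently configured on this machine.
$cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name AnnounceFlags
'AnnounceFlags = {0} (0x{0:X})' -f $cfg.AnnounceFlags
ConvertFrom-AnnounceFlags -Value $cfg.AnnounceFlags
```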

Command Syntax Explanation

All the changes are taking place in the registry at the key I posted above; using the w32tm tool to make the configuration changes is simply much easier than doing it manually yourself.

/config causes the tool to enter configuration mode. There are a number of other modes it supports which you can find by running w32tm /?.

/manualpeerlist allows you to specify the NTP server or servers you wish to synchronize time with. In this instance, each server’s DNS name or IP address should have a comma followed by the string 0x8. This instructs Windows to send requests to this external server in client mode. If you enter multiple servers, which I suggest, put the servers in quotation marks and separate each entry with a space. The value you specify here is written back to the NTPServer value in the time service’s registry key.

/syncfromflags tells the time service where it should sync time from. You can specify one of two values here: DOMHIER or MANUAL. The former causes the time service to synchronize with the domain hierarchy (and sets NT5DS in the Type key in the registry), whereas the latter tells the time service to sync with the server(s) you specified in the manual peer list. MANUAL sets Type to NTP.

/reliable sets the server to be a reliable source of time for the domain. Strictly it isn’t required, because the PDC Emulator in the forest root is always the most reliable time server, but I like to include it anyway.

Finally, /update notifies the time service the values have changed, so the new settings are used with immediate effect. If this isn’t included, the registry is updated but the new values will only be used by the time service when its service or the server itself is restarted.

After you’ve run that command, you might want to take a look in the registry to see what changes have been made, and whether they are as you expected.

windowstimeconcept-04

Check the time Synchronization

You may be intrigued to know whether the time sync is working correctly. You can do this in one of two ways.

Safest Way:

The safest is to wait for a scheduled time sync to take place, or restart the machine. Either will trigger Event ID 35 to be logged in the System log. This event’s description shows the time server the machine is synchronising with. This will be logged on both the PDC Emulator and all DCs, member servers and workstations.

windowstimeconcept-05

You can check for this on member machines to ensure a DC in the domain hierarchy is being found and used correctly – and to ensure your custom NTP servers configured on the PDC Emulator are being used as intended.
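To check for Event ID 35 from the command line rather than the Event Viewer, here is an added PowerShell example (not from the original post). It assumes PowerShell 3 or later for Get-WinEvent and matches the event text loosely, since the exact wording varies between Windows versions.

```powershell
# Added example, not from the original post: list recent Event ID 35 entries
# from the System log and pull out the time source named in each, so you can
# confirm members sync from a DC and the PDCe from the NTP servers you set.
# Assumes PowerShell 3+ (Get-WinEvent); the provider is W32Time on older
# systems and Microsoft-Windows-Time-Service on newer ones, hence the -match.
function Get-TimeSyncSourceEvents {
    param([int]$Newest = 5)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 35 } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Time' } |
        Select-Object -First $Newest

    foreach ($e in $events) {
        # Typical text: "...synchronizing the system time with the time source <name> (...)"
        $source = if ($e.Message -match 'time source\s+(\S+)') { $Matches[1] } else { '(not parsed)' }
        [pscustomobject]@{
            Logged   = $e.TimeCreated
            Provider = $e.ProviderName
            Source   = $source
        }
    }
}

Get-TimeSyncSourceEvents | Format-Table -AutoSize
```

On a member the Source column should name a DC in the hierarchy; on the forest root PDCe it should name one of the servers from your manual peer list.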

Forcefully Synchronize

Alternatively, you can force a time synchronization. Set the time a minute or two out from what it should be, then return to the command prompt and run

> w32tm /resync /rediscover

After a few moments, if everything is correct, you should see a success message at the command prompt, the event should be logged, and a healthy time service should set the system time back to normal.

windowstimeconcept-06

NOTE: If it is not successful, check your firewall and internet connectivity.

Additional Useful Commands

Check the existing time source

To check the existing time source that Windows is using, look at the “NTPServer” value under the registry key below:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

From the command line you can also find the time source Windows is using:

> net time /querysntp

windowstimeconcept-09

NOTE: As you can see, the result of the above command shows that an NTP server, 192.168.52.129, is configured. That does not mean the machine is syncing time from that source. It only does so if the registry value “Type” under

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

is set to “NTP”, as explained above; otherwise this setting has no effect at all.

Other Useful Registry Keys.

Select the poll interval

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

Set to 0x384 (900 in decimal)

Interval in seconds at which the server polls time from the source. If set to 0x384 (900), the server polls every 900 seconds (15 minutes).

Configure maximum allowed positive time correction

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

Set to 0xe10 (3600 in decimal)

Time in seconds. The maximum positive time correction the server will accept from the remote time server. Recommended: 1 hour (3600 seconds).

Configure maximum allowed negative time correction

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

Set to 0xe10 (3600 in decimal)

Time in seconds. The maximum negative time correction the server will accept from the remote time server. Recommended: 1 hour (3600 seconds).

My Testing:

In my testing, I first installed a Windows Server 2003 node as a client and one as a DC. Second, I joined the client node to the domain and restarted it after joining. When the machine came back, it synced time automatically with the domain controller.

When I checked the registry settings, the time servers remained the same, but Type had changed from “NTP” to “AllSync”.

windowstimeconcept-10

NOTE: I tested the time synchronization by changing the domain controller’s time, and the client node automatically synced with it without any problem.

The “AllSync” Type means “Uses all synchronization mechanisms available”, which I mentioned in the table above.

Sources:

https://technet.microsoft.com/en-us/library/cc737179(v=ws.10).aspx
http://blogs.msdn.com/b/w32time/archive/2007/09/04/keeping-the-domain-on-time.aspx
https://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/
http://www.mysysadmintips.com/windows/servers/29-configure-ntp-time-service-on-windows-server-dc
