Configuring the Windows Time Service for Windows Server

Configuring the time service on the PDC Emulator FSMO role holder


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Compilation 9/12/2009
Edit: 9/23/2009    – Added additional links (indicated in the Related Links section).
Edit: 10/10/2009  – Added additional section called “Client To DC Time Sync”
Edit: 2/11/2010    – Added info about finding out which DC is the time source by using the w32tm /monitor command
Edit: 8/9/2010       – Added additional info in the troubleshooting section
Edit: 10/12/2010  – Added additional info about debugging and transferred PDC roles
Edit: 1/17/2011    – Added information about the Microsoft Mr Fix It script for a sure fire way to reset the time service (scroll down to “Microsoft Mr Fix It”)
Edit: 1/19/2011    – Added information regarding virtualizing domain controllers and the Time service. Scroll to the bottom of this blog.


 


Prelude


There is absolutely NO NEED TO TOUCH THE TIME SERVICE REGISTRY ENTRIES


I just wanted to make a statement regarding the time service registry entries. There really is NO need to modify the time service registry entries. The time service works by default, out of the box. The only thing that’s recommended is to synchronize the PDC Emulator in the forest root domain to a reliable outside source. That’s it.


I’m stating this because, based on numerous public postings regarding corrupted time service settings, attempts at changing registry entries (in the belief that that’s how it’s done) are usually the culprit behind the corrupted settings. The time service should only be configured using the w32tm utility.


If there are any problems with corrupted settings and it’s not working properly, I would suggest simply resetting the time service itself (see the “To Reset the Time Service” section below) by running the following commands:


If you’ve experimented with changing time settings and unknowingly departed from the default behavior, you can set the time settings back to default:


1. On the DC that you’re experiencing issues with, run the following in a command prompt:


  • net stop w32time
  • w32tm /unregister
  • w32tm /register
  • net start w32time

2. On the server in question (whether it’s the PDC Emulator or another server), run the following in a command prompt:


  • “net time /setsntp: ” (note the blank space before the closing quote). This tells the client (whether a DC or workstation) to delete the current registry settings for time and use the default settings.
  • Restart the time service: net stop w32time && net start w32time

3. On the PDC Emulator, run the following in a command prompt:


  • w32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
  • w32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

4. On each DC that does not hold the PDC Emulator role, run the following in a command prompt:


  • w32tm /config /syncfromflags:domhier /update
  • w32tm /resync /rediscover
  • Restart the time service: net stop w32time && net start w32time

5. This will clear any errors in the Event Viewer, if there are any.
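As an added example (not part of the original post), the following PowerShell script runs the reset steps above on the local DC and picks step 3 or step 4 automatically by asking AD which DC holds the PDC Emulator role. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later), an elevated prompt, and that $ManualPeer is a reachable external source; time.nrc.ca is the peer used in the post and the function names are my own.

```powershell
# Added example, not part of the original post. Applies the reset steps above on
# the local DC and picks the PDC Emulator branch (step 3) or the domhier branch
# (step 4) by asking AD which DC holds the role. Assumptions: the ActiveDirectory
# module (RSAT) is installed, the prompt is elevated, and $ManualPeer is a
# reachable external source (time.nrc.ca is the peer used in the post).
param([string]$ManualPeer = 'time.nrc.ca')

Import-Module ActiveDirectory -ErrorAction Stop

function Test-IsPdcEmulator {
    # Both values are FQDNs, e.g. dc01.domain.local; Get-ADDomainController also
    # fails fast if this script is run on a machine that is not a DC.
    $pdc = (Get-ADDomain).PDCEmulator
    $me  = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
    return ($pdc -ieq $me)
}

function Invoke-W32tm {
    # Runs w32tm with the given arguments. A non-zero exit only warns, because
    # /resync legitimately reports that no time data was available until a peer answers.
    param([string[]]$Arguments)
    Write-Host ('w32tm ' + ($Arguments -join ' '))
    & w32tm.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { Write-Warning "w32tm exited with code $LASTEXITCODE" }
}

function Restart-TimeService {
    Restart-Service -Name w32time -Force
    Write-Host ('w32time is ' + (Get-Service -Name w32time).Status)
}

# Step 1: discard hand-edited registry settings by re-registering the service.
Stop-Service -Name w32time -Force
Invoke-W32tm @('/unregister')
Invoke-W32tm @('/register')
Start-Service -Name w32time

# Step 2: the post's one sanctioned use of net time: clear the old SNTP list.
& net.exe time /setsntp: | Out-Host
Restart-TimeService

# Steps 3 and 4: only the PDC Emulator syncs from the external peer and is
# flagged /reliable:yes; every other DC follows the domain hierarchy.
if (Test-IsPdcEmulator) {
    Invoke-W32tm @('/config', "/manualpeerlist:$ManualPeer", '/syncfromflags:manual', '/reliable:yes', '/update')
} else {
    Invoke-W32tm @('/config', '/syncfromflags:domhier', '/update')
}
Invoke-W32tm @('/resync', '/rediscover')
Restart-TimeService

# Step 5: show the source now in use and any W32Time errors left in the System log.
Invoke-W32tm @('/query', '/source')
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize
```

Run it once per DC; the final Get-WinEvent call lists only Error-level W32Time events, so an empty result after the restart is the expected outcome of step 5.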


The only time you may really need to configure it further is with the assistance of Microsoft Support.


That said, the following shows how the service works by default, the caveats, things to consider, troubleshooting, as well as a link to Microsoft’s Mr. Fix It to fix it for you!


Time Service Background


Kerberos is the authentication method in an Active Directory infrastructure. There are three parties in the authentication exchange between members of an AD infrastructure: 1) the client, 2) the server, and 3) the trusted third party, which is Kerberos. Kerberos uses time as a “salt” to ensure that the authentication sequence cannot be used in a “replay” scenario by a prospective attacker. One of the bases for preventing a “replay” is that Kerberos allows a five (5) minute time skew, meaning that if the clocks of the two machines authenticating (whether DC to DC, member server to DC or client, or client to DC) are off by more than five (5) minutes, the authentication sequence fails. To ensure that all clients’ clocks are within the five (5) minute skew, the time service must be synced across the infrastructure.


Clients get their time source from the DC that logged them on. That DC will get its time synced from the PDC Emulator in its domain. If it is in a child domain, that PDC Emulator will get its time synced from the PDC Emulator in the forest root, which should be configured to an external time source. This simply works out-of-the-box, other than configuring the PDC Emulator in the forest root domain to sync with an external time source. No other action is truly necessary. Altering the time registry settings is inviting trouble and should only be done under guidance from Microsoft Support.


To find the DC that logged a client on, run the following. This is also the client’s time server.
echo %logonserver%


In a multi-site scenario, as long as AD Sites have been configured properly with their respective subnet objects assigned to the site, and the servers have been moved to their respective sites, the client machine’s logonserver will always be the time source. 


This all assumes that none of the DCs are multihomed (otherwise a DC may become part of more than one site, which will cause an error, besides other issues), that the AD DNS domain name is not a single label name (“domain” vs domain.something), and that only the internal DNS servers are used in ipconfig; otherwise other problems are guaranteed to occur.



Time Service Domain Hierarchy


Time Convergence


This section was quoted from:


Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799


All client desktops select an authenticating domain controller (the domain controller returned by DSGetDCName()) as their time source. If this domain controller becomes unavailable, the client re-issues its request for a domain controller.


All member servers follow the same process.


All domain controllers in a domain make 3 queries for a DC:
1. A reliable time service (preferred) in the parent domain,
2. A reliable time service (required) in the current domain,
3. The PDC of the current domain. It will select one of these returned DCs as a time source.



The PDC Emulator FSMO role holder at the root of the forest is authoritative, and can be manually set to synchronize with an outside time source (such as the United States Naval Observatory).


Windows Time Hierarchy


The following diagram shows the time hierarchy. Quoted from:


How the Windows Time Service Works, Updated: March 12, 2010
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx



 


Time Sync


Client to DC


How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042


The points below were quoted from the above link:


All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner. In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization


The following quote describes the time algorithm in Windows 2000; I haven’t seen any evidence that it has changed:
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
http://windowsitpro.com/article/articleid/8383/windows-time-synchronization-service.html


“When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller’s) time. If the target time is ahead of local (i.e., the client’s) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time. . . . “


Because of this 2 minute convergence behavior, the authoritative time server in the domain (the PDC Emulator) acts as a time client of its external time source, so you may see a lag between the time source’s time and the time on the server.


 


DC to DC Time Service Selection:


A DC will choose its domain’s PDC Emulator to sync time. A child domain PDC Emulator will sync time with a DC in the parent (forest root) domain, and it can choose the parent PDC Emulator or any other DC in the parent root domain.


Therefore, don’t be alarmed if you see a child domain DC syncing with a forest root DC; that’s normal. A child domain DC will sync with any domain controller in the forest root domain. It’s outlined in the following article, in the diagram titled “Time Synchronization in an AD DS Hierarchy:”


How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx


 


Domain Controller Time Source Queries and Score Determination


If having problems viewing the following image, please see the full-sized image at:
http://4ufq6a.blu.livefilestore.com/y1paVf9RvrfAXlM4dVk-bZvVivi0OBbK75AcXfvnEGz0RybJIkbGbRJ8NgoHGdThaEuIz3l2Z8ZBXw1KP7IuRENQR2iQvKhyCcC/Windows%20Time%20-%20Domain%20Controller%20Time%20Source%20Queries%20and%20Score%20Determination.jpg?psid=1



 


 


To set the Time Service in an Active Directory Infrastructure


Windows 2000


On the Windows 2000 PDC Emulator, run the following four commands:


C:\>net time /setsntp:Time.nrc.ca
The command completed successfully.


C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.


C:\>w32tm -once
(W32time performs numerous commands to set the time)


C:\>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.


 


Windows 2003


On the DC holding the PDC Emulator FSMO role (example showing a US government time source):


w32tm /config /manualpeerlist:time-a.nist.gov /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time


On other DCs (that are not the PDC Emulator):
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time


 


Windows 2008


Please follow the registry entries instructions in the following Microsoft article on how to configure the Time Service in Windows 2008:


How to configure an authoritative time server in Windows Server (2003 & 2008)
http://support.microsoft.com/kb/816042




 


 


The PDC master must not be configured to synchronize with itself


This important section was quoted from:


How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


For more information about why the PDC master must not be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:
http://www.rfc-editor.org/


If the PDC master is configured to synchronize with itself, the following events are logged in the System log:


Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For more information, see Help and Support Center at http://support.microsoft.com.


Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.


Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.


 



Transferring the PDC Emulator Role


If you have moved the Windows 2003 PDC Emulator role to another DC, or if you seized the role to another DC because the original PDC Emulator is no longer available, reset the time source and hierarchy:


On the new PDC Emulator (where ‘peers’ is an Internet time source such as time-a.nist.gov):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update


On the old PDC Emulator:
w32tm /config /syncfromflags:domhier /update


After that run the following on both DCs:
net stop w32time
net start w32time


The “peers” value can be a text file or direct input, allowing you to set the time source as either a DNS name (such as time.windows.com) or the IP address of a reliable time source. I normally use 192.5.41.41.


On your edge firewall, make sure UDP port 123 traffic is allowed inbound from the time source.


FYI, you need a reliable external time source; read the following link for a complete list of them around the internet:


The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable and easy to use NTP service for millions of clients without putting strain on the big popular timeservers.
http://www.pool.ntp.org


 

The Net Time Command is Weak and Inaccurate with Certain Functions


DO NOT USE the “net time” command on Windows 2003 and later. It will create confusion with the time service. This command was meant for use with stand alone machines, and basically is a DOS command, and is pretty much useless in an AD environment.


The net time command is weak. It is a foreground application and is not reliable. It does not query what the local machine’s time service is set to use with the domain hierarchy. The net time command is similar to the nslookup command, where it uses its own query methods independent of the local machine.


For example, the following was quoted from:


Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp


“When you run NET TIME without the /domain option, the workstation will iterate through the list of time sources on the network, and contact the first one encountered. By default on an NT or 2000 network, only the PDC is a time source.


However, if Domain Time Server is installed on any machine, that machine also becomes a time source. Notice that the NET TIME client won’t use the nearest time source — it will use the first one found in the browser list. It also will not move on to the next source if the first one fails.”


Read more on the net time command and its limitations, in the following link. Scroll down to the heading “Problems with NET TIME”


Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp





Which server is my time source?


On a non-DC, you can run the following to see which DC logged you in. That DC will be YOUR time source.
echo %logonserver%


To confirm which server is being used as a time source, you can also run the following command:


w32tm /monitor


For example, I ran this on a non-PDC Emulator DC, dc02.domain.local, in a domain with two DCs. You can see that it grabbed time from the PDC Emulator, which in this case is dc01.domain.local. It also states that dc01.domain.local got its time from 192.5.41.41. You can see the offset between the two DCs is 0.0000651s (seconds), so no sync is required since it is under the 2 minute time sync tolerance.


c:\Documents and Settings\administrator>w32tm /monitor
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
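As an added example (not part of the original post), the following PowerShell parses w32tm /monitor output like the listing above and checks the hierarchy the post describes: each offset against a tolerance (the 2 minute figure by default), that every non-PDC DC reports the PDC Emulator as its RefID, and that the PDC Emulator is not synchronizing with itself (the case covered in the “must not be configured to synchronize with itself” section). The first two hosts in the sample are taken from the output above; the third (dc03, timing out) is constructed to show the failure path, and the function names are my own.

```powershell
# Added example, not part of the original post. Parses "w32tm /monitor" output
# and checks the time hierarchy described in the post. Function names are my own.

function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        # Host header, e.g. "dc01.domain.local *** PDC *** [192.168.80.10]:"
        $isPdc = ($line -match '\*\*\* PDC \*\*\*')
        if ($line -match '^(?<host>[^\s\[]+)\s.*\[(?<ip>[^\]]+)\]:\s*$') {
            $current = New-Object PSObject -Property @{
                Host = $Matches['host']; IP = $Matches['ip']; IsPdc = $isPdc
                OffsetSeconds = $null; OffsetFrom = $null; RefId = $null
            }
            $entries += $current
        }
        elseif ($null -ne $current -and $line -match 'NTP:\s+(?<off>[+-]?\d+\.\d+)s offset from (?<from>\S+)') {
            $current.OffsetSeconds = [double]$Matches['off']
            $current.OffsetFrom    = $Matches['from']
        }
        elseif ($null -ne $current -and $line -match 'RefID:\s+(?<ref>\S+)') {
            $current.RefId = $Matches['ref']
        }
        # An "NTP: error ..." line matches neither branch, so OffsetSeconds stays $null.
    }
    return ,$entries
}

function Test-TimeHierarchy {
    param([object[]]$Entries, [double]$ToleranceSeconds = 120)
    $pdc = $Entries | Where-Object { $_.IsPdc } | Select-Object -First 1
    foreach ($e in $Entries) {
        $problems = @()
        if ($null -eq $e.OffsetSeconds) {
            $problems += 'no NTP response'
        } elseif ([math]::Abs($e.OffsetSeconds) -gt $ToleranceSeconds) {
            $problems += ('offset {0:N4}s exceeds {1}s tolerance' -f $e.OffsetSeconds, $ToleranceSeconds)
        }
        if ($e.IsPdc) {
            # LOCL is the NTP reference identifier for an uncalibrated local clock.
            if ($e.RefId -eq $e.Host -or $e.RefId -eq 'LOCL') {
                $problems += 'PDC Emulator is synchronizing with itself'
            }
        } elseif ($null -ne $pdc -and $e.RefId -ne $pdc.Host) {
            $problems += ('RefID is {0}, expected the PDC Emulator {1}' -f $e.RefId, $pdc.Host)
        }
        $status = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
        New-Object PSObject -Property @{
            Host = $e.Host; IsPdc = $e.IsPdc; OffsetSeconds = $e.OffsetSeconds
            RefId = $e.RefId; Status = $status
        }
    }
}

# Constructed sample: dc01/dc02 copied from the post's listing, dc03 added to
# show a DC that does not answer.
$sample = @'
dc01.domain.local *** PDC *** [192.168.80.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.domain.local
        RefID: ntp1.usno.navy.mil [192.5.41.41]
dc02.domain.local [192.168.80.11]:
    ICMP: 0ms delay.
    NTP: +0.0000651s offset from dc01.domain.local
        RefID: dc01.domain.local [192.168.80.10]
dc03.domain.local [192.168.80.12]:
    ICMP: 0ms delay.
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@ -split "`r?`n"

$entries = ConvertFrom-W32tmMonitor -Lines $sample
Test-TimeHierarchy -Entries $entries | Format-Table Host, IsPdc, OffsetSeconds, RefId, Status -AutoSize

# Live use on a domain member: Test-TimeHierarchy -Entries (ConvertFrom-W32tmMonitor -Lines (w32tm /monitor))
```

With the constructed sample, dc01 and dc02 report OK and dc03 reports “no NTP response”; a PDC whose RefID is its own name would be flagged as synchronizing with itself.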


 


 


Time Service skew: The Windows W32Time service is not as accurate or reliable as one thinks


Yes, this is true, and this statement is according to Microsoft (KB939322). The reason is that the Windows time service is not reliable for syncing time down to 1 or 2 seconds; such tolerances are beyond the design of the Windows time service. It was primarily designed for loose synchronization to support Active Directory’s use of the Kerberos v5 protocol for authentication, which relies on a maximum time skew of 5 minutes for its authentication ‘salt.’ The Windows Time service is sufficient for that purpose; however, if you have apps that require sensitive transactional processing with timing down to the second (possibly for SEC, banking, or other reasons), it is suggested to use a third party time service.


The Windows 2000 and 2003 time service skew and algorithm is pretty much the same.


Regarding high accuracy, the following statement of Microsoft’s position was quoted from:


Support boundary to configure the Windows Time service for high accuracy environments:
http://support.microsoft.com/kb/939322:


“We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:


  • Make the Kerberos version 5 authentication protocol work.
  • Provide loose sync time for client computers.
  • The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.”


 


The following passage was quoted from page 9 in the following Microsoft document.


The Windows 2000 Time Service
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc


“When the local clock offset has been determined, the following algorithm is used to adjust the time:  


  • If the local clock time of the client is behind the current time received from the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is more than three minutes ahead of the time on the server, W32Time will change the local clock time immediately.
  • If the local clock time of the client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less that 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected. “

High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx


“This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. “


Based on the article below, “If you change the MaxPollInterval and MinPollInterval local polling values for the Microsoft Windows Time service (W32time), the values are ignored. The service always polls at 17-minute intervals.”


Settings for minimizing periodic WAN traffic
http://support.microsoft.com/kb/819108



Configuring the MaxPollInterval


The passage below was quoted from:

Config\MaxPollInterval
http://technet.microsoft.com/en-us/library/cc739293(WS.10).aspx

“Specifies the longest interval (in units of 2^n seconds, where n is the value of this entry) that is allowed for system polling. While the system does not request samples less frequently than this, a provider may refuse to produce samples when requested to do so.”

“Note: The time service itself is considered unsynchronized after 1.5 times the number of seconds specified by this entry have elapsed. The Network Time Protocol specifies that the maximum clock age is 86,400 seconds, so if the value of this entry is greater than 15, then peers will eventually ignore this server.”

So if changing it from the default of 15 to 14, the longest time interval is changed from 32,768 seconds (546.13 hours or 22.75 days), to 16,384 seconds (273 hours or 11.37 days).

 


 



Read more on this in the following links.


Overview\Windows Time Service Issues Information
http://www.greyware.com/software/DomainTime/Product/w32time.asp


Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322


 


Additional info regarding accuracy:


“The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.” But Microsoft does give references to third-party publishers of time and frequency software that can assist with those extreme high accuracy needs (NOTE: these are not Microsoft related or endorsed, just referenced):


http://tf.nist.gov/general/softwarelist.htm  (for software )
http://tf.nist.gov/timefreq/general/receiverlist.htm   (for hardware )


The following quoted from Windows Time Service Technical Reference (http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx):
“The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see


Microsoft Knowledge Base article 939322, Support boundary to configure the Windows Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459).”


High Accuracy W32time Requirements
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx


 



Third Party Time Solutions


LANTIME M900 NTP Server : NTP Timeserver Platform for Customized Time and Frequency Synchronization Systems (hardware and software based solutions)
http://www.meinberg.de/english/sw/index.htm



What some folks have tried to reduce the skew based on the understanding that the Windows W32Time service does not have tight tolerances:


Time codes and testing the W32time service skew:
http://www.geisswerks.com/ryan/FAQS/timing.html


[ntp:questions] Re: Ntpd time offset threshold
Question: > The offset threhold is 128ms by default. I think it is a so large value.
> I want 1ms accuracy among all clients over LAN. So, do I have to set it to a
> smaller value? As for 1ms accuracy, set it to 0.5ms.
https://lists.ntp.org/pipermail/questions/2005-June/005711.html



Interesting third party forum and newsgroup thread quotes:


======
Following from:
Thread: Can time sync occur every 30 mins?
http://fixunix.com/ntp/67725-can-time-sync-occur-every-30-mins.html


> What is the maximum period value for:
> HKEY LOCAL
> MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\ Parameters\period
>
> I set it to 2880 for the time sync to occur ever 30mins (24x60x2), but
> the time only synchronises every 8 hours in event logs.
> Is it possible for it to sync more often than every 8 hours?
>
> SBS2000, NTP.
> Thanks
> Nick
>


You will have to ask Microsoft that question. It’s a Microsoft product.


There are two Windows builds of the reference implementation of ntpd;
either one should give you much better synchronization than W32TIME.
Ntpd will query its servers at intervals ranging between 64 seconds and
1024 seconds. The daemon adjusts the interval automatically to the best
value for current conditions.


See http://norloff.org/ntp/ or http://www.meinberg.de/english/sw/ntp.htm
The latter version comes with a Windows installer. I have not used
either version and so can’t tell you much about them except that either
should perform better than W32TIME!!!!


If you decide to try one of these, your should plan on configuring at
least four timeservers for best performance.


See http://ntp.isc.org/bin/view/Servers/WebHome for lists of publicly
available time servers and “rules of engagement”.


=>
Does anyone know whether Windows 2000 or Server 2003 is capable of
synchronising more often than every 8 hours, using w32time?


Thanks
Nick


===============



Typical performance is shown in the bottom 5 graphs here:
http://www.david-taylor.myby.co.uk/mrtg/daily_ntp.html


You can click on a graph to see weekly, monthly and yearly data


=>


> Does anyone know whether Windows 2000 or Server 2003 is capable of
> synchronising more often than every 8 hours, using w32time?


It is, but it is not simple to configure. Look in the list archives for
examples of configuring the windows time service for use on public NTP
networks. Included there are links to Microsoft’s detailed
documentation on the Windows Time Service.


What are your requirements? Just to keep better time? Why once every
1/2 hour?


Generally, you’ll want to use a configuration command like this:


w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /update


That ",0x8" after each server tells Windows Time Service to choose the
best synchronization interval itself, based on the performance of your
clock and/or network connection.


Also, please note that the windows time service only makes event log
entries when a new time source is selected, plus an informational entry
once every X hours. It will not make a log entry for “small
corrections”, even if they are more frequent. This logging behavior can
also be changed with registry entries or group policies (see Microsoft
documentation).


============


 


 



Time Service Troubleshooting


Basic support issues I’ve seen usually concern cases where you’ve moved the PDC Emulator role in the forest root domain to another DC, possibly due to retiring an old DC or a DC failure. In this case, all you really have to do is reset the time service on the new PDC Emulator so it is authoritative for the domain/forest.


Other than that, the numerous other time service tech support issues I’ve seen are due to administrators changing registry settings to tweak the service; they then find that something is amiss and begin backtracking, asking what the registry entries do and what the results are if set to this setting or that setting, etc. IMHO, I don’t believe this is necessary. Basically, the Time service works out-of-the-box. The PDC Emulator in the forest root domain is the ultimate time source for the whole forest, and all other DCs, whether in the forest root, in child domains, or in additional trees in the forest, will follow the hierarchy to sync time. Why does it work out-of-the-box? Because the time service is extremely important for Kerberos. If the clocks of a machine and a DC are skewed beyond the 5 minute tolerance, authentication fails, so Microsoft made sure the time service works without any changes required. All you have to do is configure the PDC Emulator in the forest root domain to an outside time source, and you are DONE. That’s it. Altering the time service registry, unless directed by Microsoft Support, is not required.


To reset the Time Service to use the new PDC Emulator


By default, all DCs that are not PDC Emulators should be syncing time from the PDC Emulator. If that isn’t the case, then reset time on the DC in question using the following steps (which apply to workstations as well).


In a command prompt (I know I said not to use this command, but this is the ONLY exception: run it to reset the time service on a machine):


“net time /setsntp: ”   (note the blank space before the closing quote)
This tells the client (whether a DC or workstation) to delete the current registry settings for time and use the default settings.


Then run the following:
net stop w32time && net start w32time


The client should now be part of the time domain hierarchy.


If the above procedure doesn’t reset it, one more possibility is to run the following on the non-PDC Emulator:


w32tm /config /syncfromflags:domhier /reliable:no /update  –  (notice the “no” switch)
net stop w32time && net start w32time


The above is explained in:


Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx


Or you can run Mr FixIt:


To Fix it, Run the “Microsoft Mr. Fixit” on each DC. It will recognize and download the correct “FixIt Script” to run on the PDC Emulator and non-PDC Emulators.
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


 


Debug Logging and more


If the DC is already pointing at the PDCe, the PDCe should be getting its time externally (although this won’t cause your problem). You can turn on debug logging to track down the error.


How to turn on debug logging in the Windows Time Service
http://support.microsoft.com/kb/816043/en-us


 


“Microsoft Mr. Fix It” Time Service Script


This script can be found in:


How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


To run Mr Fix It:


Keep in mind, all DCs in a domain will get their time source from its domain’s PDC Emulator. If you can’t straighten it out manually, let’s perform the following procedure, which includes running the Mr Fix It script:


1. Run a Fsmo Query  –  To find which DCs hold which FSMO roles and to determine which DC is the PDC Emulator
 netdom query fsmo


2. Run the  “Microsoft Mr Fix It” script in the above link by visiting it from each DC. You must visit it from each DC, or you can download the respective Mr Fix It Number whether for a PDC or non-PDC.




The procedure is as follows:


On the new PDC Emulator AND on the non-PDC Emulators, go to http://support.microsoft.com/kb/816042. You will notice the “Microsoft Fix It” link. When you visit the link from the DC holding the PDC Emulator FSMO Role, it will show up as “Microsoft Fix It 50394,” and on the non-PDC Emulators, it will show up as “Microsoft Fix It 50395.”


Therefore:
On the PDC, go to http://support.microsoft.com/fixit/ and download Fixit 50394 (this is for the PDC)
On the BDC, go to http://support.microsoft.com/fixit/ and download Fixit 50395 (this is for non-PDCs)


When you run it, it will show:
Server1, 0x1 Server2, 0x1
Replace with
Time.nrc.ca, 0x1 time.nist.gov, 0x1


 


Or based on the script process, you can simply do it manually:


On the PDC Emulator, run the following in a command prompt:
w32tm /config /manualpeerlist:time.nrc.ca /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover


This will take the errors out of Event Viewer. Then restart the time service:
net stop w32time && net start w32time


On the non-PDC Emulator, run the following in a command prompt:
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover


This will take out any errors in the Event Viewer, if there are any. Then restart the time service:
net stop w32time && net start w32time


Registry Entries


You can query the registry keys with the following method:


c:\>reg query hklm\system\currentcontrolset\services\w32time\parameters
C:\> w32tm /dumpreg /subkey:parameters




To resync the service on a client machine:


w32tm /resync
w32tm /resync /rediscover




If some domain machines have problems:


w32tm /config /syncfromflags:domhier /update


After that run:
net stop w32time
net start w32time




To Reset the Time Service:


If you’ve experimented with changing time settings and unknowingly overridden the default behavior, you can set the time settings back to default:


net stop w32time
w32tm /unregister
w32tm /register
net start w32time


You should only have one server in the forest set as a reliable time source, so using the /reliable:yes switch on anything other than the Forest Root PDC is not a good idea.




If you are getting Event ID 1307:


A possible cause is that the “Authenticated Users” does not have read permission on the W32Time and Netlogon registry keys. Please check and correct the permission settings on the keys.


The keys are under:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
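As an added check that is not part of the original post, the following PowerShell audits the local DC against the two points above: it locates the PDC Emulator (the same answer netdom query fsmo gives), confirms that Type and AnnounceFlags (which /reliable:yes sets to 5) match the DC’s role, and verifies that Authenticated Users can read the W32Time and Netlogon keys named for Event ID 1307. The function name Test-W32TimeConfig is my own; it assumes an elevated prompt on a domain-joined DC.

```powershell
# Added audit example, not from the original post. Run elevated on a domain-joined DC.
# The function name Test-W32TimeConfig is hypothetical.
function Test-W32TimeConfig {
    $findings = @()
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

    # Find the PDC Emulator (same answer as "netdom query fsmo") and compare it to this host.
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $isPdc = $pdc -like "$env:COMPUTERNAME.*"

    $type  = (Get-ItemProperty -Path $params).Type          # NT5DS, NTP or NoSync
    $peers = (Get-ItemProperty -Path $params).NtpServer     # manual peer list, if any
    $flags = (Get-ItemProperty -Path $config).AnnounceFlags # 5 after /reliable:yes, 10 by default

    if ($isPdc) {
        if ($type -ne 'NTP') { $findings += "PDC Emulator Type is '$type'; expected NTP (manual peers)" }
        if (-not $peers)     { $findings += 'PDC Emulator has no manual peer list configured' }
        if ($flags -ne 5)    { $findings += "PDC Emulator AnnounceFlags is $flags; expected 5 (/reliable:yes)" }
    } else {
        if ($type -ne 'NT5DS') { $findings += "Non-PDC Type is '$type'; expected NT5DS (domain hierarchy)" }
        if ($flags -eq 5)      { $findings += '/reliable:yes is set on a non-PDC; only the forest root PDC should be reliable' }
    }

    # Event ID 1307 check: Authenticated Users must hold read access on these two keys.
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time',
                     'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon') {
        $allowRead = (Get-Acl -Path $key).Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey)
        }
        if (-not $allowRead) { $findings += "Authenticated Users lacks read access on $key (Event ID 1307)" }
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        PdcEmulator = $pdc
        IsPdc       = $isPdc
        Findings    = $findings   # empty when the DC matches the guidance above
    }
}

Test-W32TimeConfig | Format-List
```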




Related Troubleshooting links:


To Assist in troubleshooting time service issues on the PDC Emulator and other machines, use the following link:
Troubleshooting Windows Time Service Problems
http://technet.microsoft.com/en-us/library/bb727060.aspx




SNTP vs NTP


NTP and SNTP are both supported. Quoted from the Microsoft TechNet article “Windows Time Service and Internet Communication”:


“Windows 2003 by default uses NTP, whereas Windows 2000 used SNTP. SNTP is a simplified version of NTP. Windows 2003 and newer by default is set to NT5DS, which uses NTP. If SNTP is required on Windows 2003 or newer, the default NT5DS type must be changed to AllSync to accept NTP and SNTP time sources.”


Additional links referencing SNTP vs NTP:


Windows Time Service and Internet Communication
http://technet.microsoft.com/en-us/library/cc779145(WS.10).aspx


What is the difference between NTP and SNTP?
http://www.spectracomcorp.com/portals/0/support/pdf/NTP_vs_SNTP.pdf



What is NTP?
http://www.ntp.org/ntpfaq/NTP-s-def.htm



Based on KB223184, since the Nt5DS type uses SNTP by default in Windows 2000, you can force a Windows 2000 server to use NTP by changing the time service “Type” value in the registry from Nt5DS to NTP. However, I remember there were issues with that syncing up years ago. The entries are located in the following registry key, and the options for “Type” are:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters


Type : REG_SZ
Used to control how a computer synchronizes.
Nt5DS = synchronize to domain hierarchy [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time


Time Sync Frequency:


The following registry value controls how frequently the Windows Time service synchronizes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Period


65531, “DailySpecialSkew” – Sets synchronization to one time every 45 minutes until successful one time, then one time every day.
65532, “SpecialSkew” – Sets synchronization to one time every 45 minutes until successful three times, then one time every eight hours. This is the default setting.
65533, “Weekly” – Sets synchronization to one time every seven days.
65534, “Tridaily” – Sets synchronization to one time every three days.
65535, “BiDaily” – Sets synchronization to one time every two days.
0 – For NT5DS, the synchronization is one time every 45 minutes until successful three times, then one time every eight hours. For NTP, the synchronization is one time every 8 hours.
freq – freq stands for the number of times per day you want the Windows Time service to synchronize. If you want to use a value other than any one of those specified earlier, you must use this option.




Related links to the W32Time service registry entries:


Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


Registry entries for the W32Time service on Windows 2000:
http://support.microsoft.com/kb/223184


Windows Time Service Tools and Settings using the w32time command. Includes Windows 2003 & 2003 R2 Time Service Registry Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


How to configure the Windows Time service against a large time offset
Basically this talks about the time service and how it keeps all machines in a domain hierarchy within 2 minutes of sync so Kerberos works.
http://support.microsoft.com/kb/884776


Configuring the Windows Time Service
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html




Failover Time Service


As for failover time sources, the time service loops through the configured peers, starting with the first one listed and continuing in the order they are listed, until it receives a time service response. It is suggested to use the actual IP addresses, or at least I suggest it, which is an old school habit I have because years ago Windows 2000 had an issue with FQDNs. That was fixed with a hotfix, but I still use the IP address method.


Here’s an older KB that explains this (disregard the part about Windows 2000, because the service still operates with the same behavior):


W32Time client does not fail over to secondary NTP servers by FQDN
http://support.microsoft.com/kb/285641


w32tm /config /manualpeerlist:"MeinbergNTPdeviceIpAddressorFQDN time-nw.nist.gov 0.pool.ntp.org" /syncfromflags:manual /reliable:yes /update


Multiple Manualpeers configured


On choosing between first-level and second-level time sources, quoted from the link above (http://support.microsoft.com/kb/285641):


“There are two levels, or tiers, of Network Time Protocol (NTP) time servers that are available on the Internet. The NTP is defined in Request for Comments (RFC) 1305. The first-level time servers are primarily intended to act as source time servers for second-level time servers. The first-level time servers may also be capable of providing mission-critical time services. Some first-level time servers may have a restricted access policy.


Second-level time servers are intended for general SNTP time service needs. Second-level time servers usually enable public access. It is recommended that you use second-level time servers for normal SNTP time server configuration because they are usually located on a closer network that can produce faster updates.


It is recommended that you research any time server selection to ensure that it can meet your specific time server requirements.”




Domain Controllers, Hyper-V and Virtualization, and the Time Service


Regarding DC virtualization, please closely adhere to the following best practices:


    1) Do not use imaging software to take an image of the DC.
    2) Do not take or apply snapshots of the DC.
    3) Do not shut the Virtual Machine down and simply copy the virtual disk as a backup.
    4) If you have the ability to “discard changes” as you do if you are running “Virtual Server 2005 R2”, do not enable this type of setting on a DC Virtual Machine.
    5) Use NTBACKUP.EXE, WBADMIN.EXE, or any third party software that is available as long as it is certified to be AD-compatible to take system state backups.
    6) Only restore a system state to the DC or restore a full backup.
    7) Make at least one DC, the PDC Emulator in the forest root domain, a physical DC. The PDC is the default time service in the hierarchy and should not be virtualized.


For more information, please refer to:


DC’s and VM’s – Avoiding the Do-Over
http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx



In addition, running Domain Controllers in virtual machines requires special considerations (time sync configuration included). I recommend reading the articles below. You will also want one physical DC in the environment, but you can have the remaining DCs virtualized. It’s recommended to have the PDC as the physical DC.


Running Domain Controllers in Hyper-V
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx


Deployment Considerations for Virtualized Domain Controllers
http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx




Virtualized DC Time service


For virtual machines that are configured as domain controllers, disable time synchronization with the host through Integration Services. Instead, accept the default Windows Time service (W32time) domain hierarchy time synchronization.


Host time synchronization makes it possible for guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.


W32Time, Windows Time, should run as LocalService in 2K8 R2 Domain Controllers. You can see the account used in Services.msc -> Windows Time -> Properties.


You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box.


How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems
http://www.sole.dk/post/how-to-configure-your-virtual-domain-controllers-and-avoid-simple-mistakes-with-resulting-big-problems/?p=387



Windows Time Service Related General Links


A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680


Time Registry settings: Windows Time Service Tools and Settings
http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx


How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042


Jorge’s Time Service blogs:
Configuring and Managing the Windows Time Service, Parts 1 to 4:
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-1.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-2.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-3.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-4.aspx


Support boundary to configure the Windows Time service for high accuracy environments
http://support.microsoft.com/kb/939322


Basic Operation of the Windows Time Service
http://support.microsoft.com/kb/224799


Time Service:
http://support.microsoft.com/kb/216734



How to Configure an Authoritative Time Server in Windows Server 2008 (This article is based on Microsoft KB816042, link provided above.)
http://www.articlesbase.com/operating-systems-articles/how-to-configure-an-authoritative-time-server-in-windows-server-2008-461336.html


Change the Windows Time service configuration on the previous PDC emulator
http://technet.microsoft.com/en-us/library/cc738042.aspx




How Windows Time Service Works. This article provides a good overall graphical and explanation of the Time Service in Windows
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx


Network Time is off, not sure how to fix it
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/652e8200-fc4b-40c7-b579-a88d934df04d/


The Windows 2000 and 2003 time service skew and algorithm are pretty much the same.
The following is quoted from page 9 of the Microsoft document The Windows 2000 Time Service:
http://download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc



Configure a client computer for automatic domain time synchronization
Applies to Windows 7 & Windows 2008 R2 Time Service
http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx


Microsoft Videos on the Time Service
http://www.microsoft.com/showcase/en/us/search?phrase=w32time


Configuring the Time Service: Enabling the Debug Log
http://blogs.msdn.com/b/w32time/archive/2008/02/28/configuring-the-time-service-enabling-the-debug-log.aspx


Windows Time Service – The official Microsoft blog site for the Windows Time Service
By Ryan Sizemore,  7 Aug 2009 12:10 PM
http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx

==================================================================


Ace Fekay
