Windows Time Service and Internet Communication (Windows Server 2003)

Applies To: Windows Server 2003 with SP1

The following sections provide information about:

  • The benefits of Windows Time Service

  • How Windows Time Service communicates with sites on the Internet

  • How to control Windows Time Service to limit the flow of information to and from the Internet

  • How to monitor and troubleshoot Windows Time Service after configuration is complete

Benefits and Purposes of Windows Time Service

Many components of operating systems in the Microsoft Windows Server 2003 family rely on accurate and synchronized time to function correctly. For example, without clocks that are synchronized to the correct time on all computers, Windows Server 2003 family authentication might falsely interpret logon requests as intrusion attempts and consequently deny access to users.

With time synchronization, you can correlate events on different computers in an enterprise. With synchronized clocks on all of your computers, you ensure that you can correctly analyze events that happen in sequence on multiple computers. Windows Time Service automatically synchronizes a local computer’s time with other computers on a network to improve security and performance in your organization.

Overview: Using Windows Time Service in a Managed Environment

Computers keep the time on their internal clocks, which allows them to perform any function that requires the date or time. For scheduling purposes, however, the clocks must be set to the correct date and time, and they must be synchronized with the other clocks in the network. Without some other method in place, these clocks must be set manually.

With time synchronization, computers set their clocks automatically to match another computer's clock. One computer maintains very accurate time, and then all other computers set their clocks to match that computer. In this way, you can set accurate time on all computers.

Windows Time Service is installed by default on all computers running Windows 2000, Windows XP, and products in the Windows Server 2003 family. Windows Time Service uses Coordinated Universal Time (UTC), which is based on an atomic time scale and is therefore independent of time zone. Time zone information is stored in the computer's registry and is added to the system time just before it is displayed to the user.

Windows Time Service starts automatically on computers that are joined to a domain. (For computers that are not joined to a domain, you can start the time service manually.) In a domain, time synchronization takes place when Windows Time Service turns on during system startup. In the default configuration, the Net Logon service looks for a domain controller that can authenticate and synchronize time with the client. When a domain controller is found, the client sends a request for time and waits for a reply from the domain controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and roundtrip delay between the two computers.

How Windows Time Service Communicates with Sites on the Internet

In the Windows Server 2003 family, Windows Time Service automatically synchronizes the local computer's time with other computers on the network. The time source for this synchronization varies, depending on whether the computer is joined to a domain in the Active Directory directory service or to a workgroup.

When a server running a product in the Windows Server 2003 family is part of a workgroup

In this scenario, the default setting for the time synchronization frequency is set to "once per week," and this default setting uses the time.windows.com site as the trusted time synchronization source. This setting will remain until you manually set it otherwise. One or more computers might be identified as a locally reliable time source by configuring Windows Time Service on those computers to use a known accurate time source, either by using special hardware or a time source available on the Internet. All other workgroup computers can be configured manually to synchronize their time with these local time sources.

When a server running a product in the Windows Server 2003 family is a member of a domain

On servers in this scenario, Windows Time Service configures itself automatically, using the Windows Time Service that is available on the domain controllers.

Windows Time Service on a domain controller can be configured as either a reliable or an unreliable time source. Windows Time Service running on a client will attempt to synchronize its time source with servers that are indicated as reliable. Windows Time Service can configure a domain controller within its domain as a reliable time source, and it synchronizes itself periodically with this source. These settings can be modified or overwritten, depending on specific needs.

When a computer running Windows 2000 or a Windows Server 2003 family operating system is not a member of a domain

Windows Time Service must be manually started for computers running Windows 2000 that are not members of a domain. For computers running a Windows Server 2003 operating system that are not members of a domain, Windows Time Service is configured by default to synchronize its time source with time.windows.com. Windows Time Service starts automatically for computers running a Windows Server 2003 operating system. These computers use the Network Time Protocol (NTP), while computers running Windows 2000 use the Simple Network Time Protocol (SNTP).

The following list describes various aspects of Windows Time Service data that is sent to and from the Internet and how the exchange of information takes place:

  • Specific information sent or received: The service sends information in the form of a Network Time Protocol (NTP) packet. For more information about Windows Time Service and NTP packets, see the references listed in “Related Documentation and Links,” later in this section.

  • Default and recommended settings: Computers that are members of an Active Directory domain synchronize time with domain controllers by default. Domain controllers synchronize time with their parent domain controller. By default, the root parent domain controller will not synchronize to a time source. The root parent domain controller can be set to synchronize either to a known and trusted Internet-based time source or to a hardware time device that provides an NTP (Network Time Protocol) or SNTP interface. Its time accuracy can also be maintained manually.

  • Triggers: Windows Time Service is started when the computer starts. Additionally, the service will continue to synchronize time with the designated network time source and adjust the computer time of the local computer when necessary.

  • User notification: Notification is not sent to the user.

  • Logging: Information related to the service is stored in the Windows System event log. The time and network address of the time synchronization source is contained in the Windows event log entries. Additionally, warning or error condition information related to the service is stored in the Windows System event log.

  • Encryption: Encryption is used in the network time synchronization for domain peers.

  • Information storage: The service does not store information, as all information that results from the time synchronization process is lost when the time synchronization service request is completed.

  • Port: NTP and SNTP default to using User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

  • Communication protocol: The service on Windows 2000 implements SNTP to communicate with other computers on the network. The service on the Windows Server 2003 family implements NTP to communicate with other computers on the network.

  • Ability to disable: Disabling the service has no direct effect on applications or other services. Applications and services that depend on time synchronization, such as the Kerberos V5 authentication protocol, may fail, or they may yield undesirable results if there is a significant time discrepancy among computers. Because most computers’ hardware-based clocks are imprecise, the difference between computer clocks on the network usually increases over time.

Controlling Windows Time Service to Limit the Flow of Information to and from the Internet

Group Policy can be used to control Windows Time Service for computers that are running a Windows Server 2003 family operating system to limit the flow of information to and from the Internet.

The synchronization type and NTP time server information can be managed and controlled through Group Policy. The Windows Time Service Group Policy object (GPO) contains configuration settings that specify the synchronization type. When the synchronization type is set to Nt5DS, Windows Time Service synchronizes its time resource with the network domain controller. Alternatively, setting the type attribute to NTP configures Windows Time Service to synchronize with a specified NTP time server. The NTP server is specified by either its Domain Name System (DNS) name or its IP address when you select NTP as the synchronization type.

For more information about configuring Windows Time Service during deployment of products in the Windows Server 2003 family, see Designing and Deploying Directory and Security Services and Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at:

https://go.microsoft.com/fwlink/?linkid=44319

Clients on a managed network can be configured to synchronize computer clock settings to an NTP server on the network to minimize traffic out to the Internet and to ensure that the clients synchronize to a single reliable time source. If you choose to do so, you can disable time synchronization for both non-domain and domain computers running Windows Server 2003 family operating systems by using Group Policy. The procedures for configuring Windows Time Service are given at the end of this section of the white paper.

How Windows Time Service can affect users and applications

Windows components and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of five minutes. Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, allowing for smaller thresholds. Failure to authenticate using the Kerberos protocol can prevent logons, access to Web sites, file shares, printers, and other resources or services within a domain.

When the local clock offset has been determined, the following adjustments are made to the time:

  • If the local clock time of the client is behind the current time received from the server, Windows Time Service will change the local clock time immediately.

  • If the local clock time of the client is more than three minutes ahead of the time on the server, the service will change the local clock time immediately.

  • If the local clock time of the client is less than three minutes ahead of the time on the server, the service will quarter or halve the clock frequency for long enough to synchronize the clocks.

  • If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.
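The four rules above form a small decision procedure. The following is an added example, not Microsoft's code and not part of the original page: it applies the three-minute and 15-second thresholds from the list, the 15-hour limit from the MaxPosPhaseCorrection/MaxNegPhaseCorrection defaults described later, and the five-minute Kerberos tolerance, and estimates how long a slewed clock runs at the reduced rate. The convergence-time arithmetic is an idealized inference from the described rates (a clock running at half speed sheds half a second of excess per real second), not a value the page states; the server readings are constructed.

```python
"""Added model of the clock-adjustment rules (not Microsoft's code).

Given the local clock reading and the server's reading at the same instant,
decide how Windows Time Service reacts, and estimate how long a slewed clock
runs at the reduced rate before the two clocks agree.
"""

THREE_MINUTES = 3 * 60.0            # threshold for stepping an "ahead" clock
FIFTEEN_SECONDS = 15.0              # threshold between halving and quartering
MAX_PHASE_CORRECTION = 54_000.0     # MaxPos/MaxNegPhaseCorrection default (15 hours)
KERBEROS_MAX_SKEW = 5 * 60.0        # default Kerberos V5 time tolerance


def choose_adjustment(local_time, server_time):
    """Return (action, rate_factor, seconds_at_reduced_rate).

    action is one of "refuse_and_log", "set_immediately" or "slew";
    rate_factor is the fraction of normal speed the clock runs at;
    seconds_at_reduced_rate is how long the slew lasts (None when refused).
    """
    offset = local_time - server_time          # > 0 means the local clock is ahead

    # Offsets beyond the 15-hour limit are never corrected; an event is logged.
    if abs(offset) > MAX_PHASE_CORRECTION:
        return ("refuse_and_log", 1.0, None)

    # Behind the server, or more than three minutes ahead: step the clock now.
    if offset <= 0 or offset > THREE_MINUTES:
        return ("set_immediately", 1.0, 0.0)

    # Less than three minutes ahead: slow the clock until the server catches up.
    rate_factor = 0.5 if offset < FIFTEEN_SECONDS else 0.25
    # Running at rate_factor of normal speed, the local clock sheds
    # (1 - rate_factor) seconds of excess per real second. Idealized model:
    # it assumes the server's clock keeps perfect time meanwhile.
    seconds_at_reduced_rate = offset / (1.0 - rate_factor)
    return ("slew", rate_factor, seconds_at_reduced_rate)


def kerberos_at_risk(local_time, server_time):
    """True when the skew exceeds Kerberos' default five-minute tolerance."""
    return abs(local_time - server_time) > KERBEROS_MAX_SKEW


if __name__ == "__main__":
    # Constructed server reading (Unix seconds) and a few client offsets.
    server = 1_000_000_000.0
    for local in (server - 120, server + 10, server + 60, server + 200, server + 60_000):
        print(f"{local - server:+9.0f}s -> {choose_adjustment(local, server)}"
              f"  kerberos_at_risk={kerberos_at_risk(local, server)}")
```

A client 10 seconds ahead is slowed to half speed for about 20 seconds; one 60 seconds ahead runs at quarter speed for 80 seconds; one more than three minutes ahead, or behind by any amount, is stepped at once.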

Configuration Settings for Windows Time Service

You can set the global configuration settings for Windows Time Service by using Group Policy. For details about locating Windows Time Service policy settings, see "Procedures for Configuring Windows Time Service," later in this section. The following table describes the policy settings.

These Group Policy settings correspond to registry entries of the same name, which are located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time.

Group Policy settings for configuring Windows Time Service

| Policy setting | Effect of policy setting | Default setting |
|---|---|---|
| FrequencyCorrectRate | One over the rate at which the clock is corrected. If this value is too small, the clock will be unstable and will overcorrect. If the value is too large, the clock will take a long time to synchronize. | 4 |
| HoldPeriod | The period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off by a number of seconds, usually received after good time samples have been returned consistently. | 5 |
| LargePhaseOffset | A time offset greater than or equal to this value is considered suspicious by the time service. This occurrence might be caused by a noise spike. | 1,280,000 |
| MaxAllowedPhaseOffset | The maximum offset (in seconds) for which Windows Time Service attempts to adjust the computer clock by using the clock rate. When the offset exceeds this value, the service sets the computer clock directly. | 300 |
| MaxNegPhaseCorrection | The largest negative time correction in seconds that the service will make. If the service determines that a change larger than this is required, it logs an event instead. | 54,000 (15 hrs) |
| MaxPosPhaseCorrection | The largest positive time correction in seconds that the service will make. If the service determines that a change larger than this is required, it logs an event instead. | 54,000 (15 hrs) |
| PhaseCorrectRate | One over the fraction of the remaining phase error that is corrected in each update interval. | 7 |
| PollAdjustFactor | Controls the decision to increase or decrease the poll interval for the system. The larger the value, the smaller the amount of error that causes the poll interval to be decreased. | 5 |
| SpikeWatchPeriod | The amount of time (in seconds) that a suspicious offset must persist before it is accepted as correct. | 90 |
| UpdateInterval | The number of clock ticks between phase correction adjustments. | 100 |
| AnnounceFlags | Controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. | 6 |
| EventLogFlags | Controls the events that the time service logs. | 2 |
| LocalClockDispersion | The dispersion (in seconds) that you must assume when the only time source is the built-in complementary metal oxide semiconductor (CMOS) clock. | 10 |
| MaxPollInterval | The largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. | 15 |
| MinPollInterval | The smallest interval, in log2 seconds, allowed for the system polling interval. Note that while a system does not request samples more frequently than this, a provider can produce samples at times other than the scheduled interval. | 4 |

You can set the Windows NTP Client configuration settings for Windows Time Service by using Group Policy. For details about locating Windows Time Service policy settings, see "Procedures for Configuring Windows Time Service," later in this section. The following table describes the policy settings.

These Group Policy settings correspond to the registry entries of the same name located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

Group Policy settings for configuring the Windows Time Service NTP Client for computers running Windows Server 2003

| Policy setting | Effect of setting | Default setting |
|---|---|---|
| NtpServer | Establishes a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock. | time.windows.com |
| Type | Indicates which peers to accept synchronization from. NoSync: the time service does not synchronize with other sources. NTP: the time service synchronizes from the servers specified in the NtpServer registry entry. NT5DS: the time service synchronizes from the domain hierarchy. AllSync: the time service uses all the available synchronization mechanisms. | NTP on computers that are not joined to a domain; NT5DS on computers that are joined to a domain. |
| ServiceDll | Provides the directory location of the Windows Time service dynamic-link library (DLL). | C:\WINDOWS\system32\w32time.dll |
| ServiceMain | The entry point in the service DLL that the Service Control Manager (SCM) calls. | SvchostEntry_W32Time |
| CrossSiteSyncFlags | Determines whether the service chooses synchronization partners outside the domain of the computer: None (0), PdcOnly (1), All (2). This value is ignored if the NT5DS value is not set. | 2 |
| ResolvePeerBackoffMinutes | Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. | 15 |
| ResolvePeerBackoffMaxTimes | Specifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. | 7 |
| SpecialPollInterval | Specifies the special poll interval in seconds for peers that have been configured manually. When a special poll is enabled, Windows Time Service will use this poll interval instead of a dynamic one that is determined by synchronization algorithms built into Windows Time Service. | 3600 |
| EventLogFlags | Controls the events that the time service logs. | 0 |
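The two tables give the settings as raw registry values; what they mean in practice (a MaxPollInterval of 15 is about nine hours between polls, the default peer-resolution backoff climbs from 15 minutes to 32 hours) is easier to see when computed. The following is an added example, not Microsoft's code and not part of the original page: it converts the log2-second poll bounds and the ResolvePeerBackoff values into concrete times and lints a dictionary of Parameters values for the inconsistencies the tables describe (a Type outside the four valid values, NTP with an empty NtpServer, NT5DS with no domain hierarchy, CrossSiteSyncFlags outside 0..2 or set while Type is not NT5DS, MinPollInterval above MaxPollInterval). The registry names are the ones in the tables; the two sample configurations are constructed for illustration.

```python
"""Added helpers for the W32Time Parameters values in the two tables
(not Microsoft's code). Registry names are the ones in the tables; the
sample configurations at the bottom are constructed."""

VALID_TYPES = {"NoSync", "NTP", "NT5DS", "AllSync"}
CROSS_SITE_FLAGS = {0: "None", 1: "PdcOnly", 2: "All"}


def poll_bounds_seconds(min_poll_log2=4, max_poll_log2=15):
    """Convert the log2-second poll bounds to plain seconds; defaults give (16, 32768)."""
    if not 0 <= min_poll_log2 <= max_poll_log2:
        raise ValueError("MinPollInterval must be between 0 and MaxPollInterval")
    return 2 ** min_poll_log2, 2 ** max_poll_log2


def peer_resolution_schedule(backoff_minutes=15, max_doublings=7):
    """Wait (in minutes) before each successive attempt to locate a peer.

    The first wait is ResolvePeerBackoffMinutes; each failed attempt doubles it,
    at most ResolvePeerBackoffMaxTimes times, after which the wait stays fixed.
    A zero max_doublings means every wait is the minimum.
    """
    return [backoff_minutes * 2 ** i for i in range(max_doublings + 1)]


def parse_ntp_server_list(value):
    """NtpServer is a space-delimited list of DNS names or IP addresses."""
    return value.split()


def lint_w32time(config, domain_joined):
    """Return a list of findings for a dict of W32Time Parameters values."""
    findings = []
    sync_type = config.get("Type")
    if sync_type not in VALID_TYPES:
        findings.append(f"Type {sync_type!r} is not one of {sorted(VALID_TYPES)}")
    if sync_type == "NoSync":
        findings.append("Type NoSync: this computer's clock will never be corrected")
    if sync_type == "NTP" and not parse_ntp_server_list(config.get("NtpServer", "")):
        findings.append("Type NTP but NtpServer lists no peers")
    if sync_type == "NT5DS" and not domain_joined:
        findings.append("Type NT5DS on a computer with no domain hierarchy to synchronize from")
    if "CrossSiteSyncFlags" in config:
        flags = config["CrossSiteSyncFlags"]
        if flags not in CROSS_SITE_FLAGS:
            findings.append(f"CrossSiteSyncFlags {flags!r} is not one of {CROSS_SITE_FLAGS}")
        if sync_type != "NT5DS":
            findings.append("CrossSiteSyncFlags has no effect unless Type is NT5DS")
    try:
        poll_bounds_seconds(config.get("MinPollInterval", 4), config.get("MaxPollInterval", 15))
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed samples: a default-style standalone configuration and a broken one.
STANDALONE_DEFAULT = {"Type": "NTP", "NtpServer": "time.windows.com",
                      "MinPollInterval": 4, "MaxPollInterval": 15}
BROKEN = {"Type": "NTP", "NtpServer": "", "CrossSiteSyncFlags": 3,
          "MinPollInterval": 10, "MaxPollInterval": 6}

if __name__ == "__main__":
    print("poll bounds (s):", poll_bounds_seconds())
    print("peer backoff (min):", peer_resolution_schedule())
    print("default config findings:", lint_w32time(STANDALONE_DEFAULT, domain_joined=False))
    print("broken config findings:", lint_w32time(BROKEN, domain_joined=False))
```

The lint is deliberately limited to relationships the tables themselves state; it is a review aid for GPO or registry exports, not a replacement for w32tm.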

Note

Group Policy and Active Directory are tools that are available for controlling and managing computers and services within an enterprise or organization. The full description of the rich feature set and methods for using Group Policy are beyond the intended scope of this document. For other sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy (Windows Server 2003).

For information about configuring the authoritative time server in a domain, see article 884776, "Configuring the Windows Time service against a large time offset" in the Microsoft Knowledge Base at:

https://go.microsoft.com/fwlink/?LinkId=46021

Procedures for Configuring Windows Time Service

The following procedures explain how to set Windows Time Service configuration settings through Group Policy on operating systems in the Windows Server 2003 family to achieve the configurations described in the previous subsections.

To set Group Policy for Windows Time Service global configuration settings

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click System, and then click Windows Time Service.

  3. In the details pane, double-click Global Configuration Settings, and then click Enabled.

To configure the Group Policy setting to prevent your computer from synchronizing its computer clock with other NTP servers

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click System, click Windows Time Service, and then click Time Providers.

  3. In the details pane, double-click Enable Windows NTP Client and then select Disabled.

To configure the Group Policy setting to prevent your computer from synchronizing its computer clock from the domain hierarchy or a manually configured NTP server

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click System, click Windows Time Service, and then click Time Providers.

  3. In the details pane, double-click Configure Windows NTP Client, and then select Disabled.

To configure the Group Policy setting to prevent your computer from servicing time synchronization requests from other computers on the network

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click System, click Windows Time Service, and then click Time Providers.

  3. In the details pane, double-click Enable Windows NTP Server, and then select Disabled.

Starting and stopping Windows Time Service

By default, Windows Time Service starts automatically at system startup. You can, however, start or stop the service manually by accessing services in Administrative Tools or by using the net command.

To manually start Windows Time Service using the graphical interface

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Services.

  3. Select Windows Time from the list of services.

  4. On the Action menu, click Start to begin the service.

To manually stop Windows Time Service using the graphical interface

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Services.

  3. Select Windows Time from the list of services.

  4. On the Action menu, click Stop to discontinue the service.

To manually start Windows Time Service using the net command

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type net start w32time, and then press ENTER.

To manually stop Windows Time Service using the net command

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type net stop w32time, and then press ENTER.

Synchronizing computers with time sources

Use the following procedures to synchronize the internal time server with an external time source, and to synchronize the client time with a time server.

To synchronize an internal time server with an external time source

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following, where PeerList is a comma-separated list of Domain Name System (DNS) names or Internet protocol (IP) addresses of the desired time sources, and then press ENTER:

    w32tm /config /syncfromflags:manual /manualpeerlist:PeerList

  3. Type w32tm /config /update, and then press ENTER.

Note

The most common use of this procedure is to synchronize the internal network's authoritative time source with a precise external time source. This procedure can be run on any computer running Windows 2000, Windows XP, or an operating system in the Windows Server 2003 family. If the computer cannot reach the servers, the procedure fails and an entry is written to the Windows System event log.

To synchronize the client time with a time server

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type w32tm /resync, and then press ENTER.

Note

This procedure only works on computers that are joined to a domain. The W32tm command-line tool is used for diagnosing problems that can occur with Windows Time Service. If you are going to use the tool on a domain controller, it is necessary to stop the service. Running the tool and Windows Time Service at the same time on a domain controller generates an error because both are attempting to use the same UDP port. When you finish using the W32tm command-line tool, the service must be restarted.

Monitoring and Troubleshooting Windows Time Service

In many cases, problems with Windows Time Service can be attributed to network configuration. If the network is not configured correctly, computers might not be able to communicate to send time samples back and forth. Viewing the contents of NTP packets can help you identify exactly where a packet is blocked on a network. An error associated with Windows Time Service might occur when a computer is unable to synchronize with an authoritative source. You can use the W32tm command-line tool to help troubleshoot this and other types of errors associated with Windows Time Service.
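Inspecting an NTP packet means decoding its 48-byte header, and the offset and round-trip delay mentioned in the overview ("an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and roundtrip delay") come straight from the four timestamps in that header. The following is an added example, not Microsoft's code and not part of the original page, serving both that overview paragraph and the troubleshooting point above: it builds a server reply, decodes it field by field (leap indicator, version, mode, stratum, poll, precision, root delay and dispersion, reference identifier, four timestamps), and computes the offset and delay with the standard NTP formulas. The exchange it decodes is constructed, not captured: the server clock is two seconds ahead of the client, with a 1/16-second network delay each way and 1/32 second of server processing, chosen so the arithmetic is exact. The reference identifier value is a placeholder.

```python
"""Added example (not Microsoft's code): build, decode and evaluate a 48-byte
NTP packet exchange, computing the time offset and round-trip delay a client
derives from it. The exchange in demo_exchange() is constructed, not captured.
"""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
UDP_PORT = 123                     # NTP/SNTP port named in the text
# LI|VN|Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/origin/receive/transmit 64-bit timestamps
PACKET_FORMAT = "!BBBbIIIQQQQ"
PACKET_SIZE = struct.calcsize(PACKET_FORMAT)   # 48 bytes
MODE_NAMES = {1: "symmetric_active", 2: "symmetric_passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


def to_ntp_timestamp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    total = unix_seconds + NTP_EPOCH_OFFSET
    whole = int(total)
    fraction = int((total - whole) * 2 ** 32)
    return (whole << 32) | fraction


def from_ntp_timestamp(ts):
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def build_packet(mode, stratum, poll, precision, ref_id, ref_time,
                 origin_time, receive_time, transmit_time, version=3, leap=0):
    """Pack a header; root delay and dispersion are left at zero for the demo."""
    first_byte = (leap << 6) | (version << 3) | mode
    return struct.pack(PACKET_FORMAT, first_byte, stratum, poll, precision, 0, 0, ref_id,
                       to_ntp_timestamp(ref_time), to_ntp_timestamp(origin_time),
                       to_ntp_timestamp(receive_time), to_ntp_timestamp(transmit_time))


def parse_packet(data):
    """Decode the fixed 48-byte header; reject datagrams that are too short."""
    if len(data) < PACKET_SIZE:
        raise ValueError(f"NTP packet too short: {len(data)} bytes, need {PACKET_SIZE}")
    (first_byte, stratum, poll, precision, root_delay, root_dispersion, ref_id,
     ref_ts, origin_ts, receive_ts, transmit_ts) = struct.unpack(PACKET_FORMAT, data[:PACKET_SIZE])
    return {
        "leap": first_byte >> 6,
        "version": (first_byte >> 3) & 0x7,
        "mode": MODE_NAMES.get(first_byte & 0x7, first_byte & 0x7),
        "stratum": stratum,
        "poll_log2": poll,
        "precision_log2": precision,
        "root_delay": root_delay / 65536,          # 16.16 fixed point, seconds
        "root_dispersion": root_dispersion / 65536,
        "ref_id": ref_id,
        "reference_time": from_ntp_timestamp(ref_ts),
        "origin_time": from_ntp_timestamp(origin_ts),
        "receive_time": from_ntp_timestamp(receive_ts),
        "transmit_time": from_ntp_timestamp(transmit_ts),
    }


def offset_and_delay(t1, t2, t3, t4):
    """Standard NTP formulas: t1 client send, t2 server receive,
    t3 server send, t4 client receive (t1/t4 on the client clock)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def demo_exchange():
    """Constructed exchange: server 2 s ahead, 1/16 s each way, 1/32 s processing."""
    t1 = 1_000_000_000.0                 # client transmit, client clock
    t2 = t1 + 2.0 + 0.0625               # server receive, server clock
    t3 = t2 + 0.03125                    # server transmit, server clock
    t4 = t1 + 0.0625 + 0.03125 + 0.0625  # client receive, client clock
    reply = build_packet(mode=4, stratum=2, poll=10, precision=-20,
                         ref_id=0x0A000001,  # placeholder reference id (10.0.0.1)
                         ref_time=t2 - 100, origin_time=t1,
                         receive_time=t2, transmit_time=t3)
    fields = parse_packet(reply)
    offset, delay = offset_and_delay(fields["origin_time"], fields["receive_time"],
                                     fields["transmit_time"], t4)
    return fields, offset, delay


if __name__ == "__main__":
    fields, offset, delay = demo_exchange()
    for name, value in fields.items():
        print(f"{name:16s} {value}")
    print(f"offset {offset:+.6f} s, round-trip delay {delay:.6f} s (UDP/{UDP_PORT})")
```

When a capture shows the request leaving a client but no reply arriving, the decoded origin timestamp in any reply that does come back tells you which request it answers; a mode or version the peer does not expect, or a datagram shorter than 48 bytes, shows up immediately in parse_packet.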

The W32tm command-line tool is the preferred command-line tool for configuring, monitoring, and troubleshooting Windows Time Service. All tasks that can be performed by using the net command can be accomplished by using this tool or Group Policy. For more information, look up "W32tm" in the Help and Support Center index.

Procedure to follow when a computer is unable to synchronize

A computer running Windows Time Service refuses to synchronize with a time source if the computer's time is more than 15 hours off. Such occurrences are rare, and are often caused by configuration setting errors. For example, if a user sets the date on the computer incorrectly, the time does not synchronize. Under these circumstances, most often the time is off by a day or more. Be sure to check the computer's calendar and ensure that the correct date has been set.

To resynchronize the client time with a time server

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type w32tm /resync /rediscover, and then press ENTER.

Note

When you run the preceding command, it redetects the network configuration and rediscovers network resources, causing resynchronization. This procedure only works on computers that are joined to a domain. You can then view the event log for more information about why the time service does not synchronize. For more information, look up "Monitoring and controlling services on computers" in Help and Support Center. The W32tm tool is used for diagnosing problems that can occur with Windows Time Service. If you are going to use the W32tm tool on a domain controller, it is necessary to stop the service. Running W32tm and Windows Time Service at the same time on a domain controller generates an error because both are attempting to use the same UDP port. When you finish using W32tm, the service must be restarted.

For more information about configuring Windows Time Service during deployment of products in the Windows Server 2003 family, see Designing and Deploying Directory and Security Services and Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at:

https://go.microsoft.com/fwlink/?linkid=44319

For information about configuring the authoritative time server in a domain, see article 884776, "Configuring the Windows Time service against a large time offset" in the Microsoft Knowledge Base at:

https://go.microsoft.com/fwlink/?LinkId=46021