Note: This article was originally published in 2013. Some steps, commands, or software versions may have changed. Check the current Windows Servers documentation for the latest information.
Prerequisites
Before you begin, make sure you have:
- Windows Server installed
- Administrator access
- Remote Desktop or direct console access
The Problem: Hyper-V and VMware Time Drift
The Windows Time service (w32time) provides time synchronization to peers and clients, which ensures consistent time throughout an Active Directory enterprise. I’ve frequently struggled with getting my Domain not to end up with strange times.
Often, the issue at hand is that the primary Domain Controller (holding the PDC emulator role) is a Virtual Machine. Virtualization hosts (like Hyper-V or VMware) often struggle to keep track of perfect time under heavy CPU loads, resulting in time drift. Fortunately, it’s usually just a few seconds initially, but soon enough the entire domain is consistently behind the rest of the world. Kerberos authentication will fail if the time difference between server and client exceeds 5 minutes.
Crucial Fix for VMs: If your PDC Emulator is a Virtual Machine, you must disable the host integration time sync (e.g., “Time Synchronization” in Hyper-V Integration Services or VMware Tools time sync). Let the PDC sync directly from the internet via NTP.
Best Public NTP Servers to Use
By default, the first domain controller that you deploy holds the primary domain controller (PDC) emulator operations master role. You must set the PDC emulator to synchronize with a valid external Network Time Protocol (NTP) source.
While time.windows.com is the default, it’s highly recommended to use a list of robust servers for redundancy:
- NIST Servers: time.nist.gov, time-a.nist.gov, time-b.nist.gov
- NTP Pool Project: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org
- Google Public NTP: time.google.com
- Cloudflare NTP: time.cloudflare.com
Note: Because synchronization with an external time source is unauthenticated over port 123, you should use multiple sources.
Step-by-Step: Configure the PDC Emulator for NTP
To configure the Windows Time service on the forest root domain controller (PDC Emulator):
- Open Firewall Ports: Ensure UDP port 123 is open for outgoing traffic on your corporate firewall. NTP requires UDP 123.
- Log on to the PDC Emulator domain controller. Open an elevated administrative Command Prompt.
- Stop the time service before reconfiguring:
net stop w32time
- Set the external peers and update the configuration:
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
(Note: The quotation marks around the peer list are required, and the peers are separated by a single space.)
- Start the time service back up:
net start w32time
- Force an immediate sync:
w32tm /resync /rediscover
When you type w32tm /config /update, you indicate to the OS that you’ve made changes and they are ready. However, this results in a slow, gradual sync (slewing the clock). The w32tm /resync command forces it to step the clock and re-synchronize immediately.
How to Check Time Sync Status
After configuring the time service, it’s crucial to verify it’s working:
Check the current time source and stratum:
w32tm /query /status
You should see the “Source” pointing to one of your external NTP servers (e.g., 0.pool.ntp.org) rather than Local CMOS Clock.
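The check described above can be scripted so that a PDC emulator still following the hypervisor or its own clock is flagged automatically. This is an added example, not part of the original article: the function name and the sample output are constructed for illustration, and the source strings "VM IC Time Synchronization Provider" and "Free-running System Clock" are values w32tm can report that the article itself does not list.

```powershell
# Constructed, abbreviated sample of `w32tm /query /status` output (not captured
# from a real server); it shows a guest still following the hypervisor clock.
$sampleStatus = @'
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Last Successful Sync Time: 6/1/2013 10:15:02 AM
Source: VM IC Time Synchronization Provider
Poll Interval: 6 (64s)
'@

# Hypothetical helper name, chosen for this example.
function Get-W32tmSourceFinding {
    param([Parameter(Mandatory)][string]$StatusText)

    # Turn each "Name: value" line into a lookup entry (split on the first colon).
    $fields = @{}
    foreach ($line in $StatusText -split '\r?\n') {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    $source = [string]$fields['Source']
    if (-not $source) {
        $verdict = 'Unknown: no Source line in the output'
    } elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $verdict = 'LocalClock: not synchronizing with any peer'
    } elseif ($source -match 'VM IC Time Synchronization Provider') {
        $verdict = 'HypervisorSync: host integration time sync is still active'
    } else {
        $verdict = 'External: compare against the configured peer list'
    }

    $stratum = if ($fields['Stratum'] -match '^(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{ Source = $source; Stratum = $stratum; Verdict = $verdict }
}

Get-W32tmSourceFinding -StatusText $sampleStatus
# Live use: Get-W32tmSourceFinding -StatusText ((w32tm /query /status) -join "`n")
```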
Check connectivity to your peers:
w32tm /query /peers
This shows the state of your configured external servers. If the state is pending or unreachable, check your UDP Port 123 firewall rules.
Compare your server’s time against an external server:
w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly
This command polls the remote server 5 times and outputs the exact millisecond offset.
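Because NTP over UDP 123 is unauthenticated, the reason for configuring several sources is that one wrong or spoofed answer can be outvoted. The following added example (not from the original article) parses stripchart `/dataonly` output collected from several peers and flags any peer whose offset disagrees with the median of the others; the peer names, the sample data, the function names and the 1-second threshold are assumptions made for the example.

```powershell
# Added example. $samples is constructed stripchart output, not real measurements;
# the peer names are placeholders and ntp-c.example is made to disagree.
$samples = @{
    'ntp-a.example' = "10:15:00, +02.1034500s`n10:15:02, +02.0987200s`n10:15:04, +02.1101100s"
    'ntp-b.example' = "10:16:00, +02.0876400s`n10:16:02, error: 0x800705B4`n10:16:04, +02.0912300s"
    'ntp-c.example' = "10:17:00, -41.5532100s`n10:17:02, -41.5498700s`n10:17:04, -41.5510900s"
}

function Get-StripchartOffset {
    param([string]$Text)
    # Data lines look like "10:15:00, +02.1034500s"; header and error lines are skipped.
    foreach ($line in $Text -split '\r?\n') {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
}

function Get-MedianValue {
    param([double[]]$Values)
    $sorted = @($Values | Sort-Object)
    $mid = [int][math]::Floor($sorted.Count / 2.0)
    if ($sorted.Count % 2) { $sorted[$mid] } else { ($sorted[$mid - 1] + $sorted[$mid]) / 2 }
}

function Compare-NtpSource {
    param(
        [hashtable]$StripchartByPeer,
        [double]$MaxDisagreementSeconds = 1.0   # assumed threshold, tune per environment
    )
    # One median offset per peer that returned at least one usable sample.
    $perPeer = @(foreach ($peer in $StripchartByPeer.Keys) {
        $offsets = @(Get-StripchartOffset -Text $StripchartByPeer[$peer])
        if ($offsets.Count -gt 0) {
            [pscustomobject]@{ Peer = $peer; Offset = (Get-MedianValue $offsets); Samples = $offsets.Count }
        }
    })
    if ($perPeer.Count -eq 0) { return }
    # The median across peers is the consensus; a lone bad source cannot move it far.
    $consensus = Get-MedianValue $perPeer.Offset
    foreach ($p in $perPeer) {
        [pscustomobject]@{
            Peer          = $p.Peer
            MedianOffsetS = [math]::Round($p.Offset, 4)
            Samples       = $p.Samples
            Disagrees     = [math]::Abs($p.Offset - $consensus) -gt $MaxDisagreementSeconds
        }
    }
}

Compare-NtpSource -StripchartByPeer $samples | Format-Table -AutoSize
```

With only two usable peers the median cannot tell which one is wrong, so the comparison is meaningful from three sources upward.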
W32tm Command Reference
You can use the W32tm.exe tool to configure Windows Time service (W32time) settings. You can also use W32tm.exe to diagnose problems with the time service. W32tm.exe is the preferred command-line tool for configuring, monitoring, or troubleshooting the Windows Time service. For examples of how you can use this command, see Examples.
Syntax
W32tm </parameter> </param2>
Parameters
| Parameter | Description |
|---|---|
| W32tm /? | W32tm command-line Help |
| W32tm /register | Registers the time service to run as a service, and adds default configuration to the registry. |
| W32tm /unregister | Unregisters the time service, and removes all configuration information from the registry. |
| w32tm /monitor | Domain: Specifies which domain to monitor. computers: Monitors the given list of computers. threads: Specifies the number of computers to analyze simultaneously. |
| w32tm /ntte <epoch> | Converts a Windows NT system time into a readable format. |
| w32tm /resync | Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics. |
| w32tm /stripchart | Display real-time tracking against a peer (e.g. /computer:<target>). |
| w32tm /config | Update the time service configuration (e.g. /manualpeerlist:"peers" /syncfromflags:manual /reliable:yes). |
| w32tm /tz | Displays the current time zone settings. |
| w32tm /query | Displays a computer’s Windows Time service info. Use /status, /peers, /configuration, or /source. |
| w32tm /debug | Enables or disables local computer Windows Time service private log. |
Remarks
The Windows Time service is not a full-featured NTP solution that meets time-sensitive application needs, and it is not supported by Microsoft as such. For more information, see the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=179459). If you have questions about the Windows Time service, please post them at http://go.microsoft.com/fwlink/?LinkId=195451.
Examples
If you want to set the local Windows Time client to point to two different time servers, one named ntpserver.contoso.com and another named clock.adatum.com, type the following command at the command line, and then press ENTER:
w32tm /config /manualpeerlist:"ntpserver.contoso.com clock.adatum.com" /syncfromflags:manual /update
For a list of valid NTP servers that are available on the Internet for external time synchronization, see the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=60401).
If you want to check the Windows Time client configuration from a client computer running Windows 7 that has a host name of CONTOSOW1, run the following command:
W32tm /query /computer:contosoW1 /configuration
The output of this command is a list of configuration parameters that are set for the Windows Time client.