NTP server in Windows Domain

 

In a Windows domain, the domain controller (PDC) acts as the NTP server, and all host machines sync their time from the DC.

To guarantee that all hosts are running on accurate time, you first need to make sure the DC itself is accurate and syncs with an external NTP server regularly. This can be done either via a Microsoft tool or by manually editing the registry.

 

Manually configure the Windows Time service

To configure an internal time server to synchronize with an external time source, follow these steps:

  1. Change the server type to NTP. To do this, follow these steps:
    1. Select Start > Run, type regedit, and then select OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    3. In the pane on the right, right-click Type, and then select Modify.
    4. In Edit Value, type NTP in the Value data box, and then select OK.
  2. Set AnnounceFlags to 5. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
    2. In the pane on the right, right-click AnnounceFlags, and then select Modify.
    3. In Edit DWORD Value, type 5 in the Value data box, and then select OK.

       Notes

      • If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of to 0x5.
      • If an authoritative time server is configured to use an AnnounceFlag value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5.
  3. Enable NTPServer. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    2. In the pane on the right, right-click Enabled, and then select Modify.
    3. In Edit DWORD Value, type 1 in the Value data box, and then select OK.
  4. Specify the time sources. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the pane on the right, right-click NtpServer, and then select Modify.
    3. In Edit Value, type Peers in the Value data box, and then select OK.

       Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes that you make in step 5 will not take effect.

  5. Configure the time correction settings. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
    2. In the pane on the right, right-click MaxPosPhaseCorrection, and then select Modify.
    3. In Edit DWORD Value, click to select Decimal in the Base box.
    4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then select OK.

       Note

      • TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source.
      • The default value of MaxPosPhaseCorrection is 48 hours (172800 seconds) in Windows Server 2008 R2 or later.
    5. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
    6. In the pane on the right, right-click MaxNegPhaseCorrection, and then select Modify.
    7. In Edit DWORD Value, click to select Decimal in the Base box.
    8. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then select OK.

       Note

      • TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source.
      • The default value of MaxNegPhaseCorrection is 48 hours in Windows Server 2008 R2 or later.
  6. Close Registry Editor.
  7. At the command prompt, type the following command to restart the Windows Time service, and then press Enter:
    net stop w32time && net start w32time

SpecialPollInterval

The last line in the screen shot shows the SpecialPollInterval.

Note the 0x1 after each server entry in the manual peer list. This flag tells Windows Time to poll the peer every SpecialPollInterval seconds instead of using the standard NTP poll interval. If your SpecialPollInterval is already 3600 (1 hour) as shown above, that should be fine for a physical server. If your server is virtualized and thus subject to more clock skew, you may want to reduce it, e.g. to 900 (15 minutes). There is no command to do that; you must edit this registry value:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

The meanings of the registry values are documented on TechNet (Server 2003/2008/2008R2).

MaxPosPhaseCorrection and MaxNegPhaseCorrection

MaxPosPhaseCorrection and MaxNegPhaseCorrection limit the allowable offset taken from a time sample. When any instance of w32time polls another machine for the time, it determines the offset between the time source and itself; this value is known as the "Sample Offset". Before a sample is used by the time service, it is compared against the phase correction limits. If the sample offset is greater than the limit, the sample is thrown out and a "TOO BIG" event is generated. The event contains all of the information about the time sample, including who sent it. The purpose is to isolate domain controllers on the network that get into a bad time state: the other DCs log an error about the time samples being too big rather than blindly accepting them.

 

Knowing your limits

The next question is: What is an acceptable limit of phase correction? After much analysis and debate, we are advising a value of 48 hours. If a domain controller receives a sample that says it is more than 48 hours off, either in the future or in the past, the domain controller will throw it out. However, every customer should evaluate their own situation to be sure.

This is advised for both limits, both forward and backwards.

A packaged solution

 

Here is an example of a registry entry that you can merge on-demand to apply a 48 hour limit to the phase correction:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxNegPhaseCorrection"=dword:0002a300
"MaxPosPhaseCorrection"=dword:0002a300

 

Then an end computer can use the command below to sync with the DC:

net time \\domain /set /y

To check where the current machine is syncing from, type w32tm /query /status.

Time sync issue in virtualization

In some scenarios involving guest domain controllers, Hyper-V TimeSync samples can disrupt domain time synchronization. The best practice for the Hyper-V time setting is to leave Time synchronization enabled.

There are definitely times when you will want to augment the functionality of the Hyper-V time integration services with a remote time source (be it a domain source or an external time server), but the only way to get the best experience around virtual machine boot/restore operations is to leave the Hyper-V time integration services enabled. So the topology for time sync is as follows:

Hyper-V Host setup

First stop the time service with:

net stop w32time

Registry changes (base HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\):

  • w32time\Config\AnnounceFlags = 10
  • w32time\Parameters\NtpServer = 0.au.pool.ntp.org,0x1 1.au.pool.ntp.org,0x1 2.au.pool.ntp.org,0x1 3.au.pool.ntp.org,0x1
  • w32time\TimeProviders\NtpClient\SpecialPollInterval = 900 (15 minutes)
  • w32time\TimeProviders\NtpServer\Enabled = 1

Some use AnnounceFlags=5, but the correlation with a domain controller (which is not set up in this case) causes the NTP server not to announce itself (observation, not fact), hence AnnounceFlags is set to 10 (more on AnnounceFlags).

The 0x1 flag on the NtpServer entries means "use the special poll interval" (instead of the standard NTP poll intervals) (more on 0x1, 0x2, 0x4 and 0x8). Using SpecialPollInterval is not required, but it seems to be recommended (perhaps mostly for guests and not so much for hosts). If you decide not to use SpecialPollInterval, you have to limit MinPollInterval and MaxPollInterval instead. Their defaults are 10 (1024 seconds) and 15 (32768 seconds); I suggest 6 (64 seconds) and 10 (1024 seconds) instead.

Make sure the time service is started when the server has network connection:

sc triggerinfo w32time start/networkon stop/networkoff

The default is to start (and stop) the time service with the domain controller (which is not present in this setup). Forgetting this step will stop your time server on every boot (shortly after it is started automatically). This problem was a difficult one to track.

And start the service again:

net start w32time

Now the host polls one of the NTP time servers every 15 minutes and offers itself as an NTP server to other clients. I have firewalled udp/123 so that only the guests are allowed in.

Use w32tm /resync, then w32tm /query /configuration and w32tm /query /source, to check the active configuration.
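The manual registry procedure above and the Hyper-V host setup differ only in the values written, so here is one parameterized PowerShell function that applies either. This is an added example, not part of the original post; the function and parameter names are my own, the registry paths and values are the ones the post lists, and the DC peer names are placeholders. Run it elevated.

```powershell
# Added example (not from the original post): apply the W32Time registry settings
# described above with PowerShell instead of regedit. Run from an elevated prompt.
$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Set-W32TimeNtpSource {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Peers,   # DNS names; ",0x1" is appended to each
        [ValidateSet(5, 10)][int]$AnnounceFlags = 5,
        [int]$SpecialPollInterval = 3600,         # seconds between polls of the peers
        [int]$MaxPhaseCorrection  = 172800,       # 48 h, written to both Pos and Neg limits
        [switch]$StandaloneHost                   # no DC present: tie service to network state
    )
    # NtpServer is a space-delimited list; ,0x1 = poll at SpecialPollInterval
    $peerList = ($Peers | ForEach-Object { "$_,0x1" }) -join ' '

    Stop-Service w32time
    Set-ItemProperty "$W32\Parameters" -Name Type      -Value 'NTP'     -Type String
    Set-ItemProperty "$W32\Parameters" -Name NtpServer -Value $peerList -Type String
    Set-ItemProperty "$W32\Config" -Name AnnounceFlags         -Value $AnnounceFlags      -Type DWord
    Set-ItemProperty "$W32\Config" -Name MaxPosPhaseCorrection -Value $MaxPhaseCorrection -Type DWord
    Set-ItemProperty "$W32\Config" -Name MaxNegPhaseCorrection -Value $MaxPhaseCorrection -Type DWord
    Set-ItemProperty "$W32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty "$W32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value $SpecialPollInterval -Type DWord

    if ($StandaloneHost) {
        # Without a DC the default triggers stop w32time shortly after every boot
        sc.exe triggerinfo w32time start/networkon stop/networkoff | Out-Null
    }
    Start-Service w32time
    w32tm.exe /resync | Out-Null
}

# Run whichever invocation matches the machine:
# (a) PDC in a domain: authoritative, AnnounceFlags 5, placeholder upstream peers
Set-W32TimeNtpSource -Peers 'ntp1.example.invalid', 'ntp2.example.invalid' -AnnounceFlags 5

# (b) Domain-less Hyper-V host from the post: au pool servers, 15-minute polls, AnnounceFlags 10
Set-W32TimeNtpSource -Peers '0.au.pool.ntp.org', '1.au.pool.ntp.org', '2.au.pool.ntp.org', '3.au.pool.ntp.org' `
    -AnnounceFlags 10 -SpecialPollInterval 900 -StandaloneHost

# Confirm what the service actually picked up (Group Policy can override the registry)
w32tm.exe /query /configuration
w32tm.exe /query /source
```

The final two queries are the check the post recommends: if the reported source is not one of the peers you passed in, a domain or local policy is overriding the registry values.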

If the Hyper-V host is domain joined, make sure no NTP-related domain policy is applied to it.

According to my testing, the order of precedence of the configuration appears to be Group Policy > domain-advertised NTP > Hyper-V setting, then the registry setting.

If you have trouble applying the settings to the w32tm configuration, try editing the local GPO with gpedit.msc on the Hyper-V host; also make sure the host has Internet connectivity if it sits behind a proxy server.

Go to Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers and enable the policies Enable Windows NTP Client and Configure Windows NTP Client.

 

  • As an NTP server specify the name or IP address: 0.au.pool.ntp.org,0x1 1.au.pool.ntp.org,0x1 2.au.pool.ntp.org,0x1 3.au.pool.ntp.org,0x1
  • SpecialPollInterval: 900
  • Set authentication type: NTP

Then run w32tm /resync, followed by w32tm /query /configuration and w32tm /query /source, to check the active configuration again and make sure the source is one of the ntp.org servers you entered above.

VM Client Machine

 

Go to the VM setting, under management > Integration Services > Enable the Time Synchronization for the VM hosting PDC master role.

Other Domain Client

 

By default, in an Active Directory domain environment, clients synchronize their time with domain controllers (the Nt5DS option: synchronize time with the domain hierarchy).

Typically this behavior does not need to be reconfigured; however, if there are problems with time sync on domain clients, you can try specifying a time server directly on the clients using a GPO.

To do this, create a new GPO and assign it to the OU with computers. In the GPO Editor go to Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers and enable policy Configure Windows NTP Client.

 

  • As an NTP server specify the name or IP address of the PDC:  FQDN_of_PDC,0x9
  • Set authentication type: NT5DS

Problems

You don't have permission to change the time zone.

This may not be a common issue, but it sometimes happens even when you are a local admin and a domain admin. To resolve it, run tzutil /l to list the time zones, find your time zone name, and note it down:

tzutil /l

(UTC-12:00) International Date Line West
Dateline Standard Time

(UTC-11:00) Coordinated Universal Time-11
UTC-11

(UTC-10:00) Aleutian Islands
Aleutian Standard Time

The first line is the location and the second line is the time zone name. Then use the command below to change it:

tzutil /s "time zone name"

eg:

tzutil /s "AUS Eastern Standard Time"

W32tm command

w32tm /monitor /domain:my_domain : lists each domain controller it can find in the specified domain and prints a result that lets you determine each machine's sync partner. This command will include machines that have been configured manually.

w32tm /query /status

w32tm /query /source : The results display the Source among other things. The Source indicates with whom you synchronize time in the domain.

Reference:

How to configure an authoritative time server in Windows Server

https://support.microsoft.com/en-au/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

Net time VS w32tm:

NET TIME and w32time

Accurate time on Win2016:

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time