Windows Time Configuration Best Practice—Step by Step


The Windows Time service (W32Time, administered with the W32tm tool) provides the time synchronization that Kerberos authentication in Microsoft Active Directory depends on. It ensures that the entire fleet of servers and clients in an organization running a Microsoft operating system uses a common and correct time.
To keep time correct, the Windows Time service uses a hierarchy of time sources and avoids loops in that hierarchy. In this hierarchy, the domain controller that holds the PDC emulator FSMO role in the forest root domain is authoritative for the organization. By default, Windows-based domain-joined computers use the following hierarchy:

  • All client desktop computers and member servers nominate the domain controller that authenticates them as their in-bound time partner.
  • All other domain controllers and RODCs in a domain nominate the domain controller holding the PDC emulator role as their in-bound time partner.
  • All PDC emulators follow the hierarchy of domains when selecting their in-bound time partner, with the forest root PDC emulator at the top.

Microsoft recommends the following:

  • Configure the authoritative time server to obtain its time from a hardware source. When the authoritative time server is configured to sync with an Internet time source, there is no authentication between the PDC emulator and the external time source.
  • Reduce the time correction settings for your servers and stand-alone clients. These recommendations give your domain more accuracy and security.

Before you configure the NTP server and clients, consider the following points about the time service for a virtualized domain controller and/or virtual machines.

  • There must be a single time provider in your infrastructure. Do not let a domain controller, a Hyper-V host and an ESXi host all act as time providers. The domain controller is the only time provider, and it syncs its time with a hardware time source or an Internet time source.
  • Never put a virtualized domain controller into a saved state.
  • Never sync a domain controller's time with the virtualization host.
  • Uncheck Time synchronization in the Integration Services if the DC and virtual servers are virtualized on Hyper-V.
  • Uncheck time synchronization for the DC and virtual machines in the VMware Tools configuration.
  • Do not restore a snapshot onto a production domain controller (PDC).

Step 1: Remove Time Synchronisation of Guest with Host

Follow this procedure if the host is a Hyper-V host:

1. If the virtual machine is on Hyper-V, right-click the VM, click Settings, then choose Integration Services under Management.

2. Under Integration Services, uncheck Time synchronization.

3. Click OK.

Follow this procedure if the host is an ESXi host:

1. If the virtual machine is on VMware ESXi, right-click the VM and click Edit Settings.

2. Click Options, click VMware Tools, uncheck Synchronize guest time with host, then click OK.
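The Hyper-V part of Step 1 applied to every VM on a host at once, as an added example that is not part of the original post. It assumes the Hyper-V PowerShell module is present on the host; the -AuditOnly switch is my addition for a read-only first pass.

```powershell
# Added example, not from the original post: audit every VM on this Hyper-V host
# and switch off the "Time Synchronization" integration service where it is still
# on. Assumes the Hyper-V module; -AuditOnly (my addition) only reports.
Import-Module Hyper-V

function Disable-GuestTimeSync {
    param([string[]]$VMName = (Get-VM).Name, [switch]$AuditOnly)
    foreach ($name in $VMName) {
        # "Time Synchronization" is the integration service unchecked in the GUI
        $svc = Get-VMIntegrationService -VMName $name -Name 'Time Synchronization'
        $action = if (-not $svc.Enabled) { 'already off' }
                  elseif ($AuditOnly)    { 'would disable' }
                  else {
                      Disable-VMIntegrationService -VMName $name -Name 'Time Synchronization'
                      'disabled'
                  }
        [pscustomobject]@{ VM = $name; TimeSync = $action }
    }
}

# audit first, then apply
Disable-GuestTimeSync -AuditOnly | Format-Table
Disable-GuestTimeSync | Format-Table
```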

Step 2: Configure Cisco Switch as NTP Source

Enter global configuration mode:

switch# config t

Enable NTP:

switch(config)# ntp enable

Show the NTP status:

switch(config)# show ntp status

Configure the NTP server:

switch(config)# ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Configure an NTP peer (a symmetric association with another NTP host) alongside the specified NTP server:

switch(config)# ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Display the configured servers and peers:

switch(config)# show ntp peers

Save the changes:

switch(config)# copy running-config startup-config

Follow this example to configure a Cisco Catalyst 6000 series switch as the NTP source in a high-availability setup. The Cisco NTP guide is linked under Further Study at the end of this post.

Step 3: Configure a Domain Controller as an NTP Server

Follow this procedure to configure the NTP server from an elevated command prompt; otherwise use Step 4 to configure the NTP server with a GPO. My recommended approach is the GPO rather than the command line, but if you are a command-line junkie you can use these commands.

  1. Find out whether the server you are configuring as the NTP provider is the PDC emulator. Run this command on a domain controller:

Netdom query fsmo

  2. Run the following command from an elevated command prompt to stop the time service:

net stop w32time

  3. Completely remove all time settings from the registry. You may have to run this twice: if you get an access denied error, just run it again.

w32tm /unregister

  4. Re-create the registry settings:

w32tm /register

  5. Start the service:

net start w32time

  6. Set the server to sync with the NTP servers on pool.ntp.org. To find the correct pool for your region, visit http://www.pool.ntp.org/en/ and click your region in the right-hand panel. The example is an Australian time zone setup:

w32tm /config /syncfromflags:manual /manualpeerlist:"au.pool.ntp.org time.windows.com" /reliable:yes /update

When using a hardware time source, use this command instead:

w32tm /config /syncfromflags:manual /manualpeerlist:"<IP address, or DNS name if available, of the Cisco core switch>" /reliable:yes /update

  7. Update the configuration:

w32tm /config /update

  8. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  9. Sync the clock to your new NTP servers. This needs to return "The command completed successfully.":

w32tm /resync /rediscover

  10. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration
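A scripted version of the final check in Step 3, as an added example that is not part of the original post: it verifies that the host's W32Time settings match its role (PDC emulator on manual NTP peers, everything else on the NT5DS domain hierarchy) and measures the live offset to the source it should be following. It needs no extra modules and should run elevated; the one-second tolerance is my choice, not a value from the page.

```powershell
# Added example, not from the original post: role-aware W32Time health check.
# Reads the same registry values that "w32tm /query /configuration" shows and
# samples the offset with "w32tm /stripchart". 1 s tolerance is my assumption.
function Test-W32TimeRole {
    param([double]$MaxOffsetSeconds = 1.0)
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $config = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # Win32_ComputerSystem.DomainRole 5 = this DC holds the PDC emulator role
    $isPdc  = (Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5
    $problems = @()

    if ($isPdc) {
        # Step 3 leaves the PDC with Type=NTP, AnnounceFlags=5 (/reliable:yes)
        # and a manual peer list that points away from the PDC itself.
        if ($params.Type -ne 'NTP')      { $problems += "Type is '$($params.Type)', expected NTP" }
        if ($config.AnnounceFlags -ne 5) { $problems += "AnnounceFlags is $($config.AnnounceFlags), expected 5" }
        if (-not $params.NtpServer -or $params.NtpServer -imatch [regex]::Escape($me)) {
            $problems += 'no external or hardware peer configured'
        }
        # first manual peer, with any ",0x8"-style flag suffix stripped
        $source = ($params.NtpServer -split ' ')[0] -replace ',0x[0-9a-fA-F]+$', ''
    } else {
        # everything else follows the domain hierarchy, whose root is the PDC emulator
        if ($params.Type -ne 'NT5DS')    { $problems += "Type is '$($params.Type)', expected NT5DS" }
        $source = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    }

    # w32tm /stripchart prints one "hh:mm:ss, +00.0012345s" line per sample
    $lines   = w32tm /stripchart /computer:$source /samples:3 /dataonly 2>&1
    $offsets = @($lines | ForEach-Object { if ("$_" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } })
    if ($offsets.Count -eq 0) {
        $problems += "no NTP reply from $source (UDP 123 blocked or wrong peer?)"
    } else {
        $avg = ($offsets | Measure-Object -Average).Average
        if ([math]::Abs($avg) -gt $MaxOffsetSeconds) {
            $problems += ('offset to {0} is {1:N3} s' -f $source, $avg)
        }
    }

    [pscustomobject]@{
        Computer = $me; IsPdcEmulator = $isPdc; Source = $source
        Healthy  = ($problems.Count -eq 0); Problems = $problems
    }
}

Test-W32TimeRole | Format-List
```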

Step 4: Configure an NTP Server using a Group Policy Object

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click New Group Policy, type Time Provider as the name of the GPO, then click OK.
  2. Right-click the Time Provider GPO, click Edit, then expand Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, then click OK. The example is shown below.

Clock Discipline Parameters:
  FrequencyCorrectRate: 4
  HoldPeriod: 5
  LargePhaseOffset: 50000000
  MaxAllowedPhaseOffset: 300
  MaxNegPhaseCorrection: 300
  MaxPosPhaseCorrection: 300
  PhaseCorrectRate: 1
  PollAdjustFactor: 5
  SpikeWatchPeriod: 900
  UpdateInterval: 30000

General Parameters:
  AnnounceFlags: 5
  EventLogFlags: 2
  LocalClockDispersion: 10
  MaxPollInterval: 10
  MinPollInterval: 6
  ChainEntryTimeout, ChainMaxEntries, ChainMaxHostEntries, ChainDisable, ChainLoggingRate: no value given

4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable the Enable Windows NTP Client and Enable Windows NTP Server policies. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):

  NtpServer: au.pool.ntp.org time.windows.com (or the IP address of the Cisco core switch if you are using a hardware time provider)
  Type: NTP
  CrossSiteSyncFlags: 2
  ResolvePeerBackoffMinutes: 15
  ResolvePeerBackoffMaxTimes: 7
  SpecialPollInterval: 3600
  EventLogFlags: 1

The standard time configuration should look like this:

Under Computer Configuration\Administrative Templates\System\Windows Time Service:
  Configure Global Configuration Settings: Enabled (settings: Default)

Under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers:
  Configure Windows NTP Client settings: Enabled (NtpServer: au.pool.ntp.org time.windows.com)
  Enable Windows NTP Client: Enabled
  Enable Windows NTP Server: Enabled

Step 5: Create and link a separate GPO for domain-joined clients or servers

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click New Group Policy, type Time Provider as the name of the GPO, then click OK.
  2. Right-click the Time Provider GPO, click Edit, then expand Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, then click OK. The example is shown below.

Clock Discipline Parameters:
  FrequencyCorrectRate: 4
  HoldPeriod: 5
  LargePhaseOffset: 50000000
  MaxAllowedPhaseOffset: 300
  MaxNegPhaseCorrection: 300
  MaxPosPhaseCorrection: 300
  PhaseCorrectRate: 1
  PollAdjustFactor: 5
  SpikeWatchPeriod: 900
  UpdateInterval: 30000

General Parameters:
  AnnounceFlags: 5
  EventLogFlags: 2
  LocalClockDispersion: 10
  MaxPollInterval: 10
  MinPollInterval: 6
  ChainEntryTimeout, ChainMaxEntries, ChainMaxHostEntries, ChainDisable, ChainLoggingRate: no value given

4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable the Enable Windows NTP Client and Enable Windows NTP Server policies. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):

  NtpServer: dc.superplaneteers.com
  Type: NT5DS
  CrossSiteSyncFlags: 2
  ResolvePeerBackoffMinutes: 15
  ResolvePeerBackoffMaxTimes: 7
  SpecialPollInterval: 3600
  EventLogFlags: 1

The standard configuration should look like this:

Under Computer Configuration\Administrative Templates\System\Windows Time Service:
  Configure Global Configuration Settings: Enabled (settings: Default)

Under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers:
  Configure Windows NTP Client settings: Enabled (Type: NT5DS)
  Enable Windows NTP Client: Enabled
  Enable Windows NTP Server: Disabled
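The two GPOs from Step 4 and Step 5 built with the GroupPolicy module instead of the GPMC GUI, as an added example that is not part of the original post. The registry paths are the ones the Windows Time Service ADMX templates write; the OU distinguished names and the second GPO's name are placeholders, and superplaneteers.com is the page's example domain.

```powershell
# Added example, not from the original post: create and link the Step 4 (PDC)
# and Step 5 (domain members) Windows Time GPOs. Policy registry paths are the
# W32Time ADMX ones; OU DNs and the "Time Client" GPO name are placeholders.
Import-Module GroupPolicy

$ParamKey  = 'HKLM\Software\Policies\Microsoft\W32Time\Parameters'
$ClientKey = 'HKLM\Software\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$ServerKey = 'HKLM\Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer'

function New-TimeGpo {
    param([string]$Name, [string]$Type, [string]$NtpServer,
          [bool]$NtpServerEnabled, [string]$TargetOu)
    $gpo = New-GPO -Name $Name -ErrorAction Stop
    # "Configure Windows NTP Client settings": Type and NtpServer are REG_SZ
    Set-GPRegistryValue -Name $Name -Key $ParamKey -ValueName 'Type'      -Type String -Value $Type      | Out-Null
    Set-GPRegistryValue -Name $Name -Key $ParamKey -ValueName 'NtpServer' -Type String -Value $NtpServer | Out-Null
    # remaining NTP client values from the page's example, plus "Enable Windows NTP Client"
    $client = [ordered]@{ Enabled = 1; CrossSiteSyncFlags = 2; ResolvePeerBackoffMinutes = 15
                          ResolvePeerBackoffMaxTimes = 7; SpecialPollInterval = 3600; EventLogFlags = 1 }
    foreach ($v in $client.GetEnumerator()) {
        Set-GPRegistryValue -Name $Name -Key $ClientKey -ValueName $v.Key -Type DWord -Value $v.Value | Out-Null
    }
    # "Enable Windows NTP Server": on for the PDC GPO, off for the client GPO
    Set-GPRegistryValue -Name $Name -Key $ServerKey -ValueName 'Enabled' -Type DWord -Value ([int]$NtpServerEnabled) | Out-Null
    New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
    return $gpo
}

# Step 4: the PDC emulator syncs from manual peers (Internet pool or the core switch)
New-TimeGpo -Name 'Time Provider' -Type 'NTP' -NtpServer 'au.pool.ntp.org time.windows.com' `
    -NtpServerEnabled $true -TargetOu 'OU=Domain Controllers,DC=superplaneteers,DC=com'

# Step 5: members follow the domain hierarchy (NT5DS); placeholder OU and GPO name
New-TimeGpo -Name 'Time Client' -Type 'NT5DS' -NtpServer 'dc.superplaneteers.com' `
    -NtpServerEnabled $false -TargetOu 'OU=Member Servers,DC=superplaneteers,DC=com'
```

Microsoft's guidance scopes the PDC GPO with a WMI filter (Select * from Win32_ComputerSystem where DomainRole = 5) so that the manual-peer settings land only on the DC currently holding the PDC emulator role; creating WMI filters is outside the GroupPolicy module, so this script links to the OU as the page does.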

Broadcasting Time Configuration using DHCP Server

Note that you use either a GPO to configure time or DHCP to broadcast the time server for Windows 7 and Windows 8 clients, not both. My recommendation is to use a GPO to configure time for Windows clients. However, here is a guide to configuring Windows time via DHCP.

  1. Log on to the DHCP server, open Server Manager, click Tools, then click DHCP Manager.
  2. Click Server Options, click Properties, and on the General tab scroll down and select 042 Time Servers. Type the IP address of the time server, click Resolve, click Add, then click OK.

NTP Client Configuration for domain-joined Hyper-V Server 2012

  1. Create an OU in Active Directory named Hyper-V Server 2012 and place all Hyper-V servers in that OU.
  2. Right-click the Hyper-V Server 2012 OU that you want to apply this policy to and click "Link an Existing GPO". Highlight the time policy you created in Step 5, select it and click OK.
  3. Repeat for other OUs as necessary. Remember that a nested OU inherits from its parent unless inheritance is blocked or it has its own linked GPO with conflicting settings.

NTP Client Configuration for non-domain-joined Hyper-V Server 2012

  1. Set the server to sync with the NTP server:

w32tm /config /syncfromflags:manual /manualpeerlist:"dc.superplaneteers.com" /reliable:yes /update

where dc.superplaneteers.com is the PDC emulator and time provider.

  2. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  3. Sync the clock to your new NTP server. This needs to return "The command completed successfully.":

w32tm /resync /rediscover

  4. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration

NTP Client Configuration on an ESXi Host

Open the Virtual Infrastructure Client, connect to Virtual Center, expand the data center, expand the cluster, select the ESXi host, click Configuration, click Time Configuration, then click Properties.

On the General tab, select Start and stop with host.

Click NTP Settings, click Add, type the FQDN of the domain controller, click OK, then click OK again.

If you have a host profile in Virtual Center, click Home, click Host Profiles, click Create a Host Profile or edit an existing host profile, expand Date and Time Configuration, click Time Settings, type the FQDN of the DC, then click OK.

Time drift errors on Windows machines

Time can drift for many reasons, for example network latency or misconfiguration of the time service. You may find time drift events in the Windows Server System event log. A troubleshooting guide is linked under Further Study below (Time Drifting Issue).

Further Study

Microsoft Reference

Time Drifting Issue

Timekeeping best practices for Windows on ESXi Host

Detailed explanation of time configuration GPO

Cisco NTP Network Appliance

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
