The Windows Time service (W32tm) is a prerequisite for Kerberos authentication in Microsoft Active Directory. It ensures that the entire server and client fleet in an organization running a Microsoft operating system uses a common and correct time.
To keep time correct, the Windows Time service uses a hierarchical arrangement of time sources and avoids loops in that hierarchy. In this hierarchy, the domain controller holding the PDC emulator FSMO role in the forest root domain is authoritative for the organization. By default, domain-joined Windows computers use the following hierarchy:
- All client desktop computers and member servers nominate the authenticating domain controller as their in-bound time partner.
- All secondary domain controllers and RODCs in a domain nominate the primary domain controller (PDC) emulator as their in-bound time partner.
- All PDC emulators follow the hierarchy of domains when selecting their in-bound time partner.
Microsoft recommends the following:
- Configure the authoritative time server to obtain time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication between the PDC and the external time source.
- Reduce the time correction settings for your servers and stand-alone clients. These recommendations give your domain more accuracy and more security.
Before you configure the NTP server and clients, consider the following points about time services for a virtualized domain controller and/or virtual machines.
- There must be a single time provider in your infrastructure. You cannot have the domain controller and the Hyper-V or ESXi host both acting as time provider. Only the domain controller is your time provider, and the domain controller syncs its time with a hardware time provider or an Internet time provider.
- Never put a virtualized domain controller in a saved state.
- Never sync a domain controller's time with the virtual host.
- Uncheck time synchronization in the Integration Services if the DC and virtual servers are virtualized on Hyper-V.
- Uncheck time synchronization of the DC and virtual machines in the VMware Tools configuration.
- Do not restore a snapshot to a production domain controller (PDC).
Step1: Remove Time Synchronisation of Guest with Host
Follow this procedure if the host is a Hyper-V host:
1. If the virtual machine is on Hyper-V, right-click the VM, click Settings, and choose Integration Services under Management.
2. Under Integration Services, uncheck Time synchronization.
3. Click OK.
Follow this procedure if the host is an ESXi host:
1. If the virtual machine is on VMware ESXi, right-click the VM and click Edit Settings.
2. Click Options, click VMware Tools, uncheck Synchronize guest time with host, and click OK.
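The Hyper-V half of Step1 can be scripted and verified from the host with the Hyper-V PowerShell module. The following is an added example, not code from the original post; the VM names in $VMNames are placeholders for your domain controller VMs.

```powershell
# Added example (not from the original post): disable the host time
# synchronization integration service on the listed VMs and confirm the result.
# $VMNames is a placeholder list; replace it with your DC VM names.
param(
    [string[]]$VMNames = @('DC01', 'DC02')
)

foreach ($vmName in $VMNames) {
    # 'Time Synchronization' is the same integration service the Settings dialog shows.
    $svc = Get-VMIntegrationService -VMName $vmName -Name 'Time Synchronization'
    if ($svc.Enabled) {
        Disable-VMIntegrationService -VMName $vmName -Name 'Time Synchronization'
    }
    # Re-read the state so the change is verified rather than assumed.
    $stillOn = (Get-VMIntegrationService -VMName $vmName -Name 'Time Synchronization').Enabled
    '{0}: host time sync {1}' -f $vmName, $(if ($stillOn) { 'STILL ENABLED' } else { 'disabled' })
}
```

Inside the guest, `w32tm /query /source` reporting "VM IC Time Synchronization Provider" means the host is still the guest's time source and the integration service has not been disabled for that VM.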
Step2: Configure Cisco Switch as NTP Source
- Enter global configuration mode: switch# config t
- Enable NTP: switch(config)# ntp enable
- Show NTP status: switch(config)# show ntp status
- Configure the NTP server: switch(config)# ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]
- Configure an NTP peer: switch(config)# ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]
- Display the configured servers and peers: switch(config)# show ntp peers
- Save the changes: switch(config)# copy running-config startup-config
Follow this example to configure a Cisco 6000 series switch as the NTP source on a High Availability Catalyst 6000 switch. The Cisco NTP guide is available here.
Step3: Configure a Domain Controller as an NTP Server
Follow this procedure to configure the NTP server from an elevated command prompt; otherwise use Step4 to configure the NTP server with a GPO. My recommended approach is the GPO rather than the command line, but if you are a command-line junkie you can use these commands.
- Find out whether the server you are configuring as the NTP provider is the PDC emulator. Issue this command on the PDC emulator:
netdom query fsmo
- Run the following commands from an elevated command prompt. The first stops the time service:
net stop w32time
- Completely removes all time settings from the registry. You may have to run this twice, because the first run may return an access denied error; if it does, just run it again:
w32tm /unregister
- Re-creates the registry settings:
w32tm /register
- Starts the service:
net start w32time
- Sets the server to sync with the NTP servers on pool.ntp.org. To find the correct time pool for your region, visit http://www.pool.ntp.org/en/ and click your region in the right-hand panel to find the NTP server for your time zone. The example is an Australian time zone setup:
w32tm /config /syncfromflags:manual /manualpeerlist:"au.pool.ntp.org time.windows.com" /reliable:yes /update
When using a hardware time source, use this command instead (the peer list is the IP address, or DNS name if available, of the Cisco core switch):
w32tm /config /syncfromflags:manual /manualpeerlist:"IP Address (DNS if available) of Cisco Core Switch" /reliable:yes /update
- Updates the configuration
w32tm /config /update
- Restarts the service so the new settings take effect.
net stop w32time && net start w32time
- Syncs the clock to your new NTP servers. This needs to return “The command completed successfully.”
w32tm /resync /rediscover
Query the time configuration to make sure time is configured as desired:
w32tm /query /status
w32tm /query /peers
w32tm /query /configuration
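The Step3 procedure, as an added example that is not part of the original post: a PowerShell script that refuses to run anywhere but the PDC emulator, applies the same w32tm settings, and then checks the service's own status instead of assuming the resync worked. It assumes an elevated PowerShell session on a domain controller; $PeerList is a placeholder for your regional pool or the hardware time source address.

```powershell
# Added example (not from the original post): configure the PDC emulator as the
# forest's time source and verify it. Run elevated on the PDC. $PeerList is a
# placeholder: use your region's pool or the hardware time source (core switch).
#Requires -RunAsAdministrator
param(
    [string]$PeerList = 'au.pool.ntp.org time.windows.com'
)

# 1. Only the PDC emulator should take time from an external source; every other
#    DC and member must follow the domain hierarchy. Refuse to run elsewhere.
$pdc = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
$ip  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$me  = "$($ip.HostName).$($ip.DomainName)"
if ($pdc -ne $me) {
    throw "$me is not the PDC emulator ($pdc). Configure the PDC, not this host."
}

# 2. Manual peers, mark this clock reliable for the hierarchy, apply, restart.
w32tm /config /syncfromflags:manual "/manualpeerlist:$PeerList" /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }
Restart-Service -Name w32time

# 3. Force a sync now rather than waiting for the next poll.
w32tm /resync /rediscover
if ($LASTEXITCODE -ne 0) { throw "w32tm /resync failed (exit code $LASTEXITCODE)" }

# 4. Verify from the service's own status. 'Local CMOS Clock' or
#    'Free-running System Clock' as the source means no peer was reached and the
#    PDC is now handing its own unsynchronised time to the whole forest.
$source  = $null
$stratum = $null
foreach ($line in (w32tm /query /status)) {
    if ($line -match '^\s*Source:\s*(.+?)\s*$') { $source  = $Matches[1] }
    if ($line -match '^\s*Stratum:\s*(\d+)')   { $stratum = [int]$Matches[1] }
}
if (-not $source -or $source -match 'Local CMOS Clock|Free-running System Clock') {
    throw "PDC is not synchronised from a peer (source: '$source'). Check UDP/123 to the peers and the peer list."
}
"Synchronised from $source at stratum $stratum"
w32tm /query /peers
```

The PDC check matters because a second DC configured with manual peers and /reliable:yes splits the hierarchy into two authoritative sources; the status check matters because w32tm /config and /resync report success even when every peer is unreachable, and the only symptom is the source falling back to the local clock.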
Step4: Configure an NTP Server using a Group Policy Object
- Open the Group Policy Management Console, right-click the Domain Controllers OU, click Create a GPO, type the name of the GPO as Time Provider, and click OK.
- Right-click the Time Provider GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
- Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. An example is shown below.
Setting | Value
Clock Discipline Parameters |
FrequencyCorrectRate | 4
HoldPeriod | 5
LargePhaseOffset | 50000000
MaxAllowedPhaseOffset | 300
MaxNegPhaseCorrection | 300
MaxPosPhaseCorrection | 300
PhaseCorrectRate | 1
PollAdjustFactor | 5
SpikeWatchPeriod | 900
UpdateInterval | 30000
General Parameters |
AnnounceFlags | 5
EventLogFlags | 2
LocalClockDispersion | 10
MaxPollInterval | 10
MinPollInterval | 6
ChainEntryTimeout |
ChainMaxEntries |
ChainMaxHostEntries |
ChainDisable |
ChainLoggingRate |
- Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable both Enable Windows NTP Client and Enable Windows NTP Server. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):
Setting | Value
NtpServer | au.pool.ntp.org time.windows.com (or the IP address of the Cisco core switch if you are using a hardware time provider)
Type | NTP
CrossSiteSyncFlags | 2
ResolvePeerBackoffMinutes | 15
ResolvePeerBackoffMaxTimes | 7
SpecialPollInterval | 3600
EventLogFlags | 1
The standard time configuration should look like this:
Location | Configuration | Status | Settings
Computer Configuration\Administrative Templates\System\Windows Time Service | Configure Global Configuration Settings | Enabled | Default
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Configure Windows NTP Client settings | Enabled | au.pool.ntp.org time.windows.com
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Client | Enabled | –
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Server | Enabled | –
Step5: Create and link a separate GPO for domain-joined clients or servers
- Open the Group Policy Management Console, right-click the Domain Controllers OU, click Create a GPO, type the name of the GPO as Time Provider, and click OK.
- Right-click the Time Provider GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
- Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. An example is shown below.
Setting | Value
Clock Discipline Parameters |
FrequencyCorrectRate | 4
HoldPeriod | 5
LargePhaseOffset | 50000000
MaxAllowedPhaseOffset | 300
MaxNegPhaseCorrection | 300
MaxPosPhaseCorrection | 300
PhaseCorrectRate | 1
PollAdjustFactor | 5
SpikeWatchPeriod | 900
UpdateInterval | 30000
General Parameters |
AnnounceFlags | 5
EventLogFlags | 2
LocalClockDispersion | 10
MaxPollInterval | 10
MinPollInterval | 6
ChainEntryTimeout |
ChainMaxEntries |
ChainMaxHostEntries |
ChainDisable |
ChainLoggingRate |
- Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and enable Enable Windows NTP Client (Enable Windows NTP Server stays disabled on clients and member servers). Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):
Setting | Value
NtpServer | dc.superplaneteers.com
Type | NT5DS
CrossSiteSyncFlags | 2
ResolvePeerBackoffMinutes | 15
ResolvePeerBackoffMaxTimes | 7
SpecialPollInterval | 3600
EventLogFlags | 1
The standard configuration should look like this:
Location | Configuration | Status | Settings
Computer Configuration\Administrative Templates\System\Windows Time Service | Configure Global Configuration Settings | Enabled | Default
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Configure Windows NTP Client settings | Enabled | NT5DS
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Client | Enabled | –
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Server | Disabled | –
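Group Policy writes these settings into the W32Time policy registry keys, which override the service's own keys, so the effective configuration can be audited without opening the GPO editor. The following is an added example, not code from the original post: it compares the values delivered to this machine against the Step4 (PDC) and Step5 (client and member server) tables above. The registry paths are the standard W32Time policy and service keys; the expected values are taken from those tables.

```powershell
# Added example (not from the original post): audit the Windows Time settings a
# GPO delivered to this machine against the Step4/Step5 tables. Run as -Role PDC
# on the PDC emulator and -Role Member everywhere else.
param(
    [ValidateSet('PDC', 'Member')]
    [string]$Role = 'Member'
)

$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
$ServiceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-W32TimeValue {
    # GPO-delivered values live under the Policies key and take precedence over
    # the service's own key, so read the policy location first, then fall back.
    param([string]$SubKey, [string]$Name)
    foreach ($root in @($PolicyRoot, $ServiceRoot)) {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Expected settings per role, copied from the GPO tables above.
$type             = if ($Role -eq 'PDC') { 'NTP' } else { 'NT5DS' }
$ntpServerEnabled = if ($Role -eq 'PDC') { 1 } else { 0 }
$expected = [ordered]@{
    'Parameters\Type'                                    = $type
    'TimeProviders\NtpServer\Enabled'                    = $ntpServerEnabled
    'TimeProviders\NtpClient\Enabled'                    = 1
    'TimeProviders\NtpClient\CrossSiteSyncFlags'         = 2
    'TimeProviders\NtpClient\ResolvePeerBackoffMinutes'  = 15
    'TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes' = 7
    'TimeProviders\NtpClient\SpecialPollInterval'        = 3600
    'Config\AnnounceFlags'                               = 5
    'Config\MaxPosPhaseCorrection'                       = 300
    'Config\MaxNegPhaseCorrection'                       = 300
}

$mismatches = @()
foreach ($entry in $expected.GetEnumerator()) {
    $cut    = $entry.Key.LastIndexOf('\')
    $subKey = $entry.Key.Substring(0, $cut)
    $name   = $entry.Key.Substring($cut + 1)
    $actual = Get-W32TimeValue -SubKey $subKey -Name $name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    if ("$actual" -ne "$($entry.Value)") {
        $mismatches += '{0}: expected {1}, found {2}' -f $entry.Key, $entry.Value, $shown
    }
}

# A PDC in NTP mode with an empty peer list quietly falls back to its own clock.
if ($Role -eq 'PDC' -and -not (Get-W32TimeValue -SubKey 'Parameters' -Name 'NtpServer')) {
    $mismatches += 'Parameters\NtpServer: expected a peer list, found <not set>'
}

if ($mismatches.Count -eq 0) {
    "OK: W32Time settings match the $Role profile"
} else {
    $mismatches | ForEach-Object { "MISMATCH $_" }
    exit 1
}
```

The two checks that matter most for security are Type and NtpServer\Enabled: a member server with Type NTP has left the domain hierarchy and trusts whatever peer it was pointed at, and a member with the NTP server enabled is advertising itself as a time source.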
Broadcasting Time Configuration using DHCP Server
Note: use either a GPO to configure time or DHCP to broadcast the time server for Windows 7 and Windows 8 clients, not both. My recommendation is to use a GPO to configure time for Windows clients. However, here is a guide to configuring Windows time via DHCP.
- Log on to the DHCP server, click Server Manager, click Tools, and click DHCP Manager.
- Click Server Options, click Properties; on the General tab, scroll down and select 042 Time Servers, type the IP address of the time server, click Resolve, click Add, and click OK.
NTP Client Configuration for domain-joined Hyper-V Server 2012
- Create an OU in Active Directory named Hyper-V Server 2012 and place all Hyper-V servers in that OU.
- Right-click the Hyper-V Server 2012 OU that you want to apply this policy to and click "Link an Existing GPO". Highlight the time policy you created in Step5, select it, and click OK.
- Repeat for other OUs as necessary. Remember that a nested OU inherits from its parent unless inheritance is blocked or it has its own linked GPO with conflicting settings.
NTP Client Configuration for non-domain-joined Hyper-V Server 2012
- Sets the server to sync with the NTP server:
w32tm /config /syncfromflags:manual /manualpeerlist:"dc.superplaneteers.com" /reliable:yes /update
where dc.superplaneteers.com is the PDC and time provider.
- Restarts the service so the new settings take effect.
net stop w32time && net start w32time
- Syncs the clock to your new NTP servers. This needs to return “The command completed successfully.”
w32tm /resync /rediscover
Query the time configuration to make sure time is configured as desired:
w32tm /query /status
w32tm /query /peers
w32tm /query /configuration
NTP Client Configuration on an ESXi Host
Open the Virtual Infrastructure Client, connect to Virtual Center, expand the Data Center, expand the Cluster, select the ESXi host, click Configuration, click Time Configuration, and click Properties.
On the General tab, select Start and Stop with Host.
Click NTP Settings, click Add, type the FQDN of the domain controller, click OK, and click OK again.
If you have a Host Profile in Virtual Center, click Home, click Host Profiles, click Create a Host Profile or edit an existing Host Profile, expand Date and Time Configuration, click Time Settings, type the FQDN of the DC, and click OK.
Time drift errors on Windows machines
Time can drift for many reasons, for example network latency or misconfiguration of the time service. You may find a time-drift event in the Windows Server event log, as shown below. A troubleshooting guide is provided at the URL below.
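Drift is easier to catch by measuring it than by waiting for an event. The following is an added example, not code from the original post: it samples this machine's offset from the PDC emulator with w32tm /stripchart and then lists the last day's Time-Service warnings and errors from the System log, which usually name the cause (no reachable peer, a host that cannot find a partner in the hierarchy, or a correction refused because it exceeds MaxPosPhaseCorrection/MaxNegPhaseCorrection). The warning threshold is this example's own choice; the default Kerberos tolerance of 5 minutes is the hard limit.

```powershell
# Added example (not from the original post): measure the clock offset from the
# PDC emulator and surface recent Time-Service warnings/errors. $WarnSeconds is
# an arbitrary threshold for this example; tune it to your environment.
param(
    [string]$Computer,                 # defaults to the domain's PDC emulator
    [int]$Samples = 5,
    [double]$WarnSeconds = 1.0
)

if (-not $Computer) {
    $Computer = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
}

# With /dataonly each sample is one line, "HH:mm:ss, +00.0012345s", or
# "HH:mm:ss, error: 0x..." when the peer did not answer (UDP/123 blocked, etc.).
$raw           = w32tm /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly
$offsets       = @()
$failedSamples = @()
foreach ($line in $raw) {
    if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]?\d+(?:\.\d+)?)s') {
        $offsets += [double]$Matches[1]
    } elseif ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*error') {
        $failedSamples += $line.Trim()
    }
}

if ($offsets.Count -eq 0) {
    throw "No time samples from $Computer. $($failedSamples -join '; ')"
}

$maxAbs  = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
$verdict = if ($maxAbs -gt $WarnSeconds) { 'DRIFT' } else { 'OK' }
'{0}: largest offset from {1} is {2:N3} s over {3} samples ({4} unanswered)' -f $verdict, $Computer, $maxAbs, $offsets.Count, $failedSamples.Count

# Level 2 = Error, 3 = Warning. The Time-Service provider logs why it could not
# sync, which is the first thing to read when the offset above is large.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
}
$events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it on a member server to check the client side of the hierarchy, or with -Computer pointed at the external pool from the PDC to check the top of it; an offset that grows between runs while the event log stays quiet usually means the machine is silently syncing from a different source than you expect, which w32tm /query /source will confirm.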
Further Study
Timekeeping best practices for Windows on ESXi Host
Detailed explanation of time configuration GPO