It’s easy to forget how crucial time synchronization is across a network/domain until it stops working. After you set up your domain controller and pick a time zone, it should all just work–and it typically does. However, if you manage Windows Servers for long enough, this is probably going to be something you have to mess with.
So, here’s a scenario–definitely not one I’ve come across–you’re on one of the servers, and you notice the clock is off by three minutes. You check the other servers, and their clocks are off by three minutes too. You identify which server (if you didn’t know already) has the PDC emulator FSMO role, then check the time zone, restart the w32time service, restart the server–maybe even try manually adjusting the time by a few minutes. No dice. Looking into the NTP server seems like a good next step.
By default, a Windows machine/server is going to use time.windows.com for its NTP server. There’s a chance it’ll pick the Local CMOS Clock. There are multiple ways to check this, and I’m going to get into that next. First, I want to go over the utility used to look into our NTP settings. W32tm is the network time services utility. To get an understanding of how it works, and how Windows thinks of time services, it’s good to read the top part of its help output. Run w32tm /?
I’m showing this specifically because these are two of the major components of Windows Time Service. It is a Windows service and the configuration is added to the registry. To start or stop Windows Time Service, the cmd command is
net stop|start w32time
The next part is how we look at our current configuration. There are two ways to do it: using w32tm /query /another_command or checking the registry. We should be checking both to make sure it’s configured correctly. Let’s start with w32tm.
Within this part of the utility we can do:
w32tm /query /source|configuration|peers|status|verbose
The first command I would run would be w32tm /query /source. This will tell you if you are using the BIOS clock or an NTP server. If you run
w32tm /query /peers
and you’re using the hardware clock, then you won’t get that information. It will just say:
As opposed to:
Next, I think it would be prudent to check the status. This will show us the IP address of our NTP server, stratum, last successful sync, and the source server (naturally).
If you were looking at this, and noticed an issue with the last successful sync, it could be worth it to run
w32tm /resync
If this fixes the issue, then success! However, it could still be worth your time to change NTP servers.
Since I mentioned there are two ways to check NTP settings, let’s look at the registry now. The three main areas in the registry are:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
The big one we want to check is Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. This will show us our NTP server in the registry. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config is good to check if you’re making changes to announce flags, update intervals, or the poll interval.
Now that we’ve checked our general NTP settings, let’s change our NTP server. I am going to change them to the NTP Pool Project U.S. servers. Here’s a link to their website if you want to check them out.
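To check both views in one pass, here is an added example (not part of the original article) that compares the active source reported by w32tm with the NtpServer and Type values under the Parameters key. The function name Get-TimeConfigReport and the sample values are hypothetical, and the parsing assumes English-language w32tm output.

```powershell
# Added example: cross-check w32tm output against the W32Time registry values.
# Assumes English-language w32tm output; run the live check from an elevated prompt.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-TimeConfigReport {
    param(
        [string]   $Source    = ((w32tm /query /source) -join ' '),
        [string[]] $Status    = (w32tm /query /status),
        [string]   $NtpServer = (Get-ItemProperty -Path $ParamKey).NtpServer,
        [string]   $Type      = (Get-ItemProperty -Path $ParamKey).Type
    )

    # Registry peers can look like "host,0x8 host2,0x8"; drop the ",0x.." flags.
    $peers = @($NtpServer -split '\s+' | Where-Object { $_ } |
               ForEach-Object { ($_ -split ',')[0].ToLower() })
    $activeSource = ($Source.Trim() -split ',')[0].ToLower()

    # Pull a "Name: value" field out of the /status text.
    $field = {
        param($name)
        $line = $Status | Where-Object { $_ -match "^\s*$name\s*:" } |
                Select-Object -First 1
        if ($line) { ($line -split ':', 2)[1].Trim() }
    }

    [pscustomobject]@{
        ActiveSource     = $activeSource
        UsingLocalClock  = $activeSource -match 'local cmos clock|free-running system clock'
        RegistryType     = $Type
        RegistryPeers    = $peers
        SourceInRegistry = $peers -contains $activeSource
        Stratum          = & $field 'Stratum'
        LastSync         = & $field 'Last Successful Sync Time'
    }
}

# Constructed sample values (not captured from a real server): the registry lists
# pool servers, but the service is still running on the hardware clock.
$sampleStatus = @(
    'Stratum: 1 (primary reference - syncd by radio clock)',
    'Last Successful Sync Time: 1/1/2024 9:00:00 AM',
    'Source: Local CMOS Clock'
)
Get-TimeConfigReport -Source 'Local CMOS Clock' -Status $sampleStatus `
    -NtpServer '0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8' -Type 'NTP'

# Live check on the server itself:
# Get-TimeConfigReport
```

With the sample values, UsingLocalClock is True and SourceInRegistry is False, which is the mismatch to look for when the registry has been updated but the service has not picked up the change.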
https://www.pool.ntp.org/zone/us
There are also NIST servers if you want something different and more secure. They support authenticated NTP if you register with them, and their documentation even outlines how often you can poll their servers.
https://tf.nist.gov/tf-cgi/servers.cgi
OK, I am going to add all four servers to my configuration. The command would look like:
w32tm /config /update /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:yes
We can make sure the changes take by running:
w32tm /resync /rediscover
Now we check our NTP servers by running:
w32tm /query /source
w32tm /query /peers
And let’s check the registry for good measure.
Looks like a success to me. Hopefully this article was helpful in giving a high-level overview of Windows Time Service and NTP servers. I am going to leave a cheat sheet underneath this for the commands used in this article and a few extra for troubleshooting another server.
net stop|start w32time
w32tm /query /source|configuration|peers|status|verbose
w32tm /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
If the w32time service disappears or other servers are not syncing to the PDC emulator:
w32tm /register
w32tm /config /syncfromflags:domhier /update (Sync from Domain Hierarchy, AKA PDC emulator)