Working with NTP and Windows Time Service

For the purposes of this document we will only be talking about Windows 2000 and newer Microsoft operating systems. We will also mostly assume that these computers are apart of the same domain, except where noted, as NTP is unmanaged in a non-domain environment and should just be setup for each computer to get time from the Internet.

Windows Time Keeping
The Windows internal clock ticks once every 10 milliseconds, so no windows clock will be more accurate then 10 milliseconds.

Windows domains use SNTP (Simple Network Time Protocol), a basic version of NTP. The SNTP protocol ensures that all clocks in an enterprise (an entire Active Directory Forest) are within 20 seconds of one another, and all clocks in a site (Active Directory site, usually a single physical location) are within two seconds of one another.

W32Time Service
The Windows service that controls time is W32Time. It auto starts on all domain computers. On domain controllers, it runs a SNTP server on TCP port 123. On non-domain computers (aka stand alone) it does not auto start.

By default all computers in a domain use the 'domain hierarchy' to sync time. If a computer is not apart of a domain, then it must be configured manually. All domain members get their time from domain controllers. All domain controllers get their time from the DC who has the PDC Emulator role. All PDC Emulators of sub-domains get their time from the root domain PDC Emulator.

W32Time attempts synchronization every 45 minutes until the clocks have successfully synchronized three times. When the clocks are correctly synchronized, W32Time then synchronizes at eight-hour intervals, unless there is a failure to obtain a timestamp, or a validation failure. If there is a failure, the process starts over from the beginning.

If a computer, upon time syncing, finds its clock to be off by more then 60 seconds, it will log an event in the System Event Log.

Time Keeping Security
Windows uses Kerberos for authentication in a domain. Kerberos requires timestamps (and accurate time) to properly authenticate. By default, if a computer is over 5 minutes off from the Kerberos domain controller it wants to authenticate with, it will be denied authentication with an error of “clock skew too great”. Look below for how to change the time limit.

Once a client requests the time from it's domain controller, the domain controller then returns the required authentication in the form of a signed 64-bit hash of the time information. If the returned time is not signed or is signed incorrectly, the time is rejected.

If a client is manually configured to access time from an NTP time server outside of the domain hierarchy, the SNTP packets sent between the client and the time server are not authenticated and therefore are not secure. This is how the PDC Emulator gets its time. This is also how any non-domain computer gets their time.

Time Stratum
Stratum is the term used to describe the hierarchy of time servers. A SNTP server with a lower number ‘stratum’ is considered to be of higher accuracy and closer to the ‘true time’. The final ‘root’ server, or Stratum 1, will probably be a UNIX based box on the Internet that your Stratum 2 server (most likely the PDC Emulator of your root AD domain) will sync with.

Here is the path computers will take to get their time. A member of one Stratum level will only try to sync with a server (not workstation) in a lower numbered Stratum.

  1. External NTP time source
  2. <li>PDC emulator of the forest root domain</li>
    <li>Domain controllers in the forest root domain or PDC emulators in child domains</li>
    <li>Workstations and member servers in the forest root domain or domain controllers in child domains</li>
    <li>Workstations and member servers in child domains</li>

Settings and Commands

Set SNTP Master Manually
To prevent the root SNTP server in your active directory from hopping around with the PDC Emulator role, you can set the registry value ReliableTimeSource on any domain controller, making it the master SNTP server rather then the PDC Emulator for that domain. The real world purpose of this it to set a domain controller in the root domain of the forest to this value, and then set it’s external sync source using ‘net time /’. Otherwise, you would have to run the net time command every time the PDC Emulator role changed in the root domain.

HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Entry Name: ReliableTimeSource
Data Type: REG_DWORD
Value: 1

Change External Time Source
To change the PDC Emulators external time source (or the external time source of any non-domain computer), pull up a cmd.exe console and run these commands:
net stop w32time
net time /
net time /,
net start w32time

Test Time Sync
To test a time sync from any computer in the domain, pull up a cmd.exe console and run:
w32tm –v –test –once

Force Time Sync
To force any computer to sync now, run:
w32tm –s computername
(leave out computername for localhost)

Disable External Time Source
If your domain doesn’t have Internet access, or you just want your root domain PDC Emulator to consider itself the total master of all things time, you can set the following registry value so that it will stop trying to sync with an external time source (or stop complaining to the Event Log that it doesn’t have a time source set).

HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Entry Name:Type
Data Type: REG_SZ
Value: NoSync

Time Skew
To change the “time skew” of a domain you need to edit the Domain Security Policy from a domain controller. Look for ‘Kerberos Policy’ under Account Policies. Change the value ‘Maximum tolerance for computer clock synchronization’. Increasing this value will reduce security on your network, but may be necessary if you sync over slow and unreliable links. Decrease this time value to reduce the likelihood of a ‘replay attack’.

More Information

The Windows Time Service