Because the requirements of the two scenarios diverge, the machines in each synchronized time from different sources, at different intervals, and over different protocols.
Those differences now affect time synchronization on domain client PCs used at home. Over time, a domain client with poor domain connectivity can lose domain functionality (Kerberos authentication, for example) or other functionality because its system clock has drifted too far from true time.
This post touches on some configuration ideas for domain clients that are used for working from home and connect to their AD domains remotely. Domain time synchronization works well while the client can reach a domain controller, but it cannot correct time error while remote connectivity is poor or absent. Assuming the domain itself is synchronized with UTC in some manner, domain clients can additionally synchronize with simple NTP servers on the internet as a backup mechanism that keeps their time reasonably accurate.
Although this relies on the unauthenticated NTP protocol, a few techniques minimize the risk. Public NTP servers tend to be available and reachable from most internet endpoints, so the client can poll them rarely and treat them only as a fallback. See the Windows Time Service tools and settings reference for details on the W32time service settings. The configuration that follows sets up very infrequent polling of the simple NTP server and quick convergence once a sample is accepted.
It should keep time accuracy within a few minutes of UTC on most machines. The configuration also prevents a client from accepting large time corrections from any time server, so a wrong or spoofed reply cannot move the clock far.
You need to tailor that correction limit to your environment: too small a value means a client that has already drifted past the limit will never correct. The secure time seeding feature was introduced in Windows as a means of correcting very large time errors on consumer PCs, and it is enabled by default on domain-joined machines too. Refer to the blog post on that feature for details and decide how you want to use it in your domain.

A computer that is configured to be a reliable time source is identified as the root of the time service.
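The work-from-home client configuration described above, written out as an added PowerShell example (it is not the original post's script): a fallback-only internet peer list with the UseAsFallbackOnly flag, a daily poll interval, and capped phase corrections (the MaxPosPhaseCorrection and MaxNegPhaseCorrection settings). The pool.ntp.org host names and the numeric limits are assumptions to be tuned per environment; the domain is assumed to track UTC and no Group Policy is assumed to pin these settings.

```powershell
# Added example for the work-from-home client discussed above (not the original
# post's script). Assumptions: the domain itself tracks UTC, no Group Policy pins
# W32Time settings on this client, and the public pool hosts below are reachable
# on UDP/123. Run from an elevated PowerShell session.

$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ntp = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

# Peer flags (bitmask):
#   0x1 SpecialInterval    poll at SpecialPollInterval instead of the adaptive interval
#   0x2 UseAsFallbackOnly  use this peer only when every other source (here, the
#                          domain hierarchy) is unreachable
# Plain NTP is unauthenticated, so these peers are fallback-only, polled rarely,
# and their corrections are capped further down.
$fallbackPeers = '0.pool.ntp.org,0x3 1.pool.ntp.org,0x3'   # assumed public servers

# DOMHIER,MANUAL = "all available synchronization mechanisms": follow a DC while
# the VPN is up, fall back to the NtpServer list when it is not.
w32tm /config "/manualpeerlist:$fallbackPeers" /syncfromflags:DOMHIER,MANUAL /update

# Poll the fallback peers once a day (seconds; honoured because of flag 0x1).
Set-ItemProperty -Path $ntp -Name SpecialPollInterval -Value 86400 -Type DWord

# Refuse to step the clock by more than this many seconds in either direction,
# so a wrong or spoofed reply cannot drag the clock far. Too small a value and a
# client that has already drifted past it will never correct; 3600 is an assumed
# starting point, sized above the worst drift expected between connections.
Set-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection -Value 3600 -Type DWord
Set-ItemProperty -Path $cfg -Name MaxNegPhaseCorrection -Value 3600 -Type DWord

Restart-Service w32time
w32tm /resync /nowait

# Verify. With the VPN up the source should be a DC; off the VPN it should be one
# of the pool hosts, and Type should read AllSync.
w32tm /query /source
w32tm /query /configuration | Select-String 'NtpServer|Type|SpecialPollInterval|PhaseCorrection'
```

Keep the correction cap comfortably above the Kerberos clock-skew tolerance (five minutes by default) but below anything a hostile NTP reply should be allowed to impose; a client that is found outside the cap has to be corrected by hand or by a temporary, larger cap.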
The root of the time service is the authoritative server for the domain and is typically configured to retrieve time from an external NTP server or a hardware device. A time server can be configured as a reliable time source to optimize how time is transferred through the domain hierarchy. If a domain controller is configured as a reliable time source, the Net Logon service announces it as such when it logs on to the network, and other domain controllers looking for a time source choose a reliable source first if one is available.
A cycle in the synchronization network occurs when a group of domain controllers keep time consistent among themselves, continuously sharing the same time without ever resynchronizing with another reliable time source. The Windows Time service's time source selection algorithm is designed to protect against this. If the computer is not a member of a domain, it must be configured to synchronize with a specified time source.
If the computer is a member server or workstation within a domain, by default, it follows the AD DS hierarchy and synchronizes its time with a domain controller in its local domain that is currently running the Windows Time service.
If the computer is a domain controller, it makes up to six queries to locate another domain controller to synchronize with. Each query is designed to identify a time source with certain attributes, such as a type of domain controller, a particular location, and whether or not it is a reliable time source.
The time source must also adhere to the following constraints: a PDC emulator can synchronize with a reliable time source in its own domain or with any domain controller in the parent domain. If the domain controller is not able to synchronize with the type of domain controller that it is querying, the query is not made; the domain controller knows in advance which types of computer it can obtain time from.
For example, a local PDC emulator does not attempt queries three or six, because a domain controller does not attempt to synchronize with itself. The following table lists the queries that a domain controller makes to find a time source and the order in which the queries are made. Each query returns a list of domain controllers that can be used as a time source.
Windows Time assigns each domain controller that is queried a score based on the reliability and location of the domain controller. The following table lists the scores assigned by Windows Time to each type of domain controller. When the Windows Time service determines that it has identified the domain controller with the best possible score, no more queries are made.
The scores assigned by the time service are cumulative, which means that a PDC emulator located in the same site receives a score of nine. If the root of the time service is not configured to synchronize with an external source, the internal hardware clock of the computer governs the time. Manually-specified synchronization enables you to designate a single peer or list of peers from which a computer obtains time. If the computer is not a member of a domain, it must be manually configured to synchronize with a specified time source.
Because a computer that is a member of a domain is configured by default to synchronize from the domain hierarchy, manually-specified synchronization is most useful for the forest root domain or for computers that are not joined to a domain. Manually specifying an external NTP server for the authoritative computer of your domain provides reliable time. However, configuring that authoritative computer to synchronize with a hardware clock, such as a GPS receiver, is a better solution for providing the most accurate, secure time to your domain.
Manually-specified time sources are not authenticated unless a specific time provider is written for them, so an attacker on the network path can feed the client false time. Also, if a computer synchronizes with a manually-specified source rather than its authenticating domain controller, the two computers might be out of synchronization, causing Kerberos authentication to fail. That in turn causes other actions requiring network authentication, such as printing or file sharing, to fail.
If only the forest root is configured to synchronize with an external source, all other computers within the forest remain synchronized with each other, making replay attacks difficult. The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. It allows synchronization with the domain hierarchy and, depending on the configuration, may also provide an alternate time source if the domain hierarchy becomes unavailable.
If the client is unable to synchronize time with the domain hierarchy, the time source automatically falls back to the time source specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients. There are certain situations in which you will want to stop a computer from synchronizing its time. For example, if a computer attempts to synchronize from a time source on the Internet or from another site over a WAN by means of a dial-up connection, it can incur costly telephone charges.
When you disable synchronization on that computer, you prevent it from attempting to reach a time source over a dial-up connection. You can also disable synchronization to prevent errors in the event log: each time a computer attempts to synchronize with a time source that is unavailable, it logs an error. If a time source is taken off the network for scheduled maintenance and you do not intend to reconfigure the client to synchronize from another source, you can disable synchronization on the client so that it does not keep trying while the time server is unavailable.
It can also be useful to disable synchronization on the computer that is designated as the root of the synchronization network; this indicates that the root computer trusts its local clock.

Membership in the local Administrators group is required to run W32tm. The option descriptions below survive from the W32tm command-line reference; the option names they belonged to were not preserved:
- This option might be used more than once.
- Computer names are separated by commas, with no spaces.
- The default value is 3. The allowed range is [not preserved].
- If not specified, the local computer will resynchronize.
- Otherwise, wait for resynchronization to complete before returning.
- This is used for compatibility purposes.
- The default is 2 seconds.
- If not specified, the default is the local computer.
- When specifying multiple peers, this option must be enclosed in quotes.
- This setting is only meaningful on domain controllers. YES: this computer is a reliable time service. NO: this computer is not a reliable time service.
- In verbose mode, display the undefined or unused settings too.
- Valid values are 0 to [not preserved]. A range of numbers is valid in addition to single numbers. The value [not preserved] logs all information.

Set client to use two time servers. To set a client computer to point to two different time servers, one named ntpserver.
To configure a client computer that is currently synchronizing time from a manually-specified computer so that it synchronizes automatically from the AD domain hierarchy instead, run the following command:
To check a client configuration from a Windows-based client computer that has a host name of contosoW1, run the following command:
The output of this command displays the list of W32time configuration parameters that are set for the client.
Windows Server has improved the time synchronization algorithms to align with the RFC specification. Therefore, if you want the local time client to point to multiple peers, we recommend that you provide three or more different time servers. If you have only two time servers, specify the NtpServer UseAsFallbackOnly flag (0x2) on one of them to de-prioritize it.
For example, if you want to prioritize ntpserver. Additionally, you can run the following command and read the value of NtpServer in the output:
In order for W32tm. Then, to adjust the computer clock by using the clock rate, W32tm. This algorithm varies depending on the version of Windows:
MaxAllowedPhaseOffset is configurable in the registry. However, the registry parameter is measured in seconds instead of clock ticks. This command produces output that resembles the following. The output presents the poll interval in both clock ticks and in seconds.
The equations use the value measured in seconds (the value in parentheses). The output presents the clock rate in seconds. To see the SystemClockRate value in clock ticks, use the following formula:
For example, if SystemClockRate is 0. For full descriptions of the configurable parameters and their default values, see Config entries later in this article. The following examples show how to apply these calculations for Windows Server R2 and earlier versions. In this case, if you want to set the clock back slowly, you would also have to adjust the values of PhaseCorrectRate or UpdateInterval in the registry to make sure that the equation result is TRUE.
The Windows Time service stores a number of configuration properties as registry entries. Windows stores the configuration information that Group Policy defines in the policy area of the registry, and then uses those entries to configure the registry entries specific to the Windows Time service.
As a result, the values defined by Group Policy overwrite any pre-existing values in the Windows Time service section of the registry. Some of the preset GPO settings differ from the corresponding default Windows Time service registry entries. Windows loads these settings into the policy area of the registry under the following subkey:
Then Windows uses the policy settings to configure the related Windows Time service registry entries under the following subkey:
The following table lists the policies that you can configure for the Windows Time service, and the registry subkeys that those policies affect.
When you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the registry. The following information is provided as a reference for use in troubleshooting and validation. W32Time uses these registry keys to store critical information; don't change the values casually. Modifications to the registry are not validated by the registry editor or by Windows before they are applied.
If the registry contains invalid values, Windows may experience unrecoverable errors. Some of the parameters in the registry are measured in clock ticks and some are measured in seconds.
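Because a policy value silently overwrites the service's own registry entry at the next refresh, the first check when a local W32Time change "does not stick" is whether a policy pins that setting. The following added PowerShell example (not from the original article) lists every setting currently present under the Windows Time policy subkey alongside the effective service value. The policy root HKLM\SOFTWARE\Policies\Microsoft\W32Time is the standard location for these policies and the subkey names match the ones the text describes; both are stated here as the example's assumptions rather than quoted from the page.

```powershell
# Added example, not from the original article. Shows which W32Time settings are
# imposed by Group Policy (and will therefore overwrite a local registry edit at
# the next policy refresh). Paths are assumptions based on the standard layout.

$policyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
$serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Subkeys that the Windows Time policies map onto.
$subkeys = 'Config', 'Parameters', 'TimeProviders\NtpClient', 'TimeProviders\NtpServer'

function Get-W32TimePolicyOverrides {
    foreach ($sub in $subkeys) {
        $polPath = Join-Path $policyRoot $sub
        if (-not (Test-Path $polPath)) { continue }      # no policy applied for this subkey
        $pol = Get-ItemProperty -Path $polPath
        $svc = Get-ItemProperty -Path (Join-Path $serviceRoot $sub) -ErrorAction SilentlyContinue
        foreach ($p in $pol.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }         # skip PSPath/PSParentPath/... metadata
            [pscustomobject]@{
                Subkey         = $sub
                Setting        = $p.Name
                PolicyValue    = $p.Value
                EffectiveValue = if ($svc) { $svc.($p.Name) } else { $null }
            }
        }
    }
}

# Example use: list every policy-pinned setting, then flag those where the service
# key does not (yet) match the policy, i.e. a refresh is pending or something else
# has edited the service key since the last refresh.
$overrides = Get-W32TimePolicyOverrides
$overrides | Format-Table -AutoSize
$overrides |
    Where-Object { "$($_.PolicyValue)" -ne "$($_.EffectiveValue)" } |
    ForEach-Object {
        Write-Warning "$($_.Subkey)\$($_.Setting): policy=$($_.PolicyValue) effective=$($_.EffectiveValue)"
    }
```

An empty result means no Windows Time policy is applied to the machine and the service subkeys are authoritative; any row returned names a setting that must be changed in the GPO rather than in the service key.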
To convert the time from clock ticks to seconds, use these conversion factors: 1 minute = 60 seconds; 1 second = 1,000 milliseconds; 1 millisecond = 10,000 clock ticks (one clock tick is 100 nanoseconds). Note that zero is not a valid value for the FrequencyCorrectRate registry entry.
HoldPeriod (all versions) controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off by a number of seconds, and is usually received after good time samples have been returned consistently. The default value on domain members is 5. The default value on stand-alone clients and servers is 5.
LargePhaseOffset (all versions) specifies that a time offset greater than or equal to this value, in units of 10^-7 seconds (clock ticks), is considered a spike.

Troubleshooting Time Sync Issues
There are a few ways you'll know that there are issues with Windows Time in the domain:
- visibly observing that the time on the servers is wrong or doesn't match other servers in the domain;
- receiving authentication errors that point to a time or date difference;
- warnings in the System event log with a source of Time-Service.
If you notice any of the above, you'll need to do some troubleshooting.
This command reaches out to the target server and compares the local time to the server's time. If it is unable to contact the target NTP server, you'll see error codes instead of samples; in that case you may have a network issue, such as a firewall blocking UDP port 123, preventing communication with the NTP server.
Run this command again after making other changes to confirm the issue is resolved. If the time service is simply not behaving, you can use these commands to completely re-register the service. Note that this removes all configuration related to Windows Time and restores it to the defaults: Net Stop W32time W32tm.
The log contains an entry for each operation that the service performs. It can be difficult to sort through all of the information, but it is extremely valuable to see each step in detail.
If a single member server is wrong, review the System event log to determine which DCs it is trying to sync from, and ensure those DCs are working correctly.
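The troubleshooting steps above as an added PowerShell example (not the page's own script): measuring the offset against a reference server with w32tm /stripchart (the comparison command the text refers to), reporting the current source, pulling recent Time-Service events from the System log, re-registering the service, and switching the W32Time debug log (the per-operation log the text describes) on and off. Host names are placeholders and the 300-second threshold is an assumption chosen to match Kerberos' default five-minute skew tolerance.

```powershell
# Added troubleshooting helpers for W32Time (example code, not from the original
# page). Run from an elevated PowerShell session; w32tm requires local Administrators.
# Host names (dc1.corp.example) and the skew threshold are placeholders/assumptions.

# Measure the offset between this machine and a reference server without changing
# anything. w32tm /stripchart /dataonly prints one sample per line, e.g.
#   14:02:11, +00.0031242s
# and prints an error code on the line instead when the server cannot be reached
# (typically a firewall blocking UDP/123).
function Get-TimeOffset {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$Samples = 5
    )
    $out = w32tm /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $out) {
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No valid samples from $Computer. Raw output:`n$($out -join "`n")"
    }
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]   # median: one spike won't dominate
}

# What the client is following right now. "Local CMOS Clock" or "Free-running
# System Clock" means nothing is being followed at all.
function Get-TimeSource {
    $src = (w32tm /query /source | Out-String).Trim()
    [pscustomobject]@{
        Source       = $src
        FreeRunning  = ($src -like 'Local CMOS Clock*' -or $src -like 'Free-running*')
        Status       = (w32tm /query /status | Out-String)
    }
}

# Recent Time-Service events: event 37 names the DC the client is pulling from,
# event 47 means the server the client chose is not answering.
function Get-TimeServiceEvents {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Last resort: wipe all W32Time configuration and return to defaults. Any manual
# peer list or registry tuning has to be reapplied afterwards.
function Reset-W32Time {
    Stop-Service w32time
    w32tm /unregister
    w32tm /register
    Start-Service w32time
    w32tm /resync /nowait
}

# Debug log with every category (entries 0-300); the file wraps at the given size.
function Enable-W32TimeDebugLog {
    param([string]$Path = 'C:\Windows\Temp\w32time.log')
    w32tm /debug /enable "/file:$Path" /size:10000000 /entries:0-300
}
function Disable-W32TimeDebugLog { w32tm /debug /disable }

# Usage: compare against a DC and warn if the offset is outside Kerberos' default
# five-minute tolerance (assumed threshold).
$src = Get-TimeSource
"Current source: $($src.Source) (free-running: $($src.FreeRunning))"
$offset = Get-TimeOffset -Computer 'dc1.corp.example'
if ([math]::Abs($offset) -gt 300) {
    Write-Warning ("Offset {0:N3}s exceeds the Kerberos skew tolerance; check the DC this host " +
                   "follows (Get-TimeServiceEvents) before forcing a resync.") -f $offset
} else {
    "Offset {0:N3}s is within tolerance." -f $offset
}
```

Prefer the read-only functions first: Get-TimeSource and Get-TimeOffset tell you whether the client is following the wrong machine or simply cannot reach the right one, which is a different fix from the destructive Reset-W32Time.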