Monday 22 June 2015

It's about time...

Introduction


The Windows Time service (W32Time) uses Network Time Protocol (NTP) to synchronize the time across server and client operating systems in a domain hierarchy.

W32Time is not considered to be precise or reliable, and is not supported as an accurate time source. The service was designed to do the following:

  • Support the Kerberos V5 authentication protocol
  • Provide loose sync time for client computers

The W32Time service cannot reliably maintain sync time to the range of one to two seconds. Such tolerances are outside the design specification of the W32Time service.

The National Institute of Standards and Technology (NIST) maintains a list of third-party publishers of time and frequency software.

UPDATE:
Beginning with Windows Server 2016, Windows supports highly accurate time with up to 1 ms (millisecond) accuracy!

In the past it was necessary to use a third-party product (e.g. Greyware's "Domain Time II") to guarantee accurate time synchronisation for Windows (Linux does this out of the box).

The following is a quote from Microsoft’s website:

Earlier versions of Windows (Prior to Windows 10 1607 or Windows Server 2016 1607) cannot guarantee highly accurate time. The Windows Time service on these systems:

  • Provided the necessary time accuracy to satisfy Kerberos version 5 authentication requirements
  • Provided loosely accurate time for Windows clients and servers joined to a common Active Directory forest

Tighter accuracy requirements were outside of the design specification of the Windows Time Service on these operating systems and are not supported.

Time accuracy in Windows 10 and Windows Server 2016 has been substantially improved, while maintaining full backwards NTP compatibility with older Windows versions. Under the right operating conditions, systems running Windows 10 or Windows Server 2016 and newer releases can deliver 1 second, 50ms (milliseconds), or 1ms accuracy.

Time Synchronization in an AD DS Hierarchy

In a Windows domain, the Forest Root Domain PDC Emulator FSMO role holder is the server that is considered to be the best time source and should be configured to sync with an external, reliable time source (such as an Internet NTP Time Server).

Client servers and workstations will synchronize with their authenticating Domain Controller (DC).

DCs can sync with the PDC Emulator in their own domain, or any DC in the parent domain.

DCs in the forest root domain will sync with their PDC Emulator.
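
The hierarchy described above can be applied and checked per machine with a short script. This is an added example, not code from the original post; it assumes an elevated PowerShell session with the RSAT ActiveDirectory module installed, and the peer names in `$ExternalPeers` are placeholders for your own approved NTP servers.

```powershell
# Added example: configure W32Time according to the machine's place in the
# AD DS time hierarchy, then verify which source it actually ended up using.
# Assumptions: elevated session, ActiveDirectory module, placeholder peers.
Import-Module ActiveDirectory

# Placeholder external sources; ",0x8" asks W32Time to use NTP client mode.
$ExternalPeers = 'ntp1.example.org,0x8 ntp2.example.org,0x8'

# The forest root domain's PDC Emulator is the top of the hierarchy.
$rootDomain = (Get-ADForest).RootDomain
$rootPdc    = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$localFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($localFqdn -ieq $rootPdc) {
    # Forest root PDC Emulator: sync from the external peers and advertise
    # itself as a reliable time source to the rest of the forest.
    Write-Host "$localFqdn is the forest root PDC Emulator; using external peers."
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
}
else {
    # Every other DC, member server and workstation: follow the domain
    # hierarchy and do not advertise as a reliable source.
    Write-Host "$localFqdn follows the domain hierarchy (root PDC: $rootPdc)."
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

# Force rediscovery of the time source and a resync with the new settings.
w32tm /resync /rediscover

# Verify: a machine that reports its own clock as the source is not
# synchronising with anything, whatever the configuration says.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "No upstream time source in use (reported source: $source)."
}
else {
    Write-Host "Current time source: $source"
}

# Show stratum, last successful sync time and current offset for review.
w32tm /query /status
```

Running the same script on the forest root PDC Emulator and on a member server should show an external peer as the source on the former and a domain controller on the latter.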

How to reinstall the Windows Time service and reset the default configuration


  • net stop w32time
  • w32tm /unregister
  • w32tm /register
  • net start w32time

