Benefits and Purposes of the Windows Time Service

Many components of Microsoft Windows 2000 Service Pack 4 (SP4) rely on accurate and synchronized time to function correctly. For example, without clocks that are synchronized to the correct time on all computers, Windows 2000 authentication might falsely interpret logon requests as intrusion attempts and consequently deny access to users. With time synchronization, you can correlate events on different computers in an enterprise. With synchronized clocks on all of your computers, you ensure that you can correctly analyze events that happen in sequence on multiple computers. The Windows Time service automatically synchronizes a local computer's time with other computers on a network to improve security and performance in your organization.

Overview: Using the Windows Time Service in a Managed Environment

Computers keep the time on their internal clocks, which allows them to perform any function that requires the date or time. For scheduling purposes, however, the clocks must be set to the correct date and time, and they must be synchronized with the other clocks in the network. Without some other method in place, these clocks must be set manually. With time synchronization, computers set their clocks automatically to match another computer's clock. One computer maintains very accurate time, and then all other computers set their clocks to match that computer. In this way, you can set accurate time on all computers.

The Windows Time service is installed by default on all computers running Windows 2000. The Windows Time service uses Coordinated Universal Time (UTC), which is independent of time zone. Time zone information is stored in the computer's registry and is added to the system time just before it is displayed to the user. The Windows Time service starts automatically on computers that are joined to a domain. (For computers that are not joined to a domain, you can start the time service manually.)
In a domain, time synchronization takes place when the Windows Time service starts during system startup. In the default configuration, the Net Logon service looks for a domain controller that can authenticate and synchronize time with the client. When a domain controller is found, the client sends a request for time and waits for a reply from the domain controller. This communication is an exchange of Simple Network Time Protocol (SNTP) packets intended to calculate the time offset and roundtrip delay between the two computers.

How the Windows Time Service Communicates with Sites on the Internet

The Windows Time service automatically synchronizes the local computer's time with other computers on the network. The time source for this synchronization varies, depending on whether the computer is joined to a domain in the Active Directory directory service or to a workgroup.

When a Computer Running Windows 2000 is a Member of a Domain

In this scenario, the Windows Time service configures itself automatically, using the Windows Time service that is available on the domain controllers. The Windows Time service on a domain controller can be configured as either a reliable or an unreliable time source. The Windows Time service running on a client attempts to synchronize with servers that are marked as reliable. The Windows Time service can configure a domain controller within its domain as a reliable time source, and it synchronizes itself periodically with this source. These settings can be modified or overwritten, depending on specific needs.

When a Computer Running Windows 2000 is Not a Member of a Domain

The Windows Time service must be manually started on computers running Windows 2000 that are not members of a domain. Computers running Windows 2000 use the Simple Network Time Protocol (SNTP).
The following list describes various aspects of the Windows Time service data that is sent to and from the Internet and how the exchange of information takes place:

• Specific information sent or received: The service sends information in the form of a Simple Network Time Protocol (SNTP) packet. For more information about the Windows Time service and SNTP packets, see the references listed in "Related Documentation and Links" later in this section.
• Default settings: Computers that are members of an Active Directory domain synchronize time with domain controllers by default. Domain controllers synchronize time with their parent domain controller. By default, the root parent domain controller does not synchronize to a time source. The root parent domain controller can be set to synchronize either to a known and trusted Internet-based time source or to a hardware time device that provides an NTP (Network Time Protocol) or SNTP interface. Its time accuracy can also be maintained manually.
• Triggers and user notification: The Windows Time service is started when the computer starts. Additionally, the service continues to synchronize time with the designated network time source and adjusts the time of the local computer when necessary. Notification is not sent to the user.
• Logging: Information related to the service is stored in the Windows System event log. The time and network address of the time synchronization source are contained in the Windows event log entries. Additionally, warning or error condition information related to the service is stored in the Windows System event log.
• Information storage: The service does not store information; all information that results from the time synchronization process is discarded when the time synchronization request is completed.
• Encryption: Encryption is not used in the network time synchronization for domain peers.
• Protocol: The service on Windows 2000 implements SNTP to communicate with other computers on the network.
• Port: NTP and SNTP default to using User Datagram Protocol (UDP) port 123 on time servers. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.
• Ability to disable: Disabling the service has no direct effect on applications or other services. Applications and services that depend on time synchronization, such as the Kerberos V5 authentication protocol, may fail, or they may yield undesirable results if there is a significant time discrepancy among computers. Because most computers' hardware-based clocks are imprecise, the difference between computer clocks on the network usually increases over time.
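The SNTP exchange described above (the client's request, the time server's reply, and the offset and roundtrip delay computed from the four timestamps), as an added worked example in Python. This is not code from the white paper or from the Windows Time service; the 48-byte packet layout and the offset/delay formulas are those of SNTP (RFC 2030), the timestamps are constructed sample values, and the check that a reply echoes the request's transmit timestamp is a standard client-side sanity check that the paper does not describe.

```python
"""Build, parse and evaluate an SNTP exchange offline (added example, not Microsoft's code)."""
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET = struct.Struct("!BBBb11I")  # 48-byte SNTP header without an authenticator field


def to_ntp(unix_seconds):
    """Unix seconds -> NTP timestamp (32-bit integer seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return whole + NTP_EPOCH_OFFSET, frac


def from_ntp(secs, frac):
    """NTP timestamp -> Unix seconds as a float."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(transmit_unix):
    """Client request: LI=0, VN=3, Mode=3 (client). Only the Transmit Timestamp (T1) is filled in."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    t1 = to_ntp(transmit_unix)
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0,  # stratum, poll, precision: unused by a client
                           0, 0, 0,              # root delay, root dispersion, reference id
                           0, 0,                 # reference timestamp
                           0, 0,                 # originate timestamp
                           0, 0,                 # receive timestamp
                           t1[0], t1[1])         # transmit timestamp T1


def build_reply(request, receive_unix, transmit_unix, stratum=2):
    """Server reply: Mode=4. The client's T1 is echoed as Originate; T2 and T3 are stamped by the server."""
    req = NTP_PACKET.unpack(request)
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    t2 = to_ntp(receive_unix)
    t3 = to_ntp(transmit_unix)
    return NTP_PACKET.pack(li_vn_mode, stratum, 0, 0,
                           0, 0, 0,              # root delay, root dispersion, reference id
                           0, 0,                 # reference timestamp (not needed for the offset)
                           req[13], req[14],     # originate timestamp = client's T1
                           t2[0], t2[1],         # receive timestamp T2
                           t3[0], t3[1])         # transmit timestamp T3


def offset_and_delay(request, reply, arrival_unix):
    """Clock offset and roundtrip delay from T1 (client send), T2 (server receive),
    T3 (server send) and T4 (client receive):
        offset = ((T2 - T1) + (T3 - T4)) / 2
        delay  = (T4 - T1) - (T3 - T2)
    A positive offset means the local clock is behind the server."""
    rep = NTP_PACKET.unpack(reply)
    if rep[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode %d)" % (rep[0] & 0x07))
    req = NTP_PACKET.unpack(request)
    if (rep[9], rep[10]) != (req[13], req[14]):
        # Originate must echo our T1; otherwise this reply answers some other request
        raise ValueError("originate timestamp does not match our request")
    t1 = from_ntp(req[13], req[14])
    t2 = from_ntp(rep[11], rep[12])
    t3 = from_ntp(rep[13], rep[14])
    t4 = arrival_unix
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def demo():
    """Constructed exchange: the client clock is 120 s behind the server; 0.05 s network delay
    each way plus 0.01 s server processing. Client timestamps are in the client's own (slow) time."""
    request = build_request(1000.0)                   # T1, client time (true time 1120.00)
    reply = build_reply(request, 1120.05, 1120.06)    # T2, T3, server time
    return offset_and_delay(request, reply, 1000.11)  # T4, client time (true time 1120.11)


if __name__ == "__main__":
    offset, delay = demo()
    print("offset %.3f s, roundtrip delay %.3f s" % (offset, delay))
```

Running the block prints an offset of 120.000 s and a delay of 0.100 s for the constructed exchange. The roundtrip delay is the quantity to watch when assessing a time source: a reply with a delay far larger than usual for the path carries a correspondingly uncertain offset.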
Controlling the Windows Time Service to Limit the Flow of Information to and from the Internet

The synchronization type and NTP time server information can be managed and controlled through the Windows 2000 registry. The procedures for configuring the Windows Time service are given later in this section of the white paper. When the synchronization type is set to Nt5DS, the Windows Time service synchronizes its time with the network domain controller. Alternatively, setting the Type value to NTP configures the Windows Time service to synchronize with a specified NTP time server. The NTP server is specified by either its Domain Name System (DNS) name or its IP address when you select NTP as the synchronization type. For more general information about the Windows Time service, see "The Windows Time Service" on the Microsoft Web site at: www.microsoft.com/windows2000/techinfo/howitworks/security/wintimeserv.asp

Clients on a managed network can be configured to synchronize their clocks to an NTP server on the network, which minimizes traffic out to the Internet and ensures that the clients synchronize to a single reliable time source. If you choose to do so, you can also disable time synchronization for both non-domain and domain computers running Windows 2000 by using the Windows 2000 registry.

How the Windows Time Service Can Affect Users and Applications

Windows components and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows 2000 domain has a default time synchronization threshold of five minutes. Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, allowing for shorter or longer thresholds.
Failure to authenticate using the Kerberos protocol can prevent logons and access to Web sites, file shares, printers, and other resources or services within a domain.

When the local clock offset has been determined, the following adjustments are made to the time:

• If the local clock time of the client is behind the current time received from the server, the Windows Time service changes the local clock time immediately.
• If the local clock time of the client is more than three minutes ahead of the time on the server, the service changes the local clock time immediately.
• If the local clock time of the client is less than three minutes ahead of the time on the server, the service quarters or halves the clock frequency for long enough to synchronize the clocks.
• If the client is less than 15 seconds ahead, it halves the frequency; otherwise, it quarters the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.
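The four adjustment rules above, as an added Python example that is not Microsoft's implementation: plan_adjustment encodes the step-or-slew decision, and simulate_slew checks how long a slowed clock takes to stop being ahead. The paper states only that the slew duration depends on the offset; the estimate here assumes that a clock run at half or quarter rate loses the corresponding fraction of every real second, which is an assumption made for this illustration. The offset sign convention (positive means the local clock is behind the server) is also a choice of this example.

```python
"""Step-or-slew decision for a measured clock offset (added example, not Microsoft's code)."""
from dataclasses import dataclass

STEP_THRESHOLD_SECONDS = 3 * 60   # more than this far ahead: set the clock immediately
HALVE_THRESHOLD_SECONDS = 15      # less than this far ahead: run at half rate, else quarter rate


@dataclass
class Adjustment:
    action: str                # "step" or "slew"
    rate: float                # clock rate while correcting: 1.0 (step), 0.5 or 0.25 (slew)
    seconds_to_converge: float # estimated real seconds until the clocks agree (0 for a step)


def plan_adjustment(offset):
    """offset = server time - local time; positive means the local clock is behind."""
    if offset >= 0:
        # behind the server: the service changes the local clock immediately
        return Adjustment("step", 1.0, 0.0)
    ahead = -offset
    if ahead > STEP_THRESHOLD_SECONDS:
        # more than three minutes ahead: also changed immediately
        return Adjustment("step", 1.0, 0.0)
    # less than three minutes ahead: slow the clock rather than step it backwards
    rate = 0.5 if ahead < HALVE_THRESHOLD_SECONDS else 0.25
    # assumption: at rate r the local clock loses (1 - r) s per real second,
    # so the surplus of `ahead` seconds is absorbed after ahead / (1 - r) real seconds
    return Adjustment("slew", rate, ahead / (1.0 - rate))


def simulate_slew(ahead_seconds, rate, tick=0.5):
    """Advance a slowed local clock against real time, tick by tick, until it is no longer ahead.
    Returns the elapsed real seconds; used to cross-check the seconds_to_converge estimate."""
    elapsed, gap = 0.0, ahead_seconds
    while gap > 0:
        elapsed += tick
        gap -= (1.0 - rate) * tick   # the local clock gains only `rate` seconds per real second
    return elapsed


if __name__ == "__main__":
    for off in (120.0, -200.0, -10.0, -60.0):
        plan = plan_adjustment(off)
        print("offset %+7.1f s -> %s at rate %.2f, converges in %.1f s"
              % (off, plan.action, plan.rate, plan.seconds_to_converge))
```

Note that a clock exactly three minutes ahead is slewed here, and one exactly 15 seconds ahead is quartered, because the paper phrases the step rule as "more than three minutes" and the halving rule as "less than 15 seconds". A sudden backward step never occurs under these rules, which matters for event-log analysis: timestamps on a slewed machine stay monotonic.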
Configuration Settings for the Windows Time Service

You can set the global configuration settings for the Windows Time service by modifying the entries in the Windows 2000 registry. For more information about the Windows Time service and the registry, see "Registry Entries for the W32Time Service" on the Microsoft Web site at: support.microsoft.com/default.aspx?scid=kb;en-us;223184&sd=tech

Notes: To modify entries in the Windows 2000 registry, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Administrators group might be able to modify the registry. As a security best practice, consider using Run as when modifying the registry. To open Registry Editor, click Start, click Run, and then type regedit.

The computer registry values for Windows 2000 listed in this subsection are located in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

The following table describes the values that can be set.

Registry settings for Windows Time service on computers running Windows 2000

Value | Type | Description
ReliableTimeSource | REG_DWORD (optional) | Used to indicate that this computer has reliable time. 0 = Do not mark computer as reliable [default]. 1 = Mark computer as reliable. This is only useful on a domain controller.
Period | REG_DWORD or REG_SZ | Used to control how often the time service synchronizes. If a value is given, it must be one of the following special values: 65531, "DailySpecialSkew" = once every 45 minutes until successful one time, then once every day; 65532, "SpecialSkew" = once every 45 minutes until successful three times, then once every eight hours (three times per day) [default]; 65533, "Weekly" = once every week (seven days); 65534, "Tridaily" = once every three days; 65535, "BiDaily" = once every two days; 0 = once per day; freq = freq times per day. If you choose to add a value other than any of those specified above, you must use this option.
AvoidTimeSyncOnWan | REG_DWORD (optional) | Used to prevent the computer from synchronizing from a computer that is in another site and thus connected by a costly temporary connection. 0 = The site of the time source is ignored [default]. 1 = The computer will not synchronize with a time source that is in a different site.
LocalNTP | REG_DWORD | Used to start the SNTP server. 0 = Do not start server unless this computer is a domain controller [default]. 1 = Always start server.
Type | REG_SZ | Used to control how a computer synchronizes. Nt5DS = Synchronize to domain hierarchy [default]. NTP = Synchronize to manually configured source. NoSync = Do not synchronize.
NtpServer | REG_SZ (optional) | Used to manually configure the time source. This can be set to the DNS name or IP address of the server from which to synchronize. Only one DNS name or IP address can be specified. This can be modified from the command line. [default = blank]
GetDcBackoffMinutes | REG_DWORD (optional) | The initial number of minutes to wait before looking for a domain controller (time source) if the last attempt to find a domain controller failed. [default = 15]
GetDcBackoffMaxTimes | REG_DWORD (optional) | The maximum number of times to double the backoff interval when successive attempts to find a domain controller fail. An event is logged every time a wait of the maximum length occurs. If the value of this entry is 0, then the wait between successive attempts is always the minimum and no event is logged. [default = 7] The time service tries to find a domain controller according to its usual synchronization schedule, but if the backoff interval has not expired, then that attempt is skipped. For example, given the default values, the backoff interval follows this pattern: 15 minutes, 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 16 hours, and so on. The time service will, however, only attempt to synchronize on 45-minute intervals, so the attempts to find a domain controller actually occur after 45 minutes, 1 hour 30 minutes, 2 hours 15 minutes, 4 hours 30 minutes, 8 hours 15 minutes, 16 hours 30 minutes, and so on.
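An added audit script, not part of the white paper, that reads a .reg export of the W32Time\Parameters key and interprets the values using the meanings given in the table above. It flags the combinations a defender would want to know about: a machine that never synchronizes, an NTP source type with no server configured, a reliable-source flag on a computer that is not a domain controller, and an SNTP server started unconditionally. The export text is a constructed sample, and parse_parameters, describe_period and audit are names chosen for this example.

```python
"""Audit W32Time\\Parameters values from a .reg export (added example, not Microsoft's code)."""
import re

# Constructed sample export; not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
"NtpServer"=""
"Period"=dword:0000fffc
"ReliableTimeSource"=dword:00000001
"LocalNTP"=dword:00000000
'''

# Special Period values from the table; anything else is "freq times per day".
PERIOD_NAMES = {
    65531: "DailySpecialSkew",
    65532: "SpecialSkew",
    65533: "Weekly",
    65534: "Tridaily",
    65535: "BiDaily",
    0: "once per day",
}

# One value line of a .reg file: "Name"=dword:xxxxxxxx or "Name"="string"
_VALUE_LINE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<sz>[^"]*)")$')


def parse_parameters(reg_text, key_suffix=r"\W32Time\Parameters"):
    """Return a name -> value mapping for the W32Time\\Parameters key only.
    REG_DWORD values become ints, REG_SZ values stay strings; other keys are ignored."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.rstrip("]").endswith(key_suffix)
            continue
        if not in_key or not line:
            continue
        m = _VALUE_LINE.match(line)
        if m is None:
            continue
        if m.group("dword") is not None:
            values[m.group("name")] = int(m.group("dword"), 16)
        else:
            values[m.group("name")] = m.group("sz")
    return values


def describe_period(period):
    """Human-readable meaning of a Period value, whether stored as REG_DWORD or REG_SZ."""
    if isinstance(period, str):
        return period
    return PERIOD_NAMES.get(period, "%d times per day" % period)


def audit(values, is_domain_controller=False):
    """Findings as plain strings; defaults follow the table when a value is absent."""
    findings = []
    sync_type = values.get("Type", "Nt5DS")
    if sync_type == "NoSync":
        findings.append("Type=NoSync: the clock is never synchronized; Kerberos skew failures are likely")
    elif sync_type == "NTP" and not values.get("NtpServer"):
        findings.append("Type=NTP but NtpServer is blank: no time source is configured")
    elif sync_type not in ("Nt5DS", "NTP", "NoSync"):
        findings.append("Type=%r is not a recognised synchronization type" % sync_type)
    if values.get("ReliableTimeSource", 0) == 1 and not is_domain_controller:
        findings.append("ReliableTimeSource=1 on a computer that is not a domain controller has no effect")
    if values.get("LocalNTP", 0) == 1:
        findings.append("LocalNTP=1: the SNTP server is always started; confirm UDP 123 exposure is intended")
    return findings


if __name__ == "__main__":
    parsed = parse_parameters(SAMPLE_REG)
    print("Period:", describe_period(parsed.get("Period", 65532)))
    for finding in audit(parsed):
        print("-", finding)
```

Feed the script the output of exporting the key from Registry Editor (File, Export) to review a machine's settings; on a domain controller call audit with is_domain_controller=True so that ReliableTimeSource=1 is not reported.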
Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

Procedures for Configuring the Windows Time Service

The following procedures explain how to:

• Start the Windows Time service.
• Stop the Windows Time service.
By default, the Windows Time service starts automatically at system startup. You can, however, start or stop the service manually by accessing Services in Administrative Tools or by using the net command.

To Manually Start the Windows Time Service Using the Graphical Interface

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Services.
3. Select Windows Time from the list of services.
4. On the Action menu, click Start to begin the service.

To Manually Stop the Windows Time Service Using the Graphical Interface

1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Services.
3. Select Windows Time from the list of services.
4. On the Action menu, click Stop to discontinue the service.

To Manually Start the Windows Time Service Using the Net Command

1. Open Command Prompt.
2. At the command prompt, type net start w32time, and then press ENTER.

To Manually Stop the Windows Time Service Using the Net Command

1. Open Command Prompt.
2. At the command prompt, type net stop w32time, and then press ENTER.
Related Documentation and Links

Using online resources. The Microsoft Web site contains support information, including the latest downloads and Knowledge Base articles written by support professionals at Microsoft:

• You can search frequently asked questions (FAQs) by product, browse the product support newsgroups, and contact Microsoft Support at the following Web site. You can also search the Microsoft Knowledge Base of technical support information and self-help tools for Microsoft products at this site: support.microsoft.com/
• You can search for troubleshooting information, service packs, patches, and downloads for your system on the TechNet Web site at www.microsoft.com/technet/