Troubleshooting the Windows Time Service in Microsoft Windows Servers
Summary:Understand Windows Time service (w32time) problems in an Active Directory domain. Configure Windows Time Server and use W32tm commands to ensure precise synchronization.
Please select a product to check article relevancy
This article applies to This article does not apply toThis article is not tied to any specific product.Not all product versions are identified in this article.
The Windows Time service is important in Active Directory. By default, Kerberos authentication requires that the clocks on all machines in the domain be synchronized to within five minutes of each other when corrected for time zone differences and Daylight Saving Time. Machines whose clocks are outside this range cannot authenticate and have no access to domain resources.
Cause
Within an AD domain, the domain controller (DC) holding the PDC Emulator FSMO role is the primary time server for the entire domain. This does not mean that every machine in the domain synchronizes its clock directly with the PDC Emulator, however. Other DCs synchronize with the PDC Emulator, while member servers and clients can sync with any DC. In this hierarchy, the PDC Emulator should be the only machine that is configured to sync with an external time source, such as a public NTP server. Everything else in the domain should be configured to synchronize with AD. Any other configuration may result in a loss of clock synchronization.
See this TechNet site for detailed information about how the Windows Time service works.
Resolution
Determine the extent of the problem
The first step in troubleshooting a Windows Time service issue should be to determine how many machines are affected. If the time is incorrect on only one machine, the steps that are required to fix the problem are different from the steps required to fix a domain-wide time issue.
If only a few machines are affected
If the affected machine is running Windows Vista or later, run w32tm /query /source at a command prompt to determine the time source of the affected machine. An external time source should only be listed if this command is run on the PDC Emulator; otherwise, the command should output the name of a DC in the domain.
The w32tm /query /status command also shows the machine's time source, and other potentially useful information. The /verbose switch provides even more information. As with the first command, these switches are only available on machines running Windows Vista or later.
If the correct time source is listed, you can use w32tm /resync to attempt to resynchronize the machine's clock with the time source. Adding the /rediscover switch to this command causes the machine to first attempt to discover network time sources, then attempt a resync.
To change the machine's time source, you can use one of two commands: w32tm /config /syncfromflags:DOMHIER /update configures the machine to use the domain hierarchy (AD) as its time source. w32tm /config /syncfromflags:MANUAL /manualpeerlist:<list> /update configures the machine to use the time servers in <list> as its time source.
NOTE: If multiple time servers are specified in <list>, they must be separated by spaces, and the entire list must be enclosed in quotation marks.
If the entire domain is affected
If the time is incorrect on all machines in the domain, the PDC Emulator is likely the source of the problem. Run the netdom query fsmo command on a DC to determine which DC holds the PDC Emulator role.
Run w32tm /query /source from a command prompt on the PDC Emulator to ensure that it is configured to synchronize with an external time source. The PDC Emulator should never be configured to synchronize with the domain, since it is the domain's primary time source.
If the PDC Emulator is a virtual machine (VM), disable guest-host clock synchronization. The procedure for doing this depends on the operating system running on the virtualization host.
To configure the PDC Emulator to sync with one or more external time servers, use the following command: w32tm /config /syncfromflags:MANUAL /manualpeerlist:<list> /update
NOTE: If multiple time servers are specified in <list>, they must be separated by spaces, and the entire list must be enclosed in quotation marks.
Windows Time service registry settings
The w32tm commands that are specified in the above procedures make changes to the Windows Time service registry values, which are all located under the following registry key:
If you make changes to the Windows Time service using w32tm commands or using the registry, but those changes do not take effect at all or take effect for only a short time before reverting to their previous values, there may be a Group Policy Object (GPO) overriding your changes. Group Policy settings for the Windows Time service include many of the same items that can be configured using the registry or w32tm commands. These settings can be found in the following locations:
Computer Configuration\Policies\Administrative Templates\System\Windows Time Service
Reset the Windows Time service registry values to default settings
If all else fails, this procedure resets the Windows Time service to its default settings:
Open the Services console and stop the Windows Time service (or run net stop w32time from a command prompt) if it is running.
Open an elevated command prompt and run w32tm /unregister to remove the Windows Time service from the registry. The service is no longer listed in the Services console.
Run w32tm /register to re-create the service with its default registry settings.
Make any needed registry changes, then start the Windows Time service in the Services console or with the net start w32time command.
Affected Products
Servers, Microsoft Windows Small Business Server 2008, Microsoft Windows Small Business Server 2011 Essentials, Microsoft Windows 2008 Server R2, Microsoft Windows 2008 Server Service Pack 2, Microsoft Windows 2012 Server
, Microsoft Windows 2012 Server R2
...
Article Properties
Article Number: 000134430
Article Type: Solution
Last Modified: 23 Sept 2024
Version: 8
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.
Article Properties
Article Number: 000134430
Article Type: Solution
Last Modified: 23 Sept 2024
Version: 8
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.