
NTP setup commands in the normal case. Basic NTP server settings

Good afternoon, dear readers and guests of the blog. People talk a lot about time, that it runs fast or slow, and everyone agrees it is priceless. The same is true for an Active Directory infrastructure, where time is one of the critical factors for a correctly functioning domain. Inside the domain everyone trusts everyone else: once a user has logged on and obtained his Kerberos tickets, he can go anywhere his rights allow. That trust depends on the clocks agreeing: by default a domain controller rejects Kerberos requests whose timestamps differ from its own clock by more than 5 minutes. So if your workstations do not have the exact time of the domain controller, you can assume that serious problems are on the way. Below we discuss what they are and how to fix them with the Windows NTP server settings.

Time Synchronization in Active Directory

The following time synchronization scheme works among computers participating in Active Directory.

  • The domain controller in the forest root domain that holds the PDC emulator FSMO role (let's call it the root PDC) is the time source for the whole forest; the other domain controllers of the root domain take their time from it.
  • Domain controllers in child domains synchronize with domain controllers upstream in the AD hierarchy: the PDC emulator of a child domain with a domain controller of the parent domain, the remaining controllers of the child domain with their own PDC emulator.
  • Ordinary domain members (servers and workstations) synchronize with a domain controller of their own domain, normally the nearest one according to the AD site topology.

The root PDC can take its time either from an external source or from itself (its local hardware clock). The latter is the default, and it is a poor one: nothing disciplines the root PDC's clock, and the Time Service periodically says so in the System log (Event ID 12: the machine is the PDC emulator of the forest root domain, so there is nothing above it in the domain hierarchy to use as a time source).

Clients of the root PDC are always served from its internal clock; what differs is whether that clock is in turn disciplined by an external source. If it is not, the root PDC's time server still advertises itself as "reliable", with no reference behind it.

Below is what I consider the optimal configuration of the root PDC time server: the root PDC periodically synchronizes its own time from a reliable source on the Internet and serves the clients that query it from its (now corrected) internal clock.

Run netdom query fsmo to see which controller holds the PDC emulator role. In my example the PDC emulator, and therefore the NTP server, is the controller dc7.

NTP Server Configuration on the Root PDC

The Windows time server (NTP server) can be configured with the command-line utility w32tm or through the registry. Where possible I will give both options. But first look at the complete current settings on the computer; this is done with the command:

w32tm /query /configuration

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

NtpClient (Local)

Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)

ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

Enabling synchronization of the internal clock with an external source

Switch the root PDC's synchronization type from the domain hierarchy (NT5DS) to a manually specified list of NTP sources:

w32tm /config /syncfromflags:manual

or set the registry value Type under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters to NTP.

Enable NTP Server

The NTP server is enabled by default on all domain controllers, but it can also be enabled on member servers: set Enabled to 1 under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer.

Setting the list of external sources for synchronization

w32tm /config /manualpeerlist:"time.nist.gov,0x8 pool.ntp.org,0x8"

or the registry value NtpServer under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters: a space-separated list of DNS names or IP addresses.

The 0x8 flag at the end means that synchronization should occur in NTP client mode, with the polling interval chosen by the service itself between MinPollInterval and MaxPollInterval (exponents of 2 in seconds: 6 and 10 in the dump above, i.e. 64 s to 1024 s). To poll at an interval of your own choosing, use the 0x1 flag (SpecialInterval) instead, or 0x9 for client mode with the special interval.

Setting the synchronization interval with an external source

Time in seconds between polls of the synchronization source. The value below sets 900 s = 15 min (the default on a domain member is 3600 s, as in the dump above). It works only for sources marked with the 0x1 flag. Registry value SpecialPollInterval under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient:

  • "SpecialPollInterval"=dword:00000384

Setting the maximum positive and negative correction

Maximum positive and negative correction (difference between the internal clock and the synchronization source) in seconds, beyond which synchronization does not occur. The values live under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config. The advice often given is 0xFFFFFFFF, at which the correction is always made:

"MaxPosPhaseCorrection"=dword:FFFFFFFF
"MaxNegPhaseCorrection"=dword:FFFFFFFF

That is convenient but dangerous: replies from manually configured NTP peers are not authenticated, so with no bound a single bogus packet (spoofed or from a broken server) can move the clock of the whole forest by hours or years and break Kerberos for everyone. Keep the 48-hour bound (172800 s) shown in the configuration dump above, and raise it only temporarily when you know a large correction is needed:

"MaxPosPhaseCorrection"=dword:0002A300
"MaxNegPhaseCorrection"=dword:0002A300

Everything you need in one line

w32tm.exe /config /manualpeerlist:"time.nist.gov,0x8 ntp1.imvp.ru,0x8 ntp2.imvp.ru,0x8 time.windows.com,0x8 pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update

Here /syncfromflags:manual tells the service to use only the manual peer list, /reliable:yes sets AnnounceFlags to 5 so the PDC always advertises itself as a reliable time source, and /update applies the change to the running service without a restart.
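The same one-liner wrapped in a PowerShell script, as an added example (it is not code from the original article). It refuses to run on a machine that is not the PDC emulator, using the same DomainRole = 5 test as the WMI filter in the group-policy section below, applies the peer list with /reliable:yes, and keeps the 48-hour correction bound from the configuration dump above instead of 0xFFFFFFFF. The peer list is a placeholder, and the script assumes an elevated session on a Windows Server with w32tm.exe.

```powershell
# Added example (not from the original article): configure the forest-root
# PDC emulator as the authoritative NTP server. Assumes an elevated PowerShell
# session on Windows Server; the peer list is a placeholder to be replaced.
#Requires -RunAsAdministrator

$W32TimeConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Test-IsPdcEmulator {
    # DomainRole 5 = primary domain controller, the same condition the
    # article's WMI filter uses (Win32_ComputerSystem where DomainRole = 5).
    return ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -eq 5)
}

function Set-RootPdcTimeSource {
    param(
        # Peers with ,0x8 (client mode): replace with your own sources.
        [string]$ManualPeerList = 'time.nist.gov,0x8 pool.ntp.org,0x8',
        # 172800 s (48 h) is the bound in the article's own configuration dump.
        # 0xFFFFFFFF would let one unauthenticated, spoofed NTP reply move the
        # clock by any amount, which then breaks Kerberos for the whole forest.
        [int]$MaxPhaseCorrectionSeconds = 172800
    )
    if (-not (Test-IsPdcEmulator)) {
        throw 'This host is not the PDC emulator; refusing to mark it /reliable:yes.'
    }

    # Manual peers only, announce as reliable (AnnounceFlags = 5), apply live.
    & w32tm.exe /config /manualpeerlist:"$ManualPeerList" /syncfromflags:manual /reliable:yes /update
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        Set-ItemProperty -Path $W32TimeConfig -Name $name -Value $MaxPhaseCorrectionSeconds -Type DWord
    }

    # Values written straight to the registry are picked up on restart
    # (or by w32tm /config /update); restart, then force a resync.
    Restart-Service -Name w32time
    & w32tm.exe /resync /rediscover | Out-Null

    [pscustomobject]@{
        Type          = (Get-ItemProperty -Path $W32TimeParams).Type          # expect NTP
        NtpServer     = (Get-ItemProperty -Path $W32TimeParams).NtpServer
        AnnounceFlags = (Get-ItemProperty -Path $W32TimeConfig).AnnounceFlags # expect 5
        Source        = (& w32tm.exe /query /source) -join ''
    }
}

Set-RootPdcTimeSource | Format-List
```

If Source still reads "Local CMOS Clock" or "Free-running System Clock" after the resync, the peers were not reached; the firewall section further down covers that case.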

Useful Commands

  • Apply changes made to the time service configuration
    w32tm /config /update
  • Force sync from source
    w32tm /resync /rediscover
  • Display the synchronization status of domain controllers in a domain
    w32tm /monitor
  • Display of current synchronization sources and their status
    w32tm /query /peers
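A check built on w32tm /monitor, as an added example (not from the original article): it parses the monitor output and flags any domain controller whose offset from the PDC exceeds the 300-second tolerance Kerberos allows by default, or that does not answer NTP at all. The sample output embedded below is constructed in the layout w32tm /monitor prints; pass a live call instead for a real check.

```powershell
# Added example (not from the original article): turn "w32tm /monitor" into a
# per-DC skew report. Host names, addresses and offsets in $sample are made up.

function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $hosts   = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        # Header line: "dc7.corp.example *** PDC ***[10.0.0.7:123]:" or "dc8.corp.example[10.0.0.8:123]:"
        if ($line -match '^(?<host>\S+?)(?:\s\*\*\* PDC \*\*\*)?\[(?<ip>[^\]]+):\d+\]:\s*$') {
            $current = [pscustomobject]@{
                Host          = $Matches.host
                Address       = $Matches.ip
                IsPdc         = $line -like '*PDC*'
                OffsetSeconds = $null
                Error         = $null
            }
            $hosts.Add($current)
        } elseif ($current -and $line -match '^\s+NTP:\s+(?<off>[+-]\d+\.\d+)s offset') {
            $current.OffsetSeconds = [double]$Matches.off
        } elseif ($current -and $line -match '^\s+NTP:\s+error\s+(?<err>.+)$') {
            $current.Error = $Matches.err.Trim()     # e.g. ERROR_TIMEOUT when UDP/123 is blocked
        }
    }
    return $hosts
}

function Get-TimeSkewReport {
    param(
        [string[]]$MonitorOutput = (& w32tm.exe /monitor),
        [double]$MaxSkewSeconds = 300      # Kerberos default maximum clock skew
    )
    foreach ($dc in ConvertFrom-W32tmMonitor -Lines $MonitorOutput) {
        $status = if ($dc.Error)                                         { "UNREACHABLE ($($dc.Error))" }
                  elseif ($null -eq $dc.OffsetSeconds)                   { 'NO NTP DATA' }
                  elseif ([math]::Abs($dc.OffsetSeconds) -gt $MaxSkewSeconds) { 'SKEW EXCEEDS KERBEROS TOLERANCE' }
                  else                                                   { 'ok' }
        [pscustomobject]@{
            Host = $dc.Host; PDC = $dc.IsPdc; OffsetSeconds = $dc.OffsetSeconds; Status = $status
        }
    }
}

# Constructed sample in the layout w32tm /monitor prints (three DCs: the PDC,
# one 5+ minutes off, one not answering). Replace with (& w32tm.exe /monitor).
$sample = @'
dc7.corp.example *** PDC ***[10.0.0.7:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc7.corp.example
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
dc8.corp.example[10.0.0.8:123]:
    ICMP: 1ms delay
    NTP: +312.4481275s offset from dc7.corp.example
        RefID: dc7.corp.example [10.0.0.7]
        Stratum: 2
dc9.corp.example[10.0.0.9:123]:
    ICMP: error IP_REQ_TIMED_OUT
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@ -split "`r?`n"

Get-TimeSkewReport -MonitorOutput $sample | Format-Table -AutoSize
```

Run it from a scheduled task and alert on anything other than "ok": a controller past the Kerberos tolerance is already failing authentications, and an unreachable one is usually the firewall case covered later on this page.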

Configuring NTP Server and Client by Group Policy

Since we have an Active Directory domain, it would be silly not to use group policies to configure servers and workstations in bulk, so I will show how to configure the NTP server and client in Windows this way. Open the Group Policy Management snap-in. Before setting up our NTP server, we need to create a WMI filter that applies the policy only to the PDC emulator.

Enter a name for the query, leave the namespace as root\CIMv2 and enter the query "Select * from Win32_ComputerSystem where DomainRole = 5" (DomainRole 5 is a primary domain controller, i.e. the PDC emulator). Save it.

You then create a policy on the Domain Controllers container.

At the very bottom of the policy, apply your created WMI filter.

Go to the branch: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.

Here we open the "Configure Windows NTP Client" policy and set the parameters:

  • NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 2.ru.pool.ntp.org,0x1 3.ru.pool.ntp.org,0x1 (entries are separated by spaces; the mode flag follows a comma, not a dot)
  • Type: NTP
  • CrossSiteSyncFlags: 2. A value of 2 (All) means any synchronization partner can be used. The value is ignored unless the type is NT5DS. Default: 2 (decimal), 0x02 (hexadecimal)
  • ResolvePeerBackoffMinutes: 15. The time, in minutes, that W32Time waits before retrying a failed DNS name resolution. Default: 15 minutes
  • ResolvePeerBackoffMaxTimes: 7. The number of DNS name resolution attempts W32Time makes before restarting the discovery process; the wait doubles after each failure. Default: 7 attempts
  • SpecialPollInterval: 3600. This NTP client setting, in seconds, determines how often a manually configured time source that uses the special polling interval is polled. If the SpecialInterval (0x1) flag is set on an NtpServer entry, the client uses SpecialPollInterval instead of MinPollInterval and MaxPollInterval. Default: 3600 seconds (1 hour)
  • EventLogFlags: 0

Make a separate group policy for the client machines, with these parameters:

  • NtpServer: ignored in this mode (with Type NT5DS the client locates a domain controller through the domain hierarchy itself), so leave the default or enter the PDC emulator's address for documentation
  • Type: NT5DS
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 0

Setting up an NTP server in Windows

Starting with Windows 2000, every Windows operating system includes the Windows Time service, W32Time. It synchronizes time within an organization and implements both the client and the server side of the time service, so the same computer can be an NTP (Network Time Protocol) client and server at the same time.

By default, the Windows time service is configured as follows:

When the operating system is installed, Windows starts an NTP client that synchronizes with an external time source (time.windows.com);
When the computer is joined to a domain, the synchronization type changes: all client computers and member servers in the domain take time from a domain controller of their domain, and the time packets are authenticated;
When a member server is promoted to a domain controller, the NTP server is started on it, and the controller takes its own time from the controller holding the PDC emulator role;
The PDC emulator of the forest root domain is the primary time server for the entire organization. It, in turn, should be synchronized with an external time source (by default it is not).

This scheme works in most cases and needs no intervention. However, the Windows time service hierarchy does not have to follow the domain hierarchy, and any computer can be designated as a reliable time source. As an example I will describe setting up an NTP server on Windows Server 2008 R2; the procedure has changed little since Windows 2000.

Starting an NTP server

I note right away that the time service in Windows Server (from 2000 to 2012) has no GUI and is configured either from the command line or by editing the registry directly. Personally the second method is closer to me, so we go to the registry.

So, the first thing we need to do is start the NTP server. Open the registry key
HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpServer.
To enable the NTP server, set the parameter Enabled to 1.

Then restart the time service with the command net stop w32time && net start w32time

After the restart the NTP server is active and can serve clients. You can verify this with the w32tm /query /configuration command, which prints the full list of service settings. If the NtpServer section contains the line Enabled: 1, everything is in order and the time server is running.

For the NTP server to serve clients, do not forget to allow incoming UDP port 123 on the firewall (outgoing UDP 123 is needed for the server's own client role, polling its upstream source).

Basic NTP server settings

The NTP server is enabled; now it needs to be configured. Open the registry key HKLM\System\CurrentControlSet\services\W32Time\Parameters. We are primarily interested in the parameter Type, which specifies the synchronization type. It can take the following values:

NoSync - the NTP server does not synchronize with any external time source; the clock built into the server's CMOS chip is used;
NTP - the NTP server synchronizes with the external time servers listed in the registry parameter NtpServer;
NT5DS - the NTP server synchronizes according to the domain hierarchy;
AllSync - the NTP server uses all available sources for synchronization.

The default value is NT5DS for a domain member and NTP for a standalone computer.

The parameter NtpServer specifies the NTP servers with which this server will synchronize. By default it contains the Microsoft NTP server (time.windows.com,0x1; current Windows versions ship time.windows.com,0x9). If necessary, add more NTP servers by entering their DNS names or IP addresses separated by spaces. Lists of public time servers are published online, for example by the NTP Pool Project (pool.ntp.org).

A flag can be appended to each name (e.g. ,0x1) specifying the mode used to synchronize with that time server. The following values are allowed:

0x1 - SpecialInterval, use the special polling interval;
0x2 - UseAsFallbackOnly mode;
0x4 - SymmetricActive, symmetric active mode;
0x8 - Client, send requests in client mode.

The flags can be combined by adding them (0x9 = client mode with the special polling interval). When the SpecialInterval flag is used, you must set the value of the SpecialPollInterval key. The UseAsFallbackOnly flag tells the time service that this server is a fallback: the other servers in the list are contacted first. Symmetric active mode is used by default by NTP servers; client mode can be used if there are synchronization problems. Or don't fool around and simply put ,0x1 everywhere (as advised by Microsoft).

One more important parameter, AnnounceFlags, lives in the registry key HKLM\System\CurrentControlSet\services\W32Time\Config. It controls how the NTP server announces itself and can take the following values:

0x0 (Not a time server) - the server does not advertise itself through NetLogon as a time source. It can answer NTP requests, but domain members will not discover it as a time source;
0x1 (Always time server) - the server always announces itself, regardless of its status;
0x2 (Automatic time server) - the server announces itself only if it is itself receiving reliable time from another peer (NTP or NT5DS);
0x4 (Always reliable time server) - the server always declares itself a reliable time source;
0x8 (Automatic reliable time server) - a domain controller automatically declares itself reliable if it is the PDC emulator of the forest root domain. This flag lets the forest root PDC assert itself as the authoritative time source for the whole forest even when it is not connected to any upstream NTP server. No other controller or member server (which carry the default 0x2 + 0x8 = 10) can claim to be a reliable time source if it cannot find a time source for itself.

The value of AnnounceFlags is the sum of its component flags, for example:

10 = 2 + 8 - the NTP server declares itself a reliable time source provided that it receives time from a reliable source or is the PDC of the root domain. 10 is the default for both domain members and standalone servers.

5 = 1 + 4 - the NTP server always claims to be a reliable time source. For example, to declare a member server (not a domain controller) a reliable time source, the value 5 is needed (this is what w32tm /config /reliable:yes sets). Use it with care: a host with AnnounceFlags 5 is believed by its clients even when its own clock is free-running.

Now let's set the interval between updates. The key already mentioned above, SpecialPollInterval, is responsible for it and lives in HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpClient. It is in seconds; on a standalone machine it defaults to 604800, which is one week (domain members default to 3600). A week is a lot, so it is worth reducing SpecialPollInterval to a reasonable value, say one hour (3600).

After configuration you need to update the service configuration with the w32tm /config /update command. A few more commands for configuring, monitoring and diagnosing the time service:

w32tm /monitor - shows how much the system time of this computer differs from the time on the domain controllers or other computers. For example: w32tm /monitor /computers:time.nist.gov
w32tm /resync - forces the computer to synchronize with the time server it uses.
w32tm /stripchart - shows the time difference between the current and a remote computer, optionally as a graph. For example, w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly takes 5 samples from the specified source and prints the result as text.

w32tm /config is the core command for configuring the time service. With it you can set the list of time servers, the synchronization type and much more. For example, to override the defaults and synchronize with an external source: w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov /update
w32tm /query - shows the current settings of the service. For example, w32tm /query /source shows the current time source and w32tm /query /configuration shows all service parameters.

And as a last resort 🙁
w32tm /unregister - removes the time service from the computer.
w32tm /register - registers the time service on the computer, recreating the entire parameter branch in the registry with default values.
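An audit of the w32tm /query /configuration output, as an added example (not from the original article), that flags the risky settings discussed above: unbounded MaxPos/MaxNegPhaseCorrection, NoSync, NT5DS on the forest-root PDC, a peer list without mode flags, AnnounceFlags 5 on a host that is not the root PDC, a disabled NtpServer provider and an enabled Hyper-V time provider. The "(Policy)" suffix in the output marks values set by Group Policy. The sample dump embedded below is constructed to contain those weak settings.

```powershell
# Added example (not from the original article): parse "w32tm /query /configuration"
# (the "Name: value (Local|Policy)" layout shown earlier on this page) and report
# settings that weaken or silently break time synchronization.

function ConvertFrom-W32tmConfiguration {
    param([string[]]$Lines)
    $config  = @{}
    $section = 'Configuration'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(\w+)\]$')                  { $section = $Matches[1]; continue } # [Configuration], [TimeProviders]
        if ($line -match '^(\w+) \((?:Local|Policy)\)$') { $section = $Matches[1]; continue } # NtpClient (Local), NtpServer (Local), ...
        if ($line -match '^(?<k>\w+):\s*(?<v>.*?)\s*\((?:Local|Policy)\)$') {
            if (-not $config.ContainsKey($section)) { $config[$section] = @{} }
            $config[$section][$Matches.k] = $Matches.v
        }
    }
    return $config
}

function Test-W32TimeConfiguration {
    param(
        [string[]]$ConfigurationOutput = (& w32tm.exe /query /configuration),
        [bool]$IsForestRootPdc = $false
    )
    $cfg = ConvertFrom-W32tmConfiguration -Lines $ConfigurationOutput
    $get = { param($sec, $key) if ($cfg.ContainsKey($sec)) { $cfg[$sec][$key] } }
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($sev, $msg) $findings.Add([pscustomobject]@{ Severity = $sev; Finding = $msg }) }

    foreach ($k in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        if ((& $get 'Configuration' $k) -eq '4294967295') {
            & $add 'High' "$k is 0xFFFFFFFF: one bogus NTP reply can move the clock by any amount"
        }
    }
    $type = & $get 'NtpClient' 'Type'
    switch ($type) {
        'NoSync' { & $add 'High' 'Type is NoSync: the clock free-runs on the local CMOS clock' }
        'NT5DS'  { if ($IsForestRootPdc) { & $add 'Medium' 'Forest-root PDC uses NT5DS: nothing above it in the hierarchy, so it has no time source' } }
        'NTP'    {
            $peers = & $get 'NtpClient' 'NtpServer'
            if (-not $peers)                { & $add 'High' 'Type is NTP but the NtpServer peer list is empty' }
            elseif ($peers -notmatch ',0x') { & $add 'Low'  "Peers carry no mode flag (,0x8 / ,0x9): '$peers'" }
        }
    }
    $announce = [int](& $get 'Configuration' 'AnnounceFlags')
    if (-not $IsForestRootPdc -and ($announce -band 4)) {
        & $add 'Medium' "AnnounceFlags=$announce : host always claims to be reliable although it is not the root PDC"
    }
    if ((& $get 'NtpServer' 'Enabled') -ne '1') {
        & $add 'Medium' 'NtpServer provider disabled: this host will not answer NTP clients'
    }
    if ((& $get 'VMICTimeProvider' 'Enabled') -eq '1') {
        & $add 'Low' 'Hyper-V VMICTimeProvider enabled: the hypervisor can also steer the clock'
    }
    return $findings
}

# Constructed sample dump carrying the weak settings; replace with a live call.
$sample = @'
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
MaxAllowedPhaseOffset: 300 (Local)

[TimeProviders]

NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Local)
NtpServer: time.nist.gov pool.ntp.org (Policy)
Type: NTP (Policy)

NtpServer (Local)
Enabled: 1 (Local)

VMICTimeProvider (Local)
Enabled: 1 (Local)
'@ -split "`r?`n"

Test-W32TimeConfiguration -ConfigurationOutput $sample -IsForestRootPdc $false | Format-Table -AutoSize
```

On a real host call Test-W32TimeConfiguration with no arguments (and -IsForestRootPdc $true on the root PDC); a value tagged "(Policy)" cannot be fixed locally and has to be corrected in the GPO that sets it.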

Correct time on Windows Server systems, maintained with the NTP protocol, is critical for many services. Without correctly configured time, or rather if the clocks on the servers and workstations disagree, many Active Directory protocols and synchronization services stop working. Setting and maintaining the clock with NTP is a simple task, but one with occasional complications, which we will try to cover in this article.

As an example we use a not-quite-latest system, Windows Server 2012. It is the most common one, and the same commands and rules apply to many other versions, including Windows Server 2008 and Windows Server 2016. Note that the description covers an environment with a single PDC master; more complex setups are not considered.

Reset NTP settings

In order to reset the NTP service to its default state, run the following commands:

Stop-Service w32time
w32tm /unregister
w32tm /register

This stops the service, unregisters it and re-registers it with the system, recreating the W32Time registry branch with default values. Only run these commands if absolutely necessary; as a rule there is no need for them, and NTP can be configured without a reset.

NTP Setup Commands in the Normal Case

To set up the Network Time Protocol on a Windows Server domain controller, first disable time synchronization through Hyper-V if the controller is virtualized with that technology: open the virtual machine settings and uncheck Time Synchronization in the Management -> Integration Services section.

Those not using Hyper-V can skip the previous step.

w32tm /config /manualpeerlist:"0.de.pool.ntp.org 1.de.pool.ntp.org" /syncfromflags:MANUAL /update

/update applies the change to the running service; without it the new peer list is only written to the registry and takes effect at the next service restart.

NTP over UDP and firewall blocking

In its standard configuration the time protocol uses UDP port 123. Make sure the firewall does not block this port. If it is blocked, the System log fills with Time-Service warnings that the peer cannot be reached:

Log Name: System
Source: Microsoft-Windows-Time-Service
Event ID: 47
Level: Warning
Description: Time Provider NtpClient: No valid response has been received from manually configured peer pool.ntp.org after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.

To make sure that this is the problem, you can enable additional debug output. Configure the Windows Server debug log so that it captures everything needed but does not grow beyond 20 megabytes:

w32tm /debug /enable /file:<path to log file> /size:20000000 /entries:0-300

/entries:0-300 is the full range of debug entries; choose the log file path yourself, and switch the log off again afterwards with w32tm /debug /disable.

NTP blocked by the firewall is recognized in the debug log by the phrase:

- Logging error: NtpClient has been configured to acquire time from one or more time sources, however none of the sources are currently accessible and no attempt to contact a source will be made for 1 minutes. NTPCLIENT HAS NO SOURCE OF ACCURATE TIME.

In this case (and in general, as the first thing to verify) check the firewall rule for UDP 123 and, if necessary, change it or add one.
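Two checks for the failure mode described above, as an added example (not from the original article): one confirms that an enabled inbound Windows Firewall rule allows UDP/123 and can add one, the other pulls the Time-Service events from the System log. The rule display name and the domain profile are assumptions; of the event IDs, 47 is the one quoted above, and 12 (root PDC without upstream), 35 (synchronizing with a source), 36 (no usable source) and 37 (receiving valid time) are the service's events as I know them, not from the article. Requires the NetSecurity module (Windows Server 2012 and later) and an elevated session.

```powershell
# Added example (not from the original article): verify the firewall allows
# inbound NTP (UDP/123) and pull the Time-Service events that show a failing
# client. Assumes Windows Server 2012+ (NetSecurity module), run elevated.
#Requires -RunAsAdministrator

function Get-NtpInboundRule {
    # Start from port filters rather than rule names so both the built-in
    # DC rule for W32Time and any custom rule are found.
    Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { @($_.LocalPort) -contains '123' -or @($_.LocalPort) -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { "$($_.Enabled)" -eq 'True' -and "$($_.Direction)" -eq 'Inbound' -and "$($_.Action)" -eq 'Allow' }
}

function Add-NtpInboundRule {
    param([string]$DisplayName = 'Windows Time NTP Server (UDP-In)')   # assumed name
    $existing = Get-NtpInboundRule
    if ($existing) { return $existing }
    # Scope the rule to the w32time service inside svchost, not to all of UDP/123.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort 123 -Profile Domain `
        -Program '%SystemRoot%\System32\svchost.exe' -Service w32time
}

function Get-TimeServiceEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        Id           = 12, 35, 36, 37, 47   # 47 = manually configured peer unreachable (quoted above)
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

if (-not (Get-NtpInboundRule)) {
    Write-Warning 'No enabled inbound allow rule for UDP/123; clients cannot reach this NTP server.'
    Add-NtpInboundRule | Select-Object DisplayName, Enabled, Direction, Action
}
Get-TimeServiceEvents | Format-Table -AutoSize
```

A run of 47s with no 37 in between means the server's own client side cannot reach its peers, which is the outbound direction; the inbound rule only matters for the clients querying this host.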

Verifying that ntp is working properly

To check if everything is working correctly, you can start the synchronization manually:

w32tm /resync

If everything went well, you will receive a message:

Sending resync command to local computer
The command completed successfully.

If there are problems - message:

The computer did not resync because no time data was available.

In the second case, check everything first: the firewall and the correctness of the specified servers (whether there is a typo in the name). If nothing helps, we have already described how to reset the settings.

Application examples

08.12.2014

NetPing devices use the NTP protocol to synchronize time. With this protocol every device on the network adjusts its clock to the specified server. NetPing devices connected to the Internet can use a public NTP server, as recommended in the article. If there is no Internet access, you can set up a local NTP server. Any Windows computer with the W32Time service ("Windows Time Service") configured can act as such a server. This service has no graphical interface and is configured either through the command line or by editing registry keys.

Instructions for setting up an NTP server on Windows 7/8/2008/2012

Consider setting up the time service by editing the registry. The procedure is the same for Windows 7/8, Windows Server 2008 and Windows Server 2012.

Windows administrator rights are required.

Open the Registry Editor either through the "Run" dialog (Win + R) or through the search form, typing "regedit".

In the editor, in the tree on the left, open the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer and find the value named Enabled. Right-click it, select "Modify" and change the value from 0 to 1.

By changing this parameter we have told the computer to act as an NTP server. It remains a client at the same time and can synchronize its own clock with other servers on the Internet or the local network. If you want the internal hardware clock to be served as the data source regardless of whether it is synchronized itself, change the AnnounceFlags value to 5 (always a reliable time server) in the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config.

For the changes to take effect, restart the service. Services are reached via Control Panel: Start -> Control Panel -> Administrative Tools -> Services, or by typing services.msc into the search form. In the list of services find "Windows Time", right-click it and select "Restart".

A simple fix for clock drift on a domain controller running in a Hyper-V virtual machine under Windows Server 2008/2012

A domain controller running Windows Server 2008 R2/2012 in a Hyper-V virtual machine kept drifting: over a month the clock could run away by almost half an hour. Needless to say how important exact time is on the domain controller, because the entire fleet of computers in the domain synchronizes from it.

1. Disable time synchronization with the host machine

First, disable synchronization of the guest's clock from the host's clock, otherwise we get a feedback loop: if the host is a domain member, the host synchronizes with the controller running in the guest, and the guest synchronizes from the host. The error per cycle is a fraction of a second, but it accumulates with every synchronization cycle and over time produces a very noticeable shift.

In the virtual machine parameters: Settings → Integration Services → Time Synchronization, uncheck the box.

2. Set up synchronization via NTP server

Tools

Use the command-line utility w32tm. The main parameters used to configure and manage time:

w32tm /query - queries the current settings of the NTP client and server
w32tm /config - configures the time service
w32tm /resync - initiates time synchronization
w32tm /dumpreg - displays the current registry settings related to the time service
w32tm /debug - enables debug logging of the time service

Setting

Time synchronization is configured on the domain controller running Windows Server 2008 R2 that holds the FSMO role "PDC emulator":

w32tm /query /configuration - look at the current settings of the time service
w32tm /config /syncfromflags:manual - select the manually specified list as the source for time synchronization
w32tm /config /manualpeerlist:"server1.ntp.org server2.ntp.org" - set the manually specified list of hosts to synchronize from. Hosts are DNS names or IP addresses separated by spaces; when several are given, the whole list is enclosed in quotation marks. You can, of course, limit yourself to the familiar time.windows.com
w32tm /config /reliable:yes - mark this machine as a reliable time source that can serve clients
w32tm /config /update - tell the time service that the configuration has changed (alternatively, restart the service)
w32tm /query /configuration - check the changes made to the service parameters
w32tm /resync - perform synchronization (you can experiment: change the time and check whether it gets corrected)

For greater reliability you can also restart the Time Service with the commands net stop w32time and net start w32time.

For convenience it is handy to collect the listed commands in one cmd file and solve the issue in one click:

w32tm /config /syncfromflags:manual
w32tm /config /manualpeerlist:time.windows.com
w32tm /config /reliable:yes
w32tm /config /update
w32tm /query /configuration
pause
w32tm /resync
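Steps 1 and 2 above as one PowerShell script, as an added example (not code from the original article; it also covers the Hyper-V step in the earlier "NTP Setup Commands in the Normal Case" section). Disable-GuestTimeSyncOnHost runs on the Hyper-V host with the Hyper-V PowerShell module and needs the VM name; Set-GuestDcTimeSource runs elevated inside the domain-controller guest, additionally disables the Hyper-V time provider in the guest so the loop cannot come back, and then verifies the source. VM name and peer list are placeholders.

```powershell
# Added example (not from the original article). Part 1 runs on the Hyper-V
# host (Hyper-V module); part 2 runs elevated inside the DC guest.
# VM name and peer list are placeholders.

function Disable-GuestTimeSyncOnHost {
    param([Parameter(Mandatory)][string]$VMName)
    $svc = Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
    if ($svc.Enabled) {
        # Same as unticking Integration Services -> Time Synchronization in the VM settings.
        Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
    }
    Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization' |
        Select-Object VMName, Name, Enabled
}

function Set-GuestDcTimeSource {
    param([string]$ManualPeerList = 'time.windows.com,0x9')   # placeholder peers
    # Guest side of the same fix: switch off the Hyper-V time provider so the
    # hypervisor cannot steer the clock even if host-side sync is re-enabled.
    $vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    if (Test-Path $vmic) {
        Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord
    }

    # The article's command sequence, combined into one w32tm /config call.
    & w32tm.exe /config /manualpeerlist:"$ManualPeerList" /syncfromflags:manual /reliable:yes /update
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
    Restart-Service -Name w32time        # also picks up the VMICTimeProvider change
    & w32tm.exe /resync /rediscover | Out-Null

    $source = (& w32tm.exe /query /source) -join ''
    $status = & w32tm.exe /query /status
    [pscustomobject]@{
        Source  = $source
        Stratum = ($status | Where-Object { $_ -like 'Stratum:*' }) -join ''
        # "Local CMOS Clock" / "Free-running System Clock" mean the peers were
        # not reached and the guest is still drifting; see the firewall section.
        Healthy = $source -notmatch 'Local CMOS Clock|Free-running'
    }
}

# Disable-GuestTimeSyncOnHost -VMName 'DC01'   # on the Hyper-V host
# Set-GuestDcTimeSource                        # inside the guest
```

Leaving the host-side integration service enabled while the guest polls NTP is exactly the loop described in step 1, so run the host part first; the guest part is safe to repeat.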
