If the time difference between the local clock and the selected accurate time sample (also called the time skew) is too large to correct by adjusting the local clock rate, the time service sets the local clock to the correct time.
This adjustment of clock rate or direct clock time change is known as clock discipline. The Windows Time Service Manager is responsible for initiating the action of the NTP time providers included with the operating system.
The Windows Time Service Manager controls all functions of the Windows Time service and the coalescing of all time samples. In addition to providing information about the current system state, such as the current time source or the last time the system clock was updated, the Windows Time Service Manager is also responsible for creating events in the event log.
These time samples are then passed to the Windows Time Service Manager, which collects all the samples and passes them to the clock discipline subcomponent. The clock discipline subcomponent applies the NTP algorithms, which results in the selection of the best time sample. The clock discipline subcomponent adjusts the time of the system clock to the most accurate time by either adjusting the clock rate or directly changing the time.
If a computer has been designated as a time server, it can send the time on to any computer requesting time synchronization at any point in this process. Time protocols determine how closely two computers' clocks are synchronized. A time protocol is responsible for determining the best available time information and converging the clocks to ensure that a consistent time is maintained on separate systems.
NTP is an Internet time protocol that includes the discipline algorithms necessary for synchronizing clocks. NTP is a fault-tolerant, highly scalable time protocol and is the protocol used most often for synchronizing computer clocks by using a designated time reference.
NTP time synchronization takes place over a period of time and involves the transfer of NTP packets over a network. NTP packets contain time stamps that include a time sample from both the client and the server participating in time synchronization. NTP relies on a reference clock to define the most accurate time to be used and synchronizes all clocks on a network to that reference clock. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings.
NTP includes two algorithms, a clock-filtering algorithm and a clock-selection algorithm, to assist the Windows Time service in determining the best time sample. The clock-filtering algorithm is designed to sift through time samples that are received from queried time sources and determine the best time samples from each source.
The clock-selection algorithm then determines the most accurate time server on the network. This information is then passed to the clock discipline algorithm, which uses the information gathered to correct the local clock of the computer, while compensating for errors due to network latency and computer clock inaccuracy. The NTP algorithms are most accurate under conditions of light-to-moderate network and server loads. As with any algorithm that takes network transit time into account, NTP algorithms might perform poorly under conditions of extreme network congestion.
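The following added example (not code from the original page or from the Windows Time service) shows how the time stamps in one NTP exchange yield an offset and a round-trip delay, and why a clock filter prefers low-delay samples. It uses the standard NTP on-wire formulas and a simplified minimum-delay filter; the class name, function name and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NtpSample:
    """Four time stamps of one client/server exchange, in seconds."""
    t1: float  # client clock: request sent
    t2: float  # server clock: request received
    t3: float  # server clock: reply sent
    t4: float  # client clock: reply received

    @property
    def offset(self) -> float:
        # Estimated (server - client) difference; exact only when both
        # network directions take the same time.
        return ((self.t2 - self.t1) + (self.t3 - self.t4)) / 2

    @property
    def delay(self) -> float:
        # Round-trip network time, excluding server processing time.
        return (self.t4 - self.t1) - (self.t3 - self.t2)


def clock_filter(samples, window=8):
    """Pick the lowest-delay sample among the most recent `window`."""
    recent = list(samples)[-window:]
    if not recent:
        raise ValueError("no time samples to filter")
    return min(recent, key=lambda s: s.delay)


# Constructed samples: the server is really 0.250 s ahead of the client.
SAMPLES = [
    NtpSample(100.000, 100.260, 100.261, 100.021),  # 10 ms each way
    NtpSample(200.000, 200.260, 200.261, 200.221),  # reply delayed 210 ms
    NtpSample(300.000, 300.330, 300.331, 300.091),  # request delayed 80 ms
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"offset={s.offset:+.3f}s delay={s.delay:.3f}s")
    best = clock_filter(SAMPLES)
    print(f"selected offset={best.offset:+.3f}s (delay {best.delay:.3f}s)")
```

The congested samples misjudge the offset by half the difference between the two one-way delays, which is why the lowest-delay sample is the one kept.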
The Windows Time service is a complete time synchronization package that can support a variety of hardware devices and time protocols. To enable this support, the service uses pluggable time providers. A time provider is responsible for either obtaining accurate time stamps from the network or from hardware or for providing those time stamps to other computers over the network.
The NTP provider is the standard time provider included with the operating system.
NtpServer (output provider): This is a time server that responds to client time requests on the network.
NtpClient (input provider): This is a time client that obtains time information from another source, either a hardware device or an NTP server, and can return time samples that are useful for synchronizing the local clock.
Although the actual operations of these two providers are closely related, they appear independent to the time service.
Starting with Windows Server, when a Windows computer is connected to a network, it is configured as an NTP client. Also, computers running the Windows Time service only attempt to synchronize time with a domain controller or a manually specified time source by default.
These are the preferred time providers because they are automatically available, secure sources of time. Within an AD DS forest, the Windows Time service relies on standard domain security features to enforce the authentication of time data. The security of NTP packets that are sent between a domain member computer and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network.
NTP packets are not transmitted inside the Net Logon secure channel. Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a bit value that has been authenticated with the session key from the Net Logon service.
If the returned NTP packet is not signed with the computer's session key or is signed incorrectly, the time is rejected. All such authentication failures are logged in the Event Log.
Generally, Windows time clients automatically obtain accurate time for synchronization from domain controllers in the same domain.
In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When a time server returns an authenticated NTP packet to a client that requests the time, the packet is signed by means of a Kerberos session key defined by an interdomain trust account. The interdomain trust account is created when a new AD DS domain joins a forest, and the Net Logon service manages the session key.
In this way, the domain controller that is configured as reliable in the forest root domain becomes the authenticated time source for all of the domain controllers in both the parent and child domains, and indirectly for all computers located in the domain tree.
The Windows Time service can be configured to work between forests, but it is important to note that this configuration is not secure. For example, an NTP server might be available in a different forest. However, because that computer is in a different forest, there is no Kerberos session key with which to sign and authenticate NTP packets. To obtain accurate time synchronization from a computer in a different forest, the client needs network access to that computer and the time service must be configured to use a specific time source located in the other forest.
If a client is manually configured to access time from an NTP server outside of its own domain hierarchy, the NTP packets sent between the client and the time server are not authenticated, and therefore are not secure.
Even with the implementation of forest trusts, the Windows Time service is not secure across forests. Although the Net Logon secure channel is the authentication mechanism for the Windows Time service, authentication across forests is not supported.
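One way to find computers whose time source falls outside the authenticated domain hierarchy described above, as an added example that is not part of the original page. It assumes the W32Time Parameters registry values Type and NtpServer (neither is named on this page) have already been collected into a dictionary; the function names and sample values are constructed for illustration.

```python
# Per-peer flags that follow each host in the NtpServer registry value.
PEER_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}


def parse_ntp_server(value):
    """Split 'host,0xN host,0xN' into (host, [flag names]) tuples."""
    peers = []
    for entry in value.split():
        host, _, raw = entry.partition(",")
        bits = int(raw, 16) if raw else 0
        peers.append((host, [n for b, n in PEER_FLAGS.items() if bits & b]))
    return peers


def audit_time_source(params):
    """Return findings for one computer's W32Time Parameters values."""
    sync_type = params.get("Type", "").upper()
    if sync_type == "NT5DS":
        return []  # domain hierarchy only: signed with the session key
    if sync_type == "NOSYNC":
        return ["NoSync: the clock is not synchronized with any source"]
    if sync_type not in ("NTP", "ALLSYNC"):
        return [f"unrecognized Type value: {params.get('Type')!r}"]
    findings = []
    peers = parse_ntp_server(params.get("NtpServer", ""))
    if not peers and sync_type == "NTP":
        findings.append("Type=NTP but no manual peer is configured")
    for host, flags in peers:
        findings.append(f"manual peer {host} ({'|'.join(flags) or 'no flags'}): "
                        "NTP packets are not authenticated")
    return findings


# Constructed sample values; the manual peers are placeholder addresses.
DOMAIN_MEMBER = {"Type": "NT5DS", "NtpServer": "time.windows.com,0x9"}
MANUAL_CLIENT = {"Type": "NTP",
                 "NtpServer": "ntp.other-forest.example,0x9 192.0.2.10,0x1"}

if __name__ == "__main__":
    for name, cfg in (("member", DOMAIN_MEMBER), ("manual", MANUAL_CLIENT)):
        print(name, audit_time_source(cfg) or "ok")
```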
Hardware-based clocks such as GPS or radio clocks are often used as highly accurate reference clock devices. By default, the Windows Time service NTP time provider does not support the direct connection of a hardware device to a computer, although it is possible to create a software-based independent time provider that supports this type of connection.
This type of provider, in conjunction with the Windows Time service, can provide a reliable, stable time reference. Hardware devices, such as a cesium clock or a Global Positioning System (GPS) receiver, provide accurate current time by following a standard to obtain an accurate definition of time. Cesium clocks are extremely stable and are unaffected by factors such as temperature, pressure, or humidity, but are also very expensive.
When Windows for Workgroups is deployed, you have to manually configure time synchronization settings. You need to specify the time server that the Windows Time Service is to use as a reference clock. Alternatively, you can utilize the date and time properties applet from the control panel. Generally, it is because the time reference was in an unsynchronized state. The applet will also periodically automatically synchronize with the specified reference.
Andy Shinton has spent his entire career within the IT industry, mainly in the Time and Frequency sector.
LargeSampleSkew (All versions): Specifies the large sample skew for logging, in seconds. Events will be logged for this setting only when EventLogFlags is explicitly configured for 0x2 large sample skew. The default value on domain members is 3. The default value on stand-alone clients and servers is 3.
ResolvePeerBackOffMaxTimes (All versions): Specifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. The default value on domain members is 7.
ResolvePeerBackoffMinutes (All versions): Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with.
SpecialPollInterval (All versions): Specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3, The default value on stand-alone clients and servers is ,
It contains reserved data that is used by the Windows operating system. It specifies the time, in seconds, before W32Time will resynchronize after the computer has restarted. Any changes to this setting can cause unpredictable results. The default value on both domain members and on stand-alone clients and servers is left blank.
The following registry entries are not a part of the W32Time default configuration but can be added to the registry to obtain enhanced logging capabilities.
By default, the Windows Time service logs an event every time that it switches to a new time source. These are the global Group Policy settings and default values for the Windows Time service.
Caution: Don't use the Net time command to configure or set a computer's clock time when the Windows Time service is running.
Note: If you have a computer with multiple network adapters (is multi-homed), you cannot enable the Windows Time service based on a network adapter.
Important: Windows Server has improved the time synchronization algorithms to align with RFC specifications.
Note: In this case, if you want to set the clock back slowly, you would also have to adjust the values of PhaseCorrectRate or UpdateInterval in the registry to make sure that the equation result is TRUE.
Note: When you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the registry.
Warning: This information is provided as a reference for use in troubleshooting and validation.
Note: Some of the parameters in the registry are measured in clock ticks and some are measured in seconds.
Registers the Windows Time service to run as a service and adds its default configuration information to the registry.
Unregisters the Windows Time service and removes all of its configuration information from the registry.
Monitors the Windows Time service.
Converts a Windows NT system time measured in 10^-7-second intervals starting from 0h 1-Jan into a readable format.
Converts an NTP time measured in 2 -second intervals starting from 0h 1-Jan into a readable format.
Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics.
Displays a strip chart of the offset between this computer and another computer.
Displays the values associated with a given registry key.
Displays the computer's Windows Time service information.
Enables or disables the local computer Windows Time service private log.
Controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. Not a time server 0x Always time server 0x Automatic time server 0x Always-reliable time server 0x Automatic reliable time server The default value for domain members is
Controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), a read-only domain controller (RODC) can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC.
Specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired.
Expired entries may be removed when the next request or response is processed. The default value is 16 seconds. Controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. The default is 30 minutes.
Controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. The default value is entries. Controls the maximum number of entries that are allowed in the chaining table for a particular host. The default value is 4 entries. Specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target computer.
The default value is parts per million - PPM. Indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7, seconds.
Controls which events the time service logs. Time jump 0x2. Source change The default value on domain members is 2. The default value on stand-alone clients and servers is 2. Controls the rate at which the clock is corrected. If this value is too small, the clock is unstable and overcorrects.
If the value is too large, the clock takes a long time to synchronize. The default value on domain members is 4. The default value on stand-alone clients and servers is 4. Controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly.
Specifies that a time offset greater than or equal to this value in 10^-7 seconds is considered a spike. Maintained by W32Time. Controls the dispersion in seconds that you must assume when the only time source is the built-in CMOS clock.