Category published:  Server 2022 [21H2/22H2/32H2] VMWare   Click on the Category button to get more articles regarding that product.

Managing external time server NTP on Microsoft Server DC and VMware ESX in Switzerland

Posted by admin on 31.01.2024

 


 


Managing Windows Time Service: A Comprehensive Guide

The Windows Time service (W32Time) plays a crucial role in synchronizing the date and time for all computers managed by Active Directory Domain Services (AD DS). This article delves into the tools and settings used to effectively manage the Windows Time service.

Default Synchronization

By default, computers joined to a domain synchronize time through a domain hierarchy of time sources. If a computer has been manually configured to synchronize from a specific time source, you can reconfigure it to automatically source time from the domain hierarchy.

Most domain-joined computers have a time client type of NT5DS and synchronize time from the domain hierarchy. The exception is the domain controller that serves as the primary domain controller (PDC) emulator operations master for the forest root domain. The PDC emulator is configured to synchronize time with an external source.

Achieving Precision

You can achieve down to one-millisecond time accuracy in your domain. For more information, refer to the [Support boundary for high-accuracy time](https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/support-boundary-for-high-accuracy-time) and [Accurate Time for Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time).

Caution: Avoid using the Net time command to configure a computer’s clock time when the Windows Time service is running. The Net time /querysntp command is deprecated on older computers running Windows XP or earlier.

 

Network Port and Protocol

The Windows Time service follows the Network Time Protocol (NTP) specification, utilizing UDP port 123 for all time synchronization activities. Whether a computer synchronizes its clock or provides time to another, it occurs over UDP port 123.

Note: NTP Servers typically listen on UDP port 123 for requests and respond from the same port. Both Inbox W32Time NTP Client and NTP Server share UDP port 123 for their functions.

 

NTP Pool Configuration for Switzerland

 

If you’re in Switzerland, consider configuring your NTP settings to use the Swiss NTP pool. Add the following lines to your ntp.conf file:

server 0.ch.pool.ntp.org

server 1.ch.pool.ntp.org

server 2.ch.pool.ntp.org

server 3.ch.pool.ntp.org

METAS is responsible for disseminating official Swiss time. It offers a free NTP time-dissemination service that allows computer clocks to be synchronized with official Swiss time over the network. The technical documentation and software related to the NTP protocol can be found at www.ntp.org.

METAS operates three publicly accessible stratum-1 NTP servers, namely:

ntp11.metas.ch

ntp12.metas.ch

ntp13.metas.ch

https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html

 

The alias address ntp.metas.ch points to one of the servers listed above.

In most cases, using pool.ntp.org is recommended, and the system will automatically find the closest available servers for you. If you need multiple server names, consider using 0.pool.ntp.org, 1.pool.ntp.org, etc. For those distributing software or equipment using NTP, refer to the [pool.ntp.org information for vendors](https://www.pool.ntp.org/vendors.html).

https://www.ntppool.org/zone/ch

Command-line Parameters for W32Time

The w32tm command is the preferred tool for configuring, monitoring, and troubleshooting the Windows Time service. Here are some crucial command-line parameters:

 

– /config: Adjusts configuration, notifying the Windows Time service of changes.

– /update: Notifies the service that configuration changes should take effect.

– /syncfromflags: Sets sources for the NTP client to synchronize from.

– /reliable: Specifies whether the computer is a reliable time source.

– /query: Displays information about the Windows Time service.

 

Example Commands:

 

Set an external time server for a DC (domain controller):

w32tm /config [/computer:<target>] [/update] [/manualpeerlist:<peers>] [/syncfromflags:<source>] [/LocalClockDispersion:<seconds>] [/reliable:(YES|NO)] [/largephaseoffset:<milliseconds>]

w32tm /config /manualpeerlist:"0.ch.pool.ntp.org 1.ch.pool.ntp.org 2.ch.pool.ntp.org 3.ch.pool.ntp.org" /syncfromflags:manual /update /reliable:yes

net stop w32time

net start w32time

Important: /reliable:(YES|NO): Set whether this computer is a reliable time source. This setting is only meaningful on domain controllers.

YES: This computer is a reliable time service.

NO: This computer isn’t a reliable time service.

Check: w32tm /query /configuration

Set the client to sync time automatically from a domain source:

w32tm /config /syncfromflags:domhier /update

net stop w32time

net start w32time

Check the client time configuration of a remote machine:

w32tm /query /computer:W11 /configuration

Check the client time configuration of the local machine:

w32tm /query /configuration

SRV 2022

[Configuration]

 

EventLogFlags: 2 (Local)

AnnounceFlags: 5 (Local)

TimeJumpAuditOffset: 28800 (Local)

MinPollInterval: 6 (Local)

MaxPollInterval: 10 (Local)

MaxNegPhaseCorrection: 4294967295 (Local)

MaxPosPhaseCorrection: 4294967295 (Local)

MaxAllowedPhaseOffset: 300 (Local)

 

FrequencyCorrectRate: 4 (Local)

PollAdjustFactor: 5 (Local)

LargePhaseOffset: 50000000 (Local)

SpikeWatchPeriod: 900 (Local)

LocalClockDispersion: 10 (Local)

HoldPeriod: 5 (Local)

PhaseCorrectRate: 1 (Local)

UpdateInterval: 100 (Local)

 

 

[TimeProviders]

 

NtpClient (Local)

DllName: C:\Windows\system32\w32time.dll (Local)

Enabled: 1 (Local)

InputProvider: 1 (Local)

AllowNonstandardModeCombinations: 1 (Local)

ResolvePeerBackoffMinutes: 15 (Local)

ResolvePeerBackoffMaxTimes: 7 (Local)

CompatibilityFlags: 2147483648 (Local)

EventLogFlags: 1 (Local)

LargeSampleSkew: 3 (Local)

SpecialPollInterval: 1024 (Local)

Type: NTP (Local)

NtpServer: 0.ch.pool.ntp.org 1.ch.pool.ntp.org 2.ch.pool.ntp.org 3.ch.pool.ntp.org (Local)

 

VMICTimeProvider (Local)

DllName: C:\Windows\System32\vmictimeprovider.dll (Local)

Enabled: 1 (Local)

InputProvider: 1 (Local)

 

NtpServer (Local)

DllName: C:\Windows\system32\w32time.dll (Local)

Enabled: 0 (Local)

InputProvider: 0 (Local)

 

Check in Registry:

reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

 


 

Time Synchronization in vSphere/ESX

 

For users employing vSphere/ESX, it’s crucial to ensure time synchronization aligns with Windows Server settings. Verify synchronization settings within your virtualized environment and maintain consistency with Windows Time service configurations.

Since Windows Server 2016, the Windows Time service has been improved to align with the RFC specifications, which makes it important to point local time clients at multiple peers. If you have only two time servers, deprioritize one of them with the UseAsFallbackOnly flag of the NtpServer setting.

Ensure your time synchronization strategy encompasses both Windows Server and vSphere/ESX environments, maintaining accurate time across your infrastructure.
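The following Python audit is an added example, not code from the original article or from Microsoft. It parses `w32tm /query /configuration` output shaped like the SRV 2022 dump above and flags two things: MaxNegPhaseCorrection/MaxPosPhaseCorrection left at 4294967295 (0xFFFFFFFF, which makes W32Time apply a correction of any size), and a two-peer manual list in which neither peer carries the UseAsFallbackOnly flag (0x2) mentioned above. The sample text is constructed from values shown on this page, and the function names are illustrative.

```python
import re

# Constructed sample: trimmed output in the shape of the SRV 2022 dump above.
SAMPLE = """\
[Configuration]
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
[TimeProviders]
NtpClient (Local)
Type: NTP (Local)
NtpServer: 0.ch.pool.ntp.org 1.ch.pool.ntp.org 2.ch.pool.ntp.org 3.ch.pool.ntp.org (Local)
"""

UNBOUNDED = 0xFFFFFFFF        # 4294967295: a correction of any size is applied
USE_AS_FALLBACK_ONLY = 0x2    # per-peer flag, written as "host,0x2"

def parse(text):
    """Return {section: {key: value}}; provider names act as sections."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\s*\(\w+\)\s*$", "", raw.strip())  # drop "(Local)" etc.
        if ":" in line:
            key, value = line.split(":", 1)   # split once: values may hold "C:\..."
            cfg.setdefault(section, {})[key.strip()] = value.strip()
        elif line:
            section = line.strip("[]")
    return cfg

def peers(cfg):
    """NtpClient's NtpServer value as (host, flags) pairs."""
    items = cfg.get("NtpClient", {}).get("NtpServer", "").split()
    return [(h, int(f, 16) if f else 0) for h, _, f in (i.partition(",") for i in items)]

def audit(text):
    cfg, findings = parse(text), []
    for key in ("MaxNegPhaseCorrection", "MaxPosPhaseCorrection"):
        if int(cfg.get("Configuration", {}).get(key, 0)) == UNBOUNDED:
            findings.append(f"{key}: unbounded, any time jump is applied")
    # Peer checks only apply to manually configured clients, not NT5DS members.
    if cfg.get("NtpClient", {}).get("Type") in ("NTP", "AllSync"):
        plist = peers(cfg)
        if len(plist) < 2:
            findings.append("NtpServer: fewer than two peers")
        elif len(plist) == 2 and not any(f & USE_AS_FALLBACK_ONLY for _, f in plist):
            findings.append("NtpServer: two peers, neither UseAsFallbackOnly (0x2)")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Microsoft's guidance for domain controllers is to bound both phase-correction values, for example to 172800 seconds (48 hours), so that a bad or spoofed upstream answer cannot move the domain's clock arbitrarily.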

 


 

vSphere Web Client:

 

1. Log in to the vCenter Server using the vSphere Web Client.

2. Navigate to Hosts and Clusters.

3. Select the specific ESXi host you want to configure.

4. Go to the Configure tab.

5. Under System, choose Time Configuration.

6. Click Edit.

7. Enable the Network Time Protocol (NTP) client by selecting “Use Network Time Protocol.”

8. Click Start.

9. Set the NTP Service Startup Policy to “Start and stop with host.”

10. In the NTP Servers section, input the desired NTP server(s).

11. Click OK to save the configuration.

 

vSphere Client (H5 Client):

 

1. Log in to the vCenter Server using the vSphere Client (H5 Client).

2. Navigate to Hosts and Clusters.

3. Select the ESXi host you want to configure.

4. Go to the Configure tab.

5. Under System, choose Time Configuration.

6. Click Edit.

7. Enable the Network Time Protocol (NTP) client by selecting “Use Network Time Protocol.”

8. Click Start NTP service.

9. Set the NTP Service Startup Policy to “Start and stop with host.”

10. In the NTP Servers section, insert the desired NTP server(s).

11. Click OK to save the configuration.

 

ESXi Web Client and ESXi UI Client:

 

1. Access https://[ESXi IP] and log in with root credentials.

2. In the upper left, click Manage.

3. On the System tab, choose Time & Date.

4. Click Edit Settings.

5. Enable the Network Time Protocol (NTP) by clicking “Use Network Time Protocol.”

6. Set the service startup policy to “Start and Stop with Host.”

7. Adjust NTP servers to your preferred choices.

8. Click Save to apply and commit the changes.

 

Ensuring consistent time synchronization across your ESXi hosts is crucial for maintaining accurate time in your virtualized environment. Follow these steps based on your preferred vSphere client to configure Network Time Protocol (NTP) settings, keeping your ESXi hosts in sync with reliable time servers.

https://kb.vmware.com/s/article/57147

 

*Note: Always consider using Switzerland’s NTP pool for servers in that region (e.g., 0.ch.pool.ntp.org, 1.ch.pool.ntp.org, 2.ch.pool.ntp.org, 3.ch.pool.ntp.org).*

 

This comprehensive guide equips you with the knowledge to effectively manage the Windows Time service and synchronize time across your domain and virtualized environments.

 

