Troubleshooting the Windows time service

Troubleshooting the Windows time service

This article provides information on troubleshooting Windows Time service problems in an Active Directory domain

The Windows Time service is very important in Active Directory. By default, Kerberos authentication requires that the clocks on all machines in the domain be synchronized to within five minutes of each other when corrected for time-zone differences and Daylight Saving Time. Machines whose clocks are outside this range will not be able to authenticate and therefore will have no access to domain resources.

Within an AD domain, the domain controller (DC) holding the PDC Emulator FSMO role is the master time server for the entire domain. This doesn't mean that every machine in the domain synchronizes its clock directly with the PDC Emulator, however. Other DCs synchronize with the PDC Emulator, while member servers and clients can sync with any DC. In this hierarchy, the PDC Emulator should be the only machine that is configured to sync with an external time source, such as a public NTP server. Everything else in the domain should be configured to synchronize with AD. Any other configuration may result in a loss of clock synchronization.

Refer to this TechNet site for detailed information on how the Windows Time service works.

Determine the extent of the problem

The first step in troubleshooting a Windows Time service issue should be to determine how many machines are affected. If the time is incorrect on only one machine, the steps required to fix the problem will be different from the steps required to fix a domain-wide time issue.

If only a few machines are affected

  1. If the affected machine is running Windows Vista or later, run w32tm /query /source at a command prompt to determine the time source of the affected machine. An external time source should only be listed if this command is run on the PDC Emulator; otherwise, the command should output the name of a DC in the domain.
  2. The w32tm /query /status command also shows the machine's time source, as well as other potentially useful information. The /verbose switch provides even more information. As with the first command, these switches are only available on machines running Windows Vista or later.
  3. If the correct time source is listed, you can use w32tm /resync to attempt to resynchronize the machine's clock with the time source. Adding the /rediscover switch to this command causes the machine to first attempt to discover network time sources, then attempt a resync.
  4. To change the machine's time source, you can use one of two commands:
    w32tm /config /syncfromflags:DOMHIER /update configures the machine to use the domain hierarchy (AD) as its time source.
    w32tm /config /syncfromflags:MANUAL /manualpeerlist:<list> /update configures the machine to use the time servers in <list> as its time source.
    Note: If multiple time servers are specified in <list>, they must be separated by spaces, and the entire list must be enclosed in quotation marks.

If the entire domain is affected

  1. If the time is incorrect on all machines in the domain, the PDC Emulator is very likely the source of the problem. Run the netdom query fsmo command on a DC to determine which DC holds the PDC Emulator role.
  2. Run w32tm /query /source from a command prompt on the PDC Emulator to ensure that it is configured to synchronize with an external time source. The PDC Emulator should never be configured to synchronize with the domain, since it is the domain's master time source.
  3. If the PDC Emulator is a virtual machine (VM), disable guest-host clock synchronization. The procedure for doing this depends on the operating system running on the virtualization host.
  4. To configure the PDC Emulator to sync with one or more external time servers, use the following command:
    w32tm /config /syncfromflags:MANUAL /manualpeerlist:<list> /update
    If multiple time servers are specified in <list>, they must be separated by spaces, and the entire list must be enclosed in quotation marks.

Windows Time service registry settings

The w32tm commands specified in the above procedures make changes to the Windows Time service registry values, which are all located under the following registry key:
It is possible to set these values manually rather than using w32tm commands, of course. If you choose to do so, the following sites may prove useful:

Group Policy

If you make changes to the Windows Time service using w32tm commands or via the registry, but those changes don't take effect at all or take effect for only a short time before reverting to their previous values, there may be a Group Policy Object (GPO) overriding your changes. Group Policy settings for the Windows Time service include many of the same items that can be configured via the registry or w32tm commands. These settings can be found in the following location:
Computer Configuration\Policies\Administrative Templates\System\Windows Time Service

Reset the Windows Time service registry values to default settings

If all else fails, this procedure will reset the Windows Time service to its default settings:

  1. Open the Services console and stop the Windows Time service (or run net stop w32time from a command prompt) if it is running.
  2. Open an elevated command prompt and run w32tm /unregister to remove the Windows Time service from the registry. The service will no longer be listed in the Services console.
  3. Run w32tm /register to recreate the service with its default registry settings.
  4. Make any needed registry changes, then start the Windows Time service in the Services console or with the net start w32time command.

Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

文章 ID: SLN164073

上次修改日期: 10/01/2014 03:26 PM