Troubleshooting the Windows Time Service w32time Issues

The Windows Time service is important in Active Directory. By default, Kerberos authentication requires that the clocks on all machines in the domain be synchronized to within five minutes of each other when corrected for time zone differences and Daylight Saving Time. Machines whose clocks are outside this range cannot authenticate and have no access to domain resources.

Within an AD domain, the domain controller (DC) holding the PDC Emulator FSMO role is the primary time server for the entire domain. This does not mean that every machine in the domain synchronizes its clock directly with the PDC Emulator, however. Other DCs synchronize with the PDC Emulator, while member servers and clients can sync with any DC. In this hierarchy, the PDC Emulator should be the only machine that is configured to sync with an external time source, such as a public NTP server. Everything else in the domain should be configured to synchronize with AD. Any other configuration may result in a loss of clock synchronization.

See Microsoft document How the Windows Time Service Works  for detailed information about how the Windows Time service works.

Determine the extent of the problem.

The first step in troubleshooting a Windows Time service issue should be to determine how many machines are affected. If the time is incorrect on only one machine, the steps that are required to fix the problem are different from the steps required to fix a domain-wide time issue.

If only a few machines are affected:

1. If the affected machine is running Windows Vista or later, run w32tm /query /source at a command prompt to determine the time source of the affected machine. An external time source should only be listed if this command is run on the PDC Emulator; otherwise, the command should output the name of a DC in the domain.
2. The w32tm /query /status command also shows the machine's time source, and other potentially useful information. The /verbose switch provides even more information. As with the first command, these switches are only available on machines running Windows Vista or later.
3. If the correct time source is listed, you can use w32tm /resync to attempt to resynchronize the machine's clock with the time source. Adding the /rediscover switch to this command causes the machine to first attempt to discover network time sources, then attempt a resync.
4. To change the machine's time source, you can use one of two commands:
   w32tm /config /syncfromflags:DOMHIER /update configures the machine to use the domain hierarchy (AD) as its time source.
   w32tm /config /syncfromflags:MANUAL /manualpeerlist:<list> /update configures the machine to use the time servers in <list> as its time source.
   
   NOTE: If multiple time servers are specified in <list>, they must be separated by spaces, and the entire list must be enclosed in quotation marks.

If the entire domain is affected:

1. If the time is incorrect on all machines in the domain, the PDC Emulator is likely the source of the problem. Run the netdom query fsmo command on a DC to determine which DC holds the PDC Emulator role.
2. Run w32tm /query /source from a command prompt on the PDC Emulator to ensure that it is configured to synchronize with an external time source. The PDC Emulator should never be configured to synchronize with the domain, since it is the domain's primary time source.
3. If the PDC Emulator is a virtual machine (VM), disable guest-host clock synchronization. The procedure for doing this depends on the operating system running on the virtualization host.
4. To configure the PDC Emulator to sync with one or more external time servers, use the following command:
   w32tm /config /syncfromflags:MANUAL /manualpeerlist:<list> /update
   NOTE: If multiple time servers are specified in <list>, they must be separated by spaces, and the entire list must be enclosed in quotation marks.

Windows Time service registry settings

The w32tm commands that are specified in the above procedures change the Windows Time service registry values, which are all located under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

It is possible to set these values manually rather than using w32tm commands. If you choose to do so, the following Microsoft documents may prove useful:

• Windows Time Service Tools and Settings (includes a section on registry settings)
• How to Configure an Authoritative Time Server in Windows Server

Group Policy

If you change to the Windows Time service using w32tm commands or using the registry, but those changes do not take effect at all or take effect for only a short time before reverting to their previous values, a Group Policy Object (GPO) may be overriding your changes. Group Policy settings for the Windows Time service include many of the same items that can be configured using the registry or w32tm commands. These settings can be found in the following locations:

Computer Configuration\Policies\Administrative Templates\System\Windows Time Service

Reset the Windows Time service registry values to default settings.

If all else fails, this procedure resets the Windows Time service to its default settings:

1. Open the Services console and stop the Windows Time service (or run net stop w32time from a command prompt) if it is running.
2. Open an elevated command prompt and run w32tm /unregister to remove the Windows Time service from the registry. The service is no longer listed in the Services console.
3. Run w32tm /register to re-create the service with its default registry settings.
4. Make any needed registry changes, then start the Windows Time service in the Services console or with the net start w32time command.

• How to know if the Windows time service is running?

To determine if the Windows Time service (also known as w32time ) is running, you can check its status in the Services console. Open the Services console (accessed using services.msc), locate Windows Time, and verify that its status is Running. You can also check the Startup Type to ensure that it is set to Automatic or Manual.

See the Meinberg article Fast Troubleshooting for Windows Time Service (w32time) Synchronization  for quick troubleshooting tips.

• How accurate is the Windows time Service?

See the Microsoft article Configuring systems for high accuracy  for more information.