Beginning with Windows 2000, all Windows operating systems include the W32Time time service. This service is designed to synchronize time within an organization. W32Time is responsible for the operation of both the client and server parts of the time service, and the same computer can be both an NTP (Network Time Protocol) client and server.
By default, the Windows time service is configured as follows:
• When installing the operating system, Windows launches the NTP client and synchronizes with an external time source;
• When you add a computer to a domain, the synchronization type changes. All client computers and member servers in a domain use a domain controller that authenticates them for time synchronization;
• When a member server is promoted to a domain controller, an NTP server is launched on it, which uses a controller with the PDC emulator role as a time source;
• The PDC emulator, located in the forest root domain, is the primary time server for the entire organization. At the same time, it is also synchronized with an external time source.
This scheme works in most cases and does not require intervention. However, the Windows time service structure may not follow a domain hierarchy, and any computer can be designated as a reliable time source. As an example, I will describe setting up an NTP server in Windows Server 2008 R2, although the procedure has not changed much since Windows 2000.
Start NTP server
I’ll note right away that the time service in Windows Server (from 2000 to 2012) does not have a graphical interface and is configured either from the command line or by directly editing the system registry. I prefer the second method, so we will work in the registry.
So, the first thing we need to do is start the NTP server. Open the registry branch
HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpServer.
Here, to enable the NTP server, the Enabled parameter must be set to 1.
Then restart the time service with net stop w32time && net start w32time
After restarting the NTP service, the server is already active and can serve clients. You can verify this using the w32tm /query /configuration command. This command displays a complete list of service options. If the NtpServer section contains the Enabled :1 line, then everything is in order, the time server is running.
In order for the NTP server to serve clients, do not forget to open UDP port 123 on the firewall for incoming and outgoing traffic.
Basic NTP server settings
The NTP server has been enabled, now we need to configure it. Open the HKLM\System\CurrentControlSet\services\W32Time\Parameters registry branch. Here, we are primarily interested in the Type parameter, which specifies the type of synchronization. It can take the following values:
NoSync — The NTP server is not synchronized with any external time source. The clock built into the CMOS chip of the server itself is used;
NTP – The NTP server is synchronized with external time servers, which are specified in the NtpServer registry value;
NT5DS – NTP server performs synchronization according to the domain hierarchy;
AllSync – The NTP server uses all available sources for synchronization.
The default value for a domain member computer is NT5DS, for a standalone computer it is NTP.
The second parameter of interest is NtpServer, which specifies the NTP servers with which this server will synchronize time. By default, this parameter contains the Microsoft NTP server (time.windows.com,0x1). If necessary, you can add several more NTP servers by entering their DNS names or IP addresses separated by a space. The list of available time servers can be viewed for example here.
At the end of each name, you can add a flag (e.g. ,0x1) that determines the mode for synchronization with the time server. The following values are allowed:
0x1 – SpecialInterval, use of a special polling interval;
0x2 – UseAsFallbackOnly mode;
0x4 – SymmetricActive, symmetrical active mode;
0x8 – Client, sending a request in client mode.
When using the SpecialInterval flag, the interval value set in the SpecialPollInterval key is required. If the UseAsFallbackOnly flag is set, the time service is told that this server will be used as a fallback server and that other servers in the list will be contacted before synchronizing with it. Symmetric active mode is used by NTP servers by default, and client mode can be used in case of synchronization problems. You can see more about synchronization modes here, or don’t fool around and just put ,0x1 everywhere (as Microsoft advises).
Another important setting, AnnounceFlags, is found in the HKLM\System\CurrentControlSet\services\W32Time\Config registry key. It is responsible for how the NTP server declares itself and can take the following values:
0x0 (Not a time server) – the server does not advertise itself through NetLogon as a time source. It can respond to NTP requests, but neighbors will not be able to recognize it as a time source;
0x1 (Always time server) – the server will always announce itself regardless of its status;
0x2 (Automatic time server) – the server will only announce itself if it receives reliable time from another neighbor (NTP or NT5DS);
0x4 (Always reliable time server) – the server will always declare itself as a reliable time source;
0x8 (Automatic reliable time server) – the domain controller is automatically declared reliable if it is a forest root domain PDC emulator. This flag allows the forest master PDC to assert itself as the authorized time source for the entire forest, even if it is not connected to the upstream NTP servers. No other controller or member server (which has the 0x2 flag by default) can claim to be a reliable time source if it cannot find a time source for itself.
The value of AnnounceFlags is the sum of its constituent flags, for example:
10=2+8 — NTP server declares itself as a reliable time source, provided that it receives time from a reliable source or is a PDC of the root domain. Flag 10 is set by default for both domain members and standalone servers.
5=1+4 — NTP server always claims to be a reliable time source. For example, to declare a member server (not a domain controller) as a reliable time source, you need flag 5.
Finally, let’s set the interval between updates. The SpecialPollInterval key already mentioned above, located in the HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpClient registry branch, is responsible for it. It is set in seconds and defaults to 604800, which is 1 week. This is a lot, so it’s worth reducing SpecialPollInterval to a reasonable value, say 1 hour (3600).
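The flag values described above can be decoded mechanically, which is useful when reviewing a server's time configuration. The following is an added example, not code from the original article; the function names and the sample peer list (including ntp.example.internal) are made up for illustration, and the bit meanings are taken from the lists above.

```powershell
# Added example: decode W32Time NtpServer peer flags and AnnounceFlags.
# Function names and sample values are hypothetical; bit meanings follow the article.
$PeerModes = @{ 0x1 = 'SpecialInterval'; 0x2 = 'UseAsFallbackOnly'
                0x4 = 'SymmetricActive'; 0x8 = 'Client' }
$AnnounceModes = @{ 0x1 = 'Always time server'
                    0x2 = 'Automatic time server'
                    0x4 = 'Always reliable time server'
                    0x8 = 'Automatic reliable time server' }

function ConvertFrom-W32TimeFlags {
    param([int]$Value, [hashtable]$Map)
    # Test each defined bit in ascending order and collect the names that are set.
    $names = foreach ($bit in ($Map.Keys | Sort-Object)) {
        if ($Value -band $bit) { $Map[$bit] }
    }
    if ($names) { $names -join ' + ' } else { 'none (0x0)' }
}

function ConvertFrom-NtpServerValue {
    param([string]$NtpServer, $SpecialPollInterval)
    # The registry value is a space-separated list of "name,0xFLAGS" entries.
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $peer, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [Convert]::ToInt32($flagText.Trim(), 16) } else { 0 }
        [pscustomobject]@{
            Peer  = $peer
            Flags = '0x{0:X}' -f $flags
            Modes = ConvertFrom-W32TimeFlags -Value $flags -Map $PeerModes
            # Per the article, SpecialInterval needs SpecialPollInterval to be set.
            Note  = if (($flags -band 0x1) -and -not $SpecialPollInterval) {
                        'SpecialInterval set but SpecialPollInterval is missing'
                    } else { '' }
        }
    }
}

# Constructed sample values, in the format the registry stores them.
$sampleNtpServer = 'time.windows.com,0x1 0.pool.ntp.org,0x9 ntp.example.internal,0x2'
ConvertFrom-NtpServerValue $sampleNtpServer -SpecialPollInterval 3600 |
    Format-Table -AutoSize

# The two AnnounceFlags sums discussed above, plus 0.
foreach ($v in 10, 5, 0) {
    '{0,2} = {1}' -f $v, (ConvertFrom-W32TimeFlags -Value $v -Map $AnnounceModes)
}

# On a live host the same functions decode the real settings:
# $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# ConvertFrom-NtpServerValue (Get-ItemProperty "$base\Parameters").NtpServer `
#     (Get-ItemProperty "$base\TimeProviders\NtpClient").SpecialPollInterval
# ConvertFrom-W32TimeFlags (Get-ItemProperty "$base\Config").AnnounceFlags $AnnounceModes
```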
After setting, you need to update the service configuration. You can do this with the w32tm /config /update command. And a few more commands for configuring, monitoring and diagnosing the time service:
w32tm /monitor – using this option, you can find out how much the system time of this computer differs from the time on the domain controller or other computers. For example: w32tm /monitor /computers:time.nist.gov
w32tm /resync – using this command, you can force the computer to synchronize with the time server it uses.
w32tm /stripchart – shows the time difference between the current and remote computer, and can display the result in graphical form. For example, the command w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly will make 5 comparisons against the specified source and display the result in text form.
w32tm /config – the main command used to configure the NTP service. With its help, you can set the list of time servers used, the type of synchronization, and much more. For example, you can override the default values and configure time synchronization with an external source using the w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov /update command
w32tm /query – shows the current service settings. For example, the command w32tm /query /source will show the current time source, and w32tm /query /configuration will display all service parameters.
Well, as a last resort 🙁
w32tm /unregister – removes the time service from the computer.
w32tm /register – registers the time service on the computer. In this case, the entire parameter branch in the registry is recreated.
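The text output of w32tm /stripchart with /dataonly lends itself to an automated drift check. The following is an added example, not part of the original article: the function name, the 1-second tolerance and the sample output are assumptions, and the parser expects the English "HH:mm:ss, +ss.fffffffs" line layout with a dot as the decimal separator.

```powershell
# Added example: summarise `w32tm /stripchart ... /dataonly` output.
# Function name, tolerance and sample lines are hypothetical / constructed.
function Measure-StripchartOffset {
    param([string[]]$Lines, [double]$MaxOffsetSeconds = 1.0)
    $offsets = @()
    $errors  = 0
    foreach ($line in $Lines) {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            # A successful sample: signed offset in seconds.
            $offsets += [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        } elseif ($line -match '^\d{1,2}:\d{2}:\d{2},\s*error') {
            # A sample that failed (for example, a timeout).
            $errors++
        }
    }
    $worst = $null
    if ($offsets.Count -gt 0) {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
                  Measure-Object -Maximum).Maximum
    }
    [pscustomobject]@{
        Samples             = $offsets.Count
        Errors              = $errors
        MaxAbsOffsetSeconds = $worst
        WithinTolerance     = ($offsets.Count -gt 0) -and ($errors -eq 0) -and
                              ($worst -le $MaxOffsetSeconds)
    }
}

# Constructed sample output (192.0.2.10 is a documentation address).
$sample = @'
Tracking time.nist.gov [192.0.2.10:123].
Collecting 5 samples.
The current time is 1/15/2024 10:00:00 AM.
10:00:00, +00.0123456s
10:00:02, +00.0119873s
10:00:04, -00.0020045s
10:00:06, error: 0x800705B4
10:00:08, +02.5310000s
'@ -split "`r?`n"

Measure-StripchartOffset -Lines $sample

# Against a live source:
# Measure-StripchartOffset -Lines (w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly)
```

With the constructed sample, one failed sample and one offset above the tolerance both cause WithinTolerance to be reported as False.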
Network Time Protocol (NTP) runs over UDP port 123 at the transport layer and enables accurate time synchronization for network computers. This irons out time inconsistencies on servers and clients during file logging or replication of server databases among other resources.
In this article, we’ll outline the process of installing, configuring, and querying an NTP server on Windows Server 2019.
NTP Server
NTP servers utilize the Network Time Protocol to send time signals to servers across the globe upon request. NTP servers use the Universal Time Coordinated (UTC) time source for time signal synchronization.
The main purpose of NTP servers is to provide time synchronization for servers and computer networks with other major network servers and clients across the globe. In turn, this streamlines communications and transactions all over the world.
Installing and Configuring an NTP Server on Windows Server 2019
The process of installing, configuring, and querying an NTP Server on Windows Server 2019 is quite straightforward.
Set the NTP service to Automatic option
To start off, hit Windows Key + R to launch the Run dialogue. Next, type services.msc and hit ENTER.
In the ‘Services’ window, locate the service ‘Windows Time’. Right-click and select the ‘Properties’ option as shown:
On the pop-up window, select the Startup type as ‘Automatic’.
Finally, click on ‘OK’ and then ‘Apply’.
As before, launch the run dialogue by pressing Windows Key + R. Then type ‘regedit’ and hit ENTER.
The Registry editor will be launched as shown:
Navigate to the path shown below:
On the right pane, locate and double-click the ‘Enabled’ value as shown:
Set the Value data to 1 and click OK.
In the right pane, locate the ‘AnnounceFlags’ value.
Double-click the value and set it to 5 in the ‘Value Data’ section.
Finally, reboot the NTP server for the changes to take place. Head back to the services Window, right-click on ‘Windows Time’ and select ‘Restart’
Configuring NTP Server on Windows 2019 using Windows PowerShell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer" -Name "Enabled" -Value 1
Next, configure Announce Flags value as shown:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Config" -Name "AnnounceFlags" -Value 5
Finally, restart the NTP server using the command:
Important Note: UDP port 123 must be open for the NTP server traffic to reach your Windows Server 2019. If the NTP servers are unreachable, you can check your firewall settings to fix this.
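To confirm the result of the steps above and cover the firewall requirement, the following added example (not from the original article) creates an inbound UDP 123 rule if none exists and then reads back the service, registry and firewall state. The rule name, the 10.0.0.0/8 client range and the function name are assumptions; adjust them to your network. Run it in an elevated PowerShell session.

```powershell
# Added example: open UDP 123 for NTP clients and verify the NTP server state.
# $ruleName, $clients and Get-NtpServerState are hypothetical names/values.
$ruleName = 'NTP Server (UDP 123 inbound)'
$clients  = '10.0.0.0/8'   # assumed internal client range, not from the article

# Create the inbound rule only if it is not already present.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 123 -RemoteAddress $clients -Action Allow | Out-Null
}

function Get-NtpServerState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $svc  = Get-Service -Name w32time

    # Enabled inbound allow rules whose port filter includes UDP 123.
    $allowRules = Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { $_.LocalPort -contains '123' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' }

    [pscustomobject]@{
        ServiceRunning   = $svc.Status -eq 'Running'
        StartupType      = $svc.StartType
        NtpServerEnabled = (Get-ItemProperty "$base\TimeProviders\NtpServer").Enabled -eq 1
        AnnounceFlags    = (Get-ItemProperty "$base\Config").AnnounceFlags
        # True when a local socket is bound to UDP 123.
        Udp123Bound      = [bool](Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue)
        InboundAllowRule = @($allowRules).Count -gt 0
    }
}

Get-NtpServerState | Format-List
```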
Other useful commands
Now your Windows Server 2019 clock is synchronized with the NTP server pool.ntp.org and works as an NTP client. You can achieve full network and accompanying infrastructure time synchronization by synchronizing all network workstations, servers, routers, hubs, and switches.
Since NTP servers operate over the UDP protocol using TCP/IP, these network infrastructures must be working efficiently for effective NTP server operation. If you want to host time servers on Windows Server 2019 in a virtual machine, you should disable the virtual machine time synchronization settings and sync their time with the domain Windows Server 2019.
Most modern operating systems, including Windows, can synchronize their system time to an NTP server. Windows utilizes a time service called ‘Windows Time’, which is automatically installed in the service list. The program executable is ‘w32time.exe’. The service is installed and enabled by default during installation.
Windows synchronizes time in different ways, depending on the network implementation utilized. When peer-to-peer networking is employed, each individual workstation syncs to a time reference independently.
However, when Windows Domain Networking is deployed, only the Primary Domain Controller (PDC) synchronizes with a time reference. All other servers and workstations in the domain sync to the PDC using Windows proprietary protocol. The default installation procedure automatically configures workstations and servers to sync to the controlling PDC. Only the PDC needs to be configured to synchronize to an external time reference.
Configuring a Windows Server to Sync to an External Time Reference
1. Change the server type to NTP. Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type. Change value data to: NTP
2. Set announce flags. Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags. Change value data to: 5
3. Enable NTP server. Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer. Change value data to: 1.
7. Restart the Windows time service. Stop and restart the Windows Time Service using the ‘net stop’ and ‘net start’ commands: net stop w32time && net start w32time
Synchronizing a Windows Workgroup
Microsoft Windows XP, Vista, Windows 7
When Windows for Workgroups is deployed, you have to manually configure time synchronization settings. You need to specify the time server that the Windows Time Service is to use as a reference clock. This is a very straightforward process; simply specify the time reference that the host is to synchronise with using the ‘net time’ command:
Alternatively, you can utilize the date and time properties applet from the control panel. Select the ‘Internet Time’ tab from the applet, check ‘Automatically Synchronize with an Internet Time Server’ and enter the DNS name or IP address of the server. If you select ‘Update Now’ the time service will attempt to contact and synchronize with the time reference immediately.
Typical responses are:
The applet will also periodically automatically synchronize with the specified reference. The next time synchronization is due to commence is displayed at the bottom of the applet’s window.
About the Author.
Andy Shinton has spent his entire career within the IT industry, mainly in the Time and Frequency sector. Since 2002, he has headed TimeTools Research and Development Division. Andy regularly writes white-papers and articles about NTP and Network Timing Solutions.
There is no question about it: having accurate time in your critical infrastructure systems is a must. Many business-critical applications and infrastructure systems rely on accurate time synchronized between them to ensure the system functions as expected. Time skew can cause all kinds of weirdness when it is misconfigured or out of sync between different servers/systems. This is especially true in a Windows Server Active Directory domain. Having accurate time between a client computer and domain controllers is essential. Let’s take a look at how to set the NTP server on Windows Server 2016 or Windows Server 2019 to see how this can be easily carried out.
What is NTP?
When it comes to synchronizing time in most environments, Network Time Protocol (NTP) is the protocol that is used to ensure accurate time across your environment. In most environments, NTP servers (special time servers) are configured to provide an external time source with which your internal servers can synchronize.
There are several widely known NTP IP addresses on the Internet that provide reliable time sources for your network. The NTP.org servers are one such set of time servers that provide an NTP source for configuration. There are a few NTP values to be aware of:
How Time is synchronized in a Windows Server domain
In a Windows domain, Microsoft has a default configuration in place that takes care of a good portion of the NTP configuration. Starting with Windows 2000 Server, Windows clients are configured as NTP clients. When configured as an NTP client, Windows computers only attempt to contact the domain controller for NTP synchronization or a manually specified NTP server.
Microsoft has made the domain controller the default in a Windows domain since it makes sense that clients already have a secure channel established with DCs for other types of communications. Additionally, accurate and synchronized time between domain controllers and clients is especially important for all kinds of things such as logins, group policy synchronization and other tasks/operations.
An important point to consider, and one that comes into play when thinking about why we set the NTP server in Windows Server 2016 or Windows Server 2019, is that the authoritative domain controller must have a reliable source to synchronize with as well. This is generally an external time server outside of the domain hierarchy.
Now that we know how the domain hierarchy for time is configured, how is the external time source configured on your domain controller that is configured as the reliable source of time?
Configuring Windows Time Service with W32tm.exe
When it comes to Windows Server environments like Windows Server 2016 or Windows Server 2019, there is a special Windows service that controls the time synchronization of your Windows hosts. This is the Windows Time Service.
Using the W32tm.exe utility is fairly straightforward. It can be used from a normal command prompt as well as from a PowerShell prompt. There are several command parameters included that allow not only configuring the NTP servers you want to query, but also parameters that allow viewing the low level registry configuration as well as the synchronization status.
You can read the official Microsoft KB on the Windows Time service and the W32tm.exe utility here:
However, there are a few commands I would like to show you for the purposes of configuring your Domain controller that is to be the reliable time source (PDC Emulator) for your domain.
The first command is the command line entry to specify your NTP servers, which in this case I am using the NTP.org servers to set as the source of my NTP synchronization.
w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /update
Stop-Service w32time
Start-Service w32time
Configuring the time source for your domain with the w32tm utility
w32tm /query /status
Querying the NTP synchronization status of your Windows Server 2016 or 2019 domain controller
You can also check the values configured in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config registry key using the commands below. You can drill into the configuration parameters using the /dumpreg /subkey command.
w32tm /dumpreg
w32tm /dumpreg /subkey:parameters
Viewing the NTP registry values that are configured for your Windows Server
Final Thoughts
As shown, you can easily set the NTP server on Windows Server 2016 or Windows Server 2019 using the w32tm command utility, which allows interacting with the time service in Windows Server.
In a Windows domain, you want to configure your authoritative time source domain controller, which by default is the PDC Emulator, to pull time information from an authoritative source like NTP.org or some other reliable NTP time server.
After configuring the time source, the other domain controllers will synchronize with this server and then the Windows clients joined to the domain will synchronize with the domain controllers that have the corrected time from the authoritative server.