다음을 통해 공유


Windows Time Service and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of Windows Time Service

Overview: Using Windows Time Service in a managed environment

How Windows Time Service communicates with sites on the Internet

Controlling Windows Time Service to limit the flow of information to and from the Internet

Configuration settings for Windows Time Service

Procedures for configuring Windows Time Service

Troubleshooting a computer that is unable to synchronize with a time server

Additional references

This section discusses how Windows Time Service in Windows® 7 and Windows Server® 2008 R2 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

Benefits and purposes of Windows Time Service

Many features in Windows 7 and Windows Server 2008 R2 rely on accurate and synchronized time to function correctly. For example, if clocks are not synchronized to the correct time on all computers, the authentication process in Windows 7 and Windows Server 2008 R2 might falsely interpret logon requests as intrusion attempts and deny access to the person logging on.

With time synchronization, you can correlate events on computers in an enterprise. When the clocks on all of your computers are synchronized, you can correctly analyze events that happen in a sequence on multiple computers. Windows Time Service automatically synchronizes a local computer’s time with other computers on a network to improve security and performance in your organization.

Overview: Using Windows Time Service in a managed environment

Computers keep the time on their internal clocks, which allows them to perform any function that requires the date or time. For scheduling purposes, however, the clocks must be set to the correct date and time, and they must be synchronized with the other clocks in the network. If the computers on the network do not have time synchronization, these clocks must be set manually.

With time synchronization, computers set their clocks automatically to match another computer's clock. One computer maintains very accurate time, and then all other computers set their clocks to match that computer. In this way, you can set accurate time on all computers.

Windows Time Service is installed by default on all computers running Windows 7 and Windows Server 2008 R2. Windows Time Service uses Coordinated Universal Time (UTC), which is independent of time zones. Time zone information is stored in each computer's registry, and it is added to the system time before it is displayed to the user or administrator.

By default, Windows Time Service starts automatically on computers running Windows 7 and Windows Server 2008 R2. In a domain, time synchronization takes place when Windows Time Service turns on during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a domain controller that can authenticate and synchronize time with the client. When a domain controller is found, the client sends a request for time and waits for a reply from the domain controller. This communication is an exchange of Network Time Protocol (NTP) packets, which calculate the time offset and round-trip delay between the two computers.

How Windows Time Service communicates with sites on the Internet

In Windows 7 and Windows Server 2008 R2, Windows Time Service automatically synchronizes the local computer's time with other computers on the network. The time source for this synchronization varies, depending on whether the computer is joined to a workgroup or to a domain.

When a computer running Windows 7 or Windows Server 2008 R2 is part of a workgroup

Within a workgroup, the default setting for the time synchronization frequency is set to "once per week," and this default setting uses the time.windows.com site as the trusted time synchronization source. This setting remains unless you manually set it otherwise. As an alternative, you could choose one or more computers to be the locally reliable time source, and configure Windows Time Service on those computers so that it uses a known accurate time source (special hardware or a time source that is available on the Internet). All other computers in the workgroup can be configured manually to synchronize their time with these local time sources.

When a computer running Windows 7 or Windows Server 2008 R2 is a member of a domain

Within a domain, Windows Time Service configures itself automatically by using the Windows Time Service that is available on the domain controllers.

Windows Time Service on a domain controller can be configured as a reliable or an unreliable time source. By default, Windows Time Service on computers running Windows 7 or Windows Server 2008 R2 attempt to synchronize their time source with servers that are indicated as reliable.

Communication between Windows Time Service and the Internet

The following list describes various aspects of Windows Time Service data that is sent to and from the Internet and how the exchange of information takes place.

  • Specific information sent or received: The service sends information in the form of a Network Time Protocol (NTP) packet. For more information about Windows Time Service and NTP packets, see the references listed in Additional references later in this section.

  • Default settings: For a description of the default settings, see the following sections earlier in this document:

    • When a Computer Running Windows Windows 7 or Server 2008 R2 Is Part of a Workgroup

    • When a computer running Windows 7 or Windows Server 2008 R2 is a member of a domain

  • Triggers and user notification: Windows Time Service is started when the computer starts. Additionally, the service continues to synchronize time with the designated network time source and adjust the computer time of the local computer when necessary. Notification is not sent to the person using the computer.

  • Logging: Information that is related to the service is stored in the Windows System event log. This includes warning or error condition information in addition to the time and network address of the time synchronization source.

  • Encryption: Encryption is not used in the network time synchronization for domain peers. (Authentication, however, is used.)

  • Information storage: The service does not store information. All information that results from the time synchronization process is lost when the time synchronization service request is completed.

  • Port: NTP uses User Datagram Protocol (UDP) port 123 on time servers. If this port is not open to the Internet, you cannot synchronize your server to Internet NTP servers.

  • Protocol: The service on Windows 7 and Windows Server 2008 R2 implements NTP to communicate with other computers on the network.

  • Ability to disable: Disabling the service is not recommended, because this might have indirect effects on applications or other services. Applications and services that depend on time synchronization, such as Kerberos V5 authentication protocol, may fail, or they may yield undesirable results if there is a significant time discrepancy among computers. Because most clocks on computers are imprecise, the time difference between computer clocks in a network usually increases over time.

Controlling Windows Time Service to limit the flow of information to and from the Internet

Group Policy can be used to control Windows Time Service for computers that are running Windows 7 or Windows Server 2008 R2 to limit the flow of information to and from the Internet.

The synchronization type and NTP time-server information can be managed and controlled through Group Policy. The Windows Time Service Group Policy Object (GPO) contains configuration settings that specify the synchronization type. When the synchronization type is set to NT5DS, Windows Time Service synchronizes its time resource with a network domain controller. Alternatively, setting the type attribute to NTP configures Windows Time Service to synchronize with an NTP time server that is specified by a Domain Name System (DNS) name or IP address.

Clients on a managed network can be configured to synchronize computer clock settings to an NTP server on the network. This minimizes traffic to the Internet and ensures that the clients synchronize to a single reliable time source. It is also possible (although not recommended) to disable time synchronization for computers running Windows Server 2008 R2 by using Group Policy. For more information, see Procedures for configuring Windows Time Service later in this section.

How Windows Time Service can affect users and applications

Many Windows features and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows Server 2003 domain has a default time synchronization threshold of five minutes. Computers in the domain that are more than five minutes out of synchronization will fail to authenticate by using the Kerberos protocol. This time value is also configurable, allowing for greater or lesser thresholds. Failure to authenticate using the Kerberos protocol can prevent a user from logging on or accessing Web sites, shared resources, printers, and other resources or services within a domain.

When the local clock offset is determined, the following adjustments are made to the time:

  • If the local clock time of the client differs from the time on the server by more than the threshold amount, Windows Time Service will change the local clock time immediately. The threshold is five minutes if the computer is part of a domain. It is one second if the computer is part of a workgroup. However, if a computer is part of a workgroup and the time differs from the time source by more than 15 hours, the time is not synchronized, as described later in this list.

  • If the local clock time of the client differs from the server by less than the threshold amount, the service will gradually synchronize the client with the correct time.

  • In a workgroup, if the local clock time of the client differs from the time on a time source by more than 15 hours, a workstation that is running Windows Time Service and using default settings will not synchronize with the time source. Such occurrences are rare, and they are often caused by configuration setting errors. For example, if a person sets the date on the computer incorrectly, the time does not synchronize. Under these circumstances, most often the time is off by a day or more. Be sure to check the calendar on the computer to ensure that the correct date is set.

Configuration settings for Windows Time Service

You can set the global configuration settings for Windows Time Service by using Group Policy. The settings that might be relevant for communication between Windows Time Service and the Internet are described in this subsection.

In Computer Configuration under Policies (if present), in Administrative Templates\System\Windows Time Service\Global Configuration Settings, there is only one setting that might, in certain scenarios, affect the way that Windows Time Service communicates when the computer is in a domain. This setting is AnnounceFlags, which controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. The settings are as follows:

  • 0   Not a time server

  • 1   Always a time server

  • 2   Automatic time server, meaning that the role is decided by Windows Time Service

  • 4   Always a reliable time server

  • 8   Automatic reliable time server, meaning that the role is decided by Windows Time Service

  • 10   The Windows Time Service decides the role. This is the default setting.

In the Group Policy settings located in Computer Configuration under Policies (if present), in Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client, there are a number of settings that might affect the way that Windows Time Service communicates across the Internet. The following table describes some of these policy settings.

Note

The table lists the settings that most directly affect the way Windows Time Service communicates with time sources, but the table does not list all settings. For example, it does not list the setting that specifies the location of the Windows Time Service DLL or the setting that controls event logging for Windows Time Service.

Selected Group Policy settings for configuring the Windows Time Service NTP client for computers running Windows Server 2008 R2

Setting Name and Effect Default Setting

NtpServer:

Establishes a space-delimited list of peers from which a computer obtains time stamps that consist of one or more DNS names or IP addresses per line. Computers that are connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock. This setting is used only when Type is set to NTP or AllSync.

  • 0x01 SpecialInterval

  • 0x02 UseAsFallbackOnly

  • 0x04 SymmetricActive

  • 0x08 NTP request in Client mode

time.windows.com, 0x1

Type:

Indicates which peers to accept synchronization from as follows:

  • NoSync  Time service does not synchronize with other sources.

  • NTP  Time service synchronizes from the servers specified in the NtpServer registry entry.

  • NT5DS  Time service synchronizes from the domain hierarchy.

  • AllSync  Time service uses all the available synchronization mechanisms.

Workgroup: NTP

Domain: NT5DS

CrossSiteSyncFlags:

Determines whether the service chooses synchronization partners outside the domain of the computer.

  • None: 0

  • PdcOnly: 1

  • All: 2

This value is ignored if the NT5DS value is not set.

2

ResolvePeerBackoffMinutes:

Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. If the Windows Time Service cannot successfully synchronize with a time source, it will continue trying by using the settings that are specified in ResolvePeerBackoffMinutes and ResolvePeerBackoffMaxTimes.

15

ResolvePeerBackoffMaxTimes:

Specifies the maximum number of times to double the wait interval when repeated attempts fail to locate a peer to synchronize with. A value of zero means that the wait interval is always the initial interval that is selected in ResolvePeerBackoffMinutes.

7

SpecialPollInterval:

Specifies the special poll interval in seconds for peers that have been configured manually. When a special poll is enabled, Windows Time Service uses this poll interval instead of a dynamic one that is determined by the synchronization algorithms built into Windows Time Service.

Workgroup: 604800

Domain: 3600

For other sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2.

Procedures for configuring Windows Time Service

The following procedures explain how to set some of the Windows Time Service configuration settings that are available in Group Policy. For details about other Group Policy settings for Windows Time Service, see the table earlier in this section.

To set the Group Policy for Windows Time Service Global Configuration Settings

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate Group Policy Object (GPO).

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Windows Time Service.

  3. In the details pane, double-click Global Configuration Settings, and then click Enabled.

  4. Configure the settings.

To Configure the Group Policy setting to prevent a computer running Windows 7 or Windows Server 2008 R2 from synchronizing its computer clock with NTP servers

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Windows Time Service, and then click Time Providers.

  3. In the details pane, double-click Enable Windows NTP Client, and then select Disabled.

To configure the Group Policy setting to prevent a computer running Windows 7 or Windows Server 2008 R2 from servicing time synchronization requests from other computers on the network

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Windows Time Service, and then click Time Providers.

  3. In the details pane, double-click Enable Windows NTP Server, and then select Disabled.

Starting and stopping Windows Time Service

By default, Windows Time Service starts automatically at system startup. You can, however, start or stop the service manually by accessing services in Administrative Tools or by using the net command.

To manually start or stop Windows Time Service by using the graphical user interface

  1. Click Start, and then click Control Panel.

  2. Double-click Administrative Tools and then double-click Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Right-click Windows Time, and then click the action that you want to perform—Start or Stop.

To manually start or stop Windows Time Service by using the net command

  1. To open a Command Prompt window as an administrator, click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the appropriate command, and then press ENTER.

    • To start the service, type:

      net start w32time

    • To stop the service, type:

      net stop w32time

Synchronizing computers with time sources

Use the following procedures to synchronize the internal time server with an external time source and to synchronize the client time with a time server.

To view the complete syntax for W32tm, at a command prompt, type:

w32tm /?

To synchronize an internal time server with an external time source

  1. To open a Command Prompt window as an administrator, click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following (where PeerList is a comma-separated list of Domain Name System (DNS) names or Internet Protocol (IP) addresses of the desired time sources):

    **w32tm /config /syncfromflags:manual /manualpeerlist:**PeerList

    and then press ENTER.

  4. Type w32tm /config /update and then press ENTER.

Note

The most common use of this procedure is to synchronize the internal network's authoritative time source with a precise external time source. This procedure can be run on any computer that is running Windows 2000, Windows XP, Windows Server 2003, Windows 7, or Windows Server 2008 R2. If the computer cannot reach the servers, the procedure fails and an entry is written to the Windows System event log.

The **w32tm** command-line tool is used for diagnosing problems that can occur with Windows Time Service. If you are going to use the tool on a domain controller, it is necessary to stop the service. Running the tool and Windows Time Service at the same time on a domain controller generates an error because both are attempting to use the same UDP port. When you finish using the **w32tm** command-line tool, you must restart the service.

To synchronize the client time with a time server

  1. To open a Command Prompt window as an administrator, click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type w32tm /resync, and then press ENTER.

Note

This procedure only works on computers that are joined to a domain.

Troubleshooting a computer that is unable to synchronize with a time server

In many cases, problems with Windows Time Service can be attributed to network configuration. If the network is not configured correctly, computers might not be able to send time samples back and forth, and therefore will not be able to synchronize. Viewing the contents of NTP packets can help you identify exactly where a packet is blocked on a network. You can also use the W32tm command-line tool to assist you in troubleshooting this and other types of errors associated with Windows Time Service.

By default, a standalone workstation running Windows Time Service will not synchronize with a time source if the workstation’s time is more than 15 hours off. For information about scenarios in which this can occur, see “How Windows Time Service Can Affect Users and Applications,” earlier in this section.

To view the complete syntax for W32tm, at a command prompt, type:

w32tm /?

To resynchronize the time on a client computer with a time server

  1. To open a Command Prompt window as an administrator, click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type w32tm /resync /rediscover and then press ENTER.

Note

When you run the preceding command, it redetects the network configuration and rediscovers network resources, causing resynchronization. This rediscovery procedure only works on computers that are joined to a domain. You can then view the event log for more information about why the time service does not synchronize.

Additional references

For more information, see following resources on the Microsoft® Web site: