Win Time Client

Home Downloads Order  
 

Up
Products
Specials
Site Map
Support
Tech Info
Contact
Search

 

Advanced Feat.
Win Time Client
ServerMP
Operation
FAQ
Installation
Troubleshooting

 

 

 

 

 

 

 

Using the Windows Time Service (w32time)
while running ClockWatch as an SNTP Timeserver

The Windows Time Service is an NTP based time client built into Windows. With it you can synchronize your computer to an external timeserver.

Beginning with Windows 2000, Windows has included a time synchronization service Windows Time (w32time.exe). W32time is designed to ensure loose synchronization only; the clocks in a network will agree within 20 seconds of one another (for greater accuracy consider ClockWatch Client). This w32time service uses the SNTP protocol and can be used in conjunction with ClockWatch Server. In the Client/Server configuration described below, ClockWatch Server is acting as the network time server for other computers on the network. The following discusses the simple steps to set up a network that keeps in sync:
Basically, to synchronize a  network, you need a master clock (the time server) and slave clocks (time clients). The timeserver gets the exact time from an external source and maintains the timeserver at the correct time. It also handles time requests from the clients.

In this case, both the server and the client are communicating with each other using the SNTP protocol which normally uses User Datagram Protocol (UDP) port 123.
 
Steps on configuring ClockWatch Server and Windows Time Client
1. Setting up the Time Server  
2. Setting up the Time Clients: Window XP/2008/Vista/Win7/8 – native win32 time client
Windows 2000 setsntp
Windows NT resource kit
Windows 95/98/ME ClockWatch client
3. Time Synchronization settings in a Domain
4. Starting and Stopping the Time Service
5. Turning on logging in the Time Service

1. Setting up ClockWatch as the time server

1) Load ClockWatch Server on the designated time server. This does not have to be a "server" other than it should normally be turned on and be visible by all the clients on the local network.

2) Configuring ClockWatch server to act as an SNTP timeserver:

  1. Open the Clients options tab in ClockWatch Server

  2. Enable "Listen for Clients" if not already checked

  3. Set the communication port number to "123"

  4. Select  "SNTP" as the client protocol

  5. Press 'OK' to save the changes


Client Options Tab in ClockWatch

3) Turn off the Windows Time Service on the timeserver. This program will conflict with ClockWatch acting as a time server and must be disabled. You must also change the startup type to 'Manual' to prevent it from starting the next time you reboot Windows. You can administer Services from the Control Panel.

4) The trial version of ClockWatch Server will only accept time requests from a single client. Contact Beagle Software for a free utility to allow your trial timeserver to handle multiple clients.

2. Configuring Windows Clients to work with the time server

W32Time is started by default on Windows XP,  Windows Server 2008, Windows Vista and Windows 7/8 machines regardless of whether they belong to a workgroup or a domain. On Windows 2000 however, W32Time must be manually started on machines belonging to a workgroup.

Windows XP/2008/Vista/Win7/8

If your computer is a member of a domain, your computer clock is probably synchronized automatically by a network time server. If your computer is not a member of a domain, you can synchronize your computer clock with an Internet time server.

This procedure provides information on switching to a different timeserver.

To change the clock synchronization server.

  1. Open Date and Time in Control Panel.

  2. Click the Internet Time tab.

    The Internet Time tab is not available if your computer is a member of a domain. See time synchronization in a domain.

  3. Select the Automatically synchronize with an Internet time server check box.
  4. In the Server box, enter the name of the ClockWatch time server configured in the step above. Use the network name of the computer (or the IP address).
  5. Click Update Now to test the connection to the time server.

 Notes

  • To open Date and Time, click Start, then Control Panel, and then double-click Date and Time.
  • Internet time synchronization updates your clock on a regular basis, but only when you are connected to the network. It takes just a moment and should not interfere with your work.

Windows 2000

Windows 2000 (Professional and Server) use a time synchronization service to synchronize the date and time of computers running on a Windows 2000-based network. 

If you are using Active Directory -
Synchronized time is critical in Window 2000 because the default authentication protocol (MIT Kerberos version 5) uses workstation time as part of the authentication ticket generation process. If your Windows 2000 clients belong to a Windows 2000 Active Directory Domain see time synchronization in a domain.


If the Windows 2000 clients belong to a workgroup -
you can manually configure the time synchronization settings:
 

Setting the time server
You can set the time server using the following net time command with the setsntp option, where server_name is the DNS server name, and  ':' is the required conjunction.
net time /setsntp:server_name

Alternatively, you can use the server's IP address:
net time /setsntp:server_IP

For example, if the server name was 'beagle' you would issue the following command:
 net time /setsntp:beagle

You can then test the connection to the time server by typing:
 w32tm –once

To check which time server you're currently using, type:
net time /querysntp

 

Turning on the Time Service

To synchronize with the time server the Time Service must be running on the client. You can start and stop the Time Service using the Windows Control Panel

You can also start and stop the time service using the net start/stop command:

To manually start W32Time using net start at the command prompt, type:
net start w32time

To manually stop W32Time using net stop at the command prompt, type:
net stop w32time
 
Windows NT The Win32 Network Time Synchronization Service (W32Time.exe) was not part of the base configuration in Windows NT. It was included in the Windows NT Resource Kit utilities. Refer to the program documentation for configuration to another timeserver. Alternatively, you can use the ClockWatch Client

Windows 95/98/Me

The Win32 Network Time Synchronization Service does not run on Windows 95/98/Me. We suggest you use the ClockWatch Client for client time synchronization.
   

3. Time Synchronization in a Domain
The following describes how to configure an authoritative time server in Windows 2000/XP/2008/Vista/Win7/8.

Windows includes the W32Time time service tool that is required by the Kerberos authentication protocol. The primary use for such time synchronization is to ensure the security of Kerberos authentication within an Active Directory environment. To prevent replay attacks, Kerberos tickets presented to domain controllers by clients are time-stamped. The authenticating domain controller checks to make sure the timestamp is unique and falls within an allowable skew before accepting the ticket and authenticating the client. The purpose of the time service is to ensure that all computers that are running Windows 2000 or later in an organization use a common time. Administrators can configure an internal time server as authoritative by using the net time command. The time service uses a hierarchical relationship that controls authority.

Computers that are members of an Active Directory domain synchronize time with domain controllers by default. Domain controllers synchronize time with their parent domain controller. By default, the root parent domain controller will not synchronize to a time source. The root parent domain controller can be set to either synchronize to a known and trusted Internet-based time source, or a hardware time device that provides an NTP or SNTP interface. Its time accuracy can also be maintained manually.

 Windows-based computers use the following hierarchy by default:

  • All client desktop computers nominate the authenticating domain controller as their in-bound time partner.

  • All member servers follow the same process as client desktop computers.

  • Domain controllers may nominate the primary domain controller (PDC) operations master as their in-bound time partner but may use a parent domain controller based on stratum numbering.

  • All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

Following this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization, and you should configure the PDC operations master to gather the time from an external source. This is logged in the System event log on the computer as event ID 62.

Administrators can configure the time service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command with the setsntp option, where server_name is the DNS server name:
net time /setsntp:server_name

Alternatively, you can use the server's IP address:
net time /setsntp:server_IP

For example, if the server name was 'beagle' you would issue the following command:
net time /setsntp:beagle

You can then test the connection by typing:
w32tm –once


Setting the Domain Client
You can use your ClockWatch time server (clockwatch_server_name) for this function. After you set the SNTP time server as authoritative, run either of the following commands on a computer other than the domain controller to reset the local computer's time against the authoritative time server, where clockwatch_server_name is the network name of your ClockWatch time server:
net time /clockwatch_server_name /set
 

Type the following commands, pressing ENTER after each command:
net stop w32time
w32tm –once
net start w32time

For more information about the net time command type:
net time /?

Reference: Microsoft KB articles: 224799, 216734, 31054

4. Starting and Stopping Windows Time Service from the Control Panel

To manually start W32Time using the Control Panel:

  1. From the Start menu, point to Settings, and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Services.

  3. Select Windows Time from the list of services.

  4. On the Action menu, click Start to begin the service.

To manually stop W32Time using the Control Panel:

  1. Follow steps 1 through 3 in the previous procedure.

  2. On the Action menu, click Stop to discontinue the service.

  3. Change the Startup type from 'Automatic' to 'Manual' to prevent Windows time from starting automatically the next time you reboot.


The Windows Time listing in the Services applet of the Windows Control Panel

 

5. Turning on Logging in the Windows Time Service

You can turn on debug logging for the Windows Time service (also known as W32time). Logging provides a detailed trace of what the otherwise stoical time service is doing.  If you are an administrator, you can use the debug logging feature of the Windows time service to help troubleshoot connection and time server issues.

Turn On Debug Logging for the Windows Time Service
To turn logging on you need to add three entries to the Windows Registry on the computer you wish to trace.
 

  1. Start the Registry Editor, regedit
     

  2. Locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
     

  3. On the Edit menu, click New Value, and then add the following 3 registry values:
     

  4. Value Name: FileLogSize
    Data Type: DWORD
    Value data: 10000000
    Meaning:  Maximum log file size.

    This registry value specifies the size of the log file in bytes.
    A value of 10000000 bytes will limit the log file to approximately 10 MB.
     

  5. Value name: FileLogName
    Data Type: String
    Value data: C:\Windows\Temp\w32time.log
    Meaning:  Full file and path name of log file.

    This registry value specifies the location of the log file. The path is not fixed. You can use a different path.
     

  6. Value name: FileLogEntries
    Data Type: String
    Value: 0-116
    Meaning:  Debug level: log all entries within the range of 0 and 116.

    This registry value specifies the level of detail of the information in the debug log.
    Note The Data Type value must be of type REG_SZ (String). You must type the value exactly as shown (that is, type 0-116). The highest possible value is 0-300 for most detailed logging.

The log will start immediately. There is lots of information in the log; of specific interest is the NTP packet information.

Here's a sample NTP packet of a Windows time client using ClockWatch Server as a time server:

148402 09:25:56.2316165s - /-- NTP Packet:
148402 09:25:56.2316165s - | LeapIndicator: 0 - no warning; VersionNumber: 3; Mode: 4 - Server; LiVnMode: 0x1C
148402 09:25:56.2316165s - | Stratum: 1 - primary reference (syncd by radio clock)
148402 09:25:56.2316165s - | Poll Interval: 4 - 16s; Precision: -18 - 3.8147æs per tick
148402 09:25:56.2316165s - | RootDelay: 0x0010.0025s - 16.0006s; RootDispersion: 0x0000.0300s - 0.0117188s
148402 09:25:56.2316165s - | ReferenceClockIdentifier: 0x434C4B57 - source name: "CLKW"
148402 09:25:56.2316165s - | ReferenceTimestamp: 0xC9D99CEFE72A6B0D148402 09:25:56.2316165s - - 12821966703902991000ns - 148402 09:25:03.9029910s
148402 09:25:56.2316165s - | OriginateTimestamp: 0xC9D99D24374B2FA9148402 09:25:56.2316165s - - 12821966756215991000ns - 148402 09:25:56.2159910s
148402 09:25:56.2316165s - | ReceiveTimestamp: 0xC9D99D22E7AE0000148402 09:25:56.2316165s - - 12821966754904998800ns - 148402 09:25:54.9049988s
148402 09:25:56.2316165s - | TransmitTimestamp: 0xC9D99D22E7AE0000148402 09:25:56.2316165s - - 12821966754904998800ns - 148402 09:25:54.9049988s
148402 09:25:56.2316165s - >-- Non-packet info:
148402 09:25:56.2316165s - | DestinationTimestamp: 148402 09:25:56.2316165s - 0xC9D99D243B4B380C148402 09:25:56.2316165s - - 12821966756231616500ns148402 09:25:56.2316165s - - 148402 09:25:56.2316165s
148402 09:25:56.2316165s - | RoundtripDelay: 15625500ns (0s)
148402 09:25:56.2316165s - | LocalClockOffset: -1318804900ns - 0:01.318804900s
148402 09:25:56.2316165s - \--

This is a stratum 1 timeserver, that is has been synced to a stratum 0 time source (see below). Also note the reference clock identifier field has "CLKW", this is the server identifier used by ClockWatch. Also note that the timestamps all have values. NTP uses these values to calculate the time difference and the reliability of the timeserver. If your packets show lots of 0s then check to see if your timeserver is working properly.

To turn logging off, simply delete the three entries in the registry.

Reference: Microsoft KB article:  81643

Other w32time Settings

The Windows time service has a lot of functionality but the administration is very nity gritty. By manipulating registry settings for the service, w32time can act as both an SNTP client and server to synchronize other network clients.

Parameter List:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
Contains a list of parameters for w32time

Protocol:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Set value to NTP.

Reliability Factor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
Set the value to 5 for reliable time source

Sync Interval:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPClient\SpecialPollInterval
Set this to the period in seconds that the Windows machine should poll the NTP server. A recommended value is 900 seconds (decimal) which equates to every 15 minutes.

Turn on NTP Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled
Change this value to 1 to enable the NTP server.

Specify list of External Timeservers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
In this field you can provide a list of IP address or DNS names, separated by a space, of NTP servers that the Windows machine can synchronize to.
 

Time Hierarchy

W32Time synchronizes clocks within a forest using a time hierarchy that begins with the PDC Emulator in the forest root domain, which is considered the stratum 2 time source for the forest. This domain controller can have its own clock controlled several ways:

  • By synching to a reliable time server on the Internet.
  • By synching to an locally-connected hardware time source such as an atomic clock.
  • By relying on its own internal CMOS clock for reliable time.

In the first two examples above, the Internet time server or atomic clock is considered a stratum 1 time source. Other domain controllers in the forest root domain and PDC Emulators in child domains use W32Time to poll the PDC Emulator in the forest root domain periodically to ensure their clocks remain synchronized. Workstations and member servers then poll domain controllers in their domains to synchronize their own clocks, with the result being that all computers in the forest synchronize their clocks, either directly or indirectly, with the PDC Emulator in the forest root domain (and hence the external time server or atomic clock, if present). The following table summarizes how the W32Time hierarchy works, starting from the external source.

Stratum Description
1 Locally connected hardware clock (optional)

Internet time server (optional)
2 PDC Emulator in forest root domain
3 Other domain controllers in forest root domain

PDC Emulators in child domains
4 Workstations and member servers in forest root domain

Other domain controllers in child domains
5 Workstations and member servers in child domains

The polling process is initiated when W32Time starts on the client and is repeated every 45 minutes by default. If clocks are determined to be synchronized for three consecutive polls, the polling interval is increased to every 8 hours.

Note
Because of changes in the operation of the Windows time service, the remainder of this article focuses on time synchronization in an Active Directory environment where domain controllers are running Windows Server 2003. For information about configuring W32Time in a Windows 2000 domain controller environment, see the following white paper from Microsoft.

Synching to an Internal Time Source

The simplest solution to time synchronization in an Active Directory environment is to let the PDC Emulator in the forest root domain use its own CMOS clock as the source of reliable time for the forest. To do this, you can simply take no action. The only annoying result is that you will occasionally see the following event logged to the System log in Event Viewer:

Event ID: 12

Event source: W32Time

Event description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Basically, what this event means is that the PDC Emulator in the forest root domain has not been configured to synchronize its clock with an external stratum 1 time source, and as a result the clocks on all machines in your forest cannot be considered reliable. Now this may be an issue if employees rely upon their workstations’ CMOS clocks for signing in and out, but as far as Kerberos is concerned it’s a non-issue because Kerberos only requires that clocks on clients and authenticators agree with each other, not that they display accurate time. So if every machine’s clock in the forest is one hour late, Kerberos will still work fine and replay attacks will be prevented, which is the purpose of W32Time anyway.

Synching to an External Time Source

If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.microsoft.com,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.

Now stop and restart the Windows Time service using the following commands:

net stop w32time

net start w32time

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:

w32tm /resync /rediscover

Tip
There are additional registry settings you can configure to ensure external time synchronization operates effectively, see this article in the Microsoft Knowledge Base for details.

Additional Resources

The following resources can be of use in configuring and troubleshooting operation of the Windows Time service in Windows-based environments:

Final Tip

Be sure to open UDP port 123 on the firewall at your network’s edge if you are syncing your forest root PDC Emulator to an external time source on the Internet. This is because UDP port 123 is the default port used by SNTP, which is the protocol used by W32Time for time synchronization over a network. Furthermore, if you have deployed Windows XP Service Pack 2 then you need to ensure UDP port 123 is also opened on Windows Firewall on your desktop machines as well.

Links:
ClockWatch Client/Server - Main Page
 Frequently Asked Questions about Client/Server
 Multi-platform time synchronization (including IBM, Mac, Novell, Linux and Unix)
 ClockWatch - Product Index

  Products | Specials | Site Map | Support | Tech Info | Contact | Search | Search
Copyright © 2012 Beagle Software. All rights reserved
Last reviewed April 06, 2012