Windows Time and Virtual Machines

Configuring the Windows Time service

Starting with Windows server 2016 Microsoft updated how to setup syncing with external NTP servers. This update was ported back to Window 7 and Windows Server 2008 R2. The biggest change is the manualpeerlist option no longer requires a hex code identifier.

  1. Open a Command Console
  2. Type in the command below to restart the time service
net stop w32time & net start w32time
  1. Set the Time Service to get updates from external NTP servers. These are the three I use.
w32tm /config /update /manualpeerlist:"pool.ntp.org time.windows.com time.apple.com time.google.com"
  1. Force the time service to sync and display the results
w32tm /resync
w32tm /query /peers

Testing the Time Service

W32TM has a built in test tool. Use the command below. Remember to change teh name of the NTP to the one you want to test. The parameter supports IP addressing too.

w32tm /monitor /computers:pool.ntp.org

You will get output like this

pool.ntp.org[216.229.0.49:123]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: +3.7161757s offset from local clock
        RefID: tick.usshc.com [199.102.46.70]
        Stratum: 2

The first line is a reverse DNS look-up of the given IP address

The next line tells the ICMP result. The error shown is very common as most time servers are behind a firewall. Without a firewall blocking the ICMP packet you will get the delay response time similar to a ping packet.

Final the last bit is the NTP information. First it tells you the offset from the queried server. Then it gives you the upstream NTP server along with the Stratum number for that upstream server.

Domain computer systems will list the DC they are currently syncing too, while non-PDC domain controls should list the PDC. It is possible to override the default settings.

Additional testing steps

For domains first verify FSMO roles and that all domain controls are syncing properly

netdom query fsmo

Next test to make sure ports are open on all firewalls

portqry –n <server FQDN> –e 123 –p UDP

Check the following registries for inconsistencies with your time server hierarchy

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

Stop and restart the service

Check the Default Domain Controllers group policy and the Default Domain group policy and any others that could affect the PDCe or other DCs. Check the following areas:

Computer configuration/Administrative Templates/System/Windows Time service/Time Providers

Finally try resetting everything

W23tm /dumpreg > dump1.txt
W32tm /unregister
W32tm /register
W23tm /dumpreg > dump2.txt

The first command dumps all settings so you can review them. The second one removes all w32time service registry keys, settings, and unregisters the service. The third command will register the service and set it up with default settings. Final the fourth line shows you the default config for comparing to the broken config.

You can also use REGEDT to dump the config

To use an internal hardware clock

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags  
  3. In the right pane, right-click AnnounceFlags, and then click Modify.
  4. In Edit DWORD Value, type A in the Value data box, and then click OK.
  5. Quit Registry Editor.
  6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER: net stop w32time && net start w32time

To use an external time source

To configure an internal time server to synchronize with an external time source, follow these steps:

Changing the server type to NTP.

Basic steps

  1. Change the source type to NTP
  2. Change the AnnouceFlags
  3. Enable NTPServer
  4. Enable the Windows NTPServer
  5. Specify the time sources.
  6. Select the poll interval
  7. Configure the time correction settings
Changing the source type
  1. Click Start, click Run, type REGEDIT, and then click OK.
  2. Locate and click the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
  1. In the right pane, right-click Type, and then click Modify.
  2. In Edit Value, type NTP in the Value data box, and then click OK.
Change AnnounceFlags 
  1. Click Start, click Run, type REGEDIT, and then click OK.
  2. Locate and then click the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
  1. In the right pane, right-click AnnounceFlags, and then click Modify.
  2. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
Important Notes on behavior

If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of to 0x5.

If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5.

Enable the Windows NTPServer
  1. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
  1. In the right pane, right-click Enabled, and then click Modify.
  2. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
Specify the time sources.

You need to get time from an external source.  Ideally use the worldwide DNS record “pool.ntp.org” but regional pools work well.

RegionDNS
Asiaasia.pool.ntp.org
Europe
 europe.pool.ntp.org
North Americanorth-america.pool.ntp.org
Oceaniaoceania.pool.ntp.org
South America south-america.pool.ntp.org
  1. Locate and click the registry subkey:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  1. In the right pane, right-click NtpServer, and then click Modify.
  2. In Edit Value, type Peers in the Value data box, and then click OK.
Very Important

Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append “,0x1” without the quotation marks (“”) to the end of each DNS name. If you do not append “,0x1” to the end of each DNS name, the changes made in step 5 will not take effect.

Select the poll interval
  1. Locate and click the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
  1. In the right pane, right-click SpecialPollInterval, and then click Modify.
  2. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Important Note

TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.

Configure the time correction settings
  1. Locate and then click the following registry subkey:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\
  1. We will be editing two values MaxPosPhaseCorrection and  MaxNegPhaseCorrection
  2. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
  3. In Edit DWORD Value, click to select Decimal in the Base box.
  4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
  5. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
  6. In Edit DWORD Value, click to select Decimal in the Base box.
  7. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Important behavior note

For both of these registry values the TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

Final Steps
  • Quit Registry Editor.
  • Open a Administrative Command prompt
  • To restart the Windows Time service type the following command
    and then press ENTER:
 net stop w32time && net start w32time

Alternative method to synchronize with an external time source

This uses the command line opened in an Administrative Command Console.

  • Run the commands on the PDC in each domain.
  • Use a text editor, like Notepad or Notepad++ to edit the commands before pasting them into the command window.
  • Open a Administrative Command prompt.  
  • One line per command and press ENTER to run.
  • You should get a message that the command completed successfully.

Set the Peer list

w32tm /config /manualpeerlist:$PEERS /syncfromflags:MANUAL
w32tm /config /update w32tm /resync
exit

$PEERS is  a comma-separated list of IP addresses or FQDN DNS records of the appropriate time sources.  The time sources you choose depend on your time zone. No spaces are allowed in the $PEERS variable. If you can use the IPv4 address of the timeserver instead of the fully qualified domain name for security purposes and shorter command line.

Quick notes on W32TIME

W32time uses a variable poll interval based on the quality of timesync with the server. On Domain Controllers the interval ranges between 64 and 1024 seconds. 

The /resync switch will immediately synchronize with the external time server.

Common Errors

Time differential greater than a few seconds between servers.

  • You receive Windows Time Service event IDs 24, 29, and 38 on a virtualized DC
  • Windows Time Services Debug logging on the domain controller, information that resembles the following is logged in the Debug log:
    149040 14:15:14.2970940s – Logging information: The time service is now synchronizing the system time with the time source VM IC Time Synchronization provider.
  • Time drift rapidly increases causing the Time service to stop syncing clocks with external sources

To resolve this issue, disable time synchronization on the host by using Integration Services, and then configure the virtualized domain controller to accept the default Windows Time Service (W32time) domain hierarchy time synchronization.

Using Hyper-V Manager

This is the preferred method

  1. Open Hyper-V Manager.
  2. Click Settings.Click Integration services.
  3. Clear the Time Synchronization option.
  4. Exit Hyper-V Manager.
  5. Restart the server.
  6. Make sure all domain servers receive time updates from from the PDC and the PDC is syncing to an External source.

Use the registry to partially disable the Hyper-V Real Time Clock

This is for older versions of Hyper-V but can work for other hypervisors without the ability to disable the Real Time Clock (RTC) sync between host and virtual machine. This method is not 100% reliable for non-Hyper-V hosts.

  1. Open an administrative command prompt on the Virtual Machine
  2. Run the following commands one at a time. The W32TM commands will tell you they completed successfully if they normally do not have an output.
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time & net start w32time
w32tm /resync /force
w32tm /query /source

These five commands do the following 5 tasks, respectively;

  • Disable the virtual time provider
  • This makes sure the virtual DC is taking time from the Domain and not an external source. Other options exist for this line depending on your network setup.  See the Microsoft W32TM command page or look at my page.
  • Stops and restarts the time service
  • Forces a sync from the new time source.
  • Checks that it works.  The sync can take several seconds to complete so wait about a minute.  If your network is slow wait a few minutes.

Original Peer list configuration notes

The mode that Windows Time uses to send requests is set by the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServerIf the value of the Enabled entry in this subkey is 1, Windows Time uses symmetric active mode. Otherwise, Windows Time uses client mode.

The 0x8 setting that is referenced in the command in the “Resolution” section sets Windows Time to use client mode.

The valid settings for the mode used with the /manualpeerlist switch include the following:

  • 0x01 – use special poll interval SpecialInterval
  • 0x02 – UseAsFallbackOnly
  • 0x04 – send request as SymmetricActive mode
  • 0x08 – send request as Client mode

Reference List

Did you get a clue?

If you got a clue and want to thank me, then visit the thank me page. It’s the best way to keep me publishing articles and keeping this site operation.

This site uses affiliate links. When you go to another site from here the link typically will have an affiliate code attached to it. Your actions on that site may earn a small commission for me. Read our affiliate link policy for more details.

{fin}

Scroll to Top