
Managing Internet Time in Vista

9/5/2010 9:38:28 AM

System time has an increasingly important role as the Windows operating system matures, particularly with regard to Kerberos security, which is the default Windows Vista authentication mechanism. With NTLM version 2 and Kerberos version 5 security, the network depends on system clocks being in close synchronization. If the clocks on different systems aren't closely synchronized, authentication tickets can become invalid before they reach a destination host, which can prevent logon and authentication.

Internet Time Overview

Keeping the system synchronized with the actual time isn't easy. System clocks can lose time, users can accidentally set the system clock to the wrong time, and other problems can occur. To help resolve problems with system time and time synchronization, Windows Vista uses the Windows Time service to set a consistent Internet time based on the time at an Internet time server. The Windows Time service allows synchronization within 100 milliseconds of world time. Here's a basic overview of how the Windows Time service works:

  • Windows Vista systems are configured to synchronize with an Internet time server automatically. This time server is referred to as the authoritative time server. The default time servers are http://www.time.microsoft.com and http://www.time.nist.gov. Administrators can specify either of these servers or type in the name of another time server.


Real World 

The authoritative time server for a domain is the domain controller that authenticates a server or workstation in the domain, and all member servers and workstations in a domain automatically sync their clocks with this server. In most cases, you'll want Windows Vista computers configured in workgroups to sync with a local time server (one located on your network, for instance) and then have the local time server synchronize with an authoritative time server, such as time.nist.gov. This reduces network traffic and can improve performance for time synchronization.

  • The Windows Time service uses the Simple Network Time Protocol (SNTP) to poll the authoritative time server. The global settings MinPollInterval and MaxPollInterval control the exact rates.

  • If there are differences in time between the time server and the system, the Windows Time service slowly corrects the time. The global settings UpdateInterval and FrequencyCorrectRate control the exact correction rate.


Note 

SNTP defaults to using User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you can't synchronize the system with an Internet time server.

You can configure the Windows Time service via the Registry or Group Policy. Table 1 provides detailed information on the most used time service settings. The related Group Policy settings are under Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings. If the Global Configuration Settings policy is enabled, its settings take precedence over local registry settings. The related registry settings are under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config. If you change registry values for time services, you can apply them by typing the following command at the command prompt:

w32tm /config /update

Table 1: Global Configuration Settings for Windows Time Services

AnnounceFlags
  Description: Sets the time server classification. Default value: 10 (8 + 2). A computer must be classified first as a time server to be subsequently classified as a reliable time server. This is why the default flag is 10 (meaning flags 2 and 8 are applied). This setting is only used by domain controllers and determines how the time service is advertised by the Netlogon service.
  Accepted values/flags: 10 (default, flags 8 + 2)
    0: the domain controller doesn't advertise time service.
    1: the domain controller always advertises time service.
    2: the domain controller is a time server and automatically determines whether it should advertise time service.
    4: the domain controller will always advertise reliable time service.
    8: the domain controller is a reliable time server and automatically determines whether it should advertise reliable time service.

EventLogFlags
  Description: Determines the types of events that the time service logs. Default value: 2.
  Accepted values/flags:
    1: logs when the time service must make a discontinuous change to the clock.
    2: logs when the time service chooses a new source of time information.
    3: logs when the time service hasn't acquired time samples for a period of 1.5 times the maximum poll interval and no longer trusts the local clock's accuracy.

FrequencyCorrectRate
  Description: Modifies the rate at which the time service corrects (synchronizes) the system clock. The value used is multiplied by the number of clock ticks in 64 seconds to come up with the base gain used to correct the system time. Generally, the smaller the value, the more responsive the system is to time changes. However, if the value is too small, the system time can change too frequently to be stable. A value of 3–5 is generally a stable range.
  Accepted values: 4 (default)

HoldPeriod
  Description: Determines the number of seconds the last consistently read time sample is held. It is essentially designed to prevent frequent time changes due to inconsistent time samples. During this period, time synchronization (as determined by the FrequencyCorrectRate) and spike detection (for consistent time samples) are switched off to allow for faster time correction (convergence).
  Accepted values: 5 (default)

LargePhaseOffset
  Description: Determines the time offset, in milliseconds, that triggers direct setting of the system clock. If the system clock is off by more than this amount, system time is set directly to the appropriate time rather than using time correction (convergence). Set the offset to a higher value to make it less likely that the system time will be set directly. However, if you do this, it is more likely that bad time samples will be considered good.
  Accepted values: 128,000 (default)

LocalClockDispersion
  Description: Indicates the relative reliability of the local CMOS clock when it's used as a time source for other computers but isn't synchronized with another network time source. The dispersion value is the number of seconds by which the time service should consider the local CMOS clock to be off from the estimated true time at any given time. The higher the reliability by which the local CMOS clock should be considered, the lower the dispersion value should be set. If the clock is synchronized from a network time source, the dispersion applies to that time source.
  Accepted values: 10 (default)

MaxAllowedPhaseOffset
  Description: Specifies the maximum time correction allowed when convergence is used (rather than direct time setting). If the system clock is off by more than this number of seconds, the time is corrected over multiple convergence intervals. This value is designed to prevent sudden large changes in time.
  Accepted values: 300 (default for DCs); 1 (default for other computers)

MaxNegPhaseCorrection
  Description: Specifies the largest negative time correction the time service is allowed to make. If the time is off by more than this amount, the required change is logged rather than corrected. For example, if the clock is set to 5:00 P.M. but it is really 1:59 A.M. of that same day (an earlier time), the required time change would be logged rather than corrected. An administrator would then need to set the time manually. A smaller value is considered more secure because it could prevent malicious time servers from changing system times erroneously.
  Accepted values: 54,000 (default)

MaxPollInterval
  Description: Determines the longest time interval to be used for checking the time. The value is set in units of 2^n seconds, where n is the value for this setting. The default value is 2^15 (32,768 seconds). The Windows Time service will consider itself to be in an unsynchronized state when 1.5 times the MaxPollInterval has elapsed and it is unable to obtain a time reading from a reliable time server. This value is also referred to as the maximum clock age, and in the Network Time Protocol the maximum clock age allowed is 86,400 seconds. Thus, if you set MaxPollInterval to a value greater than 15, the time server may be ignored completely by peers.
  Accepted values: 15 (default)

MaxPosPhaseCorrection
  Description: Specifies the largest positive time correction the time service is allowed to make. If the time is off by more than this amount, the required change is logged rather than corrected. For example, if the clock is set to 1:59 A.M. but it is really 5:00 P.M. of that same day (a later time), the required time change would be logged rather than corrected. An administrator would then need to set the time manually. A smaller value is considered more secure because it could prevent malicious time servers from changing system times erroneously.
  Accepted values: 54,000 (default)

MinPollInterval
  Description: Determines the shortest time interval to be used for checking the time. The value is set in units of 2^n seconds, where n is the value for this setting. The default value for DCs is 2^6 (64 seconds) because time synchronization is more important, and 2^10 (1,024 seconds) for other computers to reduce the number of network accesses. Windows Vista and Windows Server 2003 won't poll more frequently than once every 16 seconds regardless of the MinPollInterval used.
  Accepted values: 6 (default for DCs); 10 (default for other computers)

PhaseCorrectionRate
  Description: Specifies the time correction interval in seconds. This is the interval for time correction when convergence is used. With the default value, the time can be corrected once every second.
  Accepted values: 1 (default)

PollAdjustFactor
  Description: Sets an adjustment interval for polling the time. The value is set in units of 2^n seconds, where n is the value for this setting.
  Accepted values: 5 (default)

SpikeWatchPeriod
  Description: Sets the period in seconds during which suspicious time changes are watched before they are accepted as valid. If you lower this value, you allow the time server to correct time spikes (sudden changes in time) more quickly, but you also make it more likely that bad time samples will be considered good.
  Accepted values: 90 (default)

UpdateInterval
  Description: Determines the interval used for phase correction adjustments. The lower the value, the more accurate the time. The higher the value, the more efficient the time sampling. Thus there is a trade-off to be made between accuracy and efficiency. On DCs, you want more accuracy and can use more system resources to maintain the system clock because clock accuracy is very important. On other computers, you balance the need for efficiency against the need for accuracy.
  Accepted values: 100 (DCs); 30,000 (member servers); 360,000 (standalone computers)
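As an added example (not code from the article or from Microsoft), the following PowerShell script reads the Config values described in Table 1 and reports any that have been raised above the defaults, since larger phase-correction limits give a bad or malicious time source more room to move the clock and a MaxPollInterval above 15 exceeds the NTP maximum clock age. It assumes the registry path given above and an elevated prompt.

```powershell
# Added example, not from the original article: audit the W32Time Config
# values described in Table 1 and flag any set above the defaults.
# Assumes the registry path from the article; run in an elevated prompt.

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Defaults as given in Table 1; anything larger is reported.
$Defaults = @{
    MaxPosPhaseCorrection = 54000    # seconds
    MaxNegPhaseCorrection = 54000    # seconds
    LargePhaseOffset      = 128000   # milliseconds
    MaxPollInterval       = 15       # 2^15 s; above 15, NTP peers may ignore this server
}

function Test-W32TimeConfig {
    $cfg = Get-ItemProperty -Path $ConfigKey
    $findings = @()
    foreach ($name in $Defaults.Keys) {
        $actual = [int64]$cfg.$name
        # A REG_DWORD of 0xFFFFFFFF ("no limit") reads back as -1 (Int32);
        # normalise it to its unsigned value before comparing.
        if ($actual -lt 0) { $actual += 4294967296 }
        if ($actual -gt $Defaults[$name]) {
            $severity = 'Medium'
            if ($actual -eq 4294967295) { $severity = 'High' }   # unlimited correction
            $findings += New-Object PSObject -Property @{
                Setting  = $name
                Current  = $actual
                Default  = $Defaults[$name]
                Severity = $severity
            }
        }
    }
    return $findings
}

$findings = @(Test-W32TimeConfig)
if ($findings.Count -eq 0) {
    Write-Host 'All audited W32Time limits are at or below the Table 1 defaults.'
} else {
    $findings | Format-Table Setting, Current, Default, Severity -AutoSize
}

# Which source the clock currently trusts and when it last synchronised.
w32tm /query /status | Select-String 'Source|Last Successful Sync|Poll Interval'
```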

Configuring Internet Time in Workgroups

Most organizations will want to use Internet time so that computers can easily synchronize with external time servers. Because enabling Internet time is the default setting for Windows Vista, the real challenge lies in opening UDP port 123 on your firewall to allow the flow of Windows Time service traffic. Once you open this port on your firewall, the time service should operate normally.

You can enable or disable Internet time for individual systems in a workgroup by completing the following steps:

  1. In Control Panel, click Clock, Language, And Region and then click Date And Time.

  2. Select the Internet Time tab and then click Change Settings.

  3. To enable Internet time, select Automatically Synchronize With An Internet Time Server and then select the time server you want to use. You should also ensure that the Windows Time service is running in the Services utility.

  4. To disable Internet time, clear the Automatically Synchronize With An Internet Time Server check box.

  5. Use the Server field to specify the Internet time server to use. Several default time servers are listed, including http://www.time.windows.com and http://www.time.nist.gov. You can select one of these or type in the fully qualified domain name of another time server to use.

  6. Click OK.

When you use Internet time, keep in mind that on large networks, it's much more efficient to set up a local time server. With a local time server, SNTP messages from workstations and servers are broadcast locally and don't go out to the Internet. The messages sent between the local time server and the external time servers are the only external time traffic.

If a computer isn't set to the correct time, network access is usually the problem. Computers must have access to the network to access a local time server. They must have access to the Internet to access an Internet time server, which also requires that UDP port 123 be open to the computer on the organization's firewall or proxy server.

You can check the status of time synchronization at any time, and you can force a computer to update the time immediately as well. If you suspect that time synchronization is failing, you can check the status of the last synchronization by following these steps:

  1. In Control Panel, click Clock, Language, And Region and then double-click Date And Time.

  2. Select the Internet Time tab.

  3. Any error encountered during the last synchronization attempt will be displayed.

You can troubleshoot the configuration by following these steps:

  1. In Control Panel, click Clock, Language, And Region and then double-click Date And Time.

  2. Select the Internet Time tab and then click Change Settings.

  3. Ensure that the time server is set correctly. If necessary, retype the value.

  4. Click Update Now to force Windows Vista to attempt to synchronize with the specified time server.

  5. If an error occurs, check the network connectivity as well as the status of the Windows Time service. Again, the computer must have appropriate network or Internet access, and the Windows Time service must be running for this feature to work properly.
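The same troubleshooting steps scripted in PowerShell, as an added example that is not from the article: it verifies that the Windows Time service is running, sends SNTP requests to the configured server with w32tm /stripchart (which gets no reply when UDP port 123 is blocked), forces a resync when the server answers, and lists recent Time-Service events. The default server name, the match on the word "error" in stripchart output, and the event provider name are assumptions.

```powershell
# Added example, not from the original article: script the troubleshooting
# steps for a workgroup computer. Assumes an elevated prompt, that stripchart
# prints "error" for a sample that gets no reply, and the Time-Service
# event provider name used on Vista.

param(
    # Server to test; default is one of the servers listed in the article.
    [string]$TimeServer = 'time.nist.gov'
)

function Test-W32TimeSync {
    param([string]$Server)

    # Step 5 in the article: the service must be running for any of this to work.
    $svc = Get-Service -Name W32Time
    if ($svc.Status -ne 'Running') {
        Write-Warning "Windows Time service is $($svc.Status); starting it."
        Start-Service -Name W32Time
    }

    # Three SNTP samples over UDP 123; a timeout here usually means the port is
    # blocked on the firewall or proxy, or the server name is mistyped.
    $samples = w32tm /stripchart /computer:$Server /samples:3 /dataonly
    $samples | ForEach-Object { Write-Host $_ }
    $reachable = ($samples -join "`n") -notmatch 'error'

    if ($reachable) {
        # Equivalent of clicking Update Now; /rediscover re-resolves the source.
        w32tm /resync /rediscover
    } else {
        Write-Warning "No SNTP reply from $Server; check UDP 123 and the server name."
    }

    # Last five time-service events (new source, clock jump, unsynchronised),
    # the categories EventLogFlags in Table 1 controls.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } -MaxEvents 5 |
        Select-Object TimeCreated, Id, Message | Format-List

    return $reachable
}

Test-W32TimeSync -Server $TimeServer
```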

Configuring Internet Time in Domains

In Microsoft Active Directory directory service domains, a domain controller is chosen automatically as the reliable time source for the domain, and other computers in the domain synchronize time with this server. Should this server be unavailable to provide time services, another domain controller takes over. You cannot, however, change the Windows Time configuration. If you want to manage Windows Time in a different way, you must first enable and configure Internet Time through Group Policy. The related policies are found under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers and include the following settings:

  • Enable Windows NTP Client: When this setting is enabled, this computer can synchronize its clock with designated NTP servers.

  • Enable Windows NTP Server: When this setting is enabled, this computer can service NTP requests from other computers.

  • Configure Windows NTP Client: When you enable this setting, you are able to set the Internet time configuration options, including the name of the time server to use.

You can also configure global time services options using Global Configuration Settings under Computer Configuration\Administrative Templates\System\Windows Time Service.

With this in mind, you configure Internet Time in a domain by completing the following steps:

  1. Access policy for the appropriate domain, site, or OU.

  2. Expand Computer Configuration, Administrative Templates, System, Windows Time Service, Time Providers.

  3. Double-click Enable Windows NTP Server, select Enabled, and then click OK.

  4. Access the appropriate domain, site, or organizational unit Group Policy Object in the Group Policy Object Editor.

  5. Expand Computer Configuration, Administrative Templates, System, Windows Time Service, Time Providers.

  6. Double-click Enable Windows NTP Client, select Enabled, and then click OK.

  7. Double-click Configure Windows NTP Client and then select Enabled. Use the fields available to set the default NTP settings, including the name of the time server to use. Click OK when you are finished.
