Windows sync time service - w32tm

Last updated: 2018-12-20

 

Introduction

 

Table of contents

  • Windows sync time Service
  • register and unregister
  • PC Resync Time
  • Setting which server to sync time with (external source)
  • Status
  • Setting how often the clock syncs
  • Related registry keys
  • Time source in an AD domain
  • GPO
  • How do I force all clients in domain to synchronize time remotely
  • Example
  • Other

 


Windows sync time Service

 

Service name: W32Time

# Check Service Status

sc query w32time

SERVICE_NAME: w32time
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

 


register and unregister

 

register - register to run as a service and add default configuration to the registry.

unregister - unregister service and remove all configuration

C:\>w32tm /register

The following error occurred: Access is denied. (0x80070005)

 


PC Resync Time

 

Usage

# Sending resync command to local computer...

# The computer did not resync if no time data was available.

w32tm /resync [/nowait] [/rediscover]

Opts

/nowait - do not wait for the resynchronize to occur; return immediately.

/rediscover - Redetect the network configuration and rediscover network sources, then resynchronize.

i.e.

C:\> w32tm /resync

Sending resync command to local computer
The command completed successfully.

 


Setting which server to sync time with

 

External source

# This setting is mostly used on the PDC and on standalone machines

# /manualpeerlist is a space-delimited list of servers

# syncfromflags:<source> - sets what sources the NTP client should sync from.
# <source> should be a comma separated list of these keywords
#      MANUAL - include peers from the manual peer list
#      DOMHIER - sync from a DC in the domain hierarchy

w32tm /config /manualpeerlist:stdtime.gov.hk /syncfromflags:manual /reliable:yes

#   update - notifies the time service that the configuration has changed, causing the changes to take effect.

w32tm /config /update

All other DCs

w32tm /config /syncfromflags:domhier /update

Remark

You can check the registry to see whether the domain controller is using "NTP" (should be on PDC) or "NT5DS" (on non-PDC):

"Type" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

 


Status

 

w32tm /query /status

Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0312500s
Root Dispersion: 7.7758309s
ReferenceId: 0x768F1152 (source IP:  118.143.17.82)
Last Successful Sync Time: 1/21/2015 12:53:12 PM
Source: stdtime.gov.hk
Poll Interval: 10 (1024s)

w32tm /query /configuration

[配置]

EventLogFlags: 2 (本地)
AnnounceFlags: 10 (本地)
TimeJumpAuditOffset: 28800 (本地)
MinPollInterval: 10 (本地)
MaxPollInterval: 15 (本地)
MaxNegPhaseCorrection: 54000 (本地)
MaxPosPhaseCorrection: 54000 (本地)
MaxAllowedPhaseOffset: 1 (本地)

.................................

[TimeProviders]

NtpClient (本地)
DllName: C:\Windows\system32\w32time.dll (本地)
Enabled: 1 (本地)
InputProvider: 1 (本地)
AllowNonstandardModeCombinations: 1 (本地)
ResolvePeerBackoffMinutes: 15 (本地)
ResolvePeerBackoffMaxTimes: 7 (本地)
CompatibilityFlags: 2147483648 (本地)
EventLogFlags: 1 (本地)
LargeSampleSkew: 3 (本地)
SpecialPollInterval: 900 (本地)
Type: NTP (本地)
NtpServer: stdtime.gov.hk (本地)

MinPollInterval

The default value for domain controllers is "6" (64 sec)

The default value for domain members is "10" (1024 sec ~ 17.1 min)

The default value for stand-alone clients and servers is "10"

* Unit: the value n means 2^n seconds

* To make changes to this entry effective, at the command line, type:

w32tm /config /update

MaxPollInterval

Domain controllers: 10 (17.1 min.)

Domain members: 15 (9.1 hr.)

 


Setting how often the clock syncs

 

Registry location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

SpecialInterval

SpecialInterval = 0x1

Appending 0x1 to the server entry in NtpServer tells W32Time to use the registry value "SpecialPollInterval" instead of the automatic MinPollInterval ("0xA") and MaxPollInterval ("0xF").

SpecialPollInterval

Default: 604800, Unit: second

Example 1: sync the time every 3600 seconds

net stop w32time

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="time.google.com,0x1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:00000e10

net start w32time

Remark

  • 0x01 SpecialInterval
  • 0x02 UseAsFallbackOnly
  • 0x04 SymmetricActive
  • 0x08 Client

Example 2: polling with MaxPollInterval and SpecialPollInterval

# Do not append "0x1" after the server name

net stop w32time

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="time.google.com"

net start w32time
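
The NtpServer flag and poll-interval rules from this section, as an added PowerShell example (not code from the original page). The helper name Get-NtpPeerPolling is hypothetical, and the MinPollInterval/MaxPollInterval defaults are the domain-member values quoted in the Status section.

```powershell
# Added example: decode an NtpServer value and report how each peer is polled.
# Flag bits and names are the ones listed in the Remark above.
$NtpPeerFlagNames = @(
    @{ Bit = 0x01; Name = 'SpecialInterval' }
    @{ Bit = 0x02; Name = 'UseAsFallbackOnly' }
    @{ Bit = 0x04; Name = 'SymmetricActive' }
    @{ Bit = 0x08; Name = 'Client' }
)

function Get-NtpPeerPolling {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $NtpServer,   # Parameters\NtpServer
        [int] $SpecialPollInterval = 604800,          # TimeProviders\NtpClient, seconds
        [int] $MinPollInterval = 10,                  # Config, 2^n seconds
        [int] $MaxPollInterval = 15                   # Config, 2^n seconds
    )
    # Peers are space delimited; each may carry ",0x<flags>".
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $peer, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [Convert]::ToInt32($flagText, 16) } else { 0 }
        $names = $NtpPeerFlagNames |
            Where-Object { $flags -band $_.Bit } |
            ForEach-Object { $_.Name }
        if ($flags -band 0x01) {
            $polling = "fixed, every $SpecialPollInterval s (SpecialPollInterval)"
        } else {
            $min = [math]::Pow(2, $MinPollInterval)
            $max = [math]::Pow(2, $MaxPollInterval)
            $polling = "variable, $min s to $max s (MinPollInterval/MaxPollInterval)"
        }
        [pscustomobject]@{
            Peer      = $peer
            Flags     = '0x{0:x}' -f $flags
            FlagNames = $names -join ','
            Polling   = $polling
        }
    }
}

# Constructed sample values, taken from Example 1 and Example 2 above.
Get-NtpPeerPolling -NtpServer 'time.google.com,0x1' -SpecialPollInterval 3600
Get-NtpPeerPolling -NtpServer 'time.google.com'

# On a live machine, pass the real registry value instead, for example:
# $k = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# Get-NtpPeerPolling -NtpServer (Get-ItemProperty "$k\Parameters").NtpServer
```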

 


Related registry keys

 

HKLM\SYSTEM\CurrentControlSet\services\W32Time\Parameters

# Sets which server to sync time with

NtpServer                      # String

HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config

MaxPollInterval

Hex (Value "a" ~ 17min)

 


Time source in an AD domain

 

In a domain environment, the time source is provided by the PDC

PC <--- DC <--- DC (PDC emulator ) <--- forest root DC (PDC emulator ) <---  Internet time source

Find out which machine is the PDC

netdom query fsmo

Remark

Netdom is a command-line tool that is built into Windows Server 2008.

Server 2003 SP2

domain to monitor

To configure a domain controller in the parent domain as a reliable time source:

w32tm /config /reliable:yes /update

monitor

# domain to monitor

C:\>w32tm /monitor

ns1.mydomain *** PDC *** [10.0.203.21]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from ns1.mydomain
        RefID: 'LOCL' [76.79.67.76]

P.S.

The default time.windows.com for XP and Server 2003 no longer exists (20130710)

 


GPO

 

The allowed time skew can be configured using the "Maximum tolerance for computer clock synchronization" GPO setting

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy

It determines the maximum time skew (in minutes) that Windows will tolerate between client and server clocks in a Windows Kerberos environment. The default is 5 minutes.

Setting the time skew too high creates a higher risk for replay attacks.
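
One way to check domain clocks against this tolerance, as an added PowerShell example (not from the original page): it parses output in the `w32tm /monitor` format shown in the AD domain section. The function name Test-MonitorSkew, the half-tolerance warning level and the sample hosts are assumptions.

```powershell
# Added example: grade `w32tm /monitor` offsets against the Kerberos skew tolerance.
function Test-MonitorSkew {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $MonitorOutput,
        [double] $MaxSkewMinutes = 5,    # Kerberos policy default from this page
        [double] $WarnFraction = 0.5     # assumption: warn at half the tolerance
    )
    $limit = $MaxSkewMinutes * 60
    $hostName = $null
    foreach ($line in $MonitorOutput) {
        if ($line -match '^(?<host>\S+).*\[[^\]]+\]:\s*$') {
            $hostName = $Matches.host    # unindented "name [address]:" starts a host block
        } elseif ($hostName -and $line -match '^\s+NTP:\s*(?<rest>.*)$') {
            $offset = $null
            $state = 'NODATA'            # NTP line that carries no numeric offset
            if ($Matches.rest -match '^(?<off>[+-]?\d+\.\d+)s offset') {
                $offset = [double]$Matches.off
                $abs = [math]::Abs($offset)
                $state = 'OK'
                if ($abs -ge $limit * $WarnFraction) { $state = 'WARN' }
                if ($abs -ge $limit) { $state = 'FAIL' }
            }
            [pscustomobject]@{ Host = $hostName; OffsetSeconds = $offset; State = $state }
        }
    }
}

# Constructed sample in the /monitor format shown on this page (not real hosts).
$sample = @'
dc01.example.test *** PDC *** [192.0.2.10]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc01.example.test
        RefID: 'LOCL' [76.79.67.76]
dc02.example.test [192.0.2.11]:
    ICMP: 1ms delay.
    NTP: -187.4012345s offset from dc01.example.test
        RefID: dc01.example.test [192.0.2.10]
dc03.example.test [192.0.2.12]:
    ICMP: 0ms delay.
    NTP: +412.9000000s offset from dc01.example.test
        RefID: dc01.example.test [192.0.2.10]
'@ -split '\r?\n'

Test-MonitorSkew -MonitorOutput $sample

# On a domain-joined machine: Test-MonitorSkew -MonitorOutput (w32tm /monitor)
```

The offsets reported by /monitor are relative to the PDC, so two hosts drifting in opposite directions can be further apart from each other than either value suggests.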

 


How do I force all clients in domain to synchronize time remotely

 

Use a startup script containing:

w32tm /config /syncfromflags:domhier /update

;After that you have to run:
net stop w32time
net start w32time

 


Example

 

# Set the NTP source on the DC

w32tm /config /syncfromflags:manual /manualpeerlist:"time.google.com" /reliable:yes /update

# Apply the setting

net stop w32time
net start w32time

# View the current settings

w32tm /query /status

# AD output

Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0379524s
Root Dispersion: 51.6594092s
ReferenceId: 0xD8EF2304 (source IP:  216.239.35.4)
Last Successful Sync Time: 12/17/2018 12:45:07
Source: time.google.com
Poll Interval: 6 (64s)

# DC Member output

Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0408734s
Root Dispersion: 0.1270583s
ReferenceId: 0xC0A85064 (source IP:  192.168.80.100)
Last Successful Sync Time: 12/17/2018 3:14:46 PM
Source: ad01.local
Poll Interval: 8 (256s)

 


Spike

 

LargePhaseOffset

Specifies that a time offset greater than or equal to this value, in units of 10^-7 seconds, is considered a spike.

A network disruption such as a large amount of traffic might cause a spike.

The default value on domain members is 50000000.

HoldPeriod

Controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly.

A spike is a time sample indicating that time is off a number of seconds, and is usually received after good time samples have been returned consistently.

The default value on domain members is 5. The default value on stand-alone clients and servers is 5.

SpikeWatchPeriod    

Specifies how long, in seconds, that a suspicious time offset must persist before it is accepted as correct.

If the client gets into the SPIKE state, it does not sync its time.

 


Registry Setting - MaxPosPhaseCorrection and MaxNegPhaseCorrection

 

Specifies the largest positive (MaxPosPhaseCorrection) or negative (MaxNegPhaseCorrection) time correction, in seconds, that the service makes.

If the service determines that a change larger than this is required, it logs an event instead.

The default value for domain members is 0xFFFFFFFF.

The default value for stand-alone clients and servers is 54,000 (15 hrs).

 


Registry Setting - MaxAllowedPhaseOffset

 

Specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate.

When the offset exceeds this value, W32Time sets the computer clock directly. The default value for domain members is 300.

The default value for stand-alone clients and servers is 1.

 


Other

 

# To synchronize the DC's current system time with an external time server

W32tm /resync /computer:time.windows.com /nowait

# To force a computer to synchronize its time with a specific DC

net time \\<DC_name_or_IP> /set /y

 


 

 
