
Co-exist with W32Time

    The information on this page applies to
    Domain Time II Version 4.1

    For information that applies to older versions of Domain Time II,
    see the Co-Existing with Windows Time - Older Versions page.

      Versions of Windows starting with Windows 2000 come with a basic built-in time synchronization service called the Windows Time service (W32Time), intended primarily to synchronize time on machines close enough for Kerberos login authentication to work. Although it cannot compete with Domain Time II's capabilities (see the Issues with Windows Time page), Windows Time is implemented in such a way that it cannot always be disabled. This page discusses how Domain Time II co-exists with Windows Time in order to provide maximum performance while keeping complete compatibility with Windows operations.

    Conflicts of Interest


    Although most Windows applications operate correctly whether or not the Windows Time service is running, some machines in special roles, such as Domain Controllers on Active Directory domains, or Cluster Servers, need to have the Windows Time service running even if it's not managing the system clock. These machines check at startup or during certain operations to see if Windows Time is running, but they don't directly use it to obtain or provide the time. This simple-minded approach to verifying the clock causes complications when installing a third-party time service because there's no mechanism for telling the operating system that the clock is being managed by something other than Windows Time.

      Letting two time services manage the system clock simultaneously results in conflicts and unpredictable behavior. There are workarounds, however, that let the Windows Time service run but prevent it from (mis)managing the system clock. During installation, Domain Time II automatically makes these adjustments to the default operation of Windows Time in order to co-exist harmoniously with it.

      The good news is that under most circumstances, you can just install Domain Time II on all of your machines and let Domain Time II handle the complexity for you. We highly recommend this approach.

      However, if you will be running some machines with Domain Time II and others using only Windows Time, then you need to understand the information on this page in order to make intelligent configuration decisions for your time-distribution hierarchy.

    Windows Time service basics



    Each version of Windows since Windows 2000 has the Windows Time service, but each version has a different flavor of it. The methods of controlling Windows Time, of verifying its operations, and even triggering a synchronization vary by operating system.

      This discussion focuses on the interaction of Domain Time II 4.x and the Windows Time service as implemented on Windows XP/2003/Vista/Win7/2008/Win8/2012. For information about older versions of either Domain Time II or Windows Time/W32Time, please see the Older Versions page.

      The Windows Time service has two basic capabilities: NTP Time Server and NTP Time Client.

      • NTP Time Server
        Responsible for providing signed or unsigned time to other machines. If enabled, it requires ownership of port 123/UDP, preventing any other process from serving time via NTP.

      • NTP Time Client
        Responsible for obtaining the time from another machine and managing the system clock. If enabled (even when set to "NoSync" mode), it requires ownership of port 123/UDP, preventing any other process from serving time via NTP.

      These two functions are mostly independent of each other. That is, the NTP Time Client can be configured to obtain the time without having the NTP Server enabled. Conversely, the NTP Server function can be enabled while the NTP Client is disabled.

      Windows Time's default ownership grab of port 123/UDP causes problems for any third-party time provider trying to co-exist with Windows Time. Even if the Windows Time NTP Time Server is disabled, the third-party program can't provide time via NTP as long as the NTP Time Client is enabled. If the NTP Time Client is disabled, the NTP Server may refuse to serve time, even if another program is managing the local clock.

      The sensible approach is to shut off the Windows Time service entirely, and let the third-party program manage everything. However, this approach causes problems for machines that expect to have the Windows Time service running such as domain controllers and cluster servers. In particular, by default, domain members using Windows Time to synchronize with domain controllers require Windows Time's NTP Server be running on the DCs. Please see below for more details about Active Directory server requirements and the NT5DS time mode.

      Conflict Resolution
      In order to resolve the problems discussed above, it is necessary to make changes to the default behavior of Windows Time. Fortunately, there are ways to configure Windows Time to allow Domain Time to function correctly even when the Windows Time service is running.

      Windows 2000 has a mode called "NoSync" which lets the NTP Client portion of Windows Time continue running, but prevents it from owning port 123/UDP or managing the system clock. XP and above still have a "NoSync" mode, but the XP-style of "NoSync" keeps ownership of port 123/UDP and monkeys with the system time adjustment even though it isn't managing the clock. Fortunately, on XP and above the NTP Client can be completely disabled even though the Windows Time service itself is still running.

      Windows 2000 Domain Controllers always serve NTP time if the Windows Time service is running. There is nothing equivalent to the NTP Client's "NoSync" mode for the NTP Server on Windows 2000. It is not possible, therefore, to run a third-party NTP server on Windows 2000 without disabling the entire Windows Time service. On XP and above, the NTP Server portion of Windows Time can be either enabled or disabled independently of other settings.

    Domain Time Installation Defaults


    During installation and at every service startup, Domain Time II inspects the system and makes sure that the Windows Time configuration is compatible with what the administrator wants. By using various combinations of Sync/NoSync/enabled/disabled for Windows Time components, Domain Time II permits the Windows Time service to keep running for compatibility purposes without sacrificing the advanced high-accuracy features of Domain Time II.

      During installation, Domain Time II Servers and Clients will configure Windows Time in the following manner:

      Note: In these tables "Enabled/Disabled" only refers to the internal client or server function of Windows Time, not to the overall startup setting for the Windows Time Service (Automatic/Manual/Disabled) in the Windows Services Database.

      Domain Time II Server on Windows XP/2003/Vista/Win7/2008/Win8/2012

      | w32time Function | Conditions | Actions Taken |
      |---|---|---|
      | NTP Client | If Domain Time II Server is set to get time from external sources: | • Windows Time's NTP Time Client is disabled and also set to NoSync mode. |
      | | If Domain Time II Server is not set to get time from external sources: | • Windows Time's NTP Time Client's sync mode and status is not changed. When Domain Time II is told that another process should obtain and manage the clock, it assumes that this is true, but has no way to know if Windows Time, a hardware clock driver, or another third-party product is managing the clock. Therefore, Domain Time II does not change how Windows Time's NTP Time Client is set. |
      | NTP Server | If the machine is a Domain Controller (or otherwise marked as a reliable time source): | • Windows Time's NTP Time Server is enabled and marked as a reliable time source |
      | | | • Domain Time II Server's NTP Time Server is disabled |
      | | Other machines: | • Windows Time's NTP Time Server is disabled |
      | | | • Domain Time II Server's NTP Time Server operates as configured on its control panel applet |

       

      Domain Time II Server on Windows 2000
      | w32time Function | Conditions | Actions Taken |
      |---|---|---|
      | SNTP Client | If Domain Time II Server is set to get time from external sources: | • Windows Time's NTP Time Client is set to NoSync mode |
      | | If Domain Time II Server is not set to get time from external sources: | • Windows Time's NTP Time Client sync mode is not touched |
      | SNTP Server | If the machine is a Domain Controller or Cluster Server (or otherwise marked as a reliable time source): | • Windows Time's NTP Time Server is enabled and marked as a reliable time source |
      | | | • Domain Time II's NTP Time Server is disabled |
      | | Other machines: | • Windows Time's NTP Time Server is disabled |
      | | | • Domain Time II's NTP Time Server operates as configured on its control panel applet |

       

      Domain Time II Clients (Full, Thin, and Ultra Thin)
      | Windows Time Function | Conditions | Actions Taken |
      |---|---|---|
      | NTP Client | On Windows XP/2003/Vista/Win7/2008/Win8/2012 machines: | • Windows Time's NTP Time Client is disabled and also set to NoSync mode * |
      | | Other Machines: | • Windows Time Client is set to NoSync mode |
      | NTP Server | All machines: | • Windows Time Server is not touched |

      * On Full Client, the Windows Time Service is set according to the Windows Time Startup setting on the Advanced tab of the Control Panel applet. By default, this is set to Disabled. If you are running Full Client on a Domain Controller or Cluster Server, you should change this setting to NoSync.

       

      Domain Time II Windows Time Agent
      As of version 4.1, Domain Time II includes a special utility called the Windows Time Agent that allows you to configure the behavior of the Client and Server functions of the Windows Time service easily. It also provides many other features to assist you with Windows Time, such as drift reporting, graphing, variance reports, logging and more. The Windows Time Agent is installed by default with any Domain Time II Server or Client, or it can be installed as a stand-alone applet on any Windows XP/2003/Vista/Win7/2008/Win8/2012 machine. You may also use the Windows Time Agent as a control panel applet for Windows Time on Windows 2000 machines, but the agent functionality will be disabled.

      The Windows Time Agent is free and does not interfere with the operation of Windows Time. You should install Windows Time Agent on every machine running the Windows Time Service that does not have Domain Time Client or Server installed (you can use Domain Time II Manager to do this to many machines at once). You can use Agent to easily check the configuration of Windows Time, and verify that it is operating correctly. You can also use Domain Time II Audit Server to alert you if your Windows Time machines are not synchronizing.

     

    Domain Time II on Active Directory machines

    We strongly recommend that you install Domain Time II on all of your machines (Domain Time II Server on Domain Controllers and Domain Time II Clients on all other machines). Domain Time II is finely-tuned to provide high-accuracy, reliable, audited time distribution. Using Domain Time II ensures that your network time will always be accurate and robust.

    However, if you plan to use Domain Time to synchronize only your Domain Controllers, and continue using the Windows Time service to synchronize your other machines, there are complications and accuracy problems you need to be aware of and account for.

    This section describes how Domain Time II integrates with Active Directory Domain Controllers and Clients when there are Active Directory clients present on the network instead of Domain Time II Clients.

      Active Directory Clients and NT5DS mode
      By default, the Windows Time service on member machines of an Active Directory domain is set to a special sync mode called NT5DS mode. This mode sends a specially-signed NTP time request to Active Directory Domain Controllers and it rejects any time response that does not include a comparably-signed reply. This means the NT5DS mode is incompatible with any NTP server other than a Windows Time server on a DC.

      If you will be using Windows Time Clients on your network in the default NT5DS mode, Domain Time II Server on Domain Controllers must be installed so that it allows the Windows Time service to respond to NTP requests (this is the default, see below). Although this ensures compatibility, using Windows Time in this mode is problematic and inaccurate, so you should consider changing the sync mode of your Windows Time clients to NTP (good), AllSync (better), or install Domain Time II Client (best).

      Domain Controllers
      By default, the Windows Time service on Active Directory Domain Controllers will attempt to operate as an NTP server. This presents potential conflicts with Domain Time II Server, since only one program can own the NTP port 123/UDP at a time. If both services are running on a Domain Controller, either the Windows Time NTP Server function or Domain Time's NTP server function must be disabled.

        To provide compatibility with Active Directory clients in NT5DS mode (see above), Domain Time II Server on a Domain Controller will by default:
        1. disable its own NTP Server function.
        2. ensure the NTP Server function of Windows Time is enabled.
        3. set the NTP Client mode of Windows Time to NoSync.

          In this default configuration, the Windows Time service will only respond to NTP time requests. Domain Time II Server will:
          1. obtain the time from its time source(s) and manage the system clock.
          2. respond to all time protocol requests except NTP.
          3. participate correctly in the Domain Time II time hierarchy.

          Important Note:
          The NET TIME /setsntp command should not be used on a Domain Controller or Cluster Server, since this changes Windows Time Client from NoSync back to NTP sync mode, causing a conflict with Domain Time II. See KB2001.002 for more information. Domain Time II Server can be set to force the W32Time State to NoSync to avoid this issue. See the Advanced tab of Domain Time II Server for more info.

          Use the Domain Time II Windows Time Agent control panel applet to make changes to Windows Time instead of using NET TIME or the w32tm.exe utility.


           

          Changing Active Directory machines to use Domain Time II NTP Services

          Since the Windows Time service is not particularly accurate, the NTP performance of a Domain Controller in the default configuration can only be as accurate as the Windows Time service itself. The inaccuracy of Windows Time will negatively affect the accuracy of both Windows Time clients and any other machines that synchronize with the DC using NTP (such as routers, Linux or Unix machines, etc.).

          A much more accurate option is to disable the NTP Server function of Windows Time on Domain Controllers and enable the NTP Server function of Domain Time II Server instead. IMPORTANT: This configuration change requires that any Windows Time clients using the NT5DS sync mode be changed to NTP Client (or AllSync) mode instead.

          Make the NTP Client change first on Client Machines:

            If you only have a few client machines, you can use Windows Time Agent to enable NTP Sync mode on each Windows Time client machine on the network, specifying the Domain Controllers as the time source(s):

            [Figure: Enable NTP Sync mode of the Windows Time Client]

            If you have a larger network, you will want to configure a Group Policy to enforce the correct Windows Time NTP Client settings on all domain members. Note that this Windows Server 2003 policy setting is only compatible with XP and above. Check the Windows documentation for setting domain-wide Windows Time NTP Client policies on Windows 2000 systems. (You can also export the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time registry key from a properly configured machine to a .reg file and then import it on other systems.)

            1. Start MMC (type MMC into the Start --> Run Open: box)
            2. Load the Group Policy Object Editor (File --> Add/Remove Snap-In)

              [Figure: Adding the Group Policy Object Editor to MMC]

            3. Use the Browse button in the Group Policy Wizard to select the Default Domain Policy for your domain.

              [Figure: Browse for the Default Domain Policy]

            4. Drill down the Default Domain Policy tree to the Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers policy. Double-click the Enable NTP Client item to bring up the Enable Windows NTP Client Properties window. Select Enable.

              [Figure: Enable the Windows Time NTP Client Policy]

            5. Then, set the name of a Domain Controller on the Configure Windows Time Client policy page:

              [Figure: Configure the Windows Time NTP Client Policy]

          Next, make the NTP protocol changes on all Domain Controllers:

          Pull up the Domain Time II Server control panel applet and enable the NTP protocol. This will also automatically turn off the Windows Time NTP Server.

          [Figure: Enabling the NTP protocol in Domain Time II Server]

          You'll be asked to confirm the change:

          [Figure: Confirm the change to the NTP protocol]

          You can also verify that the Windows Time Server is disabled by pulling up the Windows Time Agent:

          [Figure: Disabling the Windows Time Server]

          Be sure to check the Domain Time II Server logs and the Windows Time Agent on your Windows Time Clients to be sure they are synchronizing correctly after making the above changes.
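
          The checks implied by the Domain Controller defaults and by the NT5DS migration above can be run offline against the .reg exports this page mentions. This is an added example, not Greyware's code: it assumes the XP-and-later W32Time value names (Parameters\Type, TimeProviders\NtpClient\Enabled, TimeProviders\NtpServer\Enabled), a constructed sample export, and a hypothetical caller-supplied flag dt2_serves_ntp, since Domain Time II's own setting is not in the W32Time key.

```python
import re

# Constructed sample: excerpt of a regedit export of the W32Time key from a
# Domain Controller after someone ran NET TIME /setsntp (Type flipped to NTP).
# Real exports are UTF-16; decode before passing the text in.
SAMPLE_DC = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
"NtpServer"="time.example.test,0x1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
"""

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                    r"\\W32Time(?:\\(.*))?\]$", re.I)
VAL_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Map (subkey, value name), both lower-cased, to an int or str."""
    values, sub = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)          # keys outside W32Time are ignored
            sub = (m.group(1) or "").lower() if m else None
        elif sub is not None and (m := VAL_RE.match(line)):
            name, dword, string = m.groups()
            values[(sub, name.lower())] = int(dword, 16) if dword else string
    return values

def audit(text, role, dt2_serves_ntp):
    """role is 'dc' or 'member'. dt2_serves_ntp (hypothetical, caller-supplied)
    says whether Domain Time II Server's NTP protocol is enabled on the DC(s)."""
    reg = parse_reg(text)
    sync = str(reg.get(("parameters", "type"), "")).lower()
    w32_server = reg.get((r"timeproviders\ntpserver", "enabled"), 0) == 1
    findings = []
    if role == "dc":
        if sync != "nosync":                      # W32Time may manage the clock too
            findings.append("client-not-nosync")
        if w32_server and dt2_serves_ntp:         # both want port 123/UDP
            findings.append("two-ntp-servers")
        if not w32_server and not dt2_serves_ntp:
            findings.append("no-ntp-server")
    elif sync == "nt5ds" and dt2_serves_ntp:      # member expects a signed W32Time reply
        findings.append("nt5ds-needs-w32time-server")
    return findings
```

          On the sample export, audit(SAMPLE_DC, "dc", False) reports client-not-nosync, the state the Important Note above describes after NET TIME /setsntp.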

         

      Domain Time II Software distributed by Microsemi, Inc.
      Documentation copyright © 1995-2024 Greyware Automation Products, Inc.
      All Rights Reserved
      All Trademarks mentioned are the properties of their respective owners.