Added Authenticode signing to all executables. Several minor fixes and enhancements, mostly for
consistency in displays or behavior. Several PTP improvements. One fix for Windows Time compatibility.
Added ability for DTDrift to convert binary to text from the command line. Update if you experience
any of the problems described, or if you'd like the new behavior.
Control Panel applet
Added domain number to the "Allow this machine to become a PTP Master server" line of
the Master Configuration dialog (DTServer only). Also added profile type(s) and delay measurement
transport type(s) that will be supported. These values are drawn from the main PTP configuration page,
and presented on the Master Configuration dialog to help admins understand what values will take effect
if the node becomes a master. See DTServer below.
Fixed several small inconsistencies in PTP variables between the Control Panel
applet and DTServer/DTClient. This helps ensure that admins can't use the CPL to set values that
the service will override.
Added validity check on the list of acceptable masters on the main PTP configuration
Changed the effects of the Reset to Defaults button on the Broadcasts and Multicasts
tab to set the multicast IPv4 TTL and IPv6 Hop Count to 4, to conform with the change in defaults introduced in
Allowed PTP management error responses to queries sent to all domains.
Added support for 0xDEEE "AllowedMasterList" PTP management message query.
Changed all Peer-to-Peer multicasts to have a TTL of 1, regardless of TTL
used by other multicasts. This is to conform with IEEE 1588-2008 requirements.
Removed spurious warning about not being able to determine a PTP master's
delay mechanism when using Peer-to-Peer without auto-detect enabled. The warning was a side-effect
of believing the auto-detect mechanism had failed when in fact it was never invoked.
Increase speed and reliability of profile and delay auto-detect routines.
Inlined a few critical PTP-related computations, and also changed them to
use bit-shifting instead of multiplication/division or exponentiation.
DTServer: Enforced profile type and delay measurement transport type when functioning
as a PTP master as well as when functioning as a PTP slave. Our recommendation continues to be to use Auto-Detect unless
you have a very good reason to change.
Auto-Detect: Both End-to-End and Peer-to-Peer supported, either unicast or multicast
End-to-End Default Profile: Only End-to-End supported, either unicast or multicast
End-To-End Enterprise Profile: Only End-to-End supported, only unicast
Peer-To-Peer Default Profile: Only Peer-to-Peer, either unicast or multicast
Disable Link Delay Measurement: No delay requests generated by slaves, or responded to by masters
DTServer: Changed default value (for new installations, or when the Reset to Defaults
button is clicked) of radio button introduced in 5.2.b.20171113 on the PTP Master configuration dialog to
have the reply to a CurrentDS management query tell the truth. This only affects the response to
a CurrentDS query when DTServer is acting as a PTP master.
Added checkbox on PTP advanced properties labeled "Reply to source port of unicast requests instead of port 320."
IEEE 1588-2008 is ambiguous about whether replies to management messages should be sent to the PTP "General" port 320, or
to the requesting node's source port. The informal convention among manufacturers is to direct all management responses
to port 320, whether the request was unicast or multicast. This checkbox tells Domain Time whether to follow the informal
convention for unicast requests (i.e., send the reply to the requestor's IP address, port 320), or whether to follow the
convention used by most other protocols (i.e., send the reply to the requestor's IP addess and source port). Most PTP programs
resolve the ambiguity by sending requests from port 320, thus ensuring that no matter which convention is followed, replies
will return to port 320. Some programs, however, use ephemeral ports for unicast management
queries. Check this box only if you experience interoperability problems with third-party programs that send management
requests using ephemeral source ports.
Changed the delay request timer to be pseudo-randomized so that delay requests are
not sent exactly on the tick. The range is 75% to 125% of the nominal delay request interval. For example,
if the delay request interval is set to once every two seconds, delay requests will be sent no more often than
every 1.5 seconds, and no less often than every 2.5 seconds, with the mean over time coinciding with 1 second.
Decoupling the delay requests from the PPS timer helps reduce the concurrency of delay requests
from multiple machines hitting the network (and therefore the grandmaster) at the same time on
each tick of the protocol.
Changed evaluation of NTP reply when coming from Windows Time on a Windows DC version 2012r2 or above,
and when the domain/forest level is 2012r2 or above. Microsoft changed the behavior of the Windows Time
reply to include a value in the Key Identifier field. Prior versions of MS-SNTP required the reply's Key Identifier
field to be zero in the 68-byte version of an NTP reply.
clients must now ignore the Key Identifier field. (In practice the value now filling the field is the
requesting client's RID.)
Improved detection of duplicate PTP portIdentities on the network.
Improved detection of VM resume from saved state, and added extra debug output in the
in the Clock Sync Status Notices category.
Changed PTP to the listening state upon power resume or VM resume from saved state.
Extended text log lazy write to include syslog. If checked, syslog messages will be
saved and sent at each flush interval.
Added checkbox "Send each PTP data point to syslog (trace or debug level only)" to the
syslog configuration page. If checked, and if the syslog level is set to either trace or debug, then each
PTP data point will be sent to syslog. The format is "PTP sample offset ±0.0000000, mpd 0.0000000, source ipaddress"
where 0.0000000 is that sample's delta and the current meanPathDelay. Syslog log collectors may parse for
trace-level messages beginning with "PTP sample offset" to categorize these messages. Caution: Enabling this
output can create a large number of syslog messages. This option was added for those using syslog to collect
Added support for permissions changes on Win10 regarding querying services.
DTAudit: Added Stand-By replication for Archives subfolder(s) under Synchronization Logs main folder.
DTAudit: Added Stand-By replication for Real-Time Alerts history folder.
DTAudit: Fix for initial Stand-By replication not starting on schedule.
DTAudit: PTP node status change notices in the Audit Server text log file are now info or warning
level instead of trace. If info level, the level column label will be "Status:" instead of "Info:" to help with
log-parsing. Notices referring to PTP master changes (online, upgrade, degrade, or leap change) will begin with "PTP Master,"
while other messages will begin with "PTP Node," in each case followed by the portIdentity and IP address. Note that a master
going offline, or transitioning to slave, will generate a warning. A PTP master coming online or changing its timeQuality
will generate a status notice.
Manager: Added two checkboxes to the Manager interface dialog to control auto-closing of
DTReader (Audit Viewer) and DTDrift (drift graph viewer) when Manager exits. In prior versions, Manager did not
attempt to close instances of DTReader or DTDrift. Manager now closes them at exit. To regain the former behavior,
uncheck the box(es).
Manager: Added checkbox "Send info-level syslog message about each slave after sweeps" to the PTP
Monitor configuration dialog. If checked, data pertaining to each tracked PTP slave is sent (info-level) to syslog
after each sweep. You must have Audit Server's syslog level set to Info for these messages to be sent.
Manager: Added "Open Containing Folder" for Real-Time Alert history folder.
Manager: Added drift files from archives subfolders to list of Synchronization Logs.
Manager: Added Real-Time Alert history folder to Advanced/Data Folders dialog. Changed file data
relocation to be recursive (because drift files may now have Archives subfolders). Changed behavior to stop Audit
Server briefly while files are being relocated.
Manager: Added F5/Refresh for PTP Nodes on Stand-By (shows most recently-replicated data). Also
disabled F5/Refresh and PTP node display on Stand-By when the primary node's PTP Monitor is turned off.
Manager: Changed "Domain Time II Machines" and "NTP Servers" to "Domain Time Nodes" and
"NTP Nodes" respectively. This change only affects displays on Manager, and was introduced at the request of
several customers who found the former labels confusing.
Customer request: Added confirmation notice when disabling an Audit Server alert type
by unchecking the menu item.
Customer request: Added syslog output from Audit Server. You may set up to eight IPv4 or
IPv6 addresses, and choose either RFC 3164 or RFC 5424 format.
Manager: Added "NanoServer" or "ServerCore" to platform type display as appropriate.
Manager: Added a pair of radio buttons to the PTPMonitor configuration dialog so you may choose
to accept a grandmaster at face value if it claims zero stepsRemoved from a primary time source such
as GPS/GNSS. If "Assume Grandmasters with stepsRemoved of 0 have zero deltas" is selected, each master's
delta will not be measured against the local clock, and will show as 0 µs. This is the correct behavior
according to IEEE1588-2008 Table 13. The other option, "Measure all Grandmasters to discover deltas
(estimate ±150µs)," tells PTPMonitor to observe the Sync/Follow-up messages and estimate
each master's delta by comparing it against the local clock, accounting for measured E2E or P2P latency.
The computation of the master's delta is only an estimate because PTPMonitor only observes packets and
does not attempt to syntonize or synchronize with any particular master. It may be following multiple
masters in several domains simultaneously. Previous versions of Domain Time Audit Server always attempted to measure the
deltas, leading to some confusion among admins who expected a grandmaster to be at least as accurate as a
slave and did not realize that master deltas were estimates. The new default is to assume grandmasters are
telling the truth, provided they report stepsRemoved as zero. You may regain the former behavior by choosing
the second radio button. Note that masters that claim stepsRemoved of non-zero are always measured against
the local clock, yielding estimated deltas.
Added support for permissions changes on Win10 regarding querying services.
Synchronization Logs (drift graphs)
Added ability to show sub-seconds when displaying the average interval between samples.
This is useful when your PTP grandmaster is sending more than one sync packet per second and you are looking
at the PTP graph. Values greater than a few seconds will be shown as days, hours, minutes, and whole number of
Added -allowedmasters as an optional parameter to -ptplist.
If -allowedmasters is specified, DTCheck sends management message 0xDEEE instead of 0xDEEF. 0xDEEE returns the
list of acceptable masters.
Added option to filter results of -ptplist or -ptplist -allowedmasters. Use -ptplist
IpAddress or -ptplist hostname to limit output to just that one node. IpAddress may either be
a dotted-quad IPv4, or fully-formed IPv6 address.
Added "NanoServer" or "ServerCore" to platform type display as appropriate.
Added -resetClockId command. Use this if you have cloned your Domain Time
installation and discover duplicate PTP nodes. PTP requires that each node has a unique portIdentity; the clockIdentity
portion is normally created from the NIC's MAC address, but if you clone an installation without using -prepclone, the
clockIdentity will be duplicated.
Added support for permissions changes on Win10 regarding querying services.
Changed list displayed by Discovery Management Messages dialog to be sorted
by management messageId.
Added 0xDEEE "AllowedMasterList" to the list of management messages that can be sent.
The return value is "Any" if no restrictions are in place, or the list of IPs/CIDR masks/names considered
Added "NanoServer" or "ServerCore" to platform type display as appropriate.
Changed all Peer-to-Peer multicasts to have a TTL of 1, regardless of TTL used
for other types of message. This is to conform with IEEE 1588-2008 requirements.
Added auto-elevation for functions that need to access the symmetric secrets keyring. For
example, NTPCheck "mydc.example.com key windows" or NTPCheck "myserver key 1".
If the user does not have sufficient priveleges to access the keyring, the program will relaunch itself in
elevated mode (prompting for an admin username/password if required). The program already did this for
Changed default permissions on Domain Time II Alert Parameters registry key so that
settings are saved when run by a non-administrator.
<--04 Jan 2017-->Added command line parm -convert [-localtime] filespec.
-localtime is optional. If not supplied, UTC will be used.
filespec may be either a fully-qualified path and filename, or a path with *.dt (no other
file extensions are supported). If the path or filename has spaces, you must enclose it in
quotation marks. For exampe, dtdrift -convert "C:\Program Files\Domain Time II\Synchronization Logs\*.dt"
will convert each .dt file in the named folder to its .txt equivalent. The original .dt file is not
Changed synchronization log (drift graph) window to have a title bar with an icon and
system menu. The former appearance was a "toolbar" window containing only a caption.
Fix for inconsistent setting of the hasAllowedMasterList bit in reply to PTP management
messages 0xDEEF (DomainTimeProperties) and 0x201B (AcceptableMasterTableEnabled). In addition, version
5.2.b.20171113 interprets this bit incorrectly in DTCheck -ptplist and in PTPCheck's details display.
Version 5.2.b.20171113's output should be considered meaningless for this particular bit. Upgrade to
obtain consistent behavior in both setting the bit and in interpreting it.
See also addition of 0xDEEE PTP management message described in DTCheck and PTPCheck sections.
Changed display in places that show log2 values as 2^n, where n may range from
-128 to +127 (typically -7 to +7). The former behavior was to display n as 0xNN (two hex digits),
which was fine for positive values, but became confusing for negative values. In most places where a log2
value is displayed, the millisecond interval (or text saying pkts/sec) is also shown beside it. log2 values
are used by NTP and by PTP, and the values usually represent a frequency in seconds. 2^0 is 1 second, or 1000 ms;
2^1 is 2 seconds, or 2000 ms; and 2^-1 is half a second, or 500 ms, and so forth.
Changed various numeric displays and their parenthetical meanings to be the
same in all places.
Added "Patent Pending No. 62-597170" notice to various dialogs and text displays.
This software algorithm applies to DTServer, DTClient, Audit Server, PTP Monitor, DTCheck, and
PTPCheck, and may include other products in the future.
5.2.b.20171113 - Optional Upgrade
One important fix for an error introduced in 5.2.b.20170922. If you are using Domain Time II Monitor (DTMonitor) and
you downloaded between Sep 22nd and Sep 27th 2017, you should upgrade to obtain this fix. Otherwise, this release
is optional; upgrade if you want the new features.
Many minor changes, enhancements, and customer requests. Introduction of PTPCheck, a new utility program.
Fixed invalid memory access in DTMonitor's Control Panel applet. (Only affects version
5.2.b.20170922 downloaded between Sep 22nd and Sep 27th 2017.)
Changed "us" to "µ" or "µs" in logs, reports, and dialogs where possible. µ is
the lower-case Latin Mu character, representing microseconds.
New GUI-based utility program to scan/test PTP nodes for management message
handling. It is a single stand-alone executable, so it may be copied to various machines on
your network in order to compare views.
PTPCheck is installed to the system32 folder along with DTCheck and NTPCheck
during installation/upgrade of either DTClient or DTServer.
PTPCheck is installed to the Manager folder when management tools are installed/upgraded.
Control Panel applet
Added new page, PTP Masters, accessible from the PTP Stats page. The PTP
Masters page shows the same information available from DTCheck -ptpmasters,
but in a graphical format. The new PTP Masters page shows all current and former masters seen
by the selected node, whether being followed or not. A help button is available to explain why
a particular master is not being followed. In many cases, the Help dialog will not only explain
why a master isn't being followed, but offer to automatically adjust settings to allow the master.
Customer request: changed text-log-only trace messages (primarily the summaries of which
servers among a group are selected as time sources) to be forwarded to trace-level syslog output. Sources used
to correct the clock will be listed as Source *sourcename whereas sources not used will be listed as
Source -sourcename; reject reason.
Other warning messages regarding PTP status (such as running but not yet synchronized) are now
also forwarded to syslog. The former behavior was to send these messages only to the text log.
Added ability to use either IPv4 or IPv6 for syslog targets. The former behavior was limited to
IPv4 only. If you use a DNS name instead of an address literal, IPv4 will be favored over IPv6. For example,
if you use localhost as the target on a dual stack machine, the resolver will provide both 127.0.0.1
and ::1 as valid IP addresses corresponding to the localhost. Domain Time will choose the IPv4 version. To
force IPv6, use an IPv6 literal or a DNS name that only resolves to an IPv6 address.
Added support for RFC 5424
syslog format (UDP only). The TLS option for RFC 5424 is not supported. Prior versions of Domain Time
supported only RFC 3154. Syslog
messages are sent from an ephemeral port to the target port 514/udp.
Customer request: Added "Time Sample Errors as Warnings" (REG_SZ, default "False") to the
Changed default IPv4 TTL and IPv6 Hop Count from 1 to 4.
Changed registry security settings for symmetric keys to restrict access to SYSTEM and
the Administrators group.
When acting as PTP Master with a clockClass of 6 (Primary), DTServer now marks the TAI-UTC
offset valid only if it knows the TAI-UTC offset from prior contact with a primary source. If the TAI-UTC offset
if not known, DTServer clockClass 6 behaves like DTServer clockClass 248 (default) - serving UTC timestamps
marked as the ptpTimescale, with a utcOffset of zero. The net effect of this change is to make DTServer's
Announce messages unambiguous, mostly for the benefit of protocol analyzers, If the clockClass is 13 or 255,
DTServer's timestamps will be UTC, timeScale ARBitrary, with a utcOffset of zero. The drop-down on the PTP
Master configuration page has been updated to clarify which timeScale is used with which clockClass.
Cosmetic fix for dynamic domain statistics display updating incorrectly when admin changes
the default domain using the Control Panel applet, but the selected master does not change as a result (i.e.,
the previously discovered best master in a non-default domain remains the best master.)
Added two radio buttons to the PTP Master configuration dialog. The default choice is
compliance with IEEE1588-2008 Table 13 ("Updates for state decision codes M1 and M2"), which requires all
fields of the currentDS be set to zero. The second radio button allows Domain Time to tell the truth
about these values. The standard presumes that any clock that becomes a master is necessarily
connected directly to a primary time source (GPS/GNSS, atomic clock, etc.), and will always have stepsRemoved,
offsetFromMaster, and meanPathDelay of zero. This is obviously not always the case. For example, a master
relying on an NTP stratum 2 device is one step removed from a primary source, and it will have an
offset and a delay that are meaningful. Even if its source is an NTP stratum 1 (zero stepsRemoved from
a primary time source), it will still have a meaningful offset and delay. The choice (whether to follow the
standard and lie, or ignore the standard and tell the truth) only affects the reply to the CURRENT_DATA_SET
management query; it does not affect clock operation or the BMC algorithm.
Change simple syslog listener (DTCheck -syslog) to listen for both
IPv4 and IPv6 on port 514 using a single dual-stack socket. On XP/2003, dual-stack sockets are not supported,
so if you have IPv6 installed, only IPv6 messages will be seen; if you don't have IPv6 installed, only
IPv4 messages will be seen.
Added -yes to DTCheck's -leapfile command.
If specified, DTCheck will update Domain Time Client or Server with the current TAI-UTC offset derived
from the leap-seconds.list file. Without the -y, DTCheck will only report the information.
Added -ptplist command. This command only works with Domain Time
machines version 5.2.b.20171111 or later. It sends two multicast 0xDEEF management queries (one IPv4,
one IPv6), using an ephemeral source port directed to the IPv4/IPv6 PTP multicast addresses, with a
target port of 320. Replies will have a source port of 320, and a target port of whatever ephemeral
port the operating system has assigned. Your firewalls must allow this traffic in order for -ptplist to
work. The outgoing TTL is fixed at 64, and the boundary hop count is fixed at 8. All Domain Time nodes
within reach of the queries will respond, regardless of PTP domain number or portIdentity. Non-Domain Time
nodes will not reply. The text output from this command is a list of all visible PTP nodes running
Domain Time 20171111 or later, along with useful information about their configuration, current status,
and so forth. The list format designed to be parseable.
Added -ipv4 and -ipv6 switches for use with
either -ptplist or -syslog. The default is to use listen for
both IPv4 and IPv6 packets. If you specify -ipv4, only IPv4 packets will be displayed. If you specify -ipv6,
only IPv6 packets will be displayed. If you specify neither (or both), then both IPv4 and IPv6 packets
will be displayed.
Added PTPCheck to the Management Tools submenu (only shown if management tools are installed).
Allowed PTP Monitor to display management error messages (trace level).
Added PTPCheck to the Utilities menu.
Fix for PTP Monitor drift files occasionally having data point timestamps of zero.
Change for IPv4 broadcast discovery. Symptom: If you had IPv4 Broadcast Discovery enabled on
Manager's Network Discovery dialog, and had selected the Primary subnet only radio button, but had changed the
default broadcast address from 255.255.255.255 to a different broadcast address, Manager and Audit Server would
continue to use 255.255.255.255. This was reflected in the log. As of this version, Manager and Audit Server
will use the specified broadcast address instead of the default.
Change for NTPQ behavior when scanning list of known NTP servers. NTPQ will only be solicited
upon first adding an NTP server, or when a specific server is refreshed from Manager's list. NTPQ will be skipped
for Audit scans, startup scans, and refresh of the entire list. (NTPQ can provide additional information about
an NTP Server, e.g., its operating system and processor. Most organizations have disabled NTPQ due to security flaws
in ntpd's handling of control messages. The queries sent by Manager and Audit Server cannot result in amplification
attacks or other security violations.)
Exposed number of minutes between background drift collection on Synchronization Log dialog.
This was formerly a registry-only setting.
Added ability to collect NTP drift stats more frequently than the normal collection interval.
If background drift collection is enabled, you may now choose to collect NTP stats at the same interval as DT2
and PTP, or at a much shorter interval.
Changed Firmware column of PTP Monitor to reflect x86 or x64 accurately. Under certain circumstances,
an x86 machine could be reported as x64, even though the Hardware column correctly says Win32.
Synchronization Logs (drift graphs)
Changed the max number of records kept by Audit Server to 604800, enough for one
data point per second for one full week (just over 12MB of binary data). If you have disabled the
size limit for drift files, a file that grows larger than the maximum will be moved into an
"Archives/yyyymmdd" subfolder, and then the file restarted. A warning message will appear in Audit
Server's text log. If the file cannot be archived, an error message will appear in the text log and
the older data will be lost.
The graphical viewer for drift graphs will no longer open files larger than
Audit Server will no longer attempt to create textual versions of drift files
with more than 64K records (approximately 6MB). A warning message will appear in Audit Server's log.
Customer request: Added new bracket to the Clock Discipline breakout in the textual
version of all drift graphs, range 10-49 ms.
PTP Enterprise Profile
Internet Draft "PTP Enterprise Profile" has assigned an IETF profile ID of [00-00-5E-00-01-00] to the
still-developing Enterprise profile. Domain Time uses this profile number in response to management requests,
and in dialogs. For clarity, Domain Time refers to this profile as "End-to-End Enterprise Profile."
5.2.b.20170922 - - Optional Upgrade
Added SHA1 hash support for symmetric key authentication. Fixed a few inconsequential bugs. Added several customer requests
for additional capabilities. Added several other enhancements. Upgrade if you experience any of the problems described, or
if you want the new functionality.
Added support for SHA1 symmetric keys as well as MD5. This is primarily for FIPS 140-2 conformance.
SHA1 keys are always exactly forty hex characters (0-9 and A-F) long, producing a 20-byte binary key. MD5 keys are
ASCII text; different implementations of the NTP daemon have allowed different maximum key lengths. In general, an
MD5 key should be composed only from 7-bit ASCII-printable text, excluding space, tab, and the # character. MD5 keys
should be at least 8 characters long, and should not exceed 20 characters. Some versions of NTP daemons allow lengths
of 32, while others have a maximum of 8 or 16. You will need to choose MD5 keys that are interoperable with all of
your various devices and daemons.
SHA1 keys work with NTP, DT2-UDP, DT2-TCP, and DT2-HTTP, including NTP broadcast and DT2-UDP broadcast. Domain Time Servers
or Clients must be upgraded before they will recognize SHA1 entries as SHA1. Older versions of Domain Time will treat an
SHA1 hash like a very long MD5 key (which won't verify). Added "SHA1" or "MD5" to all logs (where possible) to indicate
the type of key used.
Customer request: Added /yes option to perform silent clean. The graphical interface
still shows, but the buttons are clicked automatically.
Customer request: Added option to send PTP Monitor E2E or P2P delay requests by multicast instead of unicast (to
help with hardware devices that don't support hybrid mode).
Customer request: Added option to send PTP Monitor follow-up messages by multicast instead of unicast. Use
this option only if your PTP nodes cannot reply to a unicast request. The default behavior of PTP Monitor is to "sweep" the
networking using mulitcast, then send individual follow-up messages to each node using unicast. Using multicast for follow-ups
may significantly increase network traffic.
Corrected long-standing misbehavior on Manager after installing to or upgrading a remote machine. The prior
behavior was to check that the remote machine's service had started and would reply to a DT2 query, but discard the contents of
the reply. The new behavior is to use the contents of the reply to update the Domain Time II Machines list with the
returned information (version, operating system, status, etc). This may lead to newly installed or upgraded machines showing
"NoSync" in the Alarm column. This is the correct status immediately after starting the service, because the machine, although up
and responding, has not yet synchronized its clock. Use F5 (or right-click and select Refresh) after installing/upgrading. This
change allows you to determine if a machine can or cannot obtain the time. A machine that persists in the "NoSync" state after
a few seconds likely is having trouble.
Added checkbox labeled "Log messages if Audit Server's log is in trace or debug mode" to
the PTP Monitor configuration dialog. If checked, and if Audit Server's log is set to either trace or
debug, Audit Server will log (trace level) all incoming and outgoing management message activity.
Customer request: Added checkbox "Show Non-Responding DT2 Machines" to Manager's View menu. If checked, the
Domain Time II Machines list will show both the results of the current scan and any known DT2 machines
in the cache. Machines from the cache that didn't respond to scan will show "Unknown" in the Alarm
column. Menus and DEL key handling updated to allow removal of machines from the Domain Time II
Machines list. Deleting from the Domain Time II Machines list is the same as selecting "Remove from Cache"
from the Domains and Workgroups list.
Changed the NTP list to show "Unknown" in the Alarm column if a machine does not respond to scan (to match the behavior
of DT2 machines). The NTP list always shows all NTP servers, whether they respond to a scan or not. This change
helps call your attention to machines that are not currently responding.
Deprecated "ReferenceProtocol" and "ReferenceServer" parameters from the Daily Report.
These are holdovers from version 4.1 and are not particularly meaningful. The full reference time, including
all of the sources, protocols, offsets, and strata used for an audit are listed at the top of the Daily Report
(in the comments) and in the main Audit log file as part of the audit summary. Since the reference time applies
to all machines audited, and may consist of multiple sources and protocols, it does not have a separate per-machine
Fix for symmetric key keyring not being pre-loaded for the Reference Time dialog if prior selection was "Use this machine's clock."
On the Help menu, added item for Version History, which opens a browser window to the complete product
history for Domain Time.
Fix for trace-level output from Audit Server regarding received PTP messages: Source and target portIdentities/IPs
were switched in the log output. This did not affect the program logic, but made the trace log difficult to interpret.
Changed behavior of Manager's startup scan (Options/Network Options/Scan Options) to honor the checkbox
for "If a known NTP server does not respond to startup scan, try to contact it directly." The former behavior was to ignore this
flag on startup, but honor it if you pressed F5 (or right-clicked and selected Refresh) while examining the NTP Servers
list. This may mean a longer startup time for Manager if your NTP machines cannot all be queried by broadcast/multicast.
You may uncheck the box to regain original startup speed. Added a new checkbox to the same dialog, "If a known NTP server
does not respond to F5/Refresh, try to contact it directly," which controls the behavior of NTP followups when viewing
the NTP list. You may still right-click/Refresh an individual NTP machine to update just that one machine's status. Note
that these changes do not affect Audit Server, which always sends follow-ups to unresponding machines.
Changed trace and debug logging to make it easier to identify rejected broadcast/multicast
Changed wording from "the server is not known" to "not on list of configured sources"
when ignoring an NTP or DT2 broadcast source.
Fixed case where a broadcast source was listed more than once with differing protocols
(for example, 172.16.30.30 trusted for NTP only, and the same IP also trusted for DT2-UDP only). Symptom: If NTP
was listed first, but a DT2 broadcast packet arrived (or vice versa), the packet would be rejected for not
matching the listed protocol.
Changed saved list of recent broadcast servers to discard any more than a month old. This list is
only used by the Control Panel applet when helping an admin choose from among recently-seen broadcasters.
Changed wording on CPL when entering an MD5 key from "The password secret is longer than
supported by all ntpd implementations" to "The password secret is too long for many older ntpd implementations."
The former wording suggested that no ntpd implementation would accept a long password, whereas the message
was meant to warn that not all will. The reference implementation of NTPv3 limits the length to eight characters,
whereas NTPv4 extends the length to 16 (http://doc.ntp.org/4.2.2/keygen.html).
Domain Time itself has never had an upper limit, and, in the wild, admins often use secrets with lengths of 20 or greater.
Added VM Guest detection for running as a VM under Amazon's AWS-EC2 hypervisor.
Customer request: Added Accept First PTP Timestamp (REG_SZ, default False) to Parameters
key. If set to True and if the first PTP timestamp received is unacceptable (outside allowed range), then the clock will be
STEPPED to match the first PTP timestamp received. Use of this setting is highly discouraged; it is there
solely for isolated systems without reliable CMOS clocks on the motherboard.
Customer request: Added Min Success Interval (seconds) to the Parameters key. This is a REG_DWORD
value. The default is 5. You should not change it.
Customer request: Domain Time no longer counts the first correction after service startup in
the cumulative drift counter. The first correction is often large, and not representative of the overall performance
of the machine over time.
Customer request: Server and Client now support multiple syslog targets. You may list up to eight
IPv4 addresses on the syslog server line. Separate targets with a space. For maximum backward compatibility
with older versions of Domain Time, avoid using a DNS name if you list more than one target. If all of
your machines have been upgraded, then you may use either DNS names or IPv4 addresses.
Fix for DT2-HTTP reporting "unauthenticated" regardless of whether a symmetric key or Windows
authentication was used. This problem only affected the log output, not whether authentication was used.
Added buffer size check when a Domain Time Server in master mode replicates settings to its slaves.
The buffer cannot overflow, and therefore cannot be exploited, but adding the size check ensures that responses
larger than the allowed buffer are not truncated mid-entry.
PTP: Added compensatory control for when a Domain Time Server is set to become a PTP master, but
PTP's "No Master Detect Timeout" is set to a number of seconds lower than required for the first time check to complete (e.g.,
2 seconds). Symptom: DTServer would remain in the PTP Listening state until a sync trigger was applied.
The default No Master Detect Timeout is 8 seconds, but admins who want a quicker convergence often change it to 4. Domain Time
allows the timeout to be any value between 2 and 3600 (inclusive).
Added number of days remaining to the startup banner on eval copies.
Control Panel applet
Added Browse... buttons to import/export dialogs for symmetric keys, time sources, and broadcast souces.
Changed symmetric keys dialog to show SHA1 vs MD5 password types.
Changed symmetric keys dialog list to sort in numeric order for the
key number column, and in text order for the other columns.
Changed maximum symmetric key number ("keyid") from 65535 to 65534 to comply with ntpd version 4.2.x.
Some implementations of NTP, including prior versions of ntpd, use a range of 1 to 65535 (inclusive). Since the keyid is
a 32-bit unsigned integer, there is no technical reason it could not be a much larger number.
Changed symmetric keys dialog broadcast key dropdown to sort numerically instead of alphabetically.
Added choice of line terminators (LF or CRLF) to key export dialog.
The former behavior was to create the file using only LFs, on the assumption that
exporting a file was primarily so it could be imported into a Linux machine. This is
still the default, but you may now choose CRLF if desired. Note that key file import
is not affected by the type of line termination. It has always been able to handle
either CRLF or plain LF line terminators.
Changed key import routine to recognise both SHA1 and MD5 key types.
The former behavior was to ignore any key type not marked MD5.
On the Correction Limits page, removed Minimum Correction ("Deltas smaller than ___ milliseconds will not
cause a correction....) because any value other than the default value of 1 has been deprecated
for over a decade. The presence of the setting and its wording suggested that deltas of
less than 1 millisecond could not be corrected, whereas it really only applies to situations where
slewing is diabled. Stepping the clock has an OS-dependent uncertainty, so Domain Time will not
step a correction of less than 1 millisecond. Removed the same setting from the recommendations
page on Domain Time Server operating in Master mode.
On the Support page, changed Online Documentation Index link to go to the overall Domain Time index page
instead of the client or server index page.
On the Support Page, added link to Version History, which opens a browser window to the complete product
history for Domain Time.
On the server test results dialog, restored the green/red/yellow indicator at the bottom-left corner.
The code for displaying the indicator had been inadvertently commented out.
On the PTP Master configuration dialog, added prompts to ensure the admin chooses legitimate
timeout and priority values.
Some 15-year+ old routines inexplicably thought that because there were 60 seconds in a minute,
and 60 minutes in an hour, there must also be 60 hours in a day. We have educated these routines. The error only
affected a few displays, not any timing calculation or function.
Added -leapfile command. This fetches and parses the default leap-seconds.list
file from http://www.ietf.org/timezones/data/leap-seconds.list. If you want to use a different source, use
-leapfile:http://location. Only HTTP is supported. The file, if successfully fetched, is placed
in the system32 folder. If the file in system32 does not exist, or is older than the version on the server, it will be
updated. If the file in system32 is the same as or newer than the version on the server, the file in system32 will not
be updated. In either case, the output shows the last leap second and its TAI-UTC offset, as well as the next leap
second to come (if one has been scheduled). Domain Time does not use the leap-seconds.list file. This command is present
only to let you check the current TAI-UTC offset and any scheduled leap seconds. Since it writes to the system32 folder,
you must run DTCheck with admin privileges for this command.
5.2.b.20170522 - Optional Upgrade
One important fix for Manager. Several minor improvements elsewhere. NOTE: If you
upgrade the Management Tools, you should also upgrade Audit Server. Mismatched
versions may produce unwanted results (see description of changes below).
Widened the precision of remembered deltas from milliseconds (10^-3) to hectonanoseconds (10^-7,
or tenths of a microsecond). The information was already being sent to Audit Server in hectonanoseconds, and displayed
to that precision in the log files, but was being truncated to milliseconds in Audit Server's database and in emailed
Real-Time Alert messages. The truncation was a holdover from 2009 (version 5.1), when all reports were limited to
milliseconds. This change allows you to see sub-millisecond deltas that are being sent by Client or Server without
having to examine the log file.
Also changed the threshold scale for raising alerts from milliseconds to microseconds. The threshold is kept internally
as microseconds, and expressed in alert emails or logs as ±s.nnnnn second(s) when practical. For example, if your threshold is
1.5 seconds, the program will display "±1.5 seconds"; for 15 milliseconds, the program will display "±0.015 seconds";
for 100 microseconds, it will display "±100 microseconds," and so forth. Changed Manager to allow you to express the threshold
as seconds, milliseconds, or microseconds.
Note: If you upgrade Audit Server but do not upgrade Manager and Alert Viewer, Manager and Alert
Viewer will display incorrect values in the delta column. The display will be correct if you upgrade Manager and Alert Viewer
without also upgrading Audit Server, but a mismatch between Audit Server and Manager is not supported. Alert Viewer,
which can connect to multiple Audit Servers, will display the precision supported by each of its servers (as long as
you upgrade Alert Viewer).
Changed drift graph stratum to display the source's stratum rather than the machine's stratum.
This change affects NTP and PTP graphs; DT2 graphs already displayed the source's stratum. This change is for
consistency among protocols, and only affects graphs displayed in Manager or by the stand-alone DTDrift program.
Changed Audit Viewer's reporting of strata to match what's shown in the drift graph. Audit Viewer
already reported the correct stratum on the summary dialog page, but did not use each source's stratum in either
the details dialog or the textual report.
Fixed quoted-printable encoding to prevent inserting a soft CRLF between the CR and LF
of a hard CRLF. Symptoms: None known; this fix is to ensure strict compliance with RFC2821 and RFC2045.
Added workaround for non-conformant SMTP smarthosts. Symptom: Email session would
terminate with a timeout after sending the email data but before seeing a 235 from the smarthost. These
non-conformant servers are expecting an extra CRLF at the end of data.
Changed charset from US-ASCII to Windows-1252 to support 8-bit characters.
Widened display of real-time alert deltas as noted above under Real-Time Alerts.
Changed display of strata as noted above in Stratum Reporting.
Changed real-time alert threshold from milliseconds to your choice of seconds, milliseconds,
or microseconds, as noted above.
Added checkbox to Real-Time Alert configuration dialog to allow choice of whether to raise
alerts for all machines or only audited machines.
Fix for Manager freezing when NTP list is emptied. Symptom: Manager would pop up a blank
message box (no text or buttons), and wait for you to click on the non-existent button to continue. The
problem only exists in versions 5.2.b.20170101 and 5.2.b.20170331.
Added optimization for computer name enumeration in AD forests. If enumeration fails
due to global catalogue errors, you may disable this optimization by changing the registry value
Optimize Computer Enumeration to False in Manager's Parameters subkey.
Added History... to right-click menu for items in the real-time alert list. Also added
F6 accelerator key to perform the same function.
Added real-time alert history settings to Real-Time Alert configuration dialog.
Added Email Setup... to Audit Server menu for convenience (the same dialog is available
from locations where you enable or disable email).
Added "Time Traceable" and "Frequency Traceable" fields in detail view of PTP nodes.
For masters, this is their own traceability status. Time traceability propagates to slaves, but frequency
traceability for slave is implementation-dependent and may not be meaningful.
Colorized PTP node detail display to match other protocol detail displays.
Changed default for View - Show Grid Lines to false (only affects new installs).
Real-Time Alert Viewer
Fixed the audio alert to honor the state of the checkmark on the pop-up menu. Symptoms: Sounds
were continuing to play when the checkmark was unchecked.
Widened display of real-time alert deltas as noted above.
Widened display of real-time alert deltas as noted above.
Added abiltity to customize the subject line in email alerts and summaries (only for this
version or newer). To change, edit the HKLM\Software\Greyware\Domain Time II Audit Server\Logs and Alerts\SMTP
key and change any of the Email Subject... values. Changes take effect upon service restart.
Ignoring excessive deltas upon receipt of a Status Report (Real-Time Alert) from a
machine that has just resumed from standby is now treated as if the machine had just booted.
Changed wording on alert dialog from "after boot" to "after startup" to reflect the above change.
Added ability to skip raising an alert for unaudited machines.
Added code to skip updating Status Report delta when a Status Report is only a notification of
PTP status change. Symptom: The "Last Status" column in Manager would change to zero for approximately five
seconds after a PTP master was lost or gained.
Changed "PTPv2" to just "PTP" in audit debug logs.
Added real-time alert history folder and logfiles for each reporting machine.
Changed real-time alert logging to show deltas on machines that are in the PTP-lost-master state.
Changed display for masters who are zero "stepsRemoved" from a primary
source to show an effective NTP stratum of 1 instead of 0.
Added ability to track number of seconds since a resume-from-standby event.
This data is sent in Status Reports (Real-Time Alerts) so that Audit Server can decide whether or not to
ignore excessive startup deltas. A recent resume from standby also counts as a "startup" event for
the purposes of overriding the min/max correction allowed. This change allows laptops or similar
devices that use sleep or hybernate to resume synchronization and avoid being flagged as out of
tolerance when they resume operation.
Increased IOCP worker thread count to help prevent starvation of UDP service requests
while TCP teardown is occupying a worker.
DTServer: Changed error message to "Access Denied" when DT2-HTTP is disabled for the
type of access requested. Also streamlined HTTP request processing to reduce transaction duration.
Added secondary audit server value to the domtime.adm GPO. To obtain this functionality,
you need to update the GPO with the new domtime.adm file, and set the value secondary audit server value
using your normal policy editor. You must also update any DTClient or DTServer set to use the policy (previous
versions will ignore the new value).
Corrected auditdata command response to include all time sources (up to eight) if
multiple sources were used to steer the clock. If multiple samples from the same source are
used, only the first sample from that server is included. Previous versions did not always show the
individual source data.
Added source's stratum (if known) to the auditdata command response. This value
is displayed by DTCheck or the Audit Viewer.
Added caller's IP/port and listening IP/port to debug-level messages for TCP hang-ups due to
inactivity or error.
Improved overall socket server shutdown time for very busy DTServers with many
concurrent TCP connections.
Fixed logic error in the Domain Time II Update Server service which allowed installation
to newly-discovered machines when the Administrator had selected only upgrades, not new installations.
Added each source's stratum (if known) to the output of dtcheck -cmd=auditdata when multiple
sources were used by the queried machine.
Changed -ptpmasters output for two-step clocks to add count of missing Sync Follow-ups.
An occasional Sync without its Follow-up is not an error, but a sufficient number in a row can lead a
slave to abandon a master.
Changed -ptpmasters output for one-step clocks to omit showing zero Sync Follow-ups received.
Changed display of strata as noted above in Stratum Reporting.
Reduced redundant registry reads.
DTLockdn & DTClean
Fixed code that disabled filesystem redirection and then failed to re-enabled it. This
affects only 32-bit versions of the programs when running on 64-bit operating systems. Symptoms: None.
In all cases, the programs perform correctly. This change is for consistency's sake, in case the programs
are ever rewritten to operate recursively.
5.2.b.20170331 - Optional Upgrade
This version adds new features to Audit Server, especially for large networks where an audit can
take a significant amount of time to complete. Added a fix for sleep problems on Windows 10
machines. Updated Denial-of-Service (DoS) protection algorithm. Several other minor enhancements
and features at customer request. Upgrade if you are affected by any of the problems fixed, or if
you want the new functionality.
Fixed problem with weekly text log rollover. Symptom: Log would roll at the first Sunday, then never again, unless
you switched to monthly or daily, then back to weekly.
Changed wording on Audit Server/Alerts/Configure page to say "anomalous test results"
instead of "anomalous scan results" because the double-check occurs for both NTP and DT2 sources after
obtaining a result, whether it was obtained from either a scan or a directed query.
Added Cancel Audit menu option to cancel a running audit.
Disabled critical timing processor lock on machines with invariant TSCs.
Added checkbox to Audit Server/Audit Tasks dialog: "Scan the network before contacting individual machines" (default checked).
If checked, Audit Server will use Manager's scan settings to collect data by multicast/broadcast before attempting to check with each
machine. If unchecked, Audit Server will skip the initial scan.
Added checkbox to Audit Server/Audit Tasks dialog: "Use multicast to locate DT2 machines that may have changed IPs or names" (default checked).
This checkbox exposes an existing registry setting that controls how Audit Server locates machines that may have changed NetBIOS names or IP addresses
since the last audit.
Added version mismatch warning to the Conflicts and Problems display. If Audit Server is installed and is not the same version
as Manager, a notice will appear advising you to upgrade the incorrect component.
Real-Time Alert Viewer
Added ability to play sounds when the overall status changes to red or yellow. You may turn this functionality on or
off by checking/unchecking the right-click menu item titled, "Audio Alert Enabled." To change the .wav files played for each
type of alert, edit the registry: HKEY_LOCAL_MACHINE\Software\Greyware\Domain Time II Alert\Parameters, and change
the "Realtime Alert Sound Error" and "Realtime Alert Sound Warning" values to whatever you want. The full file path and name
must be provided.
Added method for Manager to signal that a currently-running audit should be cancelled.
Added dynamic scan timeout value based on size of the recordset being audited.
Split unicast follow-ups to non-responding audited machines into multiple threads.
Disabled critical timing processor lock on machines with invariant TSCs.
Added ability to skip initial audit scan and do only unicast queries.
Split auto-acknowledge of Real-Time Alerts into a separate task; this change
prevents auto-acknowledgement from being starved for CPU on busy Audit Servers.
PTP Monitor Logging
Added trace-level log event if a PTP master upgrades or downgrades its time quality.
Added trace-level log event if a PTP master changes its leap status flags.
Added DNS name, if known, on display and reports of NTP servers. Prior behavior was to
say either "N/A" or the IP address in the name field.
Added work-around for Windows 10 machines with sleep function enabled. Symptom of problem: When sleep mode exits,
the main thread may not resume. This is due to the Windows 10 kernel not sending matching pairs of APM up/down
events to the service handler.
Added trace-level log messages for APM signals.
Changed default interpolator behavior to avoid unneeded cycles when using the kernel interpolator (Windows 8 or above).
Changed Denial-of-Service (DoS) behavior to not restart DoS timer with hits from poisoned sources during the rehabilitation window.
The former behavior required n second to pass without any hits from a poisoned source before absolution would be
granted. The new behavior grants absolution n seconds after the first excess. This makes the DoS protection more
of a rate limiter than a block.
PTP Master Mode
Corrected inconsistency between announced and queried time quality, so that queries via
management messages are dynamic using the same algorithm used for announces when Domain
Time Server is operating as a PTP master.
5.2.b.20170101 - Recommended Upgrade
Introduced PTP Monitor, a component
of Audit Server integrated with Manager. Several minor bug fixes; many performance
enhancements. Added support for the "PTP Enterprise Profile." Added preliminary support for PTPv3
(subject to modification as the specification evolves).
Changed log file and dialog mentions of "variance" to "delta" where the
value being referenced is a simple ±Δ (delta). The term "variance" is now used only it its
strict mathematical sense (squared deviation from a set's mean). The former use of "variance" to
mean "delta" was a holdover from when variances were exposed directly.
Changed most messages and prompts to say PTP instead of PTPv2. Messages
specific to v2 (IEEE 1588-2008) as opposed to v3 (forthcoming) will have v2 or v3 appended
when v3 is released and supported. Since much of v3 will be interoperable with v2 in terms of message
types and formats, the version number is important only when a difference must be distinguished for
debugging purposes. Certain instances of PTPv2 will be retained for backward compatibility (such
as the names of keys and values in the registry).
Changed PTP node portIdentity textual representations to use a period instead of a colon
to separate the clockIdentity from the portNumber. (There is no standard for textual representations of
portIdentities. An 80-bit hex string is difficult for humans to read, so we split the clockIdentity into
three portions using dashes, and separate the portNumber from the rest using a period.)
Introduced PTP Monitor, a component of Audit Server that works in conjunction with Manager.
Changed internal audit delta value for alerts from milliseconds to microseconds.
Manager shows a radio button to allow selection of seconds, milliseconds, or microseconds. The
value will be converted to microseconds when the dialog is closed. Internal time is still kept
in hectonanoseconds (tenths of a microsecond).
Added check for wsnmp32.dll before allowing install to or upgrade of a remote
machine. All versions of Windows from XP up have this DLL installed, execpt for Windws Server 2016 Nano Server, where it
is optional. The admin must install SNMP trap support on Nano Server before installing Domain Time.
Changed default display precision for deltas and latencies from milliseconds to microseconds.
This value is still adjustable from the Options/Appearance/Format Options/Significant digits dropdown.
Several customers were unaware that the number of significant digits displayed was adjustable, and thought
that Manager was only able to measure to the millisecond.
Changed the default sort order for deltas to use absolute value (magnitude). This may
be changed on the same dialog box as the number of significant digits.
Added multicast interface enumeration to scanner functions used by Audit Server, Manager,
Added tooltips over list column headers to make it easier to read a column header's
label without widening the column (with additional information for columns with obscure or potentially-confusing
Added right-click item "Details" on lists to switch to the corresponding tree node's details view.
Added "Leap" column to Domain Time II Machines list.
Added "(UTC±HH:MM)" after timezone name in Domain Time II Machines details view.
Fixed slow redraw when deleting Audit Results or Synchronization Logs. Also fixed count of
items shown on the status bar to reflect remaining items after deletion.
Fix for scan receive timeout resetting to 1500 on Manager's Options/Network Options/Network Discovery
page. This value affects both Manager and Audit Server. Also applied fix to ensure that values entered are within
the minimum and maximums allowed.
Fixed Alarm column on the Domain Time II Machine's list to reflect "NoSync" if a Domain Time
machine has not been able to set its clock since startup. This information is already available via Audit Server's
Real-Time Alerts and reports, but was not shown in the machine's list.
Added "PortIdentity" column to command-line DTMan EXPORT column, showing blank if the
entry is not a PTP node, else showing the node's PortIdentity. For PTP nodes that are slaves, the existing
PTPStatus column will show the master's IP address if available, else it will show the master's PortIdentity.
Fix for long Manager startup time when database size is large.
Improved Manager's exclusion of unwanted Organizational Units (OUs) to include both AD
enumeration and tree/list display. The former behavior was to include all machines in the database, and
excluded unwanted ones from the display.
Added number of elements and memory used by each of the major indices to the System Information page.
Added secondary sort by common name (DNS name for NTP servers) when sorting by other columns, so that
machines in the same group are listed alphabetically within that group.
Changed display name for domtimed Domain Time II role from "Full Client" to "Linux Client" to make
them sort separately from Windows clients.
Introduced PTP Monitor, a component of Audit Server that works in conjunction with Manager.
Fix for scan receive timeout resetting to 1500 in error.
Added info-level timing information for each phase of an audit. This helps identify which phase (if any)
is consuming too much time for users with a very large number of machines being audited.
Added "lazy" write to the text log output (same mechanism as available for DTClient/DTServer). This helps
improve accuracy of time-sensitive operations that must log their output.
Added "Delta" column.
Added NTP stratum (or equivalent) to display of a machine's time source.
Strata only apply to NTP servers, but an effective stratum may be determined in most situations. In cases where there
is no equivalent, or the information is missing, the stratum is not displayed.
Added UTC±HH:MM where applicable.
Added support for PTP Nodes (as opposed to Domain Time machines using PTP to obtain the time).
Note that you may audit by more than one protocol (NTP, DT2, or PTP, or any combination); each shows up as a
separate entry in the audit list.
Added support for showing last correction in sub-milliseconds (if provided by DTClient or DTServer;
previous versions reported deltas to the hectonanosecond, but corrections only in milliseconds).
Added dynamic reset of outgoing socket TTL (IPv4) and hop count (IPv6) when changed
on the Control Panel applet (former versions required a service restart).
Added links in all users start menu, similar to those created by
installing management tools.
Fix for negative delta not firing SNMP trap for bounds exceeded.
Added shared memory section for PTP statistics (used by DTCheck and the Control Panel applet).
Added ability to keep NTP4-style loopstats and peerstats files, including symlinks
to the current file, plus several other internal changes for ntpq and nptd-compatibility. Please see
Increased the maximum number of drift records kept by each machine. This provides a
longer span of history; this is particularly important for PTP drift, which can accumulate one or more points
Added socket drain for TCP connections after sending FIN but before closing socket. This
helps prevent spurious connection reset errors on the peer.
Added non-zero values roughly equivalent to ntpd's concepts of root delay and root dispersion
to NTP reply packets (DTServer only). Note that Domain Time does not keep internal statistics in the same fashion as ntpd, so there are
no exact equivalents.
Added poll value to nearest power of two to NTP reply packets; this value was formerly fixed
at the default interval, whereas now it reflects the anticipated number of seconds between time checks. Note that Domain
Time does not calculate or maintain polling intervals in the same fashion as ntpd, so the poll interval reported
is approximate. In particular, the state machine itself has a value, but not individual time sources. Domain Time
is not restricted to ntpd's minimum, maximum, or power-of-two intervals, but reports as if it were for ntpd compatibility.
Changed precision value in NTP reply packets (DTServer only) from -23 to -22. 2^-23 (0.000000119 seconds)
is the nearest approximation of Domain Time's actual granularity, but 2^-22 (0.000000238 seconds) is closer to the
standard deviation representing Domain Time's best-case ability to measure the clock.
Changed default value for "Enumerate multicast interfaces..." and "Initiate rebind and resync..." to
Fixed log message format error after applying leap-second. The bug was
introduced in version 5.2.b.20160922, and only affected machines running at trace-level or debug-level
text log output.
Changed "Service Notify Time Change" log messages from debug level to trace level.
Added PTP grandmaster's offsetScaledLogVariance (oslv) to log lines that display the master's
general attributes. This value is a four-digit hex number.
Added error-level output to log if PTP calibration fails due to invalid timestamps from the
grandmaster. This information is also available in debug mode if the PTP packet rejection category is enabled,
and will fire with every rejected packet. The new error-level information does not fire with each Sync packet,
and does not require debug mode.
Control Panel applet
Further simplified and clarified the wording for Delay Transport on the Control Panel
applet's PTP configuration dialog.
Added checkbox and configuration link for PTP to DTServer's "Serve the Time"
page. This is a shortcut to the same PTP configuration dialogs on the "Obtain the Time" page,
but put on the Serve the Time page for convenience. Unlike other protocols, PTP will be either a slave
or a master depending on the overall network conditions.
Added checkboxes on the Logs and Status page for enabling NTP4 loopstats and peerstats. Added
display of the NTP Stats folder. This display will be "N/A" for earlier versions of Domain Time, and "Not set yet"
if you haven't enabled loopstats or peerstats. The folder path, if not set manually, is determined the first
time Domain Time collects loopstats or peerstats. Close and reopen the Control Panel applet in order to see
the path after first enabling loopstats or peerstats.
Removed Refresh and Autorefresh control from PTP Stats display when operating on the local
machine using shared memory. The title bar includes either "shared memory" or "network" for your reference.
Added dropdown selection for "End-to-End Enterprise Profile" on the PTP configuration page.
See PTP Profiles for details.
Added support for slaves choosing a master from among multiple domains, whether or not
the Enterprise Profile is selected. This is controlled by a checkbox labeled "Dynamic (allow any domain when slave)"
on the PTP Options page. On the PTP Status page, older versions will display "Domain Number" and the domain number. Newer versions
will display either "Dynamic Domain" and the domain number currently in use, or "Operating Domain" and
the domain number chosen on the Options page. See Dynamic Domain on the PTP Profiles page.
Shortened or eliminated the delay time for recalibration when switching from one master to
another if multiple masters are advertising simultaneously (for example, when a master in domain 0 and another
in domain 1, are both visible to the slave, and the slave has Dynamic Domain available, it will have already
pre-qualified both masters, and be able to switch without reentering the listening state when the master it
has chosen goes offline).
Added support for management GET of the PTP fault log.
Added support for management COMMAND to clear the PTP fault log.
Increased incoming buffer size to accommodate receipt of large fault log packets.
Changed reply to management requests sent to all domains (0xFF) to indicate the clock's true operating domain
instead of copying the incoming request's domain. Note that management requests addressed to all domains are not part of the
PTPv2 specification (although they will likely be part of v3); this functionality is included in Domain Time in emulation of
PTP's "all clock identities" and "all clock ports" concepts. Domain Time does not send these requests, but will respond
appropriately if so queried. Prior versions responded from domain 0xFF, as required by a strict interpretation of PTPv2.
Added prompt before -test and other options that may affect the clock,
requiring confirmation before beginning the procedure. Added -yes parameter to skip the confirmation.
Added -driftfiles parameter to fetch drift files. If no machine name or IP address is specified,
the local machine is targeted. The files are placed in the current directory. Example: dtcheck 10.1.2.3 -driftfiles
Added display of precision, poll, root delay, and root dispersion to -raw output. Note that
sources providing a zero for root delay or root dispersion is valid but undefined; the value is either omitted
(typical with appliances and previous version of Domain Time) or too small to represent in the fixed-point
field provided. NTPCheck will display root delay and root dispersion, but only convert to seconds and fractions
of a second if non-zero values are provided.
Added automatic backup of audit server database during upgrade.
5.2.b.20160922 - Optional Upgrade
Preliminary support for Windows Server 2016 Nano Server. Contact tech support for instructions
Several enhancements for UTC traceability. Several enhancements to Audit Server and Manager.
Minor bug fixes or enhancements for the Daytime protocol, for NTPQ, and for PTPv2 Peer-to-Peer.
Upgrade if you need the new functionality, or are affected by the minor bugs.
UTC Traceability Enhancements
Added reference time type and details to the comments section of the Daily Report.
Added reference time type and details to audit data files and dtreader.exe.
Widened reference time offset and latency results to hectonanoseconds in Audit Server's log.
Changed reference time list from trace- or debug- to info-level in Audit Server's log.
Added display of timezone UTC offset in standard "UTC±HH:MM" format to the end of timezone names.
Nano Server and ServerCore Headless
Preliminary support for DTClient and DTServer on Windows Server 2016 Nano Server. Contact tech support for instructions.
Preliminary support for DTCheck and NTPCheck on Nano Server (via Powershell remoting).
Disabled automatic start of the system tray icon when running on ServerCore (if headless) and on Nano Server.
Disabled Clock Change Monitor when running on Nano Server.
Disabled Virtual NIC Reconection Monitor when running on Nano Server.
Disabled Time Change Event Monitor when running on Nano Server.
Changed to static link for iphlpapi.dll (required for Nano Server).
Allowed Monitor service and Audit Server service to run on Win10/Win2016 platform.
Fixed %LocalTime% and %LocalTime#% reporting in the Daily Report output.
Corrected Manager's debug level output for ntp reference time field obtained during scan.
Added "Configure..." option to Manager's right-click pop-up menu on the tree side that goes directly
to the configuration dialog for the type of item selected. This is just a shortcut to subitems on the main menu.
Improved detection and startup of Domain Time Server if not already running when
Manager or Audit Server starts. Changed text log message from error level to warning level if Domain Time Server
is not already started.
Gave reference time check its own separate timeout value to improve reliability.
It was formerly using the overall scan timeout value, which could be set too short for some time sources to respond.
Customer request: Added doctype, xmlns, and viewport to HTML emails for improved experience on handhelds.
Customer request: Added ability to direct Audit Summaries and Real-Time Alerts to their own group of email
recipients instead of to the standard To/CC/BCC lists used by Audit Alerts.
Customer request: Added HTML support to the Daily Report file. If the filename extension is either .htm or .html,
then Audit Server will wrap the output in minimal HTML tags sufficient for viewing with a browser.
Fixed bug in debug-level log output for missing PTPv2 messages.
Fixed bug in creation of IPv6 generic unicast outgoing socket.
Fixed bug introduced in version 5.2.b.20160415 that prevented PTPv2 Peer-To-Peer (P2P) delay measurement from working correctly.
Changed wording in warning log message for real-time status alerts to indicate if the
problem was ICMP related, rather than UDP or TCP.
Customer request: Added padding bytes to ntpq responses to reach a 32-bit boundary. Some implementations of
ntpq interpret the March 1992 RFC 1305 to mean padding is required, even though Appendix B says that padding
is required only if an authenticator is used. This change is a concession to those using overly-strict versions
of ntpq, and should not affect other versions.
Changed PTPv2 master Announce message "timeTraceable" flag to true if the machine is synchronizing
to a timesource that claims to be GPS-derived (i.e., a stratum 1 NTP server, or a PTPv2 grandmaster claiming stepsAway
of zero). This does not affect the BMC decision; it only provides additional information for auditing and monitoring
Changed PTPv2 one- and two-step sync processing to reject timestamps more than a day off from the
machine's current time. This is a sanity check, implemented due to customers whose grandmaster is either misconfigured
Added registry parm TAI-UTC Offset Locked (default False) to the PTPv2 section of
the registry. If changed to True, DT will not adjust its discovered TAI-UTC offset to match a new master advertising a
different offset. The service must be stopped/restarted for this change to take effect. You should use this setting only
if you have a broken PTPv2 master.
Added registry value Current Offset Enabled to the PTPv2 subkey. This value defaults to
false, and changes the behavior introduced in 5.2.b.20160415. When false, Domain Time will not update the current offset in
the registry or fire the offset-changed event. To regain this behavior, set Current Offset Enabled to true, then trigger a sync
or issue dtcheck -reload. See sdk.doc for details.
Control Panel Applet
Added "(deprecated)" to the Get the Time's radio button "Set this machine's time from broadcast or multicast sources"
label. Distributing and receiving time by broadcast/multicast DT2/NTP is still supported, but seldom used, primarily because client-server
requests and PTPv2 are much more accurate. The only change is in the label, to help customers select the correct option.
Added "(recommended)" to other Get the Time page options, for reasons similar to the above change.
Removed checkbox "Allow Non-exclusive bind for PTPv2 sockets" from the Network page. The default state is true,
and corresponds to the registry setting "Non-exclusive bind" in the PTPv2 subkey. This should almost never be set to false, since
it prevents other PTPv2 multicast listeners from binding.
Added warning prompt if user sets the Minimum Correction on the Correction Limits page to anything other than
the default value of 1 millisecond.
Changed PTPv2 drop-down label from "Unicast Support" to "Delay Transport," and changed drop-down item text to clarify
the choices: Auto-Detect, Only support unicast..., and Only support multicast... (cosmetic change only).
DTServer Daytime Protocol (RFC867)
Customer request: Added "NISTLF" as an alternative to "NIST" or a ddd MMM yyyy format string for the Daytime Format
registry setting. If set to NISTLF, the output consists of an LF, followed by the normal NIST format string, followed by a space and
then a terminating LF. If set to plain NIST, there is no leading LF, and the terminator is a CRLF (no extra space). For other options,
any legal combination of specifiers in Microsoft's GetDateFormat API are acceptable.
Fixed the "H" digit (http://www.nist.gov/pml/div688/grp40/its.cfm) in the NIST or NISTLF output format so that
zero indicates healthy, and 4 indicates unhealthy. These two values were formerly reversed. No other H digits are used by Domain Time.
Removed "Daytime Identifier String" value from registry. This value is not used in version 5.x.
Added Lost Master Reason (if known) to output for -ptpstats and
Rearranged output of -ptpmasters option to put Priority 1 and Priority 2
on separate lines.
Added -ptpmasters -noexpired option. If -noexpired is specified, then
the output list of known masters will not include masters that have stopped announcing but are still in the
Changed output for -ptpmasters so that former masters who are still
advertising show as Former Master rather than Current Master or Potential Master.
Added information regarding syncs and follow-ups to the -ptpmasters command.
Changed the -cmd= option to allow commands containing spaces to be specified
without the spaces. For example, previous version required quotation marks for -cmd="Audit Data"
because the command name contains a space. You may now skip the quotation marks and spaces: -cmd=AuditData.
Added (UTC±HH:MM) after name of time zone if known.
Added IPv6 listen to -ptptest
Customer request: Added implicit -nopause argument if output is redirected or program is remoted.
Extended explicit -nopause argument to all commands that loop with "Press any key..." prompts.
5.2.b.20160711 - Optional Upgrade
One major new debugging tool available through DTCheck. One major usability change to UAC's interaction with Control Panel applets.
Several visual/usability enhancements to DTCheck and NTPCheck. A few minor OEM changes, and one obscure bug fix.
Several minor enhancements to SMTP sending. Upgrade if you want the new functionality, or are experiencing any
of the problems addressed by this release.
Added -ptpmasters option. This displays the table of PTPv2
masters seen on the network by the node you query. The information is drawn from a cache of announce messages.
Each master will be shown as Current, Potential, or will have an error message showing why the announces
from that master are being rejected (wrong domain, invalid UTC settings, etc.). This is helpful for debugging
when PTPv2 won't slave to a master. Masters who sent announce messages, then stopped, will remain in the list,
but be shown as expired.
DTCheck and NTPCheck
Added "Press any key to close..." prompt at end of program output when the
command-line programs are run from a shortcut, Explorer, the start button, or another GUI method.
This prevents the window from flashing up, running, and disappearing. The prompt to close does not
appear when you start these programs from a command-line prompt.
Added -nopause parameter to defeat the above behavior.
This is primarily useful for those who don't care to see the results or are running either
DTCheck or NTPCheck from within a batch file.
Changed manifest from requireAdministrator to asInvoker. For operations
not requiring admin privileges, you no longer need to launch from an elevated command prompt (or
select Run as Adminstrator). For operations requiring admin privileges or requiring elevation,
the programs will prompt you to elevate unless UAC is turned entirely off. Successful elevation
will cause the program to run in a separate window. If you are using DTCheck in
a batch file, you should elevate the original command prompt that runs the batch; otherwise,
depending on the operation, you may be prompted for each invocation of DTCheck.
Control Panel Applets
Improved launching of CPLs when UAC is enabled but the user either isn't an
administrator, or is an administrator without already being elevated. When possible, the normal
UAC prompt to run elevated (or provide a username/password) is presented instead of a popup
explaining what to do. Note that is is still not possible to run an administrative CPL as an
ordinary user when UAC is disabled completely. You need to log on as an administrator, use the
command-line RUNAS, or administer the machine remotely.
Fixed rare condition that allowed you to make a change, then click OK to
close the CPL, but the change was not saved.
Added prompt to save changes when a user checks the box to enable PTPv2,
and then wants to view the PTPv2 stats without having first clicked Apply.
Added DWORD registry value "Send Port Generic" in the Parameters subkey. The
default is zero. Domain Time uses several sockets for generic outgoing messages. By default,
the port used is an ephemeral port assigned by the system. This is the proper behavior for
client-server systems; only the server should have a fixed listening port, and clients should
use ephemeral ports. However, in rare cases, applications have high-number ephemeral ports
hard-coded as their communications ports. If Domain Time happens to start first, and happens
to obtain those particular ports, the hard-coded application may fail. Set this value to the
beginning port number (n) of a range you want Domain Time to use for its generic outgoing sockets.
Domain Time will attempt to use (n) through (n + 50) to bind its generic outgoing sockets.
If none of the ports (n) through (n + 50) are available, Domain Time will revert to letting
the system choose an ephemeral port. Be very careful not to specify any well-known ports or
IANA-registered ports for your range, and only set this value if you have a specific problem
that you know will be solved by changing the ephemeral ports Domain Time uses.
Fixed problem with DHCP auto-discovery option hanging if no DHCP server is
present on the network, or if it replies with an unrecognized format.
Improved handling of derived stratum changes when using samples from multiple
sources with different strata. Clarified log message to indicate if a registry override is in
effect. Changed broadcast DT2/NTP time to honor the registry override if present.
Changed SMTP SSL/TLS default registry value TLSIgnoreCertErrors (introduced in 5.2.b.20140922)
from zero (ignore no errors) to 0x3100 (accept certs that are self-signed, expired, or have the wrong CN). SMTP
encryption is opportunistic in nature, and many, if not most, SMTP hosts use self-signed certs, or certs copied from
a web server, or certs whose common name does not match the name you must use in order to contact it. You may set the
value to 0x10000000 in order to regain strict certificate checking, 0x0000FFFF to disable certificate checking altogether,
or any combination of values documented in the release notes for 5.2.b.20140922 for specific checks.
Added registry value TLSAcceptableProtocols (same registry key as TLSIgnoreCertErrors). This is a
bitmask of acceptable encryption protocols. The default value is 0x0AA0. Use a logical OR to combine multiple values.
0x00000002 - PTC1 (not recommended)
0x00000008 - SSL2 (not recommended)
0x00000020 - SSL3 (not recommended, but included in default for backward compatibility)
0x00000080 - TLS 1.0 (not recommended, but included in default for backward compatibility)
0x00000200 - TLS 1.1
0x00000800 - TLS 1.2
0xFFFFFFFF - any available protocol (not recommended)
Added registry value FQDN (same registry key as TLSIgnoreCertErrors). This REG_SZ (string)
value contains the name to use during SMTP envelope negotiations; specifically, it is the name presented as the EHLO or HELO name
immediately after receiving the server's greeting. In previous versions, the name used was the sending machine's fully-qualified
host name. However, workgroup members or machines just starting may only have a bald hostname available. This new value is set the
first time an email is sent, and used thereafter for all subsequent emails. If a fully-qualified name is not discoverable,
then Domain Time will use either a dotted-quad IP enclosed in brackets, or the computer name followed by .smtp.local.
RFC 2821 section 126.96.36.199 requires one of these two forms. You may change the name if your particular email server requires
an externally-verifiable DNS name to be presented.
5.2.b.20160415 - Optional Upgrade
Minor changes to accommodate non-compliant PTPv2 nodes, and to accommodate PTPv2
grandmasters that send signals in an unexpected order. Added check for duplicate
PTPv2 portIdentities on the network.
Changed graphics and links for OEM partners.
Changed calibration check for PTPv2 to work around rare race condition where
an announce arrives between a sync and its followup.
Changed debug output for wrong packet size on PortDS Management reply to indicate
the count of TLV bytes received and the count expected.
Changed handler for PortDS Management reply to allow incorrect value in TLV length
member for non-compliant masters.
Added outgoing delay request sequence numbers to debug output.
Added incoming delay response sequence numbers to debug output.
Added bias count to MeanPathDelay smoothing debug output
Added check for delay replies received outside of reasonable round-trip times.
Changed category for out-of-sequence or invalid delay responses from ignored packets to delay calculation packets.
Added multicast at startup to check for duplicate PTPv2 portIdentity nodes on the network. If a duplicate is
detected, PTPv2 will switch to the "faulty" state and refuse to run until the problem is corrected. This condition can only
happen if an admin clones an installation and neglects to run DTCheck -prepclone, or otherwise produces
a network with duplicate node IDs. PTPv2 requires each node to have a unique portIdentity. An error-level text log message
includes the other node's IP address and portIdentity. This check may be disabled by setting the "Duplicate Node Detection Enabled"
registry entry in the PTPv2 subkey to false.
Updated the DTCheck -eventmonitor function to monitor the two new PTPv2 events.
5.2.b.20151127 - Optional Upgrade
One important fix for SDK users. Several minor improvements to system timer detection,
mostly for Windows 10, but also affecting earlier systems. Many improvements for Audit
Server behavior and Manager's interface.
Fixed handling of non-conformant performance counters when using
GetDomainTimeAsFileTime() and internal routines that use it inside the DLL. In rare circumstances,
earlier versions of the DLL could return incorrect time if the performance counter misbehaved when the
DLL was queried in very rapid succession over long periods of time. Upgrading the DLL to the new
version is highly recommended for SDK users. You should not have to recompile your application.
Amended the list of documented error codes in the comments of DTHRes.h.
Improved system timer detection and calculation of timing variables. In particular,
recalculation of non-dependent variables is skipped when possible. On Win8 and later versions, unneeded
recalibration is skipped when other processes raise the timer resolution in a way that doesn't affect
Improved handling of non-conformant performance counters. On DTClient and DTServer,
a misbehaving system timer does not cause calculation errors, but can reduce the accuracy of interpolated
time until the performance counter renormalizes.
Fix for the Control Panel applet not saving the "Force Timeset Success Messages" value
in the registry when the corresponding checkbox on the Text Log configuration dialog was checked or
Added Periodic Interval (minutes) to both the
Drift Collection and Ephemera Collection subkeys. The default value is 60. In previous
versions, this value was hard-coded to 60 minutes. You may change it to a shorter or
longer interval. Changes are recognized only after you stop/restart the Audit Server service.
Note that an audit always triggers Drift Collection (if Drift Collection is enabled),
regardless of the background periodic interval.
Removed duplicate entries in the drift data recorded by Audit Server
for NTP machines when asynchronous (background) data collection is enabled.
Changed drift graph text report for NTP servers to indicate leap
indicator ("L-I") and stratum ("Strat") instead of irrelevant or unavailable DT2 data.
This information also appears on the graph display when you click on a data point to see
its value. Note that this change may cause an erroneous display of phase or interphase
values when viewing a new drift file using an older version of the drift viewer.
Fixed bug in NTP drift logs collected by Audit Server that caused the
time source displayed to be the IP of the audited machine instead of its source. The new
version of the drift graph viewer correctly interprets this value as meaning "unavailable,"
whereas prior versions might show a dotted-quad that represents either the audited machine
itself, or the dotted-quad equivalent of "GPS" or other stratum-1 text string.
Fixed Manager's Audit Server/Synchronization Logs/Configure dialog to
leave Log Filename Format dropdown enabled regardless of whether Expand is checked. The
filename format controls all drift logs, whether or not expansion of binary files to text
is enabled, and they all use the selected format (but with different extensions).
Added new column "Type" to Manager's Synchronization Logs list display.
The type reflects the underlying data: "Drift" for DT2 machine drift records; "NTP" for NTP server
audit data; "PTPv2" for PTPv2 Offset data.
Added support for DEL key to Manager's Synchronization Logs list display.
Changed background color and text on drift graph viewer when examining an NTP
audit data file (PTPv2 and normal drift data already had separate background colors).
Increased size of drift graph window and changed number of points to correspond
to the larger size.
Added new drift collection filename format choice called "Default (recommended)"
to the Log Filename Format dropdown. This new choice is the default for new installations. If you are upgrading, you
should switch to "Default (recommended)" if you can, since the new format resolves most
naming ambiguities in the old format choices.
Default (recommended) uses "NTP Server - DNSName - IPAddress" for NTP servers (with DNSName
and IPAddress replaced with the actual DNS name and IP address), and uses "SerialNumber - CommonName"
for DT2 machines (with SerialNumber and CommonName replaced by the xxxx-xxxx serial number and
the NetBIOS name).
Serial - Name - IPAddress uses "NTP Server - DNSName - IPAddress" for NTP servers, and
"SerialNumber - CommonName - IPAddress" for DT2 machines. This can lead to unnecessary file
proliferation with data spread amongst multiple files for DT2 machines that use DHCP or are
multihomed with the ability to respond from multiple IP addresses.
This format is no longer supported except for backward compatibility.
NetBIOS name only uses the first node of the DNS name for NTP servers, and the NetBIOS name
for DT2 machines. This can lead to data corruption of NTP server records if more than one NTP
server has the same first node for the DNS name.
This format is no longer supported except for backward compatibility.
DNS name only uses the full DNS name only for both types of records, but does not guarantee
against data corruption if rDNS is static but IPs are dynamic. The machine corresponding to a.b.c.d
may change with each DCHP allocation, but if the rDNS remains the same, data from multiple machines
may be mingled in a single file.
This format is no longer supported except for backward compatibility.
IP Address only uses only the IP address to format the filename, but does not guarantee against
data corruption unless all audited machines have statically-assigned IP addresses. Even if this is
true, if you have multihomed machines able to respond from multiple IP addresses, data may be spread
across multiple files.
This format is no longer supported except for backward compatibility.
Added code to prevent command-line triggering of audit, drift collection, or
ephemera collection during an audit run. The return code is ERROR_SERVICE_ALREADY_RUNNING (1056).
Added deletion of old drift data files if all records have expired. Expiry of
old records is optional; if selected, and all records are too old, then the zero-length file
will now be deleted.
Added Ctrl-A, Ctrl-S, Ctrl-L, and Ctrl-W handlers for Manager's Real-Time Alerts list
display. These items were documented on the right-click menu as shortcuts, but never implemented.
5.2.b.20151102 - Optional Upgrade
Several minor unreported bug fixes. Several enhancements to Manager's display and properties. One important
fix for PTPv2 cross-check functionality. Exposed new functionality for DTServer and DTClient on the
Control Panel applet. Improved continuous interphase steering (PTPv2) and sampling filter.
Upgrade if you are affected by any of the bugs, or if you want the new functionality.
Optimized syslog writing for lower latency by pre-creating a send socket and setting the target
address only when changed rather than every time syslog output is called. This affects all services that have a
syslog output option. The syslog format continues to be RFC 3164. RFC 5424 is not supported.
Changed load-order for services (DTServer, DTClient, DTMonitor, DTUpdate, and DTAudit) so
that some initializations are delayed until after informing the Service Control Manager (SCM) that the service
had started correctly. This step eliminates an extremely rare race condition that can occur during the boot
sequence, when Domain Time is waiting for other services to start.
Added upper and lower bounds lines (dark blue) and average line (green, red, or yellow) to drift graphs
if the highest/lowest points are sufficiently far from the zero line. Lines that would go through points off-screen are
drawn at the screen edges instead. Double-click any blank area of the graph to toggle bounds and average lines on and off.
Added "Domain derived from" and "DNS Name" to DT2 item detail display.
Changed item list display for computers and DT2 list to say "workgroup" instead of "domain" if domain
membership has not established.
Changed double-click action on columns in list views. If you double-click the IP address, Manager will try
to connect to the IP address first. If you double-click the DNS name, Manager will try the DNS name first. If you double-click
the Common Name, Manager will try the Common Name first (unless you have FavorIP set for that record). This new behavior helps
in situations where machines don't have rDNS, or are workgroup members, or cannot resolve by the NetBIOS name, or have
multiple IPs that respond to queries but are not necessarily open for connection attempts.
Changed all list columns called "Name" to "Common Name" to help distinguish CNs from DNS names
or other types of names. A common name is usually the bald NetBIOS name of a computer.
Fixed unreported bug in manual editing of NTP node's Time Software field via right-click on list item.
Fixed unreported bug that prevented v5.x Manager from remotely setting a v4.x machine's timezone.
Removed leading plus sign ("+") from all columns reporting latency, since latencies are always positive
Clarified text of debug-level messages during scans to indicate both the from and to addresses, as
well as unicast, broadcast, or multicast.
Clarified text of trace-level messages during maintenance work when purging old records.
Added delta smoothing to PTPv2 calculations. Delta smoothing moderates the steering mechanism, and helps
improve overall accuracy. The PTPv2 offset graph shows the smoothed deltas; moment-by-moment deltas can still be seen on
the statistics page. The new behavior is enabled by default, but can be disabled by unchecking the
Use smoothing for delta calculations checkbox. The existing Use smoothing to reduce jitter
has been renamed Use smoothing for meanPathDelay for clarity. Delta smoothing can dramatically reduce spikes
and overall clock offset from the PTPv2 grandmaster.
Fix for skipping cross-check when PTPv2 time exceeds the specified bounds (default 55ms). In the release
notes for 5.2.b.20150828, we reported "This change does not disable the 'crosscheck' functionality introduced in
5.2.b.20120117." In rare circumstances, however, the change introduced in 5.2.b.20150828 does indeed bypass the cross-check
function. This version fixes that problem.
Fix for SNMP traps that stop sending if the first attempt at DNS resolution fails. Also added support for
IPv6-literal trap destinations on operating systems that support WinSNMP with IPv6.
Allowed extended reply to the Query Timezone command from DTCheck (see DTCheck section below).
Added "Wait for Network Startup" (REG_SZ, String, default value "True") to the Parameters subkey. If
present and set to True, Domain Time will wait up to 30 seconds after boot for an IPv4 address to appear. At boot time,
some network adapter drivers report ready before assigning IP addresses to an interface, even if the IPs are pre-configured
as fixed addresses. DHCP-obtained addresses can take several seconds longer. The new wait period helps ensure that Domain Time's initial enumeration of adapters and IPs is
correct before protocol listeners or timechecks are started.
Changed log message "NtTimerResolution changed" from warning level to trace level due to Win10's
practice of changing the timer resolution on the fly for performance boosts. In previous versions of Windows, an unexpected
change of the NtTimerResolution was unusual enough to warrant a warning message.
Fixed unreported bug that could prevent syslog output from starting until after a manual change in the
Control Panel applet (or other action causing a reload) occurred.
Added NTP Era to the startup banner. This is calculated based on the date/time at startup. NTP eras span
68 years. The NTP era is currently 0, but will change to 1 on Feb 8, 2036. NTP delta calculations across adjacent eras
work correctly, but only the difference between clocks is available. To convert an NTP time stamp to wall-clock time, the
era must be known. This entry in the startup banner is for informational purposes only; Domain Time recalculates the era
of received NTP timestamps dynamically during runtime, so crossing the 2036 boundary will not affect time-of-day
calculations among different time protocols. Only NTP requires a calculated era; other time protocols have a range of
thousands of years.
Added check for advanced clock training while using broadcast NTP or DT2 time sources. Clock training is
not applicable when using broadcast time, and does not occur even if enabled, since Domain Time has no control over the
receipt of broadcast samples and cannot predict or control their frequency. Enabling advanced clock training when using
broadcast time had no effect other than reporting training was running without the iteration counter ever changing.
This fix informs the user via an info-level log message that training is inapplicable, and sets the training iteration
to zero periods left.
Added check for advanced clock training while in the PTPv2 slave state with continuous interphase
enabled. Although (unlike with broadcast sources) the training iterations would count down correctly, advanced clock
training is inapplicable under PTPv2. Therefore, when detected, advanced clock training is cancelled.
Changed trace-level log message about ignoring disabled DT2/udp commands to warning level (but suppressed
unless client access logging is enabled). This change makes DT2/udp conform with the existing behavior of DT2/tcp.
Changed default for interphase recovery on new installs to true for OS versions Vista, 2008, Win7, and
2008r2. The default on new installs remains false for all other operating system versions.
Exposed alternate profile on Security tab of the control panel applet. The alternate profile allows you to
permit specific DT2 commands from trusted networks when the main profile denies those commands. In general, you shouldn't
touch these settings. The alternate profile is primarily of use when your server is public-facing and you want to limit
commands from external sources, but want to allow them from internal sources. Note that the command prohibitions cannot
protect against UDP source address spoofing. Your boundary firewall should be set to prevent transit of internal IP addresses.
Exposed checkbox on Logs and Status tab (text log) labeled "Include info-level timeset success messages
in warning- and error-level logs. If checked, and the log level is set to either Warning or Errors, then the info-level
message for a successful timeset will be logged, too. This allows you to set the log level to the minimum needed while still
seeing that the clock has been set successfully.
Denial-of-Service log messages must now be explicitly enabled by changing the log level to Debug and
checking the box for Denial-of-Service messages (checked by default). They are still trace-level messages, but only occur
when the log is set to Debug level.
Speeded up Denial-of-Service protection check; increased size of offenders list to the 2048 most recent.
Added debug category "Uncategorized debug messages," which covers miscellaneous debug-level output not
included in other categories.
Changed bind error 10049 ("address unavailable") to a debug-level error when trying to enable multicast
reception on an interface that does not support direct interface bindings despite being marked by Winsock as multicast-capable.
This applies primarily to RRAS servers and other special situations where an IP with a netmask of 255.255.255.255 is actually
a gateway rather than an interface.
Corrected "stepsRemoved" value in PTPv2 master-mode announce messages to reflect the zero-based PTPv2 steps
rather than the one-based NTP stratum (i.e., if the server's derived stratum is 2 because it is synchronizing to a stratum 1
source, it should report stratum 2 via NTP, but "stepsRemoved" 1 via PTPv2, since it is only 1 step away from a primary source).
Added "UTC" to the end of the time string reported by DT2-HTTP queries. This is for documentation purposes
only, since DT2-HTTP has only ever served time in UTC.
Added time source header to DT2-HTTP replies; only used for filling in data for ntpq. If the server is
using multiple time sources, the resultant NTP reference ID will be 0.0.0.0. If the server's last source was a name or IPv6
source rather than an IPv4 number, the resultant NTP reference ID will be 255.255.255.255. If the server's last time source
was an IPv4 address, it will be reported as a standard dotted-quad IPv4 address.
Fixed timing issue with sending RTAlerts when becoming a PTPv2 master; depending on which thread had priority
at the moment of the change, DTServer could either send "became master" or "internal failure" as the state-change reason. It
still reported itself correctly as a PTPv2 master, so only the log messages on Audit Server were affected.
Changed auto-dismiss of lost connection pop-up from 10 seconds to 5 seconds.
Added code to help ensure the "Stay on Top" option keeps the window on top, regardless of
Control Panel Applet
Enhanced Problem Report to include registry settings for all Domain Time products installed, rather
than just Domain Time Server or Domain Time Client.
Disabled advanced training button when using broadcast time sources (see DTServer/DTClient above for
Modified the security dialog (see DTServer/DTClient above for more information).
Added checkbox "DNS Lookups Enabled" to the setup page of Monitor's Control Panel applet.
By default, the box is unchecked. This is a change in behavior. Earlier versions always tried to look up the DNS
name for all IPs encountered. You may regain the former behavior by checking the "DNS Lookups Enabled" box. Scans
without DNS lookups enabled run very quickly, usually in under 1 second. DNS lookups, especially if responding
machines don't have rDNS records, can take an arbitrary amount of time. If you have dozens or hundreds of machines
that don't have rDNS records, or if your network isn't configured to allow bald NetBIOS names to resolve to IP
addresses, the time for a scan to complete can be quite long.
Added code to allow -Cmd="Query Timezone" to show all available timezone
information, whether or not the machine is DTServer set up to share timezone information. The extended query sent
by DTCheck will not be recognized as extended by older versions of DTServer or DTClient (they will reply, but the
timezone information will be limited to that provided by older versions).
Added -interfaces command. This is similar to the -adapters
command, but provides more detailed information.
Changed parser to emit "argument not understood" message instead of defaulting to -stats if the
argument was unknown.
5.2.b.20150828 - Optional Upgrade
Windows 10 officially supported. Added preliminary support for Windows 2016 Server preview versions.
Improved functionality for ICMP, audit retries, analysis of time samples, client automatic server discovery,
and ntpq responses. Corrected or added previously-documented Windows Event Viewer messages. Several enhancements
for checking pending leap second status without having to look through the text log files. Upgraded reporting
abilities for both DTCheck and NTPCheck. Fixed one unreported minor bug. Added automatic management of
Windows Firewall to Client, Server, and Audit Server. Upgrade if you want the new functionality.
Customer request: Added SNMP trap from Audit Server upon successful completion of an audit with no errors
SNMP traps from Audit Server are free-form text. An all-okay message will read
"Audit completed without errors" and the domtimeMachinename field will be the NetBIOS name of the Audit Server
itself. The default value for sending this trap is false, but can be changed to true on Manager's Configure Alerts
dialog. Note that the all-okay trap may only be sent if overall SNMP traps are enabled for Audit Server.
Fixed follow-up procedure for non-responding machines to use the machine's name first, and the last-known
IP address only if the machine name fails. This allows Audit Server to discover machines whose names resolve
but whose IP address has changed since the last successful contact.
Added Multicast by Serial Number to locate non-responding audited machines to the
HKLM\Software\Greyware\Domain Time II Audit Server\Logs and Alerts\Audit Data Collection key. This value can be either
"True" or "False" (default "True") and controls whether Audit Server tries to locate non-responding audited machines
by sending a DT2 multicast using the audited machine's serial number. In prior versions (and in the documentation),
this action was automatic; however, it was broken in the past several releases. Now that the function is working as
documented, we made using it optional, since if the audited machine were going to respond to multicast, it probably
did so during the initial audit scan. If a machine is not going to respond to multicast, this check adds extra time
waiting for the timeout to the follow-up sequence. Change this value to "False" if your network does not allow
multicast. Changes take effect at the next scan; you do not need to restart any services. Note that his function is
valuable on networks that allow DT2 multicasting, since a non-responding machine may have changed its name or IP
since the last successful contact.
Added "Retries on Contact Failure (range 1-5, default 1)" DWORD value to the
HKLM\Software\Greyware\Domain Time II Audit Server\Logs and Alerts\Audit Data Collection key. Until now,
DTAudit has always retried once to contact a machine that fails to respond to scanning broadcasts/multicasts.
You may now change how many times Manager and Audit Server will retry. Multiple retries are generally a
bad idea, since if a machine fails to respond to a unicast once, it is unlikely to respond a second later.
However, in some circumstances, such as auditing remote offices or dealing with a congested switch or router
that is discarding packets, you may want to increase the retries. Changes take effect at the next scan; you
do not need to restart any services.
Added support for LDAP_OPT_AREC_EXCLUSIVE in LDAP domain enumeration when an IP address or
machine name is entered in the LDAP Server field of the Computer Enumeration dialog. This can speed up LDAP
domain enumeration by 3-6 seconds in mixed-level AD networks, or DCs that have been upgraded. You should
normally leave the LDAP Server field blank. The only time it is needed is when your network is set up so
that your Manager/Audit machine cannot enumerate the list of domains without being directed to a specific
Added ICMP TTL (hop limit) to the Parameters subkey of DTManager (which
controls both DTManager and DTAudit's behavior). The default value is 32. The allowed range is 1 to 255.
Previous versions of Domain Time had a hard-coded value of 10.
This value controls the number of router hops an ICMP echo ("ping") will be allowed. ICMP is used to verify
reachability, primarily prior to trying to establish a TCP connection. Establishing a TCP connection can
take an arbitrary amount of time depending on network topology and number of retries. Domain Time pings
machines first to help eliminate long waits for machines that are unreachable. You should only need to
adjust this value if you have an LAN/WAN configuration requiring more than the default 32 hops.
Added dynamic restart for RTAlert sharing if the port number is changed. This eliminates the
need to stop and restart the Audit service.
Set default value of "Allow Multiple Instances" to true instead of false. This value may be
found in the tray's parameters subkey. If true, then on terminal servers, or on individual machines using the
Switch User functionality, the notification area icon will appear on all instances. If set to false, only the
first logon session will show the tray icon. Each instance of DTTray knows if it is a clone instance or not.
Only the first instance will play chimes, although you may control them from any instance. Exposed this setting
as a new checkbox on the Advanced tab of the Control Panel applet.
Changed behavior of the Analyze time samples from all servers and choose the best
feature to stop iterating the time sources list if PTPv2 is currently a slave. This prevents NTP or DT2 samples from being
collected during scheduled timechecks, since they are not desired when a PTPv2 slave is locked to its master. In prior
versions, we recommended unchecking the analyze checkbox when using PTPv2, which had the drawback of preventing sample
analysis of listed NTP/DT2 sources when PTPv2 fails. This change makes it as if you had unchecked the analyze checkbox
only when PTPv2 is functioning as a slave. This change does not disable the "crosscheck" functionality introduced in
Changed log message about not being able to start the system tray icon from error level to trace level
to accommodate headless servers.
Added Time Sample PreFilters to the Parameters subkey for both DTClient and
DTServer. This parameter is a REG_SZ (string), default value HighLow. This value controls the prefilters
used to discard samples before applying statistical analysis. Prefilters only operate when there are five or more samples
available for analysis, and are chiefly useful when the number of samples is very large, or the sources are unstable.
It is best to leave this value at the default, which eliminates only egregious spikes. Statistical analysis
of the entire group of samples usually performs better than prefiltering more samples out of the mix. Allowed options are
HighLow, Latency, Delta, and Stratum.
Prefilters are applied in the order listed; separate filter names with a comma or semi-colon. For example,
HighLow,Latency would apply first the Highlow filter, then if at least five samples remain,
the latency filter. Stratum,Latency,Delta would first apply the Stratum filter; then if at
least five samples remain, the Latency filter; then, if at least five samples remain, the Delta filter. Changes to
the list of prefilters are recognized only when parameters are reloaded (server stop/restart, machine reboot, a CPL-initiated
sync, or a DTCheck /reload).
Prefilter operations are:
HighLow (default) - Rejects the most extreme samples, based on absolute magnitude delta (max of 2 samples rejected)
Stratum - Rejects all but the lowest-stratum samples present. Be very careful
with this filter. Example 1: If your selection of samples includes one sample from a stratum 1 server, and
ten more from a mix of stratum 2 and stratum 3 servers, then all but the single stratum 1 sample
would be rejected. Example 2: If your lowest-stratum samples are a mix of stratum 2 servers, then all the stratum 2
samples would survive, but all your samples from strata 3 and up would be rejected. It is probably
better to use the "NTP Client Max Stratum" value introduced in version 5.2.b.20110224 to control
the highest stratum acceptable for NTP sources. The Stratum filter introduced here applies to
all sources that report a stratum, including NTP, DT2, and PTPv2 (the PTPv2 "stepsRemoved" value is
used to mimic NTP strata, as documented in the release notes for 5.2.b.20150516). Samples that
do not report a stratum are not eliminated by this filter.
Added pending leap second status to the global stats structure used to display stats in the
Control Panel, in problem reports, and on the output of DTCheck /stats command. You must upgrade
in order to obtain this new functionality.
Fixed unreported bug in the tLocalTime member of audit stamps. This member was the same as UTC time,
but is not used for any functions; it was present for potential future use. If you need to know the time on
a client or server, use either DTCheck [machine] /cmd=localtime for a display according to the
target machine's local time, or DTCheck [machine] /cmd=systemtime for a display of UTC on the
Added near-future timecheck after the machine becomes a PTPv2 slave. Since it takes a few seconds
to acquire and calibrate to a PTPv2 master after startup (or after you enable the option while the service is running),
the machine can become a slave either during or immediately after the startup timecheck. In previous versions, this
wouldn't be reflected in the stats of real-time alerts until after the next scheduled timecheck occurrs. From now
on, the machine will schedule a timecheck for up to 15 seconds in the future, to allow the new slave to acquire
sufficient time samples to report its status accurately. The delay is calculated based on the machine's state at the
moment the machine becomes a slave.
Added Windows Event Viewer warning Event ID 3007 for when a time zone change is detected. Event ID
3008 still refers to a change only in Daylight Saving (a transition from standard to DST or back).
Corrected Server and Client to emit event log error codes 3000 and 3009 as documented.
Allowed the DT2-HTTP protocol time sampler to honor one level of redirection (HTTP response codes 301-307).
If a redirection is indicated, the trace log will note that the time did not come from the source specified. This functionality
is chiefly useful for admins who want to install IIS or Apache on the same machine as DTServer, but already have DTServer
providing DT2-HTTP on port 80. They can change DTServer to serve on some random port (say 82), and set up IIS or Apache
with a simple redirect to the same machine:82. Domain Time treats all 3xx redirects as absolute; that is, they should
be set up with a full http://fullDnsNameOrIp:port rather than a /relativeToServer:port path.
Changed default UDP/ICMP receive timeout from 125ms to 1000ms (1 second). This value is used for all
ICMP tests, and for most scanning and timecheck waits. The value is not changed on existing installations, but may be
changed manually by editing UDP Recv Timeout (milliseconds) in the Parameters subkey of DTClient
or DTServer. Change this value only if you are seeing timeouts due to slow LAN/WAN problems. The standard dtclient.reg
and dtserver.reg files distributed with Domain Time set this value to 2000ms (2 seconds), so the new default only
applies to new installations using customized template files with UDP Recv Timeout (milliseconds)
either not included or included but set to zero.
Added ICMP TTL (hop limit) to the Parameters subkey of DTClient and DTServer.
The default value is 32. Previous versions of Domain Time had a hard-coded value of 10. The allowed range is 1 to 255.
This value controls the number of router hops an ICMP echo ("ping")
will be allowed. ICMP is used to verify reachability, primarily prior to trying to establish a TCP connection.
Establishing a TCP connection can take an arbitrary amount of time depending on network topology and number of retries.
Domain Time pings machines first to help eliminate long waits for machines that are unreachable. You should only need
to adjust this value if you have an LAN/WAN configuration requiring more than the default 32 hops.
Increased width of "Server name or IP address" column in trace-mode text log; added ellipsis to
any server name truncated to fit.
Added faked-up NTP precision member to PTPv2 and DT2 time samples so ntpq results show a better
representation of the server, even though the protocol wasn't NTP. Also fixed case where the RefID sometimes
reported 0.0.0.0 for peers depending on which protocol was used.
Changed two startup warnings to go only to the text log (not event viewer, syslog, or SNMP),
because they are a normal function of the startup process. The two warnings are "Server will NOT provide the time
to clients until its own clock has been set" (DTServer only), and "PTPv2 is running, but has not yet synchronized;
no samples are available" (DTServer or DTClient).
Improved detection, from within a VM guest, that the machine has been resumed from the pause
state or restarted from the saved state. Prior versions only detected resumption by examining TSC irregularities.
These irregularities do not occur if the host is Win2012 or later with a CPU supporting invariant TSCs. Only guests
running Win2003r2 or later can benefit from the improved detection, and only when running under Hyper-V. Earlier
operating system guests, or guests running under VMWare, are not aware they have been paused unless the TSC misbehaves.
Changed wording on CPL's Advanced tab to reflect the new functionality.
Added invalidation of accumulated PTPv2 samples upon resume from standby or resume from hibernation.
Note that if the machine is a VM guest, and if time synchronization integration services are disabled, the clock will
be wrong after resume from pause (standby), or restart from save (hibernation), by approximately the amount of time
you had the guest paused or saved. Even though previously-collected PTPv2 samples are discarded and PTPv2 is skipped
as a time source during the next timecheck, the PTPv2 state machine does not know it has been suspended, and therefore
may take some time to recalibrate.
Added code to allow a machine set to serve the time without having its own time set first to
update the pending leap settings. This information is normally updated after each successful timecheck, but since
a server set to use only its own clock as the time source will never have a successful timecheck, the code needed
to be modified to ensure compliance with the new stats structure and remote queries.
Added code to support becoming PTPv2 master when clock is first successfully set, after
the initial announce timeout waiting period has already elapsed. This change covers rare instances when
the machine's normal time sources do not provide the time during service startup, and the machine is eligible
to become a PTPv2 master once its own clock has been set.
Added server's current leap second status to the headers of a DT2/HTTP response.
Added server's current leap second status to the output of web page statistics.
Added registry setting Display Network Info (REG_SZ, string, default "True") to the HTML
section. If you change this value to False and restart DTServer, then the webpage will not disclose any information
about your network or timesources.
Changed the default HTTP listen port back to 80 (for new installs only). We had set the default
port to 90 to avoid clashes with web servers running on the same machine (only one process may "own" a port), but this
caused more confusion than it solved because an admin wanting to server DT2-HTTP would need to remember to configure
all clients using it to use a non-HTTP port. This change only affects new installations.
Added ability for client to use the configured list of time sources in addition to searching the local
network when "Discover sources automatically" is selected on the Obtain the Time page. Click the Discovery Options... button
to see the list of discovery methods. If the "Use servers in configured list of time sources" checkbox is checked, and if
there are any enabled time sources in the configuration list, they will be added to the list of discovered sources. This
checkbox will be checked by default on new installs; upgrades will not see the new behavior unless you choose to enable it.
Domain Time Client comes pre-configured with a list of internet time sources, but also pre-configured to auto-discover
servers locally instead of using the list. This new behavior will allow machines on networks without local time sources to
use the configured list.
Added checkbox "Ignore DT2 masters, slaves, or independent servers observed via cascades"
to the Discovery Options dialog to ignore masters, slaves, or independent servers discovered by overhearing their cascade signals.
The default behavior, since version 4.1 until now, is for the discovery process to remember the last master, slave, or indie
that had broadcast a cascade, and to use those (if present) instead of doing an active broadcast/multicast to locate a master,
slave, or indie. You may now force the broadcast/multicast process by checking the new checkbox.
Added check for leap second status in headers of reply to a DT2/HTTP request.
Control Panel Applet
Added checkbox "Use servers in configured list of time sources" to the Discovery Options dialog (see DTClient for
Changed the drift graph's raw data report to say "UTC" instead of "GMT" in the date format.
Fixed text label to show "Service is running" or "Service is stopped" as appropriate.
Added ICMP test prior to establishing a TCP connection when testing Real-Time Alerts on the Status Reports
page. This additional test makes the Control Panel applet's test function match what DTClient and DTServer already do.
Enhanced the error message information from failed testing on the Status Reports page to help diagnose problems.
Corrected unreported bug where a text log line could appear in the wrong color (green) for warning messages.
Changed text of checkbox on Advanced tab from "Signal resync if TSC indicates resume from pause (VM guest only)"
to "Signal resync if VM guest resumes from paused or saved state"
Added checkbox "Allow multiple instances of tray icon" beside the checkbox for "Show system tray icon" (see
DTTray section above for a description of what this checkbox controls).
Changed from version 4.x to version 5.x request for DTCheck [machine] /cmd="Audit Data". This
provides more information, including pending leap second status. Note that the machine being queried must be
version 5.2.b.20150516 or later in order for the leap second information to be present. You may continue using
DTCheck [machine] /leapcheck against a Domain Time Server without upgrading, but this command will not
work with Domain Time Client. If you don't upgrade your machines and want to know the pending leap status on
Domain Time Client, you must examine the client's log file.
Enhanced output of DTCheck [machine] /cmd="Query Timezone" to show more information, such
as the names for standard vs. daylight saving time, and the zone's changeover dates (if the zone observes DST and it
hasn't been disabled). Note that this extra information is never available from DTClient, and is deliberately withheld
by DTServer if the Allow clients to match this server's timezone checkbox is unchecked on the
Updated /? documentation to show that either - or / may be used for switches, and to explain how the firewall
commands operate. Please see
Auto-Manage Windows Firewall for details.
Enhanced search (when you issue ntpcheck.exe with no parameters) to use the same discovery
techniques used by the dtcheck /variance search.
Widened first column of multi-column reports to accommodate IPv6 addresses more gracefully.
5.2.b.20150516 - Optional Upgrade
Several enhancements to deal with misbehaving PTPv2 grandmasters. One typo fix on the Control Panel Applet. Minor additions to NTPCheck. Several
new features in DTServer and DTClient. One important change for those using DTServer on a 2012 or higher Domain Controller with Windows Time
Clients if the domain functional level is set to 2012 or higher. Upgrade if you want the new features.
Added additional support for Windows 10 preview (calling itself version 10.0 instead of 6.3).
Changed default compiler option to /fp:fast instead of /fp:precise. This change only affects
the use of floating point variables used for display or logging purposes.
Added countdown timer for two-step grandmasters to catch missing Sync Follow-Ups. Prior
behavior left the machine in the Slave state, but with no time samples if the Follow-Ups did not arrive.
New behavior is to call this an error condition.
Changed "Calibrating" mode (1588-2008 portState 8) to track incoming Sync and Sync Follow-Ups as
well as Announces. Machines will not progress to Slave unless the grandmaster is also sending Syncs (and Sync
Follow-Ups in the case of two-step clocks). Instead the machine will report it has failed to calibrate, and will
revert to Listening. A grandmaster that sends Announces but does not send Syncs and Sync Follow-ups is either
misconfigured or broken, and cannot be used as a time source.
Added extra PTPv2 debugging option PTPv2 timestamps, which displays the
offset, packet arrival timestamp, ingressEvent timestamp, and origin (or preciseOrigin for two-step clocks)
timestamps. It also shows the meanPathDelay and correction (or cor1 and cor2 for two-step clocks) at the arrival
of each Sync (or Sync Follow-Up for two-step clocks). As with all debugging options, use this only when required
to solve a particular problem, and turn it off again immediately thereafter. Debug logging during delicate
time packet processing can significantly affect accuracy.
Added syntax check for invalid parameters to display which parameter was wrong.
Added symmetric key (or Windows RID if using "key windows") number to -raw display output.
Added -help as a synonym for the standard ? parameter.
Added additional samples for help's output and clarified the general instructions.
Added more information for when either Windows or NTP Symmetric Key authentication fails
Added additional rate history information to the startup banner
Added NTP version, stratum number, and reference source to trace-level log display
"Time sample from..." if the source was NTP. This is for informational purposes only.
Changed NTP "Kiss-o-Death" detail display to trace-level output. An "Access Denied" error-level line
will still be generated, since the server's time is unusable regardless of the reason.
Changed NTP client default request version from 3 to 4. This can be overridden by changing the
NTP Client Version value in the Parameters section of the registry. Any value from 1 to 7 is legal, although
using anything but 3 or 4 is not recommended. Note that the change will only affect new installations, since the
NTP Client Version value will already be set to 3 in existing installations.
Reduced threshold for determining phase "runaway" to allow extremely unstable machines (or
machines with extremely unstable networks or time sources) to recover more quickly from false analyses.
Added registry parm (REG_MULTI_SZ) Dependent Services in the Parameters key. Any services
listed here will be started by Domain Time after the first successful timecheck, as long as the services
are set to manual start. This is an alternative to using the built-in service database's dependencies. If you
use the built-in functions, dependent services will wait for Domain Time to start, but won't know to wait until
the first synchronization has completed. You may list services by their display names (e.g. "Disk Defragmenter")
or by their internal service names (e.g. "defragsvc"). List services one per line, without quotation marks.
Domain Time will only attempt to start services that are listed, not yet running, and set to manual startup.
Note: If Domain Time cannot set the clock for some reason (invalid sources, firewall settings, etc.), then
services you have set to manual start will not be started.
Added registry parm (REG_SZ) Clock Adjustment Statistical Method in the Parameters key. The
default value is Automatic. Domain Time uses the calculated performance to evaluate and remember each integral
rate it tries. Changes to this setting take effect immediately after the next group of samples is ready for analysis. You do not
need to restart the service. You should clear your clock history using dtcheck -resettimings
before changing this value. Allowed values are:
Automatic - On Vista/2008/Win7/2008r2 machines, Automatic will use the median value
from each group of samples. On all other versions of Windows, it will use the arithmetic mean
(average) of each group of samples.
Average - The arithmetic mean of values
Median - The median number in the array of values
Toss (same as Toss Hi-Lo) - average of values excluding the highest high and lowest low
RMS - the quadratic mean (signed root-mean-square) of the array of values
Disabled - no statistical analysis is retained for future comparison
Added extra debug output for phase change calculations and bucket summarization, including the type
of analysis used, and the statistical range.
Added registry parm (REG_DWORD) Clock Adjustment Bucket Size in the Parmeters key. The default
value is 7, although 5 (not configurable) is used during clock training. The bucket size is the number of samples
collected before a particular rate is evaluated. The minimum value allowed is 3, and the maximum is 32. You should
not change this number unless instructed by techsupport.
Added dynamic determination of NTP-style stratum level, based on strata reported by sources (including
PTPv2, which uses "stepsRemoved" to correspond, roughly, with NTP strata). Since Domain Time can use multiple sources with
multiple protocols, there may not be an ultimate single stratum from which time was received. In these cases, Domain
Time takes the highest-level stratum of all used sources (discarded sources are not counted), and adds one to derive its
own stratum number. So, for example, if Domain Time obtains its time from a PTPv2 grandmaster directly, it will report
itself as stratum 2. If it receives its time from three NTP sources, two of which report stratum 1, and one of which
reports stratum 2, Domain Time will report itself as stratum 3. If all three NTP sources reported stratum 1, Domain Time
would report stratum 2, and so forth. Domain Time caps its stratum at 15, reserving 16 as an error, and 17-255 as
meaningless (per the NTP RFCs). The reported stratum is now included in audit data as well as time responses. It is
mainly of use in Domain Time Server, where other machines may choose to use the reported stratum to choose clocks (a
configurable option in certain Linux ntpd implementations).
The prior behavior was for Domain Time Server in the master role to report itself as stratum 2, presuming that it got
its information from a stratum 1 device like a hardware appliance. Domain Time Server in the slave role reported itself
as level 3, on the assumption that it got its time from a Domain Time Server Master. Clients internally considered
themselves stratum 2, but since they don't serve the time, this wouldn't affect clock selection algorithms.
The registry DWORD NTP Server Stratum in the Parameters key on Domain Time Server
defaults to zero, which means that Domain Time itself should determine what stratum it reports. Setting this to any
value between 1 and 15 will force Domain Time Server to skip derivation and simply use the stratum provided in all cases.
Added NTP support for 120-byte requests. These requests come from Windows Time clients in
a domain environment, where the domain functional level is 2012 or above, and where the client is also
Windows 2012 or above. See Microsoft's "[MS-SNTP] — v20140502 - Network Time Protocol (NTP) Authentication Extensions"
for details. Domain Time does not attempt to honor the bit-flags; upon recognizing an ExtendedAuthenticator
request, it sends the standard 68-byte signed reply. Clients use the reply to decide dynamically how to
query the server on future requests. This support may not work in all circumstances. Our advice remains
to avoid using the Windows Time service as a client, since it uses proprietary extensions to the NTP RFCs,
and does not keep accurate time.
Control Panel Applet
Fixed unreported typo in prompt on main Security dialog.
Added PTPv2 timestamps to the scrollable list of checkboxes of types of debug details.
5.2.b.20150307 - Optional Upgrade
Several small bug fixes and enhancements. Upgrade if you are affected by any of the bugs, or if you want the new functionality.
Changed sync log collection for audited NTP machines to use hectonanoseconds instead of milliseconds.
Added ability to collect PTPv2 offset data during collection of synchronization logs.
Fixed unreported bug that could cause false alert if double-checking is enabled and the second check failed.
Changed debug output of NTP queries to show ASCII for Kiss-o-Death and Primary machines, IP addresses for others.
Changed log output when pruning old records from "drift file" to actual filename for disambiguation.
Added checkbox "Add machines discovered by receipt of startup Real-Time Alerts" to Advanced/Audit List Management dialog.
If checked, and a previously-unknown machine sends a Real-Time Alert shortly after boot or service restart, Audit Server will attempt to add
the machine to the audit list. The sending machine must respond to Audit Server's query before it can be added. Audit Server will only try
unknown machines a few times before giving up.
Fixed failure to load symmetric keys when using the host machine's list of time sources.
Made "lost connection" dialog auto-dismiss after 10 seconds.
Corrected Server and Client to emit event log error code 4009 as documented.
Enhanced MD5 symmetric key import/export to support more formats.
Added extra debug output for PTPv2 master selection sample validation.
Added workaround for invalid PTPv2 Announce packet logMessageInterval outside allowed range of 0-4.
Added ability to supply PTPv2 offset data during remote collection of synchronization logs.
Added UDP reset and outgoing TTL/hopcount to generic outgoing sockets used as helpers when the
correct outgoing interface is known (as opposed to the server listening sockets, or dynamically-created sockets for
client-server transactions). The generic outgoing sockets are primarily used by PTPv2, but occasionally by other
5.2.b.20140922 - Optional Upgrade
Support for Windows 10 pre-release. Optional encryption for email. Several small bug fixes and enhancements. Upgrade if you are affected
by any of the bugs, or if you want the new functionality.
Added support for Windows 10 workstation and server pre-release (Windows internal version 6.4) to
all components. Complete support is not possible until the RTM versions become available.
Added dropdown beside server port box to select the type of security/encryption. The options are
no encryption (default), STARTTLS if available, STARTTLS required, and SSL/TLS (end-to-end
encryption). When you change the dropdown, it will automatically update the server port number to the
default for that type of connection. If you are using a non-standard port, you may change the port
number manually after selecting the type of security desired. Note: For STARTTLS or SSL/TLS
to work, the server must have a working certificate installed and support either SSL/TLS or STARTTLS.
Added registry value HKEY_CLASSES_ROOT\Gap\GWServiceSMTP\TLSIgnoreCertErrors (default 0). If this value
is zero, the server cert must pass all tests. If the value is non-zero, it is a bitmask specifying which
particular types of errors may be ignored. See Microsoft's documentation
for a list of certificate errors that may be ignored. Use a logical OR to combine multiple values.
0x00000080 - Ignore errors associated with certificate revocation
0x00000100 - Ignore errors associated with an unknown (or self-signed) certificate authority
0x00000200 - Ignore errors associated with wrong use of a certificate
0x00001000 - Ignore errors associated with an invalid/mismatched common name
0x00002000 - Ignore errors associated with an expired certificate
Corrected Daily Report output field "LastVariance" to show by how many milliseconds the audited machine
corrected its clock (conforms with documentation). It was showing a truncated version of the delta at the moment of audit
instead. Sub-millisecond correction data is only available from the text log or drift graph on each machine.
Changed trace-level log output of Real-Time Alert status changes to indicate all changes, not just changes
to warning or error status. In earlier versions, one must use debug-level logging to infer upgrades in status rather than having
them called out specifically.
Fixed routine that purges old history data files. Also added immediate purge when CPL values for retention are changed.
Added up to 30 second delay before startup scan, so that the first scan after a reboot doesn't run until after the machine has
a chance to set its clock. The amount of time depends on whether DTMon is able to determine that DTServer or DTClient is installed, and, if so,
its synchronization status.
Added check for invalid stGlobal member of audit stamp reply from versions 1-4 (inclusive). These older versions of Domain Time
can sometimes return either zeros or unconvertable values if audited during a timecheck.
Added command-line option EXPORT filename to dtman.exe. This produces a rudimentary comma-separated-value output file
containing the contents of Manager's database. For example, dtman export c:\machinelist.csv would write the contents of the
database to the file c:\machinelist.csv. If the file already exists, it will be overwritten. The first line contains the field names:
"Type", "Audited", "Domain", "Name", "IPAddress", "LastContactUTC", "RTStatus", "PTPStatus" and a CRLF. Each subsequent line will represent
one entry from the database. All fields are enclosed in double quotation marks, and each line is terminated by a CRLF. The "Type" field will be
one of DT2, NTP, PTP, W32, or UNK(nown). "Audited" will be either "Yes" or "No". The "RTStatus" field will be "None" if the machine is not reporting via Real-Time Alerts. The PTPStatus field will
be blank if no PTPv2 information is available. The "LastContactUTC" field will be in yyyy-mm-dd hh:mm:ss format if contact has ever been established,
otherwise it will be blank.
Updated XML-format output for compatibility with more versions of Microsoft Excel and OpenOffice. Added extra xmlns schemas, and
corrected format of cells with string content. XML output now passes all XML Validity checks.
Updated to allow firewall options to work with Windows 10.
Changed NTP Client to recognize NTPv4 "Kiss of Death" packets. If a response from a server is valid, but claims
stratum zero, then the server should not be used. Domain Time puts a message in the log.
Changed NTP Server to send Stratum 16 (unsynchronized) as well as setting the leap indicator to 3 (unsynchronized) when
the server has not yet synchronized.
Changed NTP Server to allow malformed NTPv1 requests for compatability with very old embedded systems.
5.2.b.20140707 - Optional Upgrade
Several enhancements and minor bug fixes. New features and behavior for Audit Server's Daily Reports and Standby Mode. Better handling
of PTPv2 automatic settings. Improved distribtion of pseudo-random numbers throughout very small ranges (used to keep multiple machines
busy synchronizing the time rather than their packet-sending activity).
DTAudit - Daily Reports
Fixed reported bug in LocalTime field (was displaying UTC, not local, time)
Added LocalTime# field (displays in yyyy-mm-dd hh:mm:ss format)
Added LastContact# field (displays in yyyy-mm-dd hh:mm:ss format)
Added InstallDate# field (displays in yyyy-mm-dd hh:mm:ss format)
Added UnixTime# field (displays in yyyy-mm-dd hh:mm:ss format)
Added LastSet# field (displays in yyyy-mm-dd hh:mm:ss format)
Added LastStartup# field (displays in yyyy-mm-dd hh:mm:ss format)
Added VarianceHNS field (displays unsigned variance as fractions of a second with 7 significant digits)
Added sVarianceHNS field (displays signed variance as fractions of a second with 7 significant digits)
Added PTPState field (displays "Listening" or "Slave" or "Master" etc)
Added PTPMaster field (if machine is a slave, displays the master's IP address if known)
Increased height of field selection dialog box to make it easier to find available fields
DTAudit - Standby Mode
Fixed unreported bug where the number of allowed standby replication failures was not being saved
in the registry. Upon reboot, or upon exiting/reentering standby mode, it would reassume the default value of 5.
Fixed bug introduced in the 5.2.b.20140523 release that caused Monitor to always report zero machines
discovered on the network.
Added an option to have each excessive variance reported individually to the Event Viewer log. This
option emulates version 4.1's behavior. A new checkbox on the DTMonitor Control Panel applet, Alerts tab, "Summary Event Only"
is checked by default. Uncheck this box to obtain a warning (Event ID 1001) in the Event Viewer log for each machine whose variance exceeds
Fixed "View..." menu item on the Daily Reports menu so that it provides an Open File box with a
default of *.* instead of *.txt. In the 5.2.b.20131101 release, we made the daily report filename's extension
configurable (so that users could name the file .csv instead of .txt, for example). The Open File dialog was never
updated to display files named with any other extension, forcing the user to type *.*[Enter] in order to see the
Fixed bug introduced on 26 Dec 2013 that defaulted the UDP and ICMP receive
timeout to 1 millisecond. The minimum allowed value is 2, and 55 is the default for a "fast" local LAN. When Manager
loads, if it finds the receive timeout set to 1, it will change it to 55. If you want a lower value, you may adjust
it down again.
Changed method of validation used to verify the domain/username/password used when changing Audit Server
into Standby Mode. This change does not affect Audit Server itself, but only how Manager interprets the information when
you are interacting with the dialog box. Audit Server normally operates under the LocalSystem account credentials, and
it can therefore use the supplied credentials in a way that a foreground user cannot. The dialog now does its best to
determine whether or not Audit Server will accept the credentials, rather than trying to use them the way Audit Server
does as its test. This change only affects interactions between stand-alone workgroup machines and domain machines, or between
domains where no transitive trust has been created.
Control Panel Applet
Changed the behavior after stopping/restarting the service using the "About" page of the Control
Panel applet. Instead of waiting until the service has completely finished starting and is answering network requests,
it now waits only until the service has started successfully without also waiting to refresh the statistics display
(which may not be available for several seconds after the service starts).
Fixed server statistics display from DTTray.
Log File Viewer
Added some right-click options; fixed search so that the first find scrolls the found text into view;
added F5 for refresh when not set to auto-refresh; showed keyboard shortcuts on menus and popups.
Fixed unreported bug in CIDR mask evaluation for IPv6 where all link-local addresses were matching the
keyword "localhost" (only [::1] should match).
Rewrote IP enumeration routine and triggers for it, so that IPs are only reenumerated after all change
notifications have been received (delay of up to 3 seconds after first IP change notification).
Changed getaddrinfo() inside local socket enumeration (prior to bind) to use "..localmachine" instead of ""
(a zero-length null-terminated string) when querying with the AI_PASSIVE flag for non-XP machines.
Removed unneeded "Found IP ... in list of bindable addresses" debug-level messages during bind. If binding
to all IPs, it doesn't matter. If binding to a specified list, each IP is already mentioned as either matching or not
matching the specification.
Removed unneeded sockets enumeration log messages when re-enumerating as a result of a change notification;
only the newly-added or just-removed IP addresses are mentioned.
Added port number to protocol name in debug-level "Stopping all listeners for..." messages.
Added UDP or TCP to debug-level socket creation messages.
Added internal flag to suppress outgoing Real-Time Alert messages during rebinding caused by IP change
or a change in allowed listen addresses, only if Audit Server is running on the same machine (because the node is likely
set to report to Audit Server, and won't be able to during the rebind operation).
Added ICMP check before using TCP for sending Real-Time Alerts; this helps identify whether the target is
up more quickly than just connecting. (Note: It also means your Audit Server must be PINGable from each reporting machine if
you are using TCP for Real-Time Alerts. If you are using UDP, Domain Time simply sends the report, waits for a reply, and
calls it a timeout if no reply is seen.)
Moved sending of Real-Time Alerts into a work item, so that if connects (or failures to connect) take a
long time, it will not interfere with normal responsiveness of the service to external signals).
Changed startup banner (the startup display in the text log that shows settings) to indicate if the admin
has overridden the default number of IOCP handler threads.
Fixed automatic calculation of required IOCP handler threads to a minimum of two (instead of one) for DTServer,
regardless of the number of processors. The minimum of one thread for DTClient remains unchanged, but the default is now two on
Added check on DTServer that, when running as a master or slave, looks to see if the PDC-Emulator role has changed at each
timecheck. In prior versions, the new PDC-Emulator would notice immediately, but the old one might believe it was still the PDC-
Emulator until queried. Note that due to Active Directory propagation delay, a transferred PDC-Emulator role may not be seen by
all slaves at the same time.
Fixed Status Monitor (default port 9911), which, due to a typographical error in the code, stopped working
after version 20140303.
Changed behavior when no machine name is specified on the command line. Instead of using the machine's NetBIOS
name as the default, DTCheck looks at the list of IPs on which the service (either DTClient or DTServer) is listening, and selects
the first one in the list (normally 127.0.0.1). This allows DTCheck to work when you have the service set to listen to only certain
IP addresses. You may regain the original behavior by using the NetBIOS name on the command line.
Increased the speed of -hammer2 test by several hundred-fold to stress-test a server more
severely. When -hammer2 is used with the -noreply option, NTPCheck will
send request packets as fast as possible on a single UDP socket. Use with caution.
Changed startup sequence so that PTPv2 isn't considered "running" until all PTPv2 listeners have finished
initializing. This prevents a race condition where the PTPv2 "Event" port is up and an announce arrives and the timer is
set, but the "General" port is still initializing, so the timer could expire too soon. This conditional is entirely
theoretical, and has never been observed outside of deliberately causing it by artifically blocking the initialization
process. However, saving the "running" state until both listeners are up cuts down on ignored debug messages if full
PTPv2 debug-level logging is enabled, so addressing the theoretical flaw has a practical benefit.
Added retries if no reply from master on management PORT_DATA_SET request. Enhanced debug output from
reply processing to show which settings were ignored (no change), accepted (automatic settings, and information
from master differs from current settings), or rejected (differences, but not using automatic settings). Also updated
PTPv2 Stats dialog to show error reason if unable to obtain the master's PortDS information.
Addressed subtle race condition in processing messages from two-step grandmasters. UDP packets are not
guaranteed to arrive in order, but a Sync message must be processed before its corresponding Sync Follow-up message in order
to produce a valid offset. Because two-step grandmasters send the Sync Follow-up message within microseconds of the Sync, it's possible
for any given machine to receive them either simultaneously (on different threads), or out of order. This fix also addresses
the Peer-to-Peer delay measurement mechanism if the peer sends a two-step reply.
Changed default PORT_DATA_SET method to use multicast instead of auto-detect. Added option on PTPv2 Advanced
page of the Control Panel applet to control this behavior. The drop-down offers "auto," "unicast," and "multicast" for the send
method. The former default was auto-detect. Clicking the Reset to Default button on the dialog will change the drop-down to
5.2.b.20140523 - Optional Upgrade
One minor bug fix in DTServer; one minor bug fix in DTAudit; several minor enhancements and changes throughout. Added code to
DTClient and DTServer to support forthcoming enhancements to Manager. Important: Upgrade your management workstation
before deploying upgrades to DTServer or DTClient. This will prevent backward-compatibility problems with Real-Time Alerts.
Older version of Audit Server may misinterpret the PTPv2 "lost master" Real-Time Alert as an excessive delta. Our recommendation
for those using Audit Server/Manager has always been to upgrade the management workstation first, then deploy upgrades to
clients and servers.
Added DTHRes32.dll and DTHRes64.dll to all distro zips. They were formerly included in only the eval version,
which contains all files, and in the SDK distro, which contains only SDK files (SDK license still required for use). Added support for updating copies in the main Manager
folder during installation/upgrade of Management tools. Setup does not attempt to locate and update copies elsewhere.
Added signals between Audit Server, Manager, and Update Server to notify each other of database (cache)
extension operations. This allows components to remap their shared view of the database immediately instead of waiting for the
next audit/refresh/discovery cycle.
Updated Audit Viewer (dtreader.exe) to show NTP version used for NTP Servers on the summary page.
Updated Audit Viewer's details page: the entry "NTP Protocol Used" was changed to "NTP Time Software,"
and the value displayed is whatever shows in the "Time Software" column in Manager. This data is automatically
collected if available, or may be overridden by the admin.
Added ability for Daily Reports to show %LastSet% and %UTC% variables for NTP Servers.
Fixed invalid date in Real-Time Alert emails. Email notifications are sent after all pending Real-Time Alerts
are handled. Prior to this fix, if an admin had Manager open at the time of an alert, and acknowledged it before before the corresponding
email was sent, the email would show an invalid date (normally midnight 01 Jan 1970, corrected for local time). This fix allows the date
to persist after an alert is acknowledged.
Added checkbox on the display Format Options dialog option to sort columns showing variance (deltas,
latencies, or offsets) by absolute value rather than by signed value. If checked, and if sorting on one of these columns,
the list will be sorted by magnitude. If unchecked, negative values come before positive values.
Modified -resettimings and other reset routines so that only -prepclone deletes the PTPv2
cached clockIdentity value. Removing the cached clockIdentity is very important for preparing to clone, but inappropriate for any
other kind of reset.
Removed DNS lookup from replies to broadcast/multicast commands. Changed to displaying only the IP of the
Allowed symmetric key authentication to work with DT2-TCP as well as with DT2-UDP. Clients would send the auth
information, but server rejected the packet size as being too big because it wasn't expecting the extra auth information. Bug
reported by customer.
Undid change in 5.2.b.20140404 to discovery commands. The extra information is only used for debugging purposes
on 5.1 forward, and older versions of Domain Time can't understand IPv6 addresses.
Changed log level for becoming a PTPv2 master from trace to info (to match becoming a slave).
Control Panel Applet
Added an "Advanced" button to the PTPv2 options dialog, and moved seldom-used items there. Also added options
on the new advanced dialog to control handling of management messages and for manually setting the machine's clock identity.
Changed PTPv2 stats collection to reflect only packets applicable to the machine's current state. Announces for
the current domain are always counted, but announces for other domains are not. Similarly, if multiple masters are online, only syncs
from the chosen master increment the count of syncs.
Added new debug-level output option to show all incoming PTPv2 announce messages, even if they are ineligible
for selection as master. You should use it in conjunction with the master selection process option, to see which announces are being
ignored and which are considered master candidates. Added pop-up to remind users to switch back to trace or info level after debugging.
Added new counters to PTPv2 stats display.
Added right-click copy selection to clipboard on the log file viewer (Ctrl-C has always worked, but newer users may
not know the historical keyboard shortcuts). Also added Ctrl-O as a keyboard shortcut to open the file in Notepad. Ctrl-F (find) unchanged.
5.2.b.20140404 - Recommended Upgrade
One important bug-fix (upgrade recommended: see below); several minor enhancements to the visual aspects of DTManager; one minor enhancement to
Domain Time Server; several internal changes to PTPv2 handling and capabilities.
Important: Fixed unreported bug that could trigger a Denial of Service attack if a malicious or inadvertently
malformed PTPv2 packet is received. Versions of Domain Time between 5.2.b.20121111 and 5.2.b.20140303 (inclusive) are vulnerable.
Although we have no reports of this potential being exploited, you should upgrade vulnerable versions.
Added checkbox to the Control Panel applet's Security tab to expose whether or not remote time zone changes
are allowed (formerly a registry-only setting).
Added thread and CPU counters to list of debug categories selected when you click the "most essential" preset.
Added debug category for dropped PTPv2 announce and sync packets. Occasional dropped packets are normal and do
not interfere with PTPv2's operation. This category of debugging lets you see when an expected packet doesn't arrive on time, to
help debug unexpected state transitions. These debug messages show how many expected packets in a row were dropped, up to the point
where the lost-master state begins.
Added debug-level logging category for PTPv2 state changes; this includes internal logical changes, and also whether or not
a notification was sent as a Real-Time Alert due to the state-change.
Added IPv6 addresses to the list returned by the DT2 discovery commands. Also changed the order of returned IPv4
addresses so that the one most likely to be useful to the caller (based on the network class of the request's source address) is
presented first. The former behavior was to present the machine's primary IP first.
Fixed unreported bug that prevented Manager from setting the time zone on DTServer if DTServer wasn't also
allowed to provide time zone information to clients.
Added help command to DTAlert telnet-like protocol
Added support for remembering the PTPv2 state on each reporting machine; this information also
appears in the debug-level text log file.
Corrected problem deleting domains on the left-hand side (tree) using right-click followed by Remove Domain from Cache.
Added version string to uninstall information.
Fixed unreported bug that sometimes prevented Manager's status bar from being redrawn every time the main windows was
dragged to resize.
Added column to Real-Time Alerts list showing current PTPv2 state. In order for this information to be fully-reliable,
reporting machines need to be upgraded, too. If you upgrade Manager and Audit Server without also upgrading the reporting machines,
Manager will display limited, possibly stale, information in the PTPv2 state column.
Fixed display of upcoming leap second deletion from "58" to "59" as the number of seconds in the last minute of the
last hour of the last day of the month in which the leap second is to be subtracted. Since there has never been a leap second subtraction
since the inception of leap seconds (they have all been additions), this was an invisible bug.
Changed the Interface Colors dialog so that changes are shown immediately when chosen, rather than after the
Apply button is clicked.
Added two new interface color choices, used when displaying the Domain Time version. Now machines with older (or newer)
versions of DT than Manager's version are visually identified as different. This makes selecting machines for upgrade easier.
Added "hand" cursor when hovering over the name or IP address of a machine to indicate visually that double-clicking will invoke
the Control Panel applet (or other behavior if the machine isn't controllable).
Fixed lack of color and "hand" cursor in the Audited column of the Real-Time Alerts list. The Audited column has
always been double-clickable (in all lists), but wasn't showing color in the Real-Time Alerts list.
Fixed unreported bug in output from -cmd="query timezone". DTCheck now reports whether or not the machine allows
clients to match the server's time zone. The same bug prevented DTCheck from displaying the name of the server's time zone.
Widened internal calculations of Unix time from 32 to 64 bits to prevent January 2038 rollover. Also enforced
interpretation of on-the-wire 32-bit representations to unsigned (extends rollover by 68 years). This change allows for test
situations with the system clock set to 2038 or beyond; it has no effect on date/time calculations in other circumstances.
Added "Slave Packet Receipt Grace Period (milliseconds)" registry value, default 500. This value is added to the
master's reported packet frequency (ANNOUNCE and SYNC/SYNC_FOLLOW_UP messages) to determine whether a subsequent packet is late.
Added support for CIDR masks as well as full IPs in the Best Master Clock list of acceptable servers. Admins may
mix/match specific IPs and CIDR masks in IPv4 or IPv6. The use of hostnames in this list is allowed but strongly discouraged. "Localhost"
or 127.0.0.1 or ::1 should never appear in the list of possible masters.
Added support for COMMAND/ACKNOWLEDGE and SET/RESPONSE to the PTPv2 NULL_MANAGEMENT TLV. All other management
TLVs only respond to GET commands, as before.
Changed meaning of "Slave PortDataSet Check Interval (seconds)" to allow a setting of 0xFFFFFFFF (decimal 4294967295)
to mean the master's Port Data Set should only be requested once, when first calibrating a master before entering the slave state. The
new range is therefore 0 through 0xFFFFFFFF, with zero meaning "never," 0xFFFFFFFF meaning "one-shot," and any other number meaning
once when calibrating, then every x seconds thereafter. The default remains 3600 seconds, which means when first calibrating and then
hourly thereafter. This is a registry setting not exposed via the Control Panel applet. You must either restart the service or issue
dtcheck -reload for the service to recognize the change.
Started using registry value "TAI-UTC Offset Discovered (seconds)" to determine whether to send PTPv2 timestamps in
proper ptpTimescale (that is, sending TAI and specifying a non-zero utcOffset), or in faked-up ptpTimescale (that is, sending
the current UTC time-of-day including cumulative leap seconds, while saying the offset is valid but zero). If set to a non-zero value,
proper ptpTimescale will be used. If zero, faked-up ptpTimescale will be used. At any time, if the node becomes a slave to a grandmaster
using proper ptpTimescale, then the registry value will be updated to reflect the current cumulative leap seconds since the PTPv2 epoch.
If the node then transitions to master, it will know the current offset and use it. If the node never synchronizes with a grandmaster
that supplies proper ptpTimescale, the registry value will remain unchanged.
Added several PTPv2 management message handlers for seldom-used management TLVs.
Added the ability to send PTPv2 errorTLVs in response to invalid or unsupported management TLV requests. This
ability is controlled by the registry setting "Management Error TLVs Enabled" and defaults to false (i.e., no error TLVs are returned),
on the presumption that less traffic is always desirable. You may change this value to true if your PTPv2 management software expects
or requires error responses in order to determine capabilities. You must restart the service or issue dtcheck -reload for the service
to recognize the change.
PTPv2 operating in master mode now sets the leap flags according to its best knowledge. Typically, only GPS receivers, or
time sources derived from them, know of pending leap seconds. If the machine synchronizes with a source that (ultimately) derives
from a GPS receiver, then the leap flags will be correct.
5.2.b.20140303 - Optional Upgrade
Mostly internal enhancements, with one important fix, and several unreported bugs fixed. Some "best practices" upgrades that don't affect operation. Some cosmetic changes,
mostly to the PTPv2 master settings on DTServer. Several PTPv2 "management message" fixes. Upgrade if you are experiencing any of the referenced problems, or
if you need the new functionality.
Added full path names to dynamically-loaded operating system DLLs to follow
best practices for security (no known vulnerabilities).
Centralized defines for _WIN32_WINNT, _WIN32_IE, and similar compile-time
constants into single header file shared by all components to follow best practices (no known
Fixed wording in .txt and .htm files in the distro zips that still referred to version 5.1.
Highly optimized debug-level logging to help prevent log activity from interfering
with time-sensitive activities. However, our recommendation remains to avoid debug-level logging
unless you are looking for the cause of a specific problem. Debug-level logging can lessen the
syntonization of Domain Time with its source, and should always be turned off after you
finish troubleshooting. This is especially true for PTPv2, which can generate an immense number
of debug-level messages.
Further fix for bug reported fixed in version 5.2.b.20131101 where server announce and sync intervals didn't
match CPL settings. While the 5.2.b.20131101 fix ensured that announce and sync intervals matched when a machine assumed the
PTPv2 master role, it did not address the possibility of an admin changing the settings while the machine was already a master.
In this case, the machine would advertise the new intervals (thanks to the 5.2.b.20131101 fix), but use the old ones. Now the
server will both begin using and advertising the new intervals immediately, without having to lose and reacquire master status.
Added ability for PTPv2 master to advertise itself as clockClass 13 (grandmaster quality with ARBitrary timescale).
Changed wording on the Control Panel dropdown to show clockClass numbers and descriptions: "Primary" changed to "6 Grandmaster (PTP timescale)";
"13 Grandmaster (ARB timescale)" added; "Default" changed to "248 Default (low quality)"; and "Slave-Only" changed to "255 Slave-Only (unreliable)."
Note that, by default, DTClient will not synchronize with a master advertising the ARBitrary timescale. Strict compliance with IEEE1588-2008
requires the PTP timescale. This option is provided for compatibility with other vendors' software.
Changed the default selection of clockClass for PTPv2 masters from 248 to 6.
See first entry in DTServer/DTClient below. If you have your server configured to step-only, and you have changed
the default minimum correction limit to some value larger than the default 1ms, then your server may begin serving the time without
correcting its clock. This is the proper behavior, since the server has checked with its sources and determined that its time is
close enough to continue, but may produce unexpected results if you were counting on an initial step to occur regardless of the minimum
correction limit. Our recommendation continues to be to use the default setting of 1ms for the minimum correction limit, and to use slewing rather
Changed PTPv2 master message intervals to drop-downs to ensure admins don't enter values that aren't natural powers of two. While Domain
Time can use any interval, the PTPv2 spec requires the intervals to be natural powers of two, and this information is transmitted along with outgoing
PTPv2 announce and sync packets. A naive slave might not understand whether to round up or down if the value sent isn't a natural power of two.
Removed call to NetrLogonSetServiceBits on non-domain machines, regardless of registry overrides for whether or not the machine should
be considered a reliable time provider. Calling this function from a workgroup member will always produce a meaningless error code.
Control Panel Applet
Fixed typo in dropdown display for PTPv2 IPv6 multicast address (said FF0x:1181 instead of FF0x:181).
Changed checkbox "Enumerate multicast interfaces during IPv4 bind" to "Enumerate multicast interfaces during IPv4/IPv6 bind"
Added "Network enumeration and bind success messages" to list of suppressable debug text log categories.
Changed wording on PTPv2 settings from "Refuse to synchronize with any master clock except those specified below" to
"Only select best master clock from among those listed below."
Fixed unreported bug that caused the minimum correction limit (ms) to be ignored when stepping the clock. This only
affects those who have changed the default minimum correction limit from 1ms to some larger number, and only when slewing was either disabled
or not possible.
5.2.b.20140101 introduced a small internal cache for IPv4 lookups; under some circumstances, a cache hit could fail to be
be marked as IPv4, leading to "unknown" being reported in the Raw Data text expansion of a drift data file. This version ensures that the IP
address is marked as IPv4, so it can be displayed properly.
Eliminated redundant resync triggered by service notification of clock change event after stepping the clock.
Added default listen IP suggestions when first selecting "Listen only on these addresses" (i.e., the list
is blank). When operating on the local machine, the default is all networks/CIDR masks, plus localhost. When operating on a
remote machine, the netmasks cannot be determined, so the hostname, IP address (if known) and localhost are used. These values
are suggestions only; we presume that an admin who is setting specific listening addresses will know which ones are desired and
which ones are not.
Added a new category of suppressable debug messages: "Network enumeration and bind success messages." This
information is of great usefulness in diagnosing problems due to misconfigurations or network oddities, since it shows exactly
what IPs and interfaces are found, bound, and used for each instance of each protocol, but is otherwise not needed.
Changed enumeration of multicast interfaces for individual binding to include IPv6 as well as IPv4 when
specific IP address are not provided (i.e., "Listen on all IP addresses" is selected).
Added ability to detect IPv6 address changes and signal rebind/resync (same behavior as for IPv4).
Fixed unreported bug with PTPv2 management messages where the targetPortIdentity.portNumber was not being
set correctly on replies.
Added missing members and corrected faulty packing on PTPv2 management GET replies to parent data set and port data set. Also changed
the productDescription field in the clock description from "Greyware;5.1;" to "Greyware;Domain Time Server;" or "Greyware;Domain Time Client;" (each followed
by the serial number of the unit). Management stations may use the productDescription field to determine whether or not the parent and port data sets
will return the expected data in the correct formats. Note: Domain Time Server, when acting as a PTPv2 Master, may return 0 in the delayMechanism
field of the port data set. This value indicates that Domain Time Server will respond to either E2E or P2P requests. If you want it to respond to
only E2E or P2P and report that in the port data set, change the PTP Profile dropdown to something other than auto-detect. The dropdown affects behavior
in both slave and master modes.
Allowed PTPv2 management messages from any source IP address (not just potential masters).
Fixed unreported bug when PTPv2 delay measurement was set to disabled being reported as "Unknown" instead of "Disabled"
and sometimes flip-flopping statuses when losing and reacquiring a master.
Enhanced PTPv2 ability to change delay measurement types among auto, disabled, and E2E/P2P without having to lose and
reacquire a master.
Changed statistics count of PTPv2 management messages received to include only those GET requests applicable to that particular
machine. The former behavior counted all management messages seen on the network, including requests addressed to other machines, and replies.
The machine's PTPv2 clockIdentity is now saved in the registry and reused after first being calculated (normally from the MAC address of
the primary adapter) as an 8-byte binary value called "ClockIdentity Cache." Since MAC addresses on virtual machines can change, or which NIC is
considered primary may change when the stack is rebuilt (or depending on which cable is plugged in), or when a NIC is replaced, having the value
saved keeps the clockIdentity static over time. To force Domain Time to rebuild a new clockIdentity, stop the service, delete the "ClockIdentity Cache"
value, and restart the service.
Removed scope from IPv6 enumeration on startup bind when "localhost" was specified for a bindable address. DT first bound the unscoped
address, then tried to bind each specific scoped address afterward. The subsequent binds produced error-level messages in the log, but did not affect IPv6
operations. The error message present in prior versions may be safely ignored if it refers to an IPv6 address with a scope.
Added code for slaves to send management requests for the master's Port Data Set when first calibrating and
periodically thereafter. The requests are sent unicast. If a reply is received, DT records the master's preference for delay
request timings and also the supported mechanisms for delay requests. This information is used to aid DT's normal method of
probing for configuration information, and only operates if DT is set to fully-automatic profile and automatic delay request interval.
The frequency at which port data set management requests are sent is controled by a registry setting, "Slave PortDataSet Check Interval (seconds)"
which defaults to 3600 (once every hour). You may set the value to zero to disable management requests, or at any number between
1 second and 31536000 seconds (a year).
Added debug-level log message if a grandmaster responds to a Port Data Set management query. The message will show
the grandmaster's actual packet frequency (reported as milliseconds between packets), as well as its preferred/supported delay measurement
method. Domain Time continues to round up incoming PTPv2 packet intervals to a minimum of one second for timeout purposes, but the debug-level
message allows you to see if the master is sending sync packets more often than once per second.
Added internal IPv4 cache to group of things reset when you use either the Control Panel applet or DTCheck -resetstats to reset the statistics.
Added per-server variance history (dthistory.dat) to group of things reset when you use either the Control Panel applet or DTCheck -resetstats to reset the statistics.
Changed per-server variance history (dthistory.dat) to collect stats per-server/per-protocol instead of just per-server.
Changed per-server variance history to include only one PTPv2 sample if PTPv2 sample coalescing is enabled.
5.2.b.20140101 - Optional Upgrade
Many enhancements and customer-requested features. A few cosmetic changes. Two important fixes for Domain Time Server
related to performance in high-volume networks. Upgrade if you are experiencing any of the referenced problems, or
if you need the new functionality.
Optimized lookups for protocol names. No behavior changes.
Added more debug and error logging for LDAP and NetBIOS enumeration
in Manager, Audit Server, and Update Server. Helpful for verifying enumeration success
or determining causes of failures.
Added warning in Audit Server log when Real-Time Alert arrives from a machine
whose serial number is a duplicate of another machine. The Real-Time Alert data is not applied
to the database.
Fixed unreported bug with collection of Real-Time Alerts until x minutes had passed to
send the alerts in a group. The setting for grouping alerts specified minutes, but the code
was calculating seconds.
Added advanced Real-Time Alert option to auto-acknowledge resolved problems
(status yellow) items after a user-configurable number of minutes have passed.
Added logging of PTPv2 slave status to audit server's information-level
summary of audited machines. Also added PTPv2 slave status to debug-level logging for
incoming Real-Time Alert details.
Added ability for Audit Server to treat incoming Real-Time Alerts showing
a PTPv2 slave machine has entered the "lost master" state (that is, had been a slave, but is
currently not seeing sync or announce messages) as either warnings or errors. These are
not audit warnings or errors, they are Real-Time Alert events. The default behavior is
to ignore the condition. If you choose to treat the lost master state as a warning, it will
change the Manager flag color to yellow, and auto-reset to green once the slave has reacquired
a master. It will not send email or SNMP traps. If you choose to treat the lost master state as an error,
it will be treated like any other Real-Time Alert error: It will change the flag color to red,
it will generate email and SNMP traps, and it will require acknowledgement. Be very careful with
treating the lost master state as an error. You can easily flood your network with notices when
someone reboots the grandmaster or a switch.
Added option to restrict Active Directory (AD) domain computer lists to only those machines
whose AD Organizational Unit (OU) matches a user-supplied list of OUs. All machines
are still displayed if the Show Hidden Machines option is enabled; otherwise, only those from the
desired OUs will display. A related option allows showing machines whose OU is blank (mostly workgroup
or other non-AD machines). The new options are located on the Computer Enumeration dialog along with
other AD settings.
Added option to remove computers from Manager's cache when they are removed
from Active Directory. By default, Manager retains old AD computer information in case a machine
is being removed from/readded to the domain, or still has Domain Time installed even if never
readded to the domain. This retention is called tombstoning. You may now choose between tombstoning
Changed network broadcast/multicast scan timeout defaults to "fast lan" settings.
Fixed unreported problem preventing audio notifications for Real-Time Alerts unless
the full path name was specified (the defaults provided only a filename).
Added browse and test buttons to the audio alerts sound-selection dialog box.
Added "Remove from this list" right-click menu item for machine(s) in the Real-Time
Alerts list. Useful for decomissioned machines or machines you can't otherwise configure to stop
sending Real-Time Alerts. Note that this option does not try to contact or configure the selected
machine(s). It simply removes them from the list. If the removed machine(s) begin sending Real-Time
Alerts again, they will add themselves back to the list automatically.
Added support for INSert key to Computer list and NTP Server list.
Added support for DELete key to Computer list, NTP Server list, and Real-Time Alerts
list (only if Manager's overall option to allow using the DELete key is enabled). Also added the equivalent
right-click menu item for each type of list.
Added console output when Manager is started from a command prompt with command-line
parms. The output is identical to the output in the dtman.log file. This allows users running interactively
to see the results without having to find and open the log file or capture the return code.
Fixed unreported bug that prevented timeset chimes from playing.
Changed default of registry setting "Clock Chime Uses System Volume" from TRUE to
FALSE. On operating systems newer than Vista, this allows DTTray to have its own volume control in
the audio mixer. (This setting has existed since version 05 Nov 2012.)
Added registy setting "Clock Chime Force Volume (percent)" to force DTTray's
volume to the specified percentage of the overall system volume. The default is zero, which means
the audio mixer controls the volume as expected. Either the operating system must be older than Vista
or the "Clock Chime Uses System Volume" must be FALSE for this setting to have any effect.
DTTray volume affects both timeset chimes and time-of-day chimes.
Default PTPv2 socket bind for DTClient, DTServer, and DTCheck changed to non-exclusive to allow
DTCheck -ptptest to operate simultaneously with DTClient or DTServer.
Changed DTCheck -ptptest display to remove duplicate packets. You may use
DTCheck -ptptest -showdupes to see all packets.
Added optional parameter -nolookup to DTCheck -variance. If
-nolookup is specified, DTCheck's output will only show the IP numbers and not attempt DNS
look-ups for each responding machine's IP.
Add summary display of discovered nodes (masters and slaves) to -ptptest
output; includes the clockIdentity and IP address.
Added DTCheck -eventmonitor to test global named events (see the appendix
in SDK.doc file) and to demonstrate how an external program can be kept aware of Domain Time status without
looping or performing busy waits.
Added four options to -firewall:open. By default, -firewall:open opens the firewall in
the private network, and, if your machine is a domain member, in the domain network. The three new options
allow you specify which networks to open. You may add -public, -private, or -domain (any combination, in any
order) after -firewall:open, and DTCheck will only open the network(s) you specify. DTCheck will silently
ignore a request to open a domain network if your machine is not a domain member. You may also use
-firewall:open -all to open all possible networks without specifying them by name. Note that -firewall:close
does not pay attention to these additional options. It removes the rules entirely, as before.
Added more error checking for the -reset command, to detect attempts to use it with -tcp
on versions prior to 5.2.b.20140101, and also to make error conditions clearer to the user.
Eliminated erroneous DNS lookup during servicing of DT2 filetime request. This could, under
certain limited circumstances, make Domain Time Server take too long to respond to subsequent requests, giving
the appearance of no longer serving the time. This is an important fix for customers experiencing the problem,
but otherwise the effect is only cosmetic.
Added debug counters for available server threads.
Reverted support for WSARecvMsg to enabled by default on XP and 2003. Support for WSARecvMsg
on systems earlier than Vista had been disabled since 17 Jan 2012.
Added "Master offsetScaledLogVariance" to the registry; range 0x0000 - 0xFFFF; default 0x7060.
Former versions of Domain Time Server used a hard-coded value of 0xFFFF. The offsetScaledLogVariance value is part
of the best-master-clock decision (lower values beat higher values). See IEEE 1588-2008 section 7.6.3 for details.
The formula is UInteger16((2^8*log2(sigma^2))+0x8000). Since a software clock has no way to
calculate sigma accurately, the default value is an estimate based on the expected performance of a
modern Intel-based microcomputer system. The value is not adjusted during runtime to account for hysteresis.
Change this registry setting only if you have a very specific reason to do so.
Changed the design for passing received Real-Time Alert data to Audit Server. The new
design favors sending replies immediately to clients rather than waiting until after passing the alert to
Audit Server. Reports are now queued in batches and fed to Audit Server in a separate timer thread, the
frequency of which varies automatically based on traffic and queue load. Prior versions used a queue only
when Audit Server was actually performing an audit, which led to unacceptable delays in replying to the
clients under high volume if interprocess communication was slow (usually for disk reasons). This is an
important fix for those customers experiencing this particular problem.
Fixed unreported bug that could cause listening on IPv6 when IPv4-only was configured.
Added small DNS lookup cache for frequently resolved IPs; also added validity check for
names passed to DNS to skip lookups if, by RFC, they won't ever resolve. These changes speed up
certain internal routines that depend on transforming a name to an IP, or converting a dotted-quad
IPv4 string to its 32-bit binary representation.
Changed default PTPv2 socket bind to non-exclusive to allow DTCheck -ptptest
or other PTP listeners to operate simultaneously with DTClient or DTServer. You may change this
to the former behavior (exclusive use) by checking the box on the Network tab of the Control Panel applet.
Distinguished between PTPv2 Steering (continuously-variable phase adjustments) and
PVPv2 Sampling (continuously-variable phase disabled) in the log file.
Added trace-level log output indicating how many PTPv2 samples were collected when
not using the PTPv2 coalesce option. Formerly, the log only showed how many samples when they were coalesced into
one for comparison with other time sources.
Added options for debug level output to suppress various classes of activity.
Added option to disable NTP control-mode queries; registry only. In Parameters,
changing "NTP Query Disabled" from False to True will prevent Domain Time Client (if listening for NTP
broadcasts) or Domain Time Server (if either listening for NTP broadcasts or serving NTP time) from
responding to control-mode queries.
Added display of "lost master" status for PTPv2 slave. When a machine is a slave, but
loses its master because announce or sync packets are not seen, it enters the lost-master state and
records the UTC time-of-day that the master was lost. This information is visible from both
dtcheck -ptpstats and from the PTPv2 statistics display of the control panel applet. Both
functions work on remote machines as well as the local machine. Resetting the statistics, becoming a
master, reaquiring the master, or selecting a new master, will clear the lost-master state. Having lost
a master is not necessarily an error, since PTP's best master clock algorithm is designed to select
from among multiple potential masters in just such events.
Fixed problem with control panel applet sometimes prompting to save changes before switching
focus to a different machine even if no changes had been made.
Added automatic timecheck when a PTPv2 slave enters the "lost master" state.
Added automatic Real-Time Alert update when a machine becomes a PTPv2 slave, enters
the "lost master" state, or becomes a PTPv2 master.
Updated SDK.doc file to correct typos, extend list of supported operating systems,
and add an appendix about global named events.
Replaced duplicate UDP packet detection mechanism with a FIFO queue with stale packet
detection. The old queue was circular, and aging was controlled solely by the size of the queue. The
new mechanism is faster and uses less memory.
Moved code to increment counters for incoming UDP and TCP bytes to the IOCP threads
instead of being handled by each protocol. This lets the counters include bytes received but not
acted on by a protocol (duplicate, wrong sequence, malformed, etc.).
Added global counter of rejected duplicate UDP packets (primarily multicast or broadcast
packets on multi-homed machines, where one copy is received on each interface). This counter is visible
from the statistics display in Manager or the Control Panel applet About page along with other counters.
Added memory load, working set size, and handle count to debug-level output after each
Added support for stats reset via TCP, same as UDP.
5.2.b.20131101 - Optional Upgrade
Several bug fixes and enhancements related to PTP. A few minor upgrades to other components. Upograde if you are experiencing any of the
referenced problems, or if you need the new functionality.
Added labels for Windows 8.1 and Windows Server 2012 R2.
Added ability to change Daily Report filename extension. Formerly, it was hardcoded to be .txt. The default remains .txt, but
customers using spreadsheets may want to change it to .csv to make importing easier.
Added ability to ignore large corrections reported by Real-Time Alerts if the correction was the first one after the reporting
machine has booted (within 30 seconds of restart).
Corrected spelling of SNMP on one of the menu items (was SNNP).
Corrected fallacious return code 1 when dtman audit trigger specified at the command line.
Added -stats command. DTCheck with no parameters ran the stats command; adding -stats is mostly for documentation or
those who like to be explicit.
Added -tcp parameter. If specified, DT2 commands will use TCP instead of UDP. Note: Some DT2 commands are UDP-only, some
are TCP-only; most work with either. Use this flag to force DTCheck to choose TCP over UDP when possible.
Added -trainingstart (experimental) which may be used either by itself or after -resettimings.
Added -trainingstop (experimental) to stop advanced training; may not be used in conjunction with other commands.
Added -lockphase, -unlockphase, -lockinterphase, and -unlockinterphase commands (experimental).
Fixed bug in PTPv2 server announce and sync intervals not matching CPL settings.
Changed return code from error to success when some, but not all, samples requested from a particular source
are valid. Previous behavior discarded the source entirely if not all sample attempts were successful.
Added "Continuously Variable Dynamic Base" (default true) to the PTPv2 section of the registry. If set to
false, then PTPv2 continuously-variable interphase decisions will be based on the machine's default clock rate.
Changed correction calculation to accommodate either a dynamic or a fixed base; increased coherence for
unstable clocks when switching among PTP and NTP time sources.
Added extra debug log output for PTP.
When sending a real time alert, Client and Server both include a bit flag to indicate if this is the
first correction after a reboot (within 30 seconds of machine startup). Audit Server can then choose whether or not to
ignore large corrections after a reboot.
Added optional PTPv2 latency cap, disabled by default. If enabled, measured latencies greater than the value specified (in hectonanoseconds),
will be reported as the value of the cap. This setting is useful on networks that are unreliable or subjected to load spikes. The default
is 5000 hectonanoseconds (one-half a millisecond).
Fixed bug in PTPv2 delay calculation using End-to-End with a two-step master clock that puts unexpected values in the sync message's
Added code to handle unicast delay measurement with more than one potential PTPv2 master online.
5.2.b.20130405 - Optional Upgrade
Minor enhancements, primarily for PTPv2 multicast reception. Upgrade if you need the new functionality.
Changed format of Last Protcol column to use abbreviated protocol names instead of full RFC identifiers.
Exposed the option to enumerate multicast interfaces and bind to each separately. This was formerly
a registry-only setting. You MAY need to restart the Domain Time service (or reboot the machine) for changes to take
effect, but Domain Time usually accommodates the change immediately without a restart.
Added Clock Runaway Protection registry setting (default true). If a clock is not stable enough to
determine its own frequency compared to the server's frequency, it may continually adjust its own rate trying to match
the server's without any notable success. In these edge cases, it is better to detect the situation and reset the timings
to the defaults rather than let the clock continue to search for a better rate. If detected, a warning message in the log
will state, "Possible runaway condition detected," and the clock timings will be reset. This problem mostly affects virtual
machine guests and machines relying on unstable internet time sources.
Changed the method of enumerating IP addresses per interface to account for rare situations where getaddrinfo()
does not include all of the information available by querying each adapter. If there is a discrepancy, debug or trace messages in
the log show which IPs exist and are bindable but were not included in the getaddrinfo() array. This situation arises mostly in
multi-homed machines with disjoint networks, and only affects which IPs are bound for listening.
Added check for changes in the AnswerIP array as well as changes to the Enumerate Multicast Interfaces
setting. If changes are detected, Domain Time will try to rebind all the listener sockets on the fly.
Added check for changes in the VM status (only applies to virtual machine guests). This check will
produce a warning message and parameter reload if the VM status changes between machine reboots. This can occur after
live or shared-nothing migrations from one VM host to another. The check for changes happens at each scheduled timecheck.
5.2.b.20130222 - Optional Upgrade
Internal changes, one minor bug fix, several enhancements based on customer requests. Upgrade if you need the new functionality.
Enhanced color-coded text output to make finding results easier.
Added code to purge old master information when a slave server becomes master or independent. This ensures that
if the machine role is changed back to slave, then a full replication from the current master occurs.
Added "Rebind on IP Change" registry setting for server to force the same kind of rebinding of IP addresses and
interfaces that client does when the CPL's "Initiate sync if IP address is added dynamically" checkbox is checked. Server's
Control Panel applet now includes a checkbox exactly like Client's.
Changed names of internal variables to conform to our naming standards. No functionality changes related to this.
Added "Server Answer IP Override DT2", "Server Answer IP Override NTP", and "Server Answer IP Override PTP"
to the registry. Each is a REG_MULTI_SZ (Strings) value. If non-empty, this value must list, one per line, networks or
individual IPs to which the corresponding protocol should bind, using CIDR notation. For example, the entry
192.168.0.0/16 would bind to 192.168.0.1 through 192.168.255.254. An entry of ::1/128 would bind to the IPv6 loopback
address. Multiple networks can be specified, one per line. If these values are present and non-empty, they override the
"Server Answer IP" list for the corresponding protocol. Unlike the "Server Answer IP" list, the override lists are included
in template imports and exports. Since they will typically be used only to list networks rather than specific IPs, this
allows administrators to segregate traffic on multihomed machines without worrying about each individual machine's IP
Upgraded the behavior of the list specified by "Server Answer IP" in the registry to support entries
specifying CIDR notation as well as individual hostnames or IP addresses.
5.2.b.20121111 - Optional Upgrade
Rollup of OEM features and minor bug fixes. Upgrade if you are experiencing any of the problems mentioned, or if you need the new functionality.
Replaced all sprintf_s, strcat_s, and similar CRT "secure" string manipulators with
Added support for calling Windows 8 Server "Windows Server 2012" or "Win2012."
Added support for recognizing clock-type appliances using the DT2 protocol.
Added last-known listen port for DT2-HTTP, so we can restart the listener (without restarting the service)
if the admin changes the listen port.
Reversed optimization introduced in 20120206 that skipped checking for DC role change except at service
startup. Since the PDC Emulator role can migrate without restarting the affected servers, Domain Time cannot assume that
the role is unchanged between boots.
Added fallback search-on-failure (if box is checked) for cases where the admin has chosen to use a list of
servers and either has an empty list or has uncheck all of the items in the list. Normal search-on-failure auto-discovery rules
apply (even though no listed servers failed).
Added rebind for mulitcast listener(s) when IP address list changes.
Server & Client
Added ClockIdentity Uses NetBIOS to the PTPv2 parameters section of the registry. If not present
or false (the default), PTPv2 will use the MAC address or UUID according to the IEEE1588 specification. If present and true,
PTPv2 will form a fake ClockIdentity made up from the machine's NetBIOS name.
Added outgoing packet tracing for multicasts and broadcasts.
Enhanced PTPv2 trace messages to show when a grandmaster clock changes its clock quality or other parameters.
Changed pend counter log output from trace level to debug; eliminated redundant "not performing alignments" debug messages.
Changed pending leap minimum to 45 days after the last leap was applied. Added "would have been scheduled" to pending leaps when leaping disabled.
Improved stability of interphase on machines that cannot lock to one second per second within required tolerances.
Added code to skip creation of Daily Report file on disk if Daily Reports are not enabled.
Corrected deltas between NTP reference source when the audit machine's own time was off (this change also affects Manager).
Added Open Containing Folder... menu item to Daily Reports menu.
Added Open Containing Folder... menu item to Synchronization Logs menu.
Fixed bug in quoted-printable email format on Daily Report from DT Monitor.
-syslog option. This is a very simple IPv4-only
syslog listener that prints incoming messages to the console. It is useful primarily for testing the syslog
functionality built into Domain Time's logging.
Added [server] -leapcheck option to DTCheck. For use against DTServer
only (DTClient will not respond). Report whether the DT2 protocol supports leap flags (version 5.2.b20110501 or later),
and the status of the current leap second on [server].
5.2.b.20120215 - Optional Upgrade
Minor bug fixes, changed wording on prompts and reports, added features to command-line programs. Upgrade if you are experiencing any of the problems
mentioned, or if you want the new functionality.
Recompiled with /dynamicbase and /nxcompat switches (not all executables had these switches set)
Added additional debug information and SEH tracing
Fixed bug in slave signalling introduced in 5.2.b.20110601 that could cause DTServer to attempt to contact
slaves using the slave's last-known ephemeral port rather than port 9909.
DTServer and DTClient
Fixed (rare) exception in broadcast time reception when freeing duplicates.
Changed "Service Notify Time Change" trace message to debug.
Added warning/prompt to Control Panel applet when an admin unchecks the "Adjust this machine's overall clock rate to minimize future corrections"
checkbox. Under normal circumstances, this checkbox should remain checked. The warning alerts admins to the potential consequences if Domain Time
is not allowed to manage the system clock rate.
Changed wording on CPL checkbox to "Analyze time samples from all servers and choose the best" (now the same for both client and server).
Changed drift record "raw detail" text output labels to clarify the values in each section.
Added /ptptest (experimental).
Added -ad (may be combined with -raw and/or -windowsauth). This switch tells NTPCheck to enumerate the DCs
in the default domain of the machine where NTPCheck is run, and test each one for the flag indicating whether or not
it is a time server. It then proceeds to verify which server is returned when DsGetDcName is called with various
flags pertaining to time servers. It then enumerates machines using NetServerEnum, and checks the flags again, and
gets the time from each marked time server.
5.2.b.20120206 - Optional Upgrade
Minor bug fixes for unusual circumstances; several enhancements per customer request. Upgrade if you are experiencing the problems or want the new functionality.
Added save of slave mode registry entry on startup by the service if not already
present. The CPL and service calculated the default setting differently based on
whether the machine was a BDC. In earlier versions, the registry value didn't
exist until the CPL changed the mode from slave to indie or vice versa.
Server and Client
Added "UDP Dynamic Counters Enabled" (default false) and
"UDP Connection Reset Enabled" (default true) to the registry to give users control
over how Domain Time handles ICMP errors related to UDP. These settings coincide
with internal changes to how Domain Time manages the pool of pending UDP receives
in the face of 10052 and 10054 errors. The new behavior is enabled by default, and
these settings should be changed only on advice of tech support.
Resolved exception when Group Policy is used to add additional servers after Group
Policy has already been applied with fewer servers.
Clarified error message when an invalid configuration template (.reg file) is
pushed out from Manager -- for example, using a client template on server or
Added "Time Change Event Monitor" to the text logging options to help identify
the user and process responsible for system clock changes not made by Domain Time.
See the Server/Client Logs and Status documentation for details.
Fixed bug in Control Panel applet on the dialog box displayed when a conflict over
port 123/udp (NTP) is discovered. The dialog did not display the Yes/No buttons
When removing Domain Time (client or server) from a remote machine, Manager attempts
to restore saved W32Time (Windows Time) service information. In previous versions,
Manager restored the information, but (if set to auto-start), the W32Time service failed
to start until after a reboot. Manager now configures the W32Time service so that an
immediate restart of W32Time is possible.
Added new checkbox to the batch operations dialog, "Prompt for other correctable errors"
(default true). The primary correctable error, other than credentials needed, is failed
mapping of host name to IP address or response indicating the machine doesn't use the
IP address provided. If this box is unchecked, then Manager will not stop the batch to
prompt for new information; the error will be recorded as if the user had clicked the
cancel button on the popup.
Normalized startup logs so all services (not just DTClient and DTServer) keep their
startup logs in the same folder as the main service log. Since the default for
both used to be the system32 folder, they ended up in the same place. However,
some customers are aware of the "Service Log Filename" registry value in the
Parameters key, and use it to direct the main service log elsewhere. This change
ensures that the startup log stays with the main log.
Added registry setting called "Allow Multiple Instances" (default
not present). If present and true, the system tray applet will allow multiple instances
of itself to run, limited to one per terminal session. In addition, the service will
attempt to start one instance in each terminal session when it starts. Useful only
on Terminal Server or similar.
Changed dtcheck /firewall:open so that it omits Profile=Domain if the machine is
not a domain member. On Vista, the firewall control panel applet can't display
rules that specify both Profile=Domain and Profile=Private if the machine is not
a domain member. On other operating systems, the profile either doesn't matter (XP
and 2003), or works even when the computer has not joined a domain.
To reapply the rules created by a previous dtcheck /firewall:open, first use
dtcheck /firewall:close then reissue dtcheck /firewall:open (using the latest
version of dtcheck). This will remove and then rewrite the firewall rules.
5.2.b.20120117 - Optional Upgrade
First version to support Windows 8 and Windows Server 8 pre-release. Many unrelated enhancements, including several added at customer request. Several minor bug fixes. Upgrade if you want the new functionality.
Setup now removes folders created during configuration if they are empty afterward (this includes the empty start menu link for Domain Time II if Manager isn't installed)
Setup now restarts DTAlert and DTMan if it closes them during Management Tools upgrade
Fixed typo in license.txt
Added lookup by IP if NetBIOS name fails with 11001 (host not found) when collecting drift records
Fixed exception when backup mode enabled and primary is offline at the moment replication begins
Added thread priority to background ephemera and drift collection (only in the registry, default -2)
Added exclusivity to network listen bind
Changed upgrade from 4.1 Thin Client to use auto-discovery instead of blank list of servers
Fixed parse error on auto-discovered domain servers
Changed to ignore cascades and advisories during advanced training
Changed the max IOCP threads from 8 to 4 to keep from starting unnecessary threads
Client & Server
Enhanced error handling for IOCP enqueing and network stack insufficiency on busy servers
Added spin button to Timings page on the CPL; fixed so typing or spinning enables the Apply button
Disabled use of WSARecvMsg on XP and 2003 machines
Services can now create a minidump in the system32 folder if they encounter unrecoverable errors. The CPL's problem report automatically includes any dump from a Domain Time component.
Added check for invalid/missing path returned by OS for the temp directory
Added lazy-write capabilities to text log file. Disabled by default
Added error code in trace output on "Could not obtain domain/forest" warning
Rearranged interpolator sequence to account for performance counter latency more accurately
Added "Unknown" instead of blank if domain information is not available on CPL pages
Changed default server list (we still recommend that customers choose their own servers)
Changed shutdown routine to call SetSystemTimeAdjustment() whether or not CMOS flushing is enabled (prior behavior only called SSTA if flush was enabled)
Changed default minimum interphase significance from 1100 to 1250 hns
Changed UDP per-socket send buffer size to 64K
Exposed PTPv2 XP-Class multiplier in registry for continuously variable interphase; was hard-coded at 7, now defaults to 5
Added PTPv2 options to allow rejecting a server if its claimed time source, clock quality, or clock class is insufficient
Added PTPv2 sync packet receipt timeout grace period (grace period doubled if machine is virtual)
Added PTPv2 "crosscheck" settings; if enabled and delta exceeds the specified number of milliseconds, other defined sources will be consulted (as if the "Analyze time samples..." checkbox were checked)
Changed default for setting processor affinity to false if the CPU reports an invariant TSC or if the machine is a Hyper-V guest. This determination
is made on first startup, and the decision is recorded in the service's Parameters key. Users may override the decision by changing the
"Critical Timing Processor Limit" to either True or False (stop the service, change the value, and restart the service)
Added code to ensure that the clock rate is set to expected values when PTPv2 continuously variable phase adjustment is discontinued unexpectedly (loss of signal). Problem only detected in the lab
Removed log warning about inconsistent leap seconds when a 4.x (or any pre-5.2.b.20110601) server fails to provide leap second information using
the DT2 protocol, but a later-version server does. Versions prior to 5.2.b.20110601 do not have leap second information in the DT2 protocol packet, and Domain Time
was interpreting "I don't know" as being a conflict with "I know, and the answer is no leap second pending." Servers that do not provide leap second
notifications are now ignored when checking for conflicts
Changed advanced training to allow admin to specify number of cycles and the interval between. Prior versions always used 7 seconds
between tests, and called for 45-75 tests (depending on version). Defaults are now 45 tests with 30 seconds between. This gives a much
more accurate estimate of the machine's overall rate if interphase is active. The old 7-second interval was not long enough to allow
interphases to occur
Added support for SERVICE_CONTROL_PARAMCHANGE message (if received, causes a reload of parameters from the registry)
Added support for SERVICE_CONTROL_TIMECHANGE on Win7 and up (if received, treated same as a WM_TIMECHANGE broadcast)
Added "IPv4 Source Address" and "IPv6 Source Address" to registry. If present and non-blank, client or server will attempt to bind to the specified IP address for requests
Added support for Windows 8 and Windows Server 8 (pre-release/beta) on x86 and x64 platforms. ARM platforms will not be supported. Not for production use.
Rearranged interpolator sequence to account for performance counter latency more accurately
Added GetDomainTimeAsFileTimeMonotonic() (see dthres.h for details)
Added /firewall:open and /firewall:close (opens and closes time-related incoming ports in the Windows firewall)
Added /reload to reload parms from registry (triggers SERVICE_CONTROL_PARAMCHANGE if available, else stops and restarts the service)
Diagnostic Use (do not use these options unless directed to do so by support engineers)
Added /t3, /t4, /qpc, and /qpc2 timing tests
Added /bc635[:reps] [/out:filename] (test of 1pps Symmetricom bus card)
Added /sps (seconds-per-second) test (measures passage of time by comparing different counters)
Added /mstest (test that produces output useful for comparing phase rates)
Fixed save of template upgrade checkboxes during Manager shutdown
Added warnings to log file when template options changed by admin
Fixed toggle of grid lines
Added command-line parms to trigger an audit, an ephemera collection, or a synchronization (drift) collection. Syntax:
dtman trigger audit (triggers an immediate audit)
dtman trigger ephemera (triggers an immediate ephemera collection)
dtman trigger drift (triggers an immediate drift collection)
Added code to re-display the system tray icon if dttray.exe finishes loading before the operating system finishes initializing the taskbar notification area
Added exclusivity to network listen bind
5.2.b.20110831 - Optional Upgrade
This release addresses mostly internal changes, but fixes a few problems. Upgrade if you are experiencing the problems or want the new functionality.
Fixed problem with upgrade from 4.1 where the single time source was set to derive from the domain hierarchy rather than a specified server.
Removed wording "not recommended" from PTP Master configuration page. The wording was intended to warn users that software-based PTP was
not as reliable or precise as hardware-based, but some users took it to mean that the option wasn't supported.
Added checkbox to the auto-discovery dialog to control whether or not to use domain authentication against servers discovered using the
domain hierarchy (default false). Previous versions did not allow the admin to choose, and always used domain authentication.
Server & Client
Added code to specify IPv4 interface numbers while enabling multicast reception when listening on
all IP addresses. The code formerly let the operating system choose the default interface, which
could cause problems on specific types of multihomed systems with disparate networks. The new behavior iterates through
the interfaces and specifically enables multicast reception on any Ethernet, PPP, wireless, firewire,
or tunnel interface. The new behavior is not enabled by default. Change the registry value "Enumerate Interfaces for Multicast"
in the Parameters subkey to TRUE and restart the service to obtain the new behavior.
Reversed 20110601 change to default state of Windows Time. If the machine is a cluster, or if the
machine is a DC running DTClient, Windows Time will default to NoSync. Otherwise, Windows Time will
default to Disabled. This change only affects the default applied to new installations if no setting
is specified in the template.
Exposed internal variables controlling PTPv2 continuously-variable phase adjust. These should be changed
only on instructions from tech support.
Changed algorithms for domain hierarchy discovery for both named domain sources and auto-config using the
domain hierarchy. All forms of domain discovery now use the same internal procedures.
Added trace-level log output for IP addresses discovered when the IP address list changes dynamically.
Changed Alt-F (Find) on Log File Viewer to Alt-D to allow Alt-F (File) menu to work.
Added four new command-line switches:
DTCheck /resetTimings -- stops the service and resets all current and historical timing variables to defaults; restarts the service unless /noRestart is also specified
DTCheck /resetSerial -- stops the service and resets the serial number; restarts the service unless /noRestart is also specified
DTCheck /noRestart -- prevents the service from being restarted after /resetTimings or /resetSerial
DTCheck /prepClone -- same as issuing /resetTimings /resetSerial /noRestart; useful for ensuring an image is ready for cloning
Added right-click menu item to launch Manager.
5.2.b.20110601 - Optional Upgrade
This release addresses mostly internal changes, but fixes a few problems. Upgrade if you are experiencing the problems or want the new functionality.
Changed the internal format of the system32\dtslaves.dat file to include a version marker at the beginning of the file and
each slave's serial number as well as its IP address. This change will help prevent duplicate notices when the master signals
its list of slaves. Also changed trace/info messages to display the slave's serial number.
Changed the default when installed on a DC or cluster server to set the Windows Time service mode to NoSync rather than Disabled.
This relieves administrators from having to configure Windows Time afterward, or remember to use the NoSync template from Manager.
Server & Client
Added leap-second flag and server revision numbers to standard DT2 reply messages. Client may optionally use this information
to reflect the server's knowledge of an upcoming leap second. The server can only know about an upcoming leap seconds if it
gets its own time via PTP or NTP, but remembers the information. This change allows the server to warn clients ahead of time
as if they were using PTP or NTP directly.
Added code to allow the service to start the system tray notification icon using the logged-on user's security context. This
change means that upgrades or installs when someone is logged on will have the icon reappear without having to start it manually
or log off/back on.
Added serial number to DTSTATS packet; used by CPL when displaying stats from a remote machine, or
by DTCHECK when displaying stats either locally or remotely.
Added trace messages to SNMP module to confirm successful sends (errors were already noted).
Control Panel Applets
Changed manifest to specify "asInvoker" instead of "requireAdministrator." Each CPL either detects
and validates admin privileges, or starts a program marked with requireAdministrator. On Windows 7
if a control panel applet is marked to require admin privileges, the operating system does not
prompt for elevation or give any indication that the applet cannot run if the user isn't already
an admin. Non-admins can get the elevation prompt by using SHIFT-RIGHT-CLICK on the CPL icon.
System Tray Notification Icon
Replaced the Activity Monitor visual indications for Domain Time I with PTPv2. The Domain Time I
protocol is deprecated, although still supported fully for existing Win95/ME machines.
Changed registry permissions so that the unelevated system tray icon could manage its settings
directly. (The permissions are reset by the main service at each startup.)
Added Vista/Win7 UAC shield icon to pop-up menu items where appopriate.
5.2.b.20110309 - Optional Upgrade
This release corrects one problem, and adds two new features. Upgrade if you are experiencing the problem or want the new functionality.
Corrected a parsing error in IPv6 literal addresses. Domain Time was erroneously considering an IPv6 literal address without
a double-colon to be an IPv4 address. Resultant communications would fail, and the address would be saved in truncated form.
IPv6 literals that contained a double-colon, or DNS/hostnames that resolved to an IPv6 address, were not affected by this bug.
Client & Server
Added a max latency test (default of 500 ms). If enabled and set to a non-zero value, client or server will reject any sample
obtained via NTP or DT2 where the latency from obtaining the sample exceeds the amount specified. This setting applies to
all samples taken, and is not overridden by trigger exceptions (except for the first timecheck after startup). We recommend
using this feature only in situations where the admin has a reasonable expectation of performance against a local source, and
can therefore choose the correct value.
Added logging for successful and unsuccessful timezone changes when attempting to match a server's timezone. Also added error
checking so if the SetTimeZoneInformation() system call fails, we don't signal a resync. An undocumented change to this routine
is now officially documented: The timezone cannot be changed via the match-server's-timezone mechanism more often than once a
minute. This is to help prevent loops when the operating system selects a matching timezone with a different name. For example,
if you ask for Guadalajara time, the operating system may choose to use Central US instead. The two timezones are (currently)
identical except for the name, and older operating systems that don't have a specific definition for Guadalajara will choose
Central US instead. This is not considered an error by the operating system, but could lead to Domain Time trying to change
the timezone to no purpose.
5.2.b.20110224 - Optional Upgrade
This release provides several enhancements and fixes minor bugs. It also incorporates a number of customer requests for new or
slightly changed functionality. Upgrade if you are experiencing any of the problems mentioned, or if you want the new functionality.
Client & Server
Fixed problem with slaves sometimes reverting to saved settings instead of using master's timings.
Added domtimeMachineName to all SNMP trap definitions that didn't already include the
field. Updated domtime.mib to reflect the change. Customers using SNMP traps should import
the new MIB and adjust their scripts or triggered events as necessary.
Added NTP Client Max Stratum (DWORD) to registry; default is 15. NTP clients will not accept time
from a server with a stratum higher than this number. (The NTP default is to use 16 or higher
to mean unsynchronized.)
Corrected logic error that persisted a failure code across multiple samples for a single
time source, which caused subsequent samples to fail without being attempted.
Corrected error in domtime.adm file. The meaning of fixed interval
and variable interval were reversed. Anyone affected by this change will need to re-import the domtime.adm policy into
the domain policies and select the correct setting for either fixed or variable interval.
Added flush to dtaudit.eph file to compensate for operating system's lazy cache flush, and
updated Domain Time's internal cache to maintain coherency.
Added teardown/rebuild of UDP socket between multiple requests to a server to eliminate the
possibility of stale responses being seen as current.
Added exclusion to prevent PDC set to use the domain hierarchy from using itself as a time source.
Corrected domain hierarchy detection code to work better with DCs.
Added radio buttons to Real-Time Alerts page to force machine to be included or excluded from the
audit list of the server to which the Real-Time Alert is sent. This check will be performed by
the Audit Server upon receipt of the alert.
Added detection of recent boot for first several timechecks, to compensate for those cases (mostly
fast machines with SSDs and motherboard NICs) where the network reports ready and the OS allows
services dependent on TCP/IP to run, but where the network really isn't up yet. For example, sometimes
everything reports ready before the IP address(es) or gateway(s) has(have) been bound to the adapter(s).
If the machine has recently booted, and the timecheck error is no-timesources-available, then client
and server will check again in a few seconds.
Added Find to help in searching large lists.
Added IP address column to realtime alert display page.
Added additional support for cases where no file lock is present but the service executable file
is locked anyway. The lock is usually held by the WMI service via an unexposed internal operating system
function. The new support detects this condition, and replaces the file by renaming it, copying the new
file, and then deleting the old copy.
Taught Manager to recognize rServiceLogFileName registry entries for itself, Audit Server, and Update Server. The
services themselves already honor rServiceLogFileName by virtue of using the service framework, but
now Manager can find the logs if they've been relocated. Not exposed in Manager's interface.
Added option to reset last-contact time and failure count when manually setting a machine to be
Enhanced ephemera record search by xcast to help locate DHCP machines that are alive but have changed
IPs since their last synchronization. Useful primarily for large installations where DNS and NetBIOS
name resolution lag DHCP assignments.
Excluded rServiceLogFilename registry entry from backup replication. The standby machine's log location is independent
of the primary's.
5.2.b.20101113 - First release of Version 5.2. Recommended Upgrade
Version 5.2 introduces some significant additions to functionality of the 5.x series, several enhancements to views and reports, and a few minor bug fixes.
Added support for IEEE 1588-2008 Precision Time Protocol (PTPv2) as a time source (slave mode).
Added support for PTPv2 master mode (DTServer only).
Added secondary target for real-time alerts; choice of failover or send-to-both.
Fixed problem with clients not being able to set timezones to match an independent server.
Fixed text log roll problem that could sometimes truncate old log files incorrectly.
The control panel applet and several of its pop-ups now remember their screen position between invocations.
Added warning message in text log and event viewer when timezone changes (for example, CDT to CST). In the
event viewer, the event ID is 3008, and the textual portion explains what changed.
Changed the default minimum success interval (for fixed intervals) to 5 seconds (was 15).
Changed the default minimum error retry interval to 5 seconds.
Made target-seeking interval calculations more aggressive when target is less than 6ms.
Increased TCP accept backlog on DTServer to accommodate large Audit Server installations with frequent real-time alert updates.
Significantly enhanced interphase calculations to smooth outliers and avoid insignificant changes for a more stable clock.
Added "Server Threads" registry parm (default 0) to allow specifying the number of threads: Min of 1, max of 8. Zero means let the server choose.
Changed the "All samples are non-conformant" warning message to an info message.
Exposed choice of slew methods (choices are default, compatible, and microsleep; default recommended except if tech support determines a machine
has a specific hardware problem that a different slew method would alleviate). The slew methods aren't new, but are exposed in the control panel
applet for the first time.
Changed the startup log file to use the same folder as the main log (if the main log is not in system32).
During install on a DC, the Windows Time announce/reliable flag is set, in case the admin decides to run Windows Time in NoSync mode.
Added error dialogs so that if the support page's zip and email functions fail, the user will know immediately.
Added support for WSARecvMsg; the "RecvMsg Enabled" registry parameter (default True) can be used to turn it off.
When WSARecvMsg is enabled, Domain Time will use it rather than recvfrom in server threads, to distinguish
among unicast, multicast, and broadcast incoming packets. Enabling WSARecvMsg also enables use of SO_TIMESTAMP,
SO_TIMESTAMPNS, or SO_TIMESTAMPING if the operating system and network drivers support these options. No Windows
platform currently supports SO_TIMESTAMP.
Manager/Audit Server New Features:
Added Standby Mode to turn an Audit Server into a "hot spare" (called the secondary) for another
Audit Server (called the primary). When operating as a secondary, Audit Server periodically collects logs
and settings from the primary, but takes no other action. If the primary goes offline, the secondary can
be released from Standby Mode, either automatically or manually, and assume the duties of the primary using
all the most recent information.
Added Standby Mode status display to the Manager's Audit Server information page.
Added Audit Server/Standby Mode menu item to configure Standby Mode.
Added File/Backup Database menu item to backup the audit list.
Added command-line operation dtman backup filename to backup the audit list to the specified file.
Added File/Restore Database menu item to restore the audit list.
Added command-line operation dtman restore filename to restore the audit list from the specified file.
Documented command-line operation dtman import filename to add/drop machines to/from the audit list.
Fixed bug where deleting synchronization reports removed them from the list but not from disk.
Added display of currently-selected template(s) to the multi operation dialog.
Added support for managing multiple real-time alert targets on remote machines.
Now remembers selected items when switching between views and after some operations.
Drift Graph Display
Changed the center line to gray (was green) to help distinguish it visually from the other horizontal lines.
Introduced support for driftptp.dt files (used to show PTPv2 status).
Fixed problem with scroll bar thumb positioning when viewing very large drift files.
Changed internal calculation to show at least 1 second when the actual interval is less than 1 second.
Added checkbox on the control panel applet's Advanced tab to truncate drift data at millisecond precision. As of
this version, the drift file records data in hectonanoseconds (0.0000001 seconds) unless you check the box on the
control panel applet.
Changed number of displayed points on the drift graph from 64 to 96.
Added new scales for display of submicrosecond variances.
Added /ptpstats command-line parameter to show IEEE 1588 status.
Added /adapters command-line parameter to show network adapter information.
Added /cpuid command-line parameter to show type and features of the installed CPU.
Version 5.1 Changelog
5.1.b.20100731 - Optional Upgrade
Changes to Monitor and Manager only. Upgrade if you are experiencing any of the problems mentioned below.
The format string for Audit Server's daily report was not being saved if it exceeded 255 characters in
length. The length limit is actually 1024 characters. The GUI has been upgraded to accept and save
the correct length.
Remote upgrade of Client or Server on some machines could occasionally fail if WMI (wmiprvse.exe)
was holding the executable open. Manager now detects this condition and stops/restarts WMI during remote upgrades.
Added checkbox to control panel applet to allow choice of whether email alerts should be tagged
as high-priority. Prior to this change, all email alerts were always marked high-priority.
5.1.b.20100604 - Optional Upgrade
Several small bug fixes and enhancements. Upgrade if you are experiencing any of the problems mentioned below.
Client-only and server-only distribution zips indicated management tools could be installed. Installation failed if
attempted because the tools were not present. Setup now only offers tools if present in the distribution.
Removing Manager now also removes Monitor
Removed superfluous comma in Add/Remove Programs uninstall information
Settings pushed out using Reset Config now take effect immediately instead of after the next sync
Client & Server
Added resolved IP addresses to log output when time sources are specified by name
Added extra registry permissions check to CPL when invoked by Manager against a remote machine to give more sensible error message when access is denied
Fixed access violation in pre-audit sync report (only affected x86 versions)
Fixed report error that occasionally overstated the number of non-responders after an audit
Added check for possible invalid return from Microsoft Security API call to DTLockDn on some editions of Windows 7 (precautionary change only)
Added icons for Alt-Tab display and for 32x32 in task bar (only affected Monitor's CPL in the taskbar)
5.1.b.20100331 - Optional Upgrade
Minor new features, minor bug fixes, OEM changes, one new program, enhanced support for non-compliant NTP servers. Upgrade in order to use the new
features, or if you are experiencing any of the problems.
Client & Server
Fixed problem on control panel applet with list of sources going missing if saved twice (apply then close or apply then change page)
Changed initial focus on log viewer window; made relaunch do a restore if viewer was minimized instead of closed
Changed minimum broadcast/multicast interval range to allow every 3 seconds (lower limit was 15 seconds)
Used ws2_32 header workaround for missing getaddrinfo (allows "not supported" on Win2000 instead of DLL failure)
Added more debug information to client discovery process
Added rebind process in case port 9909 tcp or udp can't bind on rapid restart of service
Added hypervisor and 2k8 guest detection on Windows 2008r2
Reworked interphase algorithms to increase range of corrections available
Added KNIGHT vs KNAVE detection and messages (debug info only)
Reworked DT2 transaction handler to prevent IPv6 host not found error after IPv4 failure
Corrected bug that prevented incoming signed DT2 broadcast/multicast from being recognized as signed
Manager and Audit Server
Zeroed ntp request packet's unused bits for Solaris compatibility
Added IP addresses to regular log file lines
Added additional ntp packet debug-only output
Added code to detect non-compliant and/or clock-not-set ntp servers so the alert status is preserved in audit summary
Added command prompt to the Utilities menu on Manager (opens in the Manager folder for easier access to Manager's command-line utilities)
Added workaround for MS update to CoInitializeEx that prevented some browse-for-folder operations and hyperlink clicks to fail (this is the only difference between 5.1.b.20100330 and 5.1.b.20100331)
DT Lockdown (dtlockdn.exe)
Added new program, DT Lockdown, to control service object security, executable security, and auditing.
DT Lockdown is an advanced command-line administrative tool. Please see documentation before using.
Fixed internal version marking on Client (was "DTServer" intead of "DTClient") - only present for MS reports or properties view; not used by our programs
Removed unused dtlogo.jpg from resources of Client
Fixed typo in log message - "event" spelled "evnet"
Added support to control panel applet for running while locked down with read-only permissions
5.1.b.20100330 - See above
One fix added to the 5.1.b.20100330 release; renumbered as 5.1.b.20100331 (see above).
5.1.b.20100114 - Optional upgrade
Additional minor bug-fixes and enhancements (Manager); fixed compatibility problem with Pentium II/III processors (all items). Upgrade in order to use the new features, or if
you are experiencing any of the problems.
Recompiled to remove dependency on SSE2. This change only affects machines with older x86 processors (primarily Pentium II or Pentium III, or older AMD processors,
but specifically any Intel or AMD processor without full support for SSE2 SIMD extensions). On these processors, Domain Time components would either not run at
all, or run but immediately give an exception and terminate. The clock timing algorithm was dependent on floating point support provided by SSE2. To accomodate
older processors as well as modern ones, we moved the calculations to x87 FPU. Users with modern CPUs should see no difference in behavior, while users with older
CPUs should see the programs working as intended. File sizes are slightly increased for x86 versions.
Fixed problem with clock window sometimes disappearing on startup
Fixed problem with template choice (for server installations/upgrades) not recognizing reversion to defaults
Made background image (watermark) visibility optional
Made left-hand pane sizeable (added gripper to move the split between right and left sides).
Added tag on status bar when showing synchronization status
Aligned status bar center section to move with sizeable pane
Persisted pane size
Fixed typo that said "1 networks" when only one network was detected (removed the "s")
Client & Server
Fixed problem with fresh installs using defaults instead of template settings for timings
Taught how to stop Manager and DTAlert if running, so they can be removed without reboot
Added missing registry keys in list of keys to remove during cleanup
Changed default for Real-Time Alert listener to enabled
5.1.b.20100105 - Optional upgrade
Minor bug-fixes to Manager; minor enhancements throughout. Upgrade in order to use the new features, or if
you are experiencing any of the minor bugs.
Server will no longer report 169.254.x.x IPv4 addresses in response to discovery requests
Client and Server will now recognize 169.254.x.x IPv4 addresses as "self" and not use them as time sources
Fixed command buffer truncation in DTCheck's discover command (truncation produced chopped-off IP address display)
Client auto-discovery now uses address from which discovery response came in addition to server's claimed address (to account for multiple routes)
Multiple cosmetic changes to DTAlert
Added DTAlert to DTTray menu options
Grouped DTTray menu options by category to make finding things easier
Added ability to download chime packs directly from DTTray
Removed Audit Server and Update Server from DTTray (in 5.1, these options launch Manager instead of separate control panel applets)
Manager license report refresh now performs a Verify to update licensing information
Fixed bug in 20091215 where closing the DTMonitor CPL would also close Manager
Fixed bug with Manager's custom templates not being applied to remote machines until after manual sync trigger
Fixed bug with Manager's custom templates occasionally not being found even when present
Fixed misspelling in registry parameter name on Manager ("soune warning" changed to "sound warning")
5.1.b.20091215 - Optional upgrade
This release includes some minor bug-fixes, but is composed mostly of enhancements and features that didn't
make it into the first public release by the deadline. Upgrade in order to use the new features, or if you
are experiencing any of the minor bugs.
Added DTAlert (Real-time Alert Viewer) program. DTAlert is an extension for Audit Server and Manager, allowing Manager's
real-time alert display to be echoed to other machines. DTAlert can gather data from multiple Audit Servers and let
you see your entire network's status alert status at a glance. DTAlert is a stand-alone program that requires only
TCP connectivity to your Audit Server machines.
Added support for sending real-time alerts from individual machines to Audit Server via UDP as well as TCP.
Added "All Computers" view to Manager as an alternative to showing each computer within its domain hierarchy.
Audit Server can now optionally double-check (requery) machines that provide anomalous variance data during the scan phase. Scanning
is inherently less precise than direct query, and by double-checking unexpected values, Audit Server can help eliminate false
alerts and ensure the overall data collected is as accurate as possible.
Added optional sounds to Manager's display of real-time alerts.
Added ability for Manager to configure real-time alert reporting on individual machines or groups of machines.
Added expiration dates, registered status, and installation dates of various tools to Manager's license report. Because this information
is only accessible by connecting to a remote machine, the information is updated only when Manager installs or upgrades the
machine, or when Manager opens the machine's control panel. The information is not updated during Manager's verify function or
during normal scans of the network.
Added automatic detection and correction of failures when the Remote Registry service is enabled but not running. If RPC control is
available, admin permissions are verified, and the machine is otherwise reachable, Manager will now start the Remote Registry
service (as long as it isn't disabled) and retry failing operations.
Fixed problem where Manager or other tools did not show up in license report after fresh install.
Fixed problem where removal of Manager did not clean up associated registry keys.
Fixed problem in Audit Server where alert emails for real-time alerts could be sent even if email alerts were disabled.
Fixed problem with Windows authentication on Windows 7 and 2008-R2 machines validating against a domain controller. Microsoft added a new DLL
(logoncli.dll) to these operating systems, and moved some functions into this DLL from their traditional place in netapi32.dll, resulting
in the inability of Client to authenticate requests if automatic discovery and negotiation was enabled.
Fixed problem where some menu items in Manager were unavailable (grayed out) incorrectly. This problem only appeared if Audit Server
was not installed.
Added support to the patch programs for Manager's cross-platform files. The original patch programs only updated files in the same
moiety, which meant the new Manager could be fully upgraded only by running its setup program.
Fixed problem with unnecessary registry values being created by several of Manager's tools. Only values which are actually needed
are now created.
5.1.b.20091201 - First public release - (mandatory upgrade for beta-testers and pre-release users)
Removed requirement for Audit Server and Update Server to run as administrative users
Integrated Update Server into Manager
Finalized message format for real-time alerts (note: incompatible with beta versions)
Added test and auto-configure to real-time alerts
Added import/export of time sources on the main CPL
Added binary backup/restore to the import/export page of the main CPL
Added sample templates and additional help for templates
Changed evaluation period calculation to round up to the next whole day
Reworked several dialogs for clarity
A proper setup program is now included with all distributions
Added new manifest to setup program for Windows 7 compatibility
Updated dtclean to account for new/changed filenames
5.1.b.20091111 - Pre-release of Version 5.1 (partners and beta-testers only)
Version 5.1 represents a complete rewrite of all components, bringing together all existing enhancements, OEM
features, customer requests, and new technology.
Full IPv6 support
Support for Windows XP, 2003, 2008, 2008R2, and Window 7, both x86 and x64
Manager can now install, upgrade, or control x86 or x64 computers, regardless of its own bittedness
Update Server can now now install or upgrade x86 or x64 computers, regardless of its own bittedness
Added IPv4 and IPv6 multicast support
Added SNMP reporting to individual clients or servers, and to Audit Server
Added syslog reporting to individual clients or servers
Control of Audit Server is now integrated directly into Manager
Remove dependency on MS Networking browse list; Active Directory enumeration uses LDAP
Full symmetric key authentication support for NTP or DT2
Server can provide Windows-authenticated NTP timestamps for computers running Windows Time in the NT5DS mode
Increased reporting and timesetting abilities to sub-milliseconds
Remove limit on number of servers
Added ability to sample each server multiple times
Significantly improved statistical analysis when choosing time servers
Replaced DOMTIME.INI with DTSERVER.REG and DTCLIENT.REG
Added support for Windows Group Policies
Made DCHP server discovery more useful by repurposing option 004 to search for DT2 servers only
Added anticipatory leap second scheduling
Significantly improved phase adjustment detection and correction
Added interphase adjustments (to handle when the system's optimal clock rate falls between integral phase adjustments)
Significantly improved performance on VMs and Hyper-V
Increased customer control over slewing and stepping options
Complete revamp of all user interfaces
Added import/export of settings to control panel applet
Added high-precision API so third-party programs can benefit from Domain Time's interpolated time-of-day (see SDK documentation)
Added real-time reporting to Audit Server from clients or servers, with a real-time display in Manager