We explain and demonstrate everything you need to know about the Net Time Service w32tm and how to configure it on a Windows Domain Controller.
To determine which Net Time Server is right for you visit www.pool.ntp.org
Intro 0:00
Windows Time Service Tutorial 0:20
Do All Domain Controllers Need The Net Time Service set? 0:40
What is a PDC Emulator 0:57
How to Figure Out Which DC is the PDC Emulator 1:17
What is the current time service configuration 1:50
What is FREE-RUNNING SYSTEM CLOCK 2:00
How To Set the W32TM Nettime Service 2:30
Why is Time Service Important to Windows Domains 4:25
How to Choose a Time Server NTP 5:05
W32tm Command Explained 6:23
What is 0x8 7:14
How to reset w32tm Time Service 9:35
Setting Net Time in GPO 9:50
Command to Force a Time Update 10:35
How To Check the Net Time NTP 10:52
Outro 11:25
W32TM Commands Used in This Video
w32tm /query /source
w32tm /config /manualpeerlist:”1.ca.pool.ntp.org,0x8 3.ca.pool.ntp.org,0x8 time.nrc.ca,0x8″ /syncfromflags:manual /update
w32tm /resync [/computer:] [/nowait] [/rediscover] [/soft]
Net Stop W32time
W32tm.exe /unregister
W32tm.exe /register
Net Start W32timew32tm /config /update
w32tm /stripchart /computer:3.ca.pool.ntp.org
W32TM Types
0x1 SpecialInterval
0x2 UseAsFallbackOnly
0x4 SymmetricActive: Google Windows Time Server: 3.3 Modes of Operation
0x8 Client
Why Is Time So Important In A Windows Domain?
In short, time important in any computer network to avoid “replay attacks”. Hackers can (and have!), connected to a network, recorded all of the traffic, found the username and password entries in that traffic, hacked to a computer on the network and then “replayed” the typing of the username and password.
Kerberos in the encryption Windows uses for credentials and it will invalidate any traffic older than 5 minutes to avoid replay attacks. However, there are many other reasons to worry about time accuracy, like
- Debit & Credit Card transaction standards (PCI – Payment Card Industry) require 1 second accuracy
- Government Regulations like:
- 50 ms accuracy for FINRA in the US
- 1 ms ESMA (MiFID II) in the EU.
- Cryptography Algorithms
- Blockchain framework for bitcoin transactions
- Distributed systems like Disk Clusters, Exchange Clusters and SQL Clusters require time to be the same on all copies
- Distributed Logs and Threat Analysis
- Active Directory Replication
In case you did not catch it in our video the PDC Emulator is the only place w32tm should be set to use an external provider and how to find an NTP provider:
You also might be interested in time accuracy improvements made to Windows 2016 by reading THIS Microsoft article. You might also find Configure the Root PDC with an Authoritative Time Source and Avoid Widespread Time Skew helpful.
Topics include:
w32tm set ntp server, w32tm set time server, Net Time Service, net time software, ntp server, ntp server setup, ntp server configuration in windows 2019, windows domain controller, Windows Server 2022, Windows Server 2019, Server 2022, Server 2019
2 Comments
Scott · July 20, 2022 at 11:43 am
I saw an article on using the GPO method for deploying NTP but after watching your video and explaining why not to use it, I am going to refrain from creating one. I am just wondering how you can check the other Domain Controllers and Windows Clients are getting the correct time from the PDC? I assume they should be of type NT5DS? thanks for the great work
Ian Matthews · July 23, 2022 at 10:10 am
Hi Scott;
There is likely a PowerShell script to check all the DC’s and clients but I do not have it. I check them manually the few times I find a problem.
Thanks for checking in with us.