Изменение часового пояса — параметр политики безопасности Change the time zone — security policy setting

Область применения Applies to

В этой статье описываются лучшие методики, расположение, значения, **** управление политиками и вопросы безопасности, которые следует учитывать при изменении параметра политики безопасности часового пояса. Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting.

Справочные материалы Reference

Этот параметр политики определяет, какие пользователи могут настраивать часовой пояс, используемый устройством для отображения местного времени, включая системное время устройства и смещение часового пояса. This policy setting determines which users can adjust the time zone that is used by the device for displaying the local time, which includes the device’s system time plus the time zone offset.

Константа: SeTimeZonePrivilege Constant: SeTimeZonePrivilege

Возможные значения Possible values

• Определяемый пользователей список учетных записей User-defined list of accounts
• Не определено Not Defined

Рекомендации Best practices

Location Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Значения по умолчанию Default values

В следующей таблице перечислены фактические и эффективные значения политики по умолчанию для последних поддерживаемых версий Windows. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Значения по умолчанию также можно найти на странице свойств политики. Default values are also listed on the policy’s property page.

Тип сервера или объект групповой политики Server type or GPO	Значение по умолчанию Default value
Default Domain Policy Default Domain Policy	Не определено Not Defined
Политика контроллера домена по умолчанию Default Domain Controller Policy	Администраторы Administrators Пользователи Users
Параметры по умолчанию для автономного сервера Stand-Alone Server Default Settings	Администраторы Administrators Пользователи Users
Действующие параметры по умолчанию для контроллера домена Domain Controller Effective Default Settings	Администраторы Administrators Пользователи Users
Действующие параметры по умолчанию для рядового сервера Member Server Effective Default Settings	Администраторы Administrators Пользователи Users
Действующие параметры по умолчанию для клиентского компьютера Client Computer Effective Default Settings	Администраторы Administrators Пользователи Users

Управление политикой Policy management

Перезапуск устройства не требуется для того, чтобы этот параметр политики был эффективным. A restart of the device is not required for this policy setting to be effective.

Любое изменение учетной записи для этого назначения прав пользователя вступит в силу при следующем входе учетной записи. Any change to the account for this user right assignment becomes effective the next time the account logs on.

Групповая политика Group Policy

Параметры применяются в следующем порядке с помощью объекта групповой политики (GPO), который будет перезаписывать параметры на локальном компьютере при следующем обновлении групповой политики: Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

1. Параметры локальной политики Local policy settings
2. Параметры политики сайта Site policy settings
3. Параметры политики домена Domain policy settings
4. Параметры политики подразделения OU policy settings

Если локальный параметр затеняется, это означает, что в настоящее время этот параметр контролируется GPO. When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Вопросы безопасности Security considerations

В этом разделе описывается, каким образом злоумышленник может использовать компонент или его конфигурацию, как реализовать меры противодействия, а также рассматриваются возможные отрицательные последствия их реализации. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Уязвимость Vulnerability

Изменение часовой пояс не представляет небольшой уязвимости, так как на время системы это не влияет. Changing the time zone represents little vulnerability because the system time is not affected. Этот параметр просто позволяет пользователям отображать предпочитаемый часовой пояс при синхронизации с контроллерами домена в разных часовых поясах. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones.

Противодействие Countermeasure

Меры противодействия не требуются, так как на системное время этот параметр не влияет. Countermeasures are not required because system time is not affected by this setting.

Настройка синхронизации времени по NTP с помощью групповых политик

Служба времени Windows, несмотря на кажущуюся простоту, является одной из основ, необходимых для нормального функционирования домена Active Directory. В правильно настроенной среде AD служба времени работает следующим образом: компьютеры пользователей получают точное время от ближайшего контроллера домена, на котором они зарегистрировались. Все контроллеры домена в свою очередь получают точное время от DC с FSMO ролью «Эмулятор PDC», а контролер PDC синхронизирует свое время с неким внешним источником времени. В качестве внешнего источника времени может выступать один или несколько NTP серверов, например time.windows.com или NTP сервер вашего Интернет-провайдера. Также нужно отметить, что по умолчанию клиенты в домене синхронизируют время с помощью службы времени Windows (Windows Time), а не с помощью протокола NTP.

Если вы столкнулись с ситуацией, когда время на клиентах и контроллерах домена различается, возможно, в вашем домене есть проблемы с синхронизацией времени и эта статья будет вам полезна.

В первую очередь выберите подходящий NTP сервер, который вы могли бы использовать. Список общедоступных NTP серверов доступен на сайте http://ntp.org . В нашем примере мы будем использовать NTP сервера из пула ru.pool.ntp.org:

Настройка синхронизации времени в домене с помощью групповых политик состоит из двух шагов:

1) Создание GPO для контроллера домена с ролью PDC
2) Создание GPO для клиентов (опционально)

Настройка политики синхронизации NTP на контролере домена PDC

Этот шаг предполагает настройку контроллера домена с ролью эмулятора PDC на синхронизацию времени с внешним NTP сервером. Т.к. теоретически роль эмулятора PDC может перемещаться между контроллерами домена, нам нужно сделать политику, которая применялась бы только к текущему владельцу роли PDC. Для этого в консоли управления Group Policy Management Console (GPMC.msc), создадим новый WMI фильтр групповых политик. Для этого в разделе WMI Filters создадим фильтр и именем PDC Emulator и WMI запросом: Select * from Win32_ComputerSystem where DomainRole = 5

Затем создайте новую GPO и назначьте ее на контейнер Domain Controllers.

Перейдите в режим редактирования политики и разверните следующий раздел политик: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

Нас интересуют три политики:

• Configure Windows NTP Client: Enabled (настройки политики описаны ниже)
• Enable Windows NTP Client: Enabled
• Enable Windows NTP Server: Enabled

В настройках политики Configure Windows NTP Client укажите следующие параметры:

• NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 2.ru.pool.ntp.org,0x1 3.ru.pool.ntp.org,0x1
• Type: NTP
• CrossSiteSyncFlags: 2
• ResolvePeerBackoffMinutes: 15
• Resolve Peer BAckoffMaxTimes: 7
• SpecilalPoolInterval: 3600
• EventLogFlags: 0

Примените созданный ранее фильтр PDC Emulator к данной политике.

Осталось обновить политики на контроллере PDC:
gpupdate /force

Вручную запустите синхронизацию времени:
w32tm /resync

Проверьте текущие настройки NTP:
w32tm /query /status

Настройка синхронизации времени на клиентах домена

В среде Active Directory по умолчанию клиенты домена синхронизируют свое время с контролерами домена (опция Nt5DS – синхронизировать время согласно иерархии домена). Как правило, эта схема работает и не требует перенастройки. Однако при наличии проблем с синхронизацией времени на клиентах домена, можно попробовать принудительно назначить сервер времени для клиентов с помощью GPO.

Для этого создайте новую GPO и назначьте ее на контейнеры (OU) с компьютерами. В редакторе GPO перейдите в раздел Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers и включите политику Configure Windows NTP Client.

В качестве сервера NTP укажите имя или ip адрес PDC, например msk-dc1.winitpro.ru,0x9, а в качестве типа синхронизации — NT5DS

Обновите настройки групповых политик на клиентах и проверьте, что клиенты успешно синхронизировали свое время с PDC.

Настройка синхронизации времени в домене Active Directory (через групповые политики)

Очень удобно, когда все сервера и рабочие станции в AD имеют одинаковое время. Это избавляет от кучи проблем в структуре Active Directory.

Требования для статьи:
Будем считать, что у нас есть отдельные груповые политики для контроллера домена (или другого сервера, который будет выполнять эту роль) и для все остальных серверов и рабочих станций.
Синхронизацию сервера времени настраиваем с внешним сервером. Поэтому для сервера, который является центральным сервером времени, нужно открыть вовне порт 123, а так же для все остальных серверов и ПК должен быть открыт порт 123 во внутренней сети (NTP работает по этому порту).

Для того, чтобы это сделать открываем групповые политики

Поставшики времени

И переходим Конфигурация компьютера->Административные шаблоны->Система->Службы времени Windows->Поставшики времени

Теперь нам нужно настроить 3 параметра.

Включить NTP клиент Windows — включено (для всех политик).

Включить NTP сервер Windows — включено (только в политике для локального сервера времени).

Настроить NTP клиент Windows (сервер времени)

Настроить NTP клиент Windows (все остальные)

Настроить NTP клиент Windows — Включаем и настраиваем параметры:
NtpServer: для локального сервера времени — time.windows.com,0x9 для всех остальных — имя сервера времени в нашей сети.

Type: для локального сервера времени — NTP для всех остальных — NT5DS.

Теперь дожидаемся применения политики, или применяем ее принудительно, командой:

w32tm

w32tm /query /status

проверяем какие сервера используются (параметр Источник)
Для сервера он будет — time.windows.com,0x9
Для всех остальных — имя локального сервера времени.

На этом настройка синхронизации часов в домене завершена.

Заказать создание и поддержку безопасной IT-инфраструктуры любой сложности

Быть уверенным в своей IT-инфраструктуре — это быть уверенным в завтрашнем дне.

Windows Time service tools and settings

Applies to: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10 or later

In this topic, you learn about tools and settings for Windows Time service (W32Time).

If you want to synchronize time for only a domain-joined client computer, see Configure a client computer for automatic domain time synchronization. For additional topics about how to configure Windows Time service, see Where to Find Windows Time Service Configuration Information.

You should not use the Net time command to configure or set time when the Windows Time service is running.

Also, on older computers that run Windows XP or earlier versions, the Net time /querysntp command displays the name of a Network Time Protocol (NTP) server with which a computer is configured to synchronize, but that NTP server is used only when the computer’s time client is configured as NTP or AllSync. That command has since been deprecated.

Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain. The PDC emulator operations master is usually configured to synchronize time with an external time source. To view the time client configuration of a computer (starting in Windows Server 2008 and Windows Vista), run the W32tm /query /configuration command from an elevated Command Prompt, and read the Type line in the command output. For more information, see How Windows Time Service Works. Additionally, you can run the reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters command and read the value of NtpServer in the command output.

Prior to Windows Server 2016, the W32Time service was not designed to meet time-sensitive application needs. However, updates to Windows Server 2016 now allow you to implement a solution for one-millisecond accuracy in your domain. For more information, see Windows 2016 Accurate Time and Support boundary to configure the Windows Time service for high-accuracy environments.

Windows Time service tools

The following tool is associated with the Windows Time service.

W32tm.exe: Windows Time

Category

This tool is part of the default installation of Windows (Windows XP and later versions) and Windows Server (Windows Server 2003 and later versions).

Version compatibility

This tool works on the default installation of Windows (Windows XP and later versions) and Windows Server (Windows Server 2003 and later versions).

You can use W32tm.exe to configure Windows Time service settings and to diagnose time service problems. W32tm.exe is the preferred command-line tool for configuring, monitoring, or troubleshooting the Windows Time service.

The following tables describe the parameters that you can use with W32tm.exe.

W32tm.exe primary parameters

Parameter	Description
w32tm /?	Displays the W32tm command-line help
w32tm /register	Registers the time service to run as a service and adds its default configuration information to the registry.
w32tm /unregister	Unregisters the time service and removes all of its configuration information from the registry.
w32tm /monitor [/domain: ] [/computers: [, [, . ]]] [/threads: ]	Monitors the Windows Time service. /domain: Specifies which domain to monitor. If no domain name is given, or neither the /domain nor /computers option is specified, the default domain is used. This option might be used more than once. /computers: Monitors the given list of computers. Computer names are separated by commas, with no spaces. If a name is prefixed with a *, it is treated as a PDC. This option might be used more than once. /threads: Specifies the number of computers to analyze simultaneously. The default value is three. Allowed range is 1-50.
w32tm /ntte	Converts a Windows NT system time (measured in 10 -7 -second intervals starting from 0h 1-Jan 1601) into a readable format.
w32tm /ntpte	Converts an NTP time (measured in 2 -32 -second intervals starting from 0h 1-Jan 1900) into a readable format.
w32tm /resync [/computer: ] [/nowait] [/rediscover] [/soft]	Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics. /computer: : Specifies the computer that should resynchronize. If not specified, the local computer will resynchronize. /nowait: do not wait for the resynchronize to occur; return immediately. Otherwise, wait for the resynchronize to complete before returning. /rediscover: Redetects the network configuration and rediscovers network sources, then resynchronize. /soft: Resynchronizes by using existing error statistics. Not useful, provided for compatibility.
w32tm /stripchart /computer: [/period: ] [/dataonly] [/samples: ] [/rdtsc]	Displays a strip chart of the offset between this computer and another computer. /computer: : The computer to measure the offset against. /period: : The time between samples, in seconds. The default is two seconds. /dataonly: Displays the data only, without graphics. /samples: : Collects samples, then stops. If not specified, samples will be collected until Ctrl+C is pressed. /rdtsc: For each sample, this option prints comma-separated values along with the headers RdtscStart, RdtscEnd, FileTime, RoundtripDelay, and NtpOffset instead of the text graphic. RdtscStart: RDTSC (Read Time Stamp Counter) value collected just before the NTP request was generated. RdtscEnd: RDTSC value collected just after the NTP response was received and processed. FileTime: Local FILETIME value used in the NTP request. RoundtripDelay: Time elapsed in seconds between generating the NTP request and processing the received NTP response, computed as per NTP roundtrip computations. NTPOffset: Time offset in seconds between the local computer and the NTP server, computed as per NTP offset computations.
w32tm /config [/computer: ] [/update] [/manualpeerlist: ] [/syncfromflags: ] [/LocalClockDispersion: ] [/reliable:(YES|NO)] [/largephaseoffset: ]	/computer: : Adjusts the configuration of . If not specified, the default is the local computer. /update: Notifies the time service that the configuration has changed, causing the changes to take effect. /manualpeerlist: : Sets the manual peer list to , which is a space-delimited list of DNS and/or IP addresses. When specifying multiple peers, this option must be enclosed in quotes. /syncfromflags: : Sets what sources the NTP client should synchronize from. should be a comma-separated list of these keywords (not case sensitive): MANUAL: Include peers from the manual peer list. DOMHIER: Synchronize from a domain controller (DC) in the domain hierarchy. /LocalClockDispersion: : Configures the accuracy of the internal clock that W32Time will assume when it can’t acquire time from its configured sources. /reliable:(YES|NO): Set whether this computer is a reliable time source. This setting is only meaningful on domain controllers. YES: This computer is a reliable time service. NO: This computer is not a reliable time service. /largephaseoffset: : sets the time difference between local and network time which W32Time will consider a spike.
w32tm /tz	Display the current time zone settings.
w32tm /dumpreg [/subkey: ] [/computer: ]	Display the values associated with a given registry key. The default key is HKLM\System\CurrentControlSet\Services\W32Time (the root key for the time service). /subkey: : Displays the values associated with subkey of the default key. /computer: : Queries registry settings for computer
w32tm /query [/computer: ] [/verbose]	Displays a computer’s Windows Time service information. This parameter was first made available in the Windows Time client in Windows Vista and Windows Server 2008. /computer: : Queries the information of . If not specified, the default value is the local computer. /source: Displays the time source. /configuration: Displays the configuration of run time and where the setting comes from. In verbose mode, display the undefined or unused setting too. /peers: Displays a list of peers and their status. /status: Displays Windows Time service status. /verbose: Sets the verbose mode to display more information.
w32tm /debug >	Enables or disables the local computer Windows Time service private log. This parameter was first made available in the Windows Time client in Windows Vista and Windows Server 2008. /disable: Disables the private log. /enable: Enables the private log. file: : Specifies the absolute file name. size: : Specifies the maximum size for circular logging. entries: : Contains a list of flags, specified by number and separated by commas, that specify the types of information that should be logged. Valid numbers are 0 to 300. A range of numbers is valid, in addition to single numbers, such as 0-100,103,106. Value 0-300 is for logging all information. /truncate: Truncate the file if it exists.

For more information about W32tm.exe, see Windows help.

Examples

If you want to set the local Windows Time client to point to two different time servers, one named ntpserver.contoso.com and another named clock.adatum.com, type the following command at the command line, and then press ENTER:

If you want to check the Windows Time client configuration from a Windows-based client computer that has a host name of CONTOSOW1, run the following command:

The output of this command is a list of configuration parameters that are set for the Windows Time client.

Windows Server 2016 has improved the time synchronization algorithms to align with RFC specifications. Therefore, if you want to set the local Windows Time client to point to multiple peers, it is highly recommended that you prepare three or more different time servers.

If you have only two time servers, you should specify the UseAsFallbackOnly flag (0x2) to de-prioritize one of them. For instance, if you want to prioritize ntpserver.contoso.com over clock.adatum.com, run the following command.

Using Group Policy to configure the Windows Time service

The Windows Time service stores a number of configuration properties as registry entries. You can use Group Policy Objects to configure most of this information. For example, you can use GPOs to configure a computer to be an NTPServer or NTPClient, configure the time synchronization mechanism, or configure a computer to be a reliable time source.

Group Policy settings for the Windows Time service can be configured on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 domain controllers and can be applied only to computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.

Windows stores the Windows Time service policy information in the W32Time.admx administrative template file, under Computer Configuration\Administrative Templates\System\Windows Time Service. It stores the configuration information that the policies define in the registry, and uses those registry entries to configure the registry entries for the Windows Time service. As a result, the values defined by Group Policy overwrite any pre-existing values in the Windows Time service section of the registry.

Some of the preset GPO settings differ from the corresponding default registry entries. If you plan to use a GPO to configure any Windows Time setting, be sure that you review Preset values for the Windows Time service Group Policy settings are different from the corresponding Windows Time service registry entries in Windows Server 2003. This issue applies to Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, and Windows Server 2003.

For example, suppose you edit policy settings in the Configure Windows NTP Client policy.

Your changes are stored in the following location in the administrative template:

Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\ Configure Windows NTP Client

Windows loads these settings into the policy area of the registry under the following subkey:

HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient

Then Windows uses the policy settings to configure the related Windows Time service registry entries under the following subkey:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Time Providers\NTPClient\

The following table lists the policies that you can configure for the Windows Time service, and the registry subkeys that those policies affect.

When you remove a Group Policy setting, Windows removes the corresponding entry from the policy area of the registry.

Policy 1	Registry locations 2, 3
Global Configuration Settings	W32Time W32Time\Config W32Time\Parameters
Time Providers\Configure Windows NTP Client	W32Time\TimeProviders\NtpClient
Time Providers\Enable Windows NTP Client	W32Time\TimeProviders\NtpClient
Time Providers\Enable Windows NTP Server	W32Time\TimeProviders\NtpServer

1 Category path: Computer Configuration\Administrative Templates\System\Windows Time Service 2 Subkey: HKLM\SOFTWARE\Policies\Microsoft 3 Subkey: HKLM\SYSTEM\CurrentControlSet\Services

Enabling W32Time logging

The following three registry entries are not a part of the W32Time default configuration but can be added to the registry to obtain increased logging capabilities. The information logged to the System Event log can be modified by changing value for the EventLogFlags setting in the Group Policy Object Editor. By default, the time service logs an event every time that it switches to a new time source.

In order to enable W32Time logging, add the following registry entries:

Registry Entry	Versions	Description
FileLogEntries	All versions	Controls the number of entries created in the Windows Time log file. The default value is none, which does not log any Windows Time activity. Valid values are 0 to 300. This value does not affect the event log entries normally created by Windows Time
FileLogName	All versions	Controls the location and file name of the Windows Time log. The default value is blank, and should not be changed unless FileLogEntries is changed. A valid value is a full path and file name that Windows Time will use to create the log file. This value does not affect the event log entries normally created by Windows Time.
FileLogSize	All versions	Controls the circular logging behavior of Windows Time log files. When FileLogEntries and FileLogName are defined, Entry defines the size, in bytes, to allow the log file to reach before overwriting the oldest log entries with new entries. Please use 1000000 or larger value for this setting. This value does not affect the event log entries normally created by Windows Time.

Configuring how Windows Time service resets the computer clock

In order for W32Time to set the computer clock gradually, the offset must be less than the MaxAllowedPhaseOffset value and satisfy the following equation at the same time:

Windows Server 2016 and later versions:

|CurrentTimeOffset| ÷ (16 × PhaseCorrectRate × pollIntervalInSeconds) ≤ SystemClockRate ÷ 2

Windows Server 2012 R2 and earlier versions:

|CurrentTimeOffset| ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2

The CurrentTimeOffset value is measured in clock ticks, where 1 ms = 10,000 clock ticks on a Windows system.

SystemClockRate and PhaseCorrectRate are also measured in clock ticks. To get the SystemClockRate value, you can use the following command and convert it from seconds to clock ticks by using the formula of seconds Г— 1,000 Г— 10,000:

SystemClockRate is the rate of the clock on the system. Using 156,000 seconds as an example, the SystemClockRate value would be 0.0156000 Г— 1,000 Г— 10,000 = 156,000 clock ticks.

MaxAllowedPhaseOffset is also measured in seconds. To convert it to clock ticks, multiply MaxAllowedPhaseOffset Г— 1,000 Г— 10,000.

The following examples show how to apply these calculations when you use Windows Server 2012 R2 or an earlier version.

Example 1: Time differs by four minutes

Your time is 11:05 and the time sample that you received from a peer and believe to be correct is 11:09.

PhaseCorrectRate = 1

UpdateInterval = 30,000 clock ticks

SystemClockRate = 156,000 clock ticks

MaxAllowedPhaseOffset = 10 min = 600 seconds = 600 Г— 1,000 Г— 10,000 = 6,000,000,000 clock ticks

|CurrentTimeOffset| = 4 min = 4 Г— 60 Г— 1,000 Г— 10,000 = 2,400,000,000 clock ticks

Is CurrentTimeOffset ≤ MaxAllowedPhaseOffset?

2,400,000,000 ≤ 6,000,000,000: TRUE

AND does it satisfy the above equation?

(|CurrentTimeOffset| ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2)

Is 2,400,000,000 / (30,000 × 1) ≤ 156,000 ÷ 2

80,000 ≤ 78,000: FALSE

Therefore, W32tm would set the clock back immediately.

In this case, if you want to set the clock back slowly, you would also have to adjust the values of PhaseCorrectRate or UpdateInterval in the registry to make sure that the equation result is TRUE.

Example 2: Time differs by three minutes

PhaseCorrectRate = 1

UpdateInterval = 30,000 clock ticks

SystemClockRate = 156,000 clock ticks

MaxAllowedPhaseOffset = 10 min = 600 seconds = 600 Г— 1,000 Г— 10,000 = 6,000,000,000 clock ticks

|CurrentTimeOffset| = 3 mins = 3 Г— 60 Г— 1,000 Г— 10,000 = 1,800,000,000 clock ticks

Is |CurrentTimeOffset| ≤ MaxAllowedPhaseOffset?

1,800,000,000 ≤ 6,000,000,000: TRUE

AND does it satisfy the above equation?

(|CurrentTimeOffset| ÷ (PhaseCorrectRate × UpdateInterval) ≤ SystemClockRate ÷ 2)

Is 3 mins × (1,800,000,000) ÷ (30,000 × 1) ≤ 156,000 ÷ 2

Is 60,000 ≤ 78,000: TRUE

In this case, the clock will be set back slowly.

Reference: Windows Time service registry entries

The information about these registry entries is provided as a reference for use in troubleshooting or verifying that the required settings are applied. Many of the values in the W32Time section of the registry are used internally by W32Time to store information. Do not manually change these values. Modifications to the registry are not validated by the registry editor or by Windows before they are applied. If the registry contains invalid values, Windows may experience unrecoverable errors.

Windows Time service stores information under the following registry subkeys:

Additionally, for troubleshooting purposes, you can add entries in order to configure logs.

In the following tables, «All versions» refers to versions of Windows that include Windows 7, Windows 8, Windows 10, Windows Server 2008 and Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Some entries are only available on later Windows versions.

Some of the parameters in the registry are measured in clock ticks and some are measured in seconds. To convert the time from clock ticks to seconds, use these conversion factors:

• 1 minute = 60 sec
• 1 sec = 1000 ms
• 1 ms = 10,000 clock ticks on a Windows system, as described at DateTime.Ticks Property.

For example, 5 minutes becomes 5 Г— 60 Г— 1000 Г— 10000 = 3,000,000,000 clock ticks.

«HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config» subkey entries

Registry entry	Versions	Description
AnnounceFlags	All versions	Controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. 0x00. Not a time server 0x01. Always time server 0x02. Automatic time server 0x04. Always-reliable time server 0x08. Automatic reliable time server The default value for domain members is 10. The default value for stand-alone clients and servers is 10.
ChainDisable	Controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), a read-only domain controller (RODC) can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. This is a boolean setting, and the default value is 0.
ChainEntryTimeout	Specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. The default value is 16 (seconds).
ChainLoggingRate	Controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. The default is 30 (minutes).
ChainMaxEntries	Controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. The default value is 128 (entries).
ChainMaxHostEntries	Controls the maximum number of entries that are allowed in the chaining table for a particular host. The default value is 4 (entries).
ClockAdjustmentAuditLimit	Windows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versions	Specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target computer. The default value is 800 (parts per million — PPM).
ClockHoldoverPeriod	Windows Server 2016 Version 1709 and later versions; Windows 10 Version 1709 and later versions	Indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7,800 seconds.
EventLogFlags	All versions	Controls which events that the time service logs. 0x1. Time jump 0x2. Source change The default value on domain members is 2. The default value on stand-alone clients and servers is 2.
FrequencyCorrectRate	All versions	Controls the rate at which the clock is corrected. If this value is too small, the clock is unstable and overcorrects. If the value is too large, the clock takes a long time to synchronize. The default value on domain members is 4. The default value on stand-alone clients and servers is 4.

Note
Zero is not a valid value for the FrequencyCorrectRate registry entry. On Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 , and Windows Server 2008 R2 computers, if the value is set to 0, the Windows Time service automatically changes it to 1. HoldPeriod All versions Controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off a number of seconds, and is usually received after good time samples have been returned consistently. The default value on domain members is 5. The default value on stand-alone clients and servers is 5. LargePhaseOffset All versions Specifies that a time offset greater than or equal to this value in 10 -7 seconds is considered a spike. A network disruption such as a large amount of traffic might cause a spike. A spike will be ignored unless it persists for a long period of time. The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000. LastClockRate All versions Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is 156250. The default value on stand-alone clients and servers is 156250. LocalClockDispersion All versions Controls the dispersion (in seconds) that you must assume when the only time source is the built-in CMOS clock. The default value on domain members is 10. The default value on stand-alone clients and servers is 10. MaxAllowedPhaseOffset All versions Specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1. For more information, see Configuring how Windows Time service resets the computer clock. MaxClockRate All versions Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860. MaxNegPhaseCorrection All versions Specifies the largest negative time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead.

Note
The value 0xFFFFFFFF is a special case. This value means that the service always corrects the time.

The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs). MaxPollInterval All versions Specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15. MaxPosPhaseCorrection All versions Specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead.

Note
The value 0xFFFFFFFF is a special case. This value means that the service always corrects the time.

The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs). MinClockRate All versions Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860. MinPollInterval All versions Specifies the smallest interval, in log2 seconds, allowed for the system polling interval. Note that while a system does not request samples more frequently than this, a provider can produce samples at times other than the scheduled interval. The default value for domain controllers is 6. The default value for domain members is 10. The default value for stand-alone clients and servers is 10. PhaseCorrectRate All versions Controls the rate at which the phase error is corrected. Specifying a small value corrects the phase error quickly, but might cause the clock to become unstable. If the value is too large, it takes a longer time to correct the phase error.

The default value on domain members is 1. The default value on stand-alone clients and servers is 7.

Note
Zero is not a valid value for the PhaseCorrectRate registry entry. On Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 computers, if the value is set to 0, the Windows Time service automatically changes it to 1. PollAdjustFactor All versions Controls the decision to increase or decrease the poll interval for the system. The larger the value, the smaller the amount of error that causes the poll interval to be decreased. The default value on domain members is 5. The default value on stand-alone clients and servers is 5. RequireSecureTimeSyncRequests Windows 8 and later versions Controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. This is a boolean setting, and the default value is 0. SpikeWatchPeriod All versions Specifies the amount of time that a suspicious offset must persist before it is accepted as correct (in seconds). The default value on domain members is 900. The default value on stand-alone clients and workstations is 900. TimeJumpAuditOffset All versions An unsigned integer that indicates the time jump audit threshold, in seconds. If the time service adjusts the local clock by setting the clock directly, and the time correction is more than this value, then the time service logs an audit event. UpdateInterval All versions Specifies the number of clock ticks between phase correction adjustments. The default value for domain controllers is 100. The default value for domain members is 30,000. The default value for stand-alone clients and servers is 360,000.

Note
Zero is not a valid value for the UpdateInterval registry entry. On computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2, if the value is set to 0, the Windows Time service automatically changes it to 1. UtilizeSslTimeData Windows versions later than Windows 10 build 1511 Value of 1 indicates that W32Time uses multiple SSL timestamps to Seed a clock that is grossly inaccurate.

«HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters» subkey entries

Registry entry	Versions	Description
AllowNonstandardModeCombinations	All versions	Indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.
NtpServer	All versions	Specifies a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Each DNS name or IP address listed must be unique. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock. 0x01 SpecialInterval 0x02 UseAsFallbackOnly 0x04 SymmetricActive: For more information about this mode, see Windows Time Server: 3.3 Modes of Operation. 0x08 Client There is no default value for this registry entry on domain members. The default value on stand-alone clients and servers is time.windows.com,0x1.
ServiceDll	All versions	Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%\System32\W32Time.dll.
ServiceMain	All versions	Maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is SvchostEntry_W32Time. The default value on stand-alone clients and servers is SvchostEntry_W32Time.
Type	All versions	Indicates which peers to accept synchronization from: NoSync. The time service does not synchronize with other sources. NTP. The time service synchronizes from the servers specified in the NtpServer. registry entry. NT5DS. The time service synchronizes from the domain hierarchy. AllSync. The time service uses all the available synchronization mechanisms. The default value on domain members is NT5DS. The default value on stand-alone clients and servers is NTP.

«HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient» subkey entries

Registry entry	Version	Description
AllowNonstandardModeCombinations	All versions	Indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.
CompatibilityFlags	All versions	Specifies the following compatibility flags and values: 0x00000001 — DispersionInvalid 0x00000002 — IgnoreFutureRefTimeStamp 0x80000000 — AutodetectWin2K 0x40000000 — AutodetectWin2KStage2 The default value for domain members is 0x80000000. The default value for stand-alone clients and servers is 0x80000000.
CrossSiteSyncFlags	All versions	Determines whether the service chooses synchronization partners outside the domain of the computer. The options and values are: 0 — None 1 — PdcOnly 2 — All This value is ignored if the NT5DS value is not set. The default value for domain members is 2. The default value for stand-alone clients and servers is 2.
DllName	All versions	Specifies the location of the DLL for the time provider.

The default location for this DLL on both domain members and stand-alone clients and servers is %windir%\System32\W32Time.dll. Enabled All versions Indicates if the NtpClient provider is enabled in the current Time Service.

• 1 — Yes
• 0 — No

The default value on domain members is 1. The default value on stand-alone clients and servers is 1. EventLogFlags All versions Specifies the events logged by the Windows Time service.

• 0x1 — Reachability changes
• 0x2 — Large sample skew (This is applicable to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 only)

The default value on domain members is 0x1. The default value on stand-alone clients and servers is 0x1. InputProvider All versions Indicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock.

• 1 — Yes
• 0 — No

Default value for both domain members and stand-alone clients is 1. LargeSampleSkew All versions Specifies the large sample skew for logging, in seconds. To comply with Security and Exchange Commission (SEC) specifications, this should be set to three seconds. Events will be logged for this setting only when EventLogFlags is explicitly configured for 0x2 large sample skew. The default value on domain members is 3. The default value on stand-alone clients and servers is 3. ResolvePeerBackOffMaxTimes All versions Specifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. The default value on domain members is 7. The default value on stand-alone clients and servers is 7. ResolvePeerBackoffMinutes All versions Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. The default value on domain members is 15. The default value on stand-alone clients and servers is 15. SpecialPollInterval All versions Specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

New for build 1703, SpecialPollInterval is contained by the MinPollInterval and MaxPollInterval Config registry values. SpecialPollTimeRemaining All versions Maintained by W32Time. It contains reserved data that is used by the Windows operating system. It specifies the time, in seconds, before W32Time will resynchronize after the computer has restarted. Any changes to this setting can cause unpredictable results. The default value on both domain members and on stand-alone clients and servers is left blank.

«HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer» subkey entries

Registry Entry	Versions	Description
AllowNonstandardModeCombinations	All versions	Indicates that non-standard mode combinations are allowed in synchronization between clients and servers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.
DllName	All versions	Specifies the location of the DLL for the time provider. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%\System32\W32Time.dll.
Enabled	All versions	Indicates if the NtpServer provider is enabled in the current Time Service. 1 — Yes 0 — No The default value on domain members is 1. The default value on stand-alone clients and servers is 1.
InputProvider	All versions	Indicates whether to enable the NtpClient as an InputProvider, which obtains time information from the NtpServer. The NtpServer is a time server that responds to client time requests on the network by returning time samples that are useful for synchronizing the local clock. 1 — Yes 0 — No = 0 Default value for both domain members and stand-alone clients: 1

Reference: Pre-set values for the Windows Time service GPO settings

The following table lists the global Group Policy settings that are associated with the Windows Time service and the pre-set value associated with each setting. For more information about each setting, see the corresponding registry entries in Reference: Windows Time service registry entries earlier in this article. The following settings are contained in a single GPO called Global Configuration Settings.

Pre-set values for «Global Group Policy» settings

Group Policy setting	Pre-set value
AnnounceFlags	10
EventLogFlags	2
FrequencyCorrectRate	4
HoldPeriod	5
LargePhaseOffset	1,280,000
LocalClockDispersion	10
MaxAllowedPhaseOffset	300
MaxNegPhaseCorrection	54,000 (15 hours)
MaxPollInterval	15
MaxPosPhaseCorrection	54,000 (15 hours)
MinPollInterval	10
PhaseCorrectRate	7
PollAdjustFactor	5
SpikeWatchPeriod	90
UpdateInterval	100

Pre-set values for «Configure Windows NTP Client» settings

The following table lists the available settings for the Configure Windows NTP Client GPO and the pre-set values that are associated with the Windows Time service. For more information about each setting, see the corresponding registry entries in Reference: Windows Time service registry entries earlier in this article.

Group Policy setting	Pre-set value
NtpServer	time.windows.com, 0x1
Type	Default options: NTP. Use on computers that are not joined to a domain. NT5DS. Use on computers that are joined to a domain.
CrossSiteSyncFlags	2
ResolvePeerBackoffMinutes	15
ResolvePeerBackoffMaxTimes	7
SpecialPollInterval	3,600
EventLogFlags	0

Reference: Network ports that the Windows Time service uses

Windows Time follows the NTP specification, which requires the use of UDP port 123 for all time synchronization communication. This port is reserved by Windows Time and remains reserved at all times. Whenever the computer synchronizes its clock or provides time to another computer, that communication is performed on UDP port 123.

If you have a computer that has multiple network adapters (also called a multihomed computer), you cannot selectively enable the Windows Time service based on the network adapter.

Related information

The following resources contain additional information that is relevant to this section.

• RFC 1305 in the IETF RFC Database

—>