Time sync for Windows VMs in Azure

Time sync is important for security and event correlation. Sometimes it is used for distributed transactions implementation. Time accuracy between multiple computer systems is achieved through synchronization. Synchronization can be affected by multiple things, including reboots and network traffic between the time source and the computer fetching the time.

Azure is now backed by infrastructure running Windows Server 2016. Windows Server 2016 has improved algorithms used to correct time and condition the local clock to synchronize with UTC. Windows Server 2016 also improved the VMICTimeSync service that governs how VMs sync with the host for accurate time. Improvements include more accurate initial time on VM start or VM restore and interrupt latency correction for samples provided to Windows Time (W32time).

For a quick overview of Windows Time service, take a look at this high-level overview video.

Overview

Accuracy for a computer clock is gauged on how close the computer clock is to the Coordinated Universal Time (UTC) time standard. UTC is defined by a multinational sample of precise atomic clocks that can only be off by one second in 300 years. But, reading UTC directly requires specialized hardware. Instead, time servers are synced to UTC and are accessed from other computers to provide scalability and robustness. Every computer has time synchronization service running that knows what time servers to use and periodically checks if computer clock needs to be corrected and adjusts time if needed.

Azure hosts are synchronized to internal Microsoft time servers that take their time from Microsoft-owned Stratum 1 devices, with GPS antennas. Virtual machines in Azure can either depend on their host to pass the accurate time (host time) on to the VM or the VM can directly get time from a time server, or a combination of both.

Virtual machine interactions with the host can also affect the clock. During memory preserving maintenance, VMs are paused for up to 30 seconds. For example, before maintenance begins the VM clock shows 10:00:00 AM and lasts 28 seconds. After the VM resumes, the clock on the VM would still show 10:00:00 AM, which would be 28 seconds off. To correct for this, the VMICTimeSync service monitors what is happening on the host and prompts for changes to happen on the VMs to compensate.

The VMICTimeSync service operates in either sample or sync mode and will only influence the clock forward. In sample mode, which requires W32time to be running, the VMICTimeSync service polls the host every 5 seconds and provides time samples to W32time. Approximately every 30 seconds, the W32time service takes the latest time sample and uses it to influence the guest’s clock. Sync mode activates if a guest has been resumed or if a guest’s clock drifts more than 5 seconds behind the host’s clock. In cases where the W32time service is properly running, the latter case should never happen.

Without time synchronization working, the clock on the VM would accumulate errors. When there is only one VM, the effect might not be significant unless the workload requires highly accurate timekeeping. But in most cases, we have multiple, interconnected VMs that use time to track transactions and the time needs to be consistent throughout the entire deployment. When time between VMs is different, you could see the following effects:

• Authentication will fail. Security protocols like Kerberos or certificate-dependent technology rely on time being consistent across the systems.
• It’s very hard to figure out what have happened in a system if logs (or other data) don’t agree on time. The same event would look like it occurred at different times, making correlation difficult.
• If clock is off, the billing could be calculated incorrectly.

The best results for Windows deployments are achieved by using Windows Server 2016 as the guest operating system, which ensures you can use the latest improvements in time synchronization.

Configuration options

There are three options for configuring time sync for your Windows VMs hosted in Azure:

• Host time and time.windows.com. This is the default configuration used in Azure Marketplace images.
• Host-only.
• Use another, external time server with or without using host time.

Use the default

By default Windows OS VM images are configured for w32time to sync from two sources:

• The NtpClient provider, which gets information from time.windows.com.
• The VMICTimeSync service, used to communicate the host time to the VMs and make corrections after the VM is paused for maintenance. Azure hosts use Microsoft-owned Stratum 1 devices to keep accurate time.

w32time would prefer the time provider in the following order of priority: stratum level, root delay, root dispersion, time offset. In most cases, w32time on an Azure VM would prefer host time due to evaluation it would do to compare both time sources.

For domain joined machines the domain itself establishes time sync hierarchy, but the forest root still needs to take time from somewhere and the following considerations would still hold true.

Host-only

Because time.windows.com is a public NTP server, syncing time with it requires sending traffic over the internet, varying packet delays can negatively affect quality of the time sync. Removing time.windows.com by switching to host-only sync can sometimes improve your time sync results.

Switching to host-only time sync makes sense if you experience time sync issues using the default configuration. Try out the host-only sync to see if that would improve the time sync on VM.

External time server

If you have specific time sync requirements, there is also an option of using external time servers. External time servers can provide specific time, which can be useful for test scenarios, ensuring time uniformity with machines hosted in non-Microsoft datacenters, or handling leap seconds in a special way.

You can combine external servers with the VMICTimeSync service and VMICTimeProvider to provide results similar to the default configuration.

Check your configuration

Check if the NtpClient time provider is configured to use explicit NTP servers (NTP) or domain time sync (NT5DS).

If the VM is using NTP, you will see the following output:

To see what time server the NtpClient time provider is using, at an elevated command prompt type:

If the VM is using the default, the output will look like this:

To see what time provider is being used currently.

Here is the output you could see and what it would mean:

• time.windows.com — in the default configuration, w32time would get time from time.windows.com. The time sync quality depends on internet connectivity to it and is affected by packet delays. This is the usual output you would get on a physical machine.
• VM IC Time Synchronization Provider — the VM is syncing time from the host. This is the usual output you would get on a virtual machine running on Azure.
• Your domain server — the current machine is in a domain and the domain defines the time sync hierarchy.
• Some other server — w32time was explicitly configured to get the time from that another server. Time sync quality depends on this time server quality.
• Local CMOS Clock — clock is unsynchronized. You can get this output if w32time hasn’t had enough time to start after a reboot or when all the configured time sources are not available.

Opt-in for host-only time sync

Azure is constantly working on improving time sync on hosts and can guarantee that all the time sync infrastructure is collocated in Microsoft-owned datacenters. If you have time sync issues with the default setup that prefers to use time.windows.com as the primary time source, you can use the following commands to opt-in to host-only time sync.

Mark the VMIC provider as enabled.

Mark the NTPClient provider as disabled.

Restart the w32time Service.

Windows Server 2012 and R2 VMs

Windows Server 2012 and Windows Server 2012 R2 have different default settings for time sync. The w32time by default is configured in a way that prefers low overhead of the service over to precise time.

If you want to move your Windows Server 2012 and 2012 R2 deployments to use the newer defaults that prefer precise time, you can apply the following settings.

Update the w32time poll and update intervals to match Windows Server 2016 settings.

For w32time to be able to use the new poll intervals, the NtpServers need to be marked as using them. If servers are annotated with 0x1 bitflag mask, that would override this mechanism and w32time would use SpecialPollInterval instead. Make sure that specified NTP servers are either using 0x8 flag or no flag at all:

Check what flags are being used for the used NTP servers.

Next steps

Below are links to more details about the time sync:

How to force Windows 10 time to synch with a time server?

The time displayed by WIndows 10 is over 30 seconds slow even though I shut it down and restarted my computer less than 15 hours ago. I can’t find a way to force W10 to synch the clock with a time server.

I had a program (SocketWatch) I had used for years to update the clock with the NIST time server, but it no longer works in W10.

Replies (31) 

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.

Thank you for posting in Microsoft Community.

Method 1:

Follow the steps mentioned below.

1. Press Windows key + r and type services.msc and press enter.
2. Right click on Windows Time and select properties to check the status of the service.
3. Restart the Windows Time service.
4. Click on OK.
5. Restart the computer

Method 2:

a. Click on clock and select “Change date and time settings”.

b. Click on the “Internet Time” tab.

c. Check if it is set to “synchronize the time with time.windows.com”

d. If the option is selected, click on change settings to check the option “Synchronize with an Internet Time server”

Method 3:

Follow the steps mentioned below.

Press Windows key + X and select Command prompt(Admin).

Type each one of the command below and press enter.

net stop w32time

net start w32time

Restart the computer to test the issue again.

Простой способ синхронизации времени Windows 7 с любого сервера

Часы, особенно, в старых компьютерах перестают обновляться и соответствовать показаниям часов на сервере времени, тем самым нарушается точность компьютерных часов. Поэтому поводу не стоит расстраиваться, имеются самые простые способы решения этой проблемы, с которыми справится каждый начинающий, осваивающий азы компьютерной техники.

Для начала попробуем настроить время компьютера вручную, заходим в панель «Настройки времени по Интернету», по очереди выбирая в окошке серверы, начиная с time.widows.com до time-b.nist.gov – их всего пять, жмем на кнопку «Обновить сейчас».

И если во всех случаях обновления одна и та же ошибка, это означает: ping – время, измеряемое в миллисекундах, установленное сервером времени, которое необходимо для преодоления пути к серверу времени и обратно, наш старый компьютер с длинной дистанцией туда и обратно не справляется. Ниже на рисунке показана схема соединения наших устройств с Интернетом.

Из этой схемы видно, какой путь сигнал запроса и ответа должен преодолеть, чтобы связаться с сервером времени Windows. Ping (время ожидания) на серверах специально уменьшают, чтобы снизить нагрузку на них и отсечь старые компьютеры. Поэтому Майкрософт постоянно советует, чтобы пользователи перешли на новые версии Windows и заодно приобрели более совершенные компьютеры.

Однако мы можем синхронизировать время с любого сервера и даже компьютера друга или соседа, а лучше всего с сервера своего провайдера. Для начала необходимо понять, что ping это не только время, но и утилита, с помощью которой, можно оценить надежность интернет соединения с любым сервером и компьютером. Проверим сервер времени Windows, для этого откроем командную строку. Путь к ней: Пуск \ Все программы \ Стандартные \ Командная строка. Второй кнопкой мыши запускаем ее от имени администратора:

Windows sync time with server

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Asked by:

Question

I just recently setup a new Windows 2012 server, I having difficulties syncing the server to pool.ntp.org. When I check the registry everything is pointing to the external source, however, when I do a check the time source is set to local time clock. I opened port 123 udp on the server firewall. Do I need to open the port on the Cisco ASA5505 also?

Thank you for your post.

All replies

Based on your situation, I’d like to collect more details to narrow down this issue:
1. Are you in a workgroup environment or a domain environment?
2. How do you configure the time sync? If possible, please run command w32tm /query /status to check the time sync status.

Also, you need to open UDP 123 for NTP service so that server can identify reliable time sources and obtain time information.

If you need further help, please feel free to let us know.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Run this from a command prompt on the server.

w32tm /stripchart /computer:pool.ntp.org

This will tell you if you are actually connecting to the pool or not.

Then you can also see on your firewall if the request is being dropped.

I’m in a domain environment. Here are the results for W32tm /stripchart /computer:pool.ntp.org. It looks like I’m able to connect to pool.ntp.org. However, when I run w32tm /query /status the server is still pointing to the local time

C:\Users\Administrator>w32tm /stripchart /computer:pool.ntp.org
Tracking pool.ntp.org [85.204.137.77:123].
The current time is 4/6/2018 9:03:34 AM.
09:03:34 d:+00.0957042s o:-00.6873143s [ * |
]
09:03:36 d:+00.0936385s o:-00.6908301s [ * |
]
09:03:38 d:+00.0936548s o:-00.6911165s [ * |
]
09:03:40 d:+00.0936381s o:-00.6928888s [ * |
]
09:03:43 d:+00.0936607s o:-00.6929543s [ * |
]
09:03:45 d:+00.0936528s o:-00.6912651s [ * |

w32tm /query /status — result

C:\Users\Administrator>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference — syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: «LOCL»)
Last Successful Sync Time: 4/5/2018 10:16:05 AM
Source: Free-running System Clock
Poll Interval: 6 (64s)

Finally, here are the results when I run w32tm /query /peers.

C:\Users\Administrator>w32tm /query /peers
#Peers: 1

Peer: 192.168.0.240
State: Pending
Time Remaining: 18149.8416932s
Mode: 0 (reserved)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 0 (unspecified)

What am I doing wrong?

Is this server a member server or domain controller?
If it is a member server, it will sync time with the PDC automatically and if it is a domain controller, please refer to the following article to configure the time synchronization:
“It’s Simple!” – Time Configuration in Active Directory
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

If you need further help, please feel free to let us know.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

According to your situation, in order to provide efficient method for troubleshooting, please help me collect the following information:
1. Verify configuration and that selected time source can be verified using the following command:
w32tm /query /configuration /verbose
2. Verify registry keys under HKLM\SYSTEM\CurrentControlSet\services\W32Time\Parameters
NtpServer = pool.ntp.org
Type = NTP

If you have any updates during this process, please feel free to let me know.

Best Regards,
Albert

Please remember to mark the replies as an answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Here are the results when I run w32tm /query /configuration /verbose:

C:\Users\Administrator>w32tm /query /configuration /verbose
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

FileLogName: (Undefined or NotUsed)
FileLogEntries: (Undefined or NotUsed)
FileLogSize: 0 (Undefined or NotUsed)
FileLogFlags: 0 (Undefined or NotUsed)