Configuring w32time As NTP Client
The performance of the w32time (“Windows Time”) service as an NTP client depends strongly on the w32time software version, which in turn depends on the Windows version it was shipped with.
Only w32time versions shipped with Windows Server 2016, Windows 10 version 1607, or later can achieve an accuracy that sounds reasonable.
Strange w32time default configuration
If a Windows machine gets the time from an NTP server on the network, it acts just as a client of that server, and should send normal NTP “client” request packets to the server, so that the server sends an NTP “server” response packet back.
However, by default some older w32time services (e.g. the ones shipped with Windows XP and Server 2003) send NTPv3 “symmetric active peer” packets instead of “client” mode packets, and normally the NTP daemon (ntpd) as an NTP server should not even reply to such packets, unless the “symmetric active” packet really comes from an authenticated peer.
So back in 2002 a workaround was implemented in ntpd where it doesn't mobilize a peer association unless the request comes from an authenticated peer, but anyway sends a reply, just to satisfy those w32time clients.
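The difference between the two request types is the 3-bit mode field in the first byte of the NTP header (1 = symmetric active, 3 = client). The following is an added example, not part of the original page or of ntpd: it decodes that byte and lists the sources in a capture that send symmetric active requests. The sample packets and addresses are constructed, and the function names are chosen for this example.

```python
# Added example: find clients that send mode 1 instead of mode 3 requests.
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast"}
HEADER_LEN = 48  # fixed NTP header size in bytes


def decode_header_byte(packet: bytes) -> dict:
    """Split the first header byte into leap indicator, version and mode."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    first = packet[0]
    return {"leap": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}


def build_request(version: int, mode: int) -> bytes:
    """Constructed sample: only version and mode are set, the rest is zero."""
    return bytes([(version << 3) | mode]) + bytes(HEADER_LEN - 1)


def symmetric_active_sources(capture) -> dict:
    """Return {source: description} for every source sending mode 1 requests.

    `capture` is an iterable of (source_address, udp_payload) pairs.
    """
    found = {}
    for source, payload in capture:
        try:
            hdr = decode_header_byte(payload)
        except ValueError:
            continue  # too short to be an NTP packet, skip it
        if hdr["mode"] == 1:
            found[source] = f"NTPv{hdr['version']} {MODES[1]}"
    return found


# Constructed capture; addresses are from the RFC 5737 documentation range.
SAMPLE_CAPTURE = [
    ("192.0.2.21", build_request(3, 1)),  # what old w32time sends by default
    ("192.0.2.22", build_request(4, 3)),  # normal NTPv4 client request
    ("192.0.2.23", build_request(3, 3)),  # normal NTPv3 client request
    ("192.0.2.24", b"\x19"),              # truncated payload, ignored
]

if __name__ == "__main__":
    for src, what in symmetric_active_sources(SAMPLE_CAPTURE).items():
        print(f"{src}: sends {what} requests instead of client requests")
```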
Versions of LANTIME firmware/ntpd that don't reply to "symmetric active" requests
In June 2018 there was a change in the source code of ntpd to fix a different problem, and this change unintentionally disabled the workaround mentioned above. Once this had been noticed by users, the workaround was enabled again, and thus the subsequent patch release ntp-4.2.8p12 works again as it has been for many years.
The version of ntpd where the workaround for w32time clients was unintentionally disabled was shipped with LANTIME firmware versions 6.24.013 and 6.24.014. So this should work properly with all older LANTIME firmware versions, and with LANTIME firmware version 6.24.015 or newer.
Anyway, the proper fix would be to configure the w32time service on the Windows machines in a way that it sends “client” requests to the server, as expected by the NTP standards.
This is described in the next chapter.
Correctly Specifying Your Own NTP Server
w32time is the name of the service shipped with Windows, which is normally configured automatically to query the time from a domain controller in an Active Directory domain, if the machine is a member of an AD domain, or from one of Microsoft's public NTP servers which can be accessed via time.microsoft.com, if the machine is a standalone machine or an AD domain controller.
The w32tm command, however, is a utility program that can be run in a console (cmd) window with administrator privileges to configure and monitor the w32time service.
The following commands can be used to specify the host name or IP address of an external NTP server to be queried, and check the current settings.
When specifying an NTP server, it may be required to add a specific flag to the host name or IP address, even though this is poorly documented by Microsoft. According to the Microsoft documentation at
- [MS-SNTP]: Abstract Data Model | Microsoft Docs
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sntp/fef409e4-5297-4f18-850b-e386f7e10fea
the following flags are supported:
Flag | Name | Meaning |
---|---|---|
0x1 | SpecialInterval | Wait for the special interval instead of the standard interval before sending the next query, see Registry Settings |
0x2 | UseAsFallbackOnly | Use the specified NTP server as fallback only |
0x4 | SymmetricActive | Force sending symmetric active peer requests to the specified NTP server |
0x8 | Client | Force sending client requests to the specified NTP server |
As already mentioned above, some versions of w32time used to send symmetric active peer requests to NTP servers by default, but if the NTP server runs the standard NTP software (ntpd), the server may not reply to such unauthenticated peer requests at all. The normal behavior is to send client requests to a server, in which case the server sends a server reply.
So it's safe to use flag 0x8, or a combination of other flags with 0x8, if required. E.g., 0x8 and 0x1 would result in a flag 0x9.
So actually the following command can be used to specify a single server:
w32tm /config /manualpeerlist:[server],0x8 /syncfromflags:MANUAL /update
Of course the IP address or the DNS hostname of the NTP server has to be entered instead of [server], and the flag 0x8 is appended after a comma, as explained above.
If several servers are to be configured for redundancy then the servers specified by /manualpeerlist have to be separated by a space, so the whole parameter has to be enclosed in double quotes:
w32tm /config /manualpeerlist:"[server1],0x8 [server2],0x8" /syncfromflags:MANUAL /update
The parameter /update makes sure the changes immediately become effective.
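To check an existing peer list against the flag rules above, the value can be split and each flag decoded. This is an added example, not part of the original page or a Microsoft tool: it parses the string given to /manualpeerlist (without the surrounding double quotes) and reports entries that do not force client requests. The host names, addresses and function names are placeholders chosen for this example.

```python
# Added example: decode and review a /manualpeerlist value.
FLAG_NAMES = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}


def parse_peerlist(value: str) -> list:
    """Split a peer list into (host, flags) pairs; a missing flag counts as 0."""
    peers = []
    for entry in value.split():  # servers are separated by spaces
        host, _, flag_text = entry.partition(",")
        flags = int(flag_text, 16) if flag_text else 0
        peers.append((host, flags))
    return peers


def flag_names(flags: int) -> list:
    """Names of the flags from the table that are set in `flags`."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def review_peerlist(value: str) -> dict:
    """Map each host to a list of findings; an empty list means no finding."""
    report = {}
    for host, flags in parse_peerlist(value):
        findings = []
        if flags & ~0xF:
            findings.append(f"bits outside the four listed flags: 0x{flags & ~0xF:x}")
        if flags & 0x4:
            findings.append("0x4 forces symmetric active requests")
        if not flags & 0x8:
            findings.append("0x8 (Client) is not set")
        report[host] = findings
    return report


def build_peerlist(hosts, flags: int = 0x8) -> str:
    """Build the value that goes inside the double quotes."""
    return " ".join(f"{host},0x{flags:x}" for host in hosts)


# Constructed sample value with placeholder hosts.
SAMPLE = "ntp1.example.com,0x9 192.0.2.10,0x4 ntp2.example.com"

if __name__ == "__main__":
    for host, findings in review_peerlist(SAMPLE).items():
        print(host, "->", "; ".join(findings) or "OK")
    print(build_peerlist(["ntp1.example.com", "ntp2.example.com"], 0x8 | 0x1))
```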
The following command can be used e.g. on Windows 7 / Server 2012 and later to check the list of servers (actually always labelled peers) that are currently in use:
w32tm /query /peers
The output of this command also shows a mode for each specified server/peer, which should be 3 (Client) in most cases.
For other options of the w32tm command please see the usage information displayed if the command is run without any parameter.
In Windows XP and Server 2003 a different command had to be used to check the configured NTP servers:
net time /querysntp
Registry Settings
The following settings are required on every node that runs w32time to achieve the best results:
Registry Key | Value |
---|---|
MinPollInterval | 6 |
MaxPollInterval | 6 |
UpdateInterval | 100 |
SpecialPollInterval | 64 |
FrequencyCorrectRate | 2 |
These parameters are determined by registry settings, or via some group policies. See the WARNING section on this web page:
- Windows Time Service Registry Entries
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings#w2k3tr_times_tools_uhlp
References
- Windows Time Service Tools and Settings
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings
which contains links to
- Accurate Time for Windows Server 2016
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time
which links to an addendum (a PDF)
- Addendum to the White paper on Windows Time Sync Accuracy
http://windocs.blob.core.windows.net/windocs/WindowsTimeSyncAccuracy_Addendum.pdf
- Support boundary to configure the Windows Time service for high-accuracy environments
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/support-boundary
Also:
- https://www.yammer.com/wsscengineering/#/files/133303237
(A Microsoft/Yammer account with sufficient rights may be required to log in and download the file)
Past discussions on ntpd's workaround for w32time
The problem that w32time sends “symmetric active” requests by default was brought up by Dave Mills in the NTP news group back in 2002:
In another post of that thread, Dave Mills said he had implemented a workaround in ntpd:
The problem was discussed once more in 2008, where Dave Mills said that ntpd should just send a “symmetric passive” reply back to such clients, but should not mobilize an association:
— Martin Burnicki martin.burnicki@meinberg.de, last updated 2022-08-17