In this article I want to discuss a problem regarding the W32Time service
on Windows Server 2008. This service is used to maintain date and time
synchronization between all hosts/servers in a network. If you work in a
medium-large company, you probably interact with a lot of servers.
Timing and synchronization between these servers is crucial for all sorts
of activities: backups, running scripts, updates etc. can all rely on
the timing and synchronization between devices. Windows Time runs as a
service on both servers and workstations. Let's take a look at this
service right now by opening the Services console and looking for the
"Windows Time" service:
Now, if we double click it, you will see its properties:
You can Start/Stop/Pause or Resume this service either by using the GUI or by using the net start/stop [service] command. To run this command, open a command prompt and type net stop w32time to stop this service. To view the commands that the net command can supply, type net ?:
You are now probably wondering how you can find out the name of a service.
Well, the easiest way is to use the Services console and look in the
name section. I prefer using the sc query type= service command.
This command will display all services on the local machine, their name
and state. Type this command to see its output:
Another useful command that you can use to interact with the time service is the w32tm command. If you work in a domain with many domain controllers, you can type w32tm /monitor
to see the delay and synchronization status between all domain
controllers. This is very useful, especially if you encounter timing
problems and replication problems between devices. By typing w32tm /tz, you can view the currently configured time zone:
Another way you can use this command is to force the local or a remote machine to synchronize. You can simply type the w32tm /resync command for the local machine or add the /computer:[name] parameter for a remote machine:
Usually, when someone changes the time settings of a server, the action
is automatically logged in the System event log. If for whatever reason
the time change is not recorded in Event Viewer, you can force the
logging by modifying the system registry. First, open the registry
editor (regedit) and navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
Under this registry key add the following values:
name: Log ; Data type: REG_DWORD ; Value: 0x00000064 (Hex)
name: WriteLog ; Data type: REG_SZ ; Value: True
The following event IDs will be recorded by Event Viewer:
- event 61 will be logged in the System log saying that the time was changed
- event 0 will specify the offset value. By the way, this value
specifies how far behind the local machine is, in terms of timing, from
the NTP servers. These are globally distributed servers that work
together to synchronize time between them.
- the errors will be logged with the event ID of 11
A company can have its own NTP server or use a global server. Windows
Time uses port UDP 123 for synchronization between devices. To test if an
NTP server is open for timing synchronization, use the telnet
command. In the following example, I've tried to sync my computer with an
NTP server (an imaginary one) and next I've tested port 123 on the
server to see if it's open for connections:
I've just realized that this is a UDP port and cannot be tested by using
the telnet command. Another way is by using third-party software like
Netcat or Ntpquery.
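The check that telnet cannot do, as an added example that is not part of the original post: a PowerShell function that sends one SNTP client request to UDP 123 and reports whether a valid server reply came back, with an approximate clock offset. The function name Test-NtpServer and the host name ntp.example.test are placeholders chosen for this illustration.

```powershell
# Added example, not from the original post. Test-NtpServer is a hypothetical name.
function Test-NtpServer {
    param([string]$Server, [int]$Port = 123, [int]$TimeoutMs = 3000)

    # 48-byte SNTP request; first byte 0x1B = LI 0, version 3, mode 3 (client)
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        $sent = [DateTime]::UtcNow
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        $received = [DateTime]::UtcNow
    }
    catch {
        # UDP is connectionless: no answer means closed, filtered or not NTP
        return New-Object PSObject -Property @{
            Server = $Server; Responded = $false; Detail = $_.Exception.Message }
    }
    finally { $udp.Close() }

    # A usable answer is at least 48 bytes, mode 4 (server), stratum 1-15
    $mode = $reply[0] -band 0x07
    $stratum = $reply[1]
    if ($reply.Length -lt 48 -or $mode -ne 4 -or $stratum -lt 1 -or $stratum -gt 15) {
        return New-Object PSObject -Property @{
            Server = $Server; Responded = $true
            Detail = "Not a synchronized NTP reply (mode $mode, stratum $stratum)" }
    }

    # Transmit timestamp: bytes 40-43 seconds since 1900-01-01 UTC, 44-47 fraction
    $seconds = [double]0; $fraction = [double]0
    foreach ($i in 40..43) { $seconds = $seconds * 256 + $reply[$i] }
    foreach ($i in 44..47) { $fraction = $fraction * 256 + $reply[$i] }
    $epoch = New-Object DateTime (1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $serverTime = $epoch.AddSeconds($seconds + $fraction / 4294967296)

    # Approximate offset: server time against the midpoint of the round trip
    $midpoint = $sent.AddSeconds(($received - $sent).TotalSeconds / 2)
    New-Object PSObject -Property @{
        Server = $Server; Responded = $true; Stratum = $stratum
        ServerTimeUtc = $serverTime
        OffsetSeconds = [Math]::Round(($serverTime - $midpoint).TotalSeconds, 3) }
}

# Placeholder host name; replace with your own NTP server
Test-NtpServer -Server 'ntp.example.test'
```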
When the time is changed by another user, the event is logged under the
ID 4616. These events are logged under the Security group. By viewing
this event you can see when the time change occurred:
I hope this short post will be useful to you, please leave a comment and
share it with others. If there is something more to add, feel free to
point out your ideas. Have a wonderful day folks.
"Remember Me When You Raise Your Hand For Dua"
Raheel Ahmed Khan
System Engineer
send2raheel@yahoo.com
send2raheel@engineer.com
sirraheel@gmail.com
send2raheel (skype id)
My Blog Spot
http://raheel-mydreamz.blogspot.com/