How to enable Windows Time Service Auditing

Accurate time in a domain environment is essential for authentication between clients and servers to work correctly. The Kerberos v5 protocol requires a tolerance of less than 5 minutes; anything more than this and you will get authentication errors.

I’ve recently been investigating a server whose time leaped 28 days into the future! So I wanted to start auditing the Windows Time service to see what made the change.

So in this blog post I’ll show you how to enable Windows Time service auditing.

Here are the two event log messages which (along with the fact no one could log in) prompted the investigation.

Event Log ID 1, Kernel-General: the system time has changed; change reason: an application or system component changed the time

Event Log ID 52, Time-Service: the time service has set the time with the offset




After checking the event viewer I next looked at the Task Scheduler, and the only scheduled task around the time of the change was a Google Chrome update task, which surely couldn’t have been responsible?

To enable Time Service auditing

Open an elevated command prompt and type:

w32tm /debug /enable /file:c:\W32Time\w32time.log /size:10000000 /entries:0-300


To disable Time Service auditing

Type: w32tm /debug /disable
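
Once debug logging is on, the log itself can be searched for the moment the clock moved. The following Python script is an added example, not part of the original post or of any Microsoft tooling: it reads w32time.log lines and reports every pair of consecutive entries whose timestamps differ by more than a threshold, forwards or backwards. It assumes each entry starts with the day count since 1601-01-01 and a time of day ending in "s", followed by " - " and the message; the sample lines, the function names and the one-hour default threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed entry layout (not shown in the post):
#   <days since 1601-01-01> <HH:MM:SS.fffffff>s - <message>
ENTRY_RE = re.compile(r"^(\d+) (\d{2}):(\d{2}):(\d{2})\.(\d{7})s - (.*)$")
EPOCH_1601 = datetime(1601, 1, 1)

def parse_entry(line):
    """Return (timestamp, message), or None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    days, hh, mm, ss, ticks = (int(g) for g in m.groups()[:5])
    # The fractional part is in 100 ns ticks; datetime keeps microseconds.
    stamp = EPOCH_1601 + timedelta(days=days, hours=hh, minutes=mm,
                                   seconds=ss, microseconds=ticks // 10)
    return stamp, m.group(6)

def find_time_jumps(lines, threshold=timedelta(hours=1)):
    """List (before, after, delta, last_message_before) for every pair of
    consecutive entries whose timestamps differ by more than threshold,
    forwards or backwards."""
    jumps, prev = [], None
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue  # blank or unrecognised line
        if prev is not None and abs(entry[0] - prev[0]) > threshold:
            jumps.append((prev[0], entry[0], entry[0] - prev[0], prev[1]))
        prev = entry
    return jumps

# Constructed sample (day 152730 = 2019-03-01); messages are illustrative.
SAMPLE_LOG = """\
152730 09:15:02.1234567s - constructed entry: waiting for next poll
152730 09:16:06.2000000s - constructed entry: poll completed
152758 09:16:07.0000000s - constructed entry: first line after the leap
152758 09:16:07.5000000s - constructed entry: normal logging resumes
"""

if __name__ == "__main__":
    # On a real server, pass open(r"c:\W32Time\w32time.log", errors="replace")
    for before, after, delta, msg in find_time_jumps(SAMPLE_LOG.splitlines()):
        print(f"{before} -> {after} ({delta}); last entry before: {msg}")
```

A gap also appears when the service or the machine was simply off, so treat each hit as a pointer to the surrounding log entries and to the Kernel-General and Time-Service events for the same period.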

Along with enabling auditing we’re now using a neat little utility from Greyware – Domain Time, which creates a control panel applet to interrogate the local w32tm service, and allows you to easily specify NTP servers and time hierarchy in a GUI rather than from the command line. Since then time has been rock solid, and I never did get to the bottom of what changed the time.



