Accurate time in a domain environment is essential for authentication between clients and servers to work correctly. The Kerberos v5 protocol requires a tolerance of less than 5 minutes; anything more than this and you will get authentication errors.
I’ve recently been investigating a server whose time leaped 28 days into the future! So I wanted to start auditing the Windows Time service to see what made the change.
So in this blog post I’ll show you how to enable Windows Time service auditing.
Here are the two event log messages which (along with the fact no one could log in), prompted the investigation.
After checking the event viewer I next looked at the Task Scheduler, and the only scheduled task around the time of the change was a Google Chrome update task, which surely couldn’t have been responsible?
To enable Time Service auditing
Open an elevated command prompt and type:
w32tm /debug /enable /file:c:\W32Time\w32time.log /size:10000000 /entries:0-300
To disable Time Service auditing
Type: w32tm /debug /disable
Along with enabling auditing, we’re now using a neat little utility from Greyware – Domain Time, which creates a control panel applet to interrogate the local w32tm service, and allows you to easily specify NTP servers and time hierarchy in a GUI rather than from the command line. Since then, time has been rock solid, and I never did get to the bottom of what changed the time.
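As a complement to the w32tm debug log, the Security event log records event 4616 ("The system time was changed") with the account and process behind each change. The PowerShell below is an added example, not part of the original post, and goes beyond the w32tm steps above: it lists every recorded change larger than the 5-minute Kerberos tolerance. It assumes an elevated session and that the "Audit Security State Change" subcategory is logging successes; the function and variable names are illustrative.

```powershell
# Added example: report system-time changes that exceed the Kerberos tolerance.
# Assumptions: elevated session; "Audit Security State Change" success auditing is on.
$toleranceMinutes = 5   # Kerberos v5 clock-skew tolerance mentioned in the post

function ConvertTo-UtcTime([string]$Text) {
    # The event XML carries more fractional-second digits than [datetime] stores,
    # so keep at most seven before parsing.
    $trimmed = $Text -replace '(\.\d{7})\d+', '$1'
    [datetime]::Parse($trimmed, [cultureinfo]::InvariantCulture).ToUniversalTime()
}

# No StartTime filter on purpose: after a clock jump the event timestamps
# themselves cannot be trusted to fall inside a chosen window.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Index the named <Data> fields of the event by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $previous = ConvertTo-UtcTime $data['PreviousTime']
        $new      = ConvertTo-UtcTime $data['NewTime']
        $jump     = $new - $previous

        # Ignore the small corrections that normal synchronisation produces.
        if ([math]::Abs($jump.TotalMinutes) -gt $toleranceMinutes) {
            [pscustomobject]@{
                Logged        = $_.TimeCreated
                PreviousUtc   = $previous
                NewUtc        = $new
                JumpMinutes   = [math]::Round($jump.TotalMinutes, 1)
                Account       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process       = $data['ProcessName']
            }
        }
    } |
    Sort-Object PreviousUtc |
    Format-Table -AutoSize
```

The Process and Account columns identify what requested each change, and those entries can then be lined up against the same timestamps in c:\W32Time\w32time.log.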
Resources
Maximum tolerance for computer clock synchronization
Maximum tolerance for computer clock synchronization (Windows 10)