Accurate Time for Windows Server 2016

Applies to: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10 or later

The Windows Time service is a component that uses a plug-in model for client and server time synchronization providers. There are two built-in client providers on Windows, and there are third-party plug-ins available. One provider uses NTP (RFC 1305) or MS-NTP to synchronize the local system time to an NTP and/or MS-NTP compliant reference server. The other provider is for Hyper-V and synchronizes virtual machines (VM) to the Hyper-V host. When multiple providers exist, Windows will pick the best provider using stratum level first, followed by root delay, root dispersion, and finally time offset.

Note

For a quick overview of Windows Time service, take a look at this high-level overview video.

This topic covers the following areas as they relate to enabling accurate time:

  • Improvements
  • Measurements
  • Best Practices

Important

An addendum referenced by the Windows 2016 Accurate Time article can be downloaded here. This document provides more details about our testing and measurement methodologies.

Note

The Windows time provider plug-in model is documented on TechNet.

Domain Hierarchy

Domain and Standalone configurations work differently.

  • Domain members use a secure NTP protocol, which uses authentication to ensure the security and authenticity of the time reference. Domain members synchronize with a master clock determined by the domain hierarchy and a scoring system. In a domain, there is a hierarchical layer of time stratums, whereby each DC points to a parent DC with a more accurate time stratum. The hierarchy resolves to the PDC or a DC in the root forest, or a DC with the GTIMESERV domain flag, which denotes a Good Time Server for the domain. See the "Specify a Local Reliable Time Service Using GTIMESERV" section below.

  • Standalone machines are configured to use time.windows.com by default. This name is resolved by your DNS server, which should point to a Microsoft-owned resource. As with all remotely located time references, network outages may prevent synchronization. Network traffic loads and asymmetrical network paths may reduce the accuracy of the time synchronization. For 1 ms accuracy, you can't depend on remote time sources.

Since Hyper-V guests will have at least two Windows Time providers to choose from, the host time and NTP, you might see different behaviors with either Domain or Standalone when running as a guest.

Note

For more information about the domain hierarchy and scoring system, see the "What is Windows Time Service?" blog post.

Note

Stratum is a concept used in both the NTP and Hyper-V providers, and its value indicates the clock's location in the hierarchy. Stratum 1 is reserved for the highest-level clock, and stratum 0 is reserved for the hardware, which is assumed to be accurate and to have little or no delay associated with it. Stratum 2 servers talk to stratum 1 servers, stratum 3 to stratum 2, and so on. While a lower stratum often indicates a more accurate clock, it is possible to find discrepancies. Also, W32time only accepts time from stratum 15 or below. To see the stratum of a client, use w32tm /query /status.

Critical Factors for Accurate Time

In every case for accurate time, there are three critical factors:

  1. Solid source clock - The source clock in your domain needs to be stable and accurate. This usually means installing a GPS device or pointing to a Stratum 1 source, taking #3 into account. As an analogy, if you have two boats on the water and you are trying to measure the altitude of one compared to the other, your accuracy is best if the source boat is very stable and not moving. The same goes for time: if your source clock isn't stable, then the entire chain of synchronized clocks is affected, and the effect is magnified at each stage. It also must be accessible, because disruptions in the connection will interfere with time synchronization. And finally, it must be secure. If the time reference is not properly maintained, or is operated by a potentially malicious party, you could expose your domain to time-based attacks.
  2. Stable client clock - A stable client clock assures that the natural drift of the oscillator is containable. NTP uses multiple samples from potentially multiple NTP servers to condition and discipline your local computer's clock. It does not step the time changes, but rather slows or speeds up the local clock so that you approach the accurate time quickly and stay accurate between NTP requests. However, if the client computer clock's oscillator is not stable, then more fluctuations in between adjustments can occur and the algorithms Windows uses to condition the clock don't work accurately. In some cases, firmware updates might be needed for accurate time.
  3. Symmetrical NTP communication - It is critical that the connection for NTP communication is symmetrical. NTP uses calculations to adjust the time that assume the network path is symmetrical. If the NTP packet takes a different amount of time going to the server than it does returning, the accuracy is affected. For example, the path could change due to changes in network topology, or packets being routed through devices that have different interface speeds.
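
The symmetry assumption in factor 3 can be made concrete with the standard NTP four-timestamp offset and delay formulas. The following is an added example, not part of the original article or of W32time; the function names, the simulated exchange and the sample path delays are constructed for illustration.

```python
"""Added example: NTP on-wire offset/delay math and the cost of path asymmetry."""
from dataclasses import dataclass


@dataclass
class Exchange:
    t1: float  # client transmit time, read from the client clock
    t2: float  # server receive time, read from the server clock
    t3: float  # server transmit time, read from the server clock
    t4: float  # client receive time, read from the client clock


def simulate(true_offset, fwd_delay, rev_delay, server_proc=0.0001, t1=1000.0):
    """Build the four timestamps for one exchange (all values in seconds).

    true_offset is how far the server clock is ahead of the client clock.
    """
    t2 = t1 + true_offset + fwd_delay   # request arrives, stamped by server
    t3 = t2 + server_proc               # reply leaves the server
    t4 = t3 - true_offset + rev_delay   # reply arrives, stamped by client
    return Exchange(t1, t2, t3, t4)


def ntp_offset(x):
    """Offset estimate; correct only if forward and return delays are equal."""
    return ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2


def ntp_delay(x):
    """Round-trip network delay, excluding server processing time."""
    return (x.t4 - x.t1) - (x.t3 - x.t2)


def worst_case_error(x):
    """Upper bound on the offset error when the asymmetry is unknown."""
    return ntp_delay(x) / 2


if __name__ == "__main__":
    # Constructed sample paths: (label, forward delay, return delay) in seconds.
    paths = [("symmetric LAN", 0.0002, 0.0002),
             ("symmetric WAN", 0.0200, 0.0200),
             ("asymmetric WAN", 0.0300, 0.0100)]
    for label, fwd, rev in paths:
        x = simulate(0.250, fwd, rev)
        err_ms = (ntp_offset(x) - 0.250) * 1000
        print(f"{label:15s} error={err_ms:+7.3f} ms  "
              f"bound=+/-{worst_case_error(x) * 1000:.3f} ms")
```

The offset error equals half the difference between the forward and return delays, and because the client cannot measure that difference, half the round-trip delay is the only bound it can rely on.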

For battery-powered devices, both mobile and portable, you must consider different strategies. As per our recommendation, keeping accurate time requires the clock to be disciplined once a second, which correlates to the Clock Update Frequency. These settings will consume more battery power than expected and can interfere with power saving modes available in Windows for such devices. Battery-powered devices also have certain power modes that stop all applications from running, which interferes with W32time's ability to discipline the clock and maintain accurate time. Additionally, clocks in mobile devices may not be very accurate to begin with. Ambient environmental conditions affect clock accuracy, and a mobile device can move from one ambient condition to the next, which may interfere with its ability to keep time accurately. Therefore, Microsoft does not recommend that you set up battery-powered portable devices with high accuracy settings.

Why is time important?

There are many different reasons you might need accurate time. The typical case for Windows is Kerberos, which requires 5 minutes of accuracy between the client and server. However, there are many other areas that can be affected by time accuracy, including:

  • Government regulations like:
    • 50 ms accuracy for FINRA in the US
    • 1 ms ESMA (MiFID II) in the EU
  • Cryptography algorithms
  • Distributed systems like Cluster/SQL/Exchange and Document DBs
  • Blockchain framework for bitcoin transactions
  • Distributed logs and threat analysis
  • AD replication
  • PCI (Payment Card Industry), currently 1 second accuracy

Additional references