How the Windows Time Service Works

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In this section

Note

This topic explains only how the Windows Time service (W32Time) works. For information about how to configure Windows Time service, see the list of topics in the section Where to Find Windows Time Service Configuration Information.

Note

In Windows Server 2003 and Microsoft Windows 2000 Server, the directory service is named Active Directory directory service. In Windows Server 2008 and later versions, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

Although the Windows Time service is not an exact implementation of the Network Time Protocol (NTP), it uses the complex suite of algorithms that is defined in the NTP specifications to ensure that clocks on computers throughout a network are as accurate as possible. Ideally, all computer clocks in an AD DS domain are synchronized with the time of an authoritative computer. Many factors can affect time synchronization on a network. The following factors often affect the accuracy of synchronization in AD DS:

  • Network conditions

  • The accuracy of the computer's hardware clock

  • The amount of CPU and network resources available to the Windows Time service

Important

Prior to Windows Server 2016, the W32Time service was not designed to meet time-sensitive application needs. However, updates to Windows Server 2016 now allow you to implement a solution for 1ms accuracy in your domain. See Windows 2016 Accurate Time and Support boundary to configure the Windows Time service for high-accuracy environments for more information.

Computers that synchronize their time less frequently, such as computers running Windows XP Home Edition, computers with intermittent network connections, or computers that are not joined to a domain, are configured by default to synchronize with time.windows.com. Because they do not synchronize their clock frequently and because the factors that affect time accuracy may not be known, it is impossible to guarantee time accuracy on computers that have intermittent or no network connections.

An AD DS forest has a predetermined time synchronization hierarchy. The Windows Time service synchronizes time between computers within the hierarchy, with the most accurate reference clocks at the top. If more than one time source is configured on a computer, Windows Time uses NTP algorithms to select the best time source from the configured sources based on the computer's ability to synchronize with that time source. The Windows Time service does not support network synchronization from broadcast or multicast peers. For more information about these NTP features, see RFC 1305 in the IETF RFC Database.

Every computer that is running the Windows Time service uses the service to maintain the most accurate time. In most cases, it is not necessary to configure the Windows Time service. Computers that are members of a domain act as a time client by default. In addition, the Windows Time service can be configured to request time from a designated reference time source, and can also be configured to provide time to clients.

The degree to which a computer's time is accurate is called a stratum. The most accurate time source on a network (such as a hardware clock) occupies the lowest stratum level, or stratum one. This accurate time source is called a reference clock. An NTP server that acquires its time directly from a reference clock occupies a stratum that is one level higher than that of the reference clock. Resources that acquire time from the NTP server are two steps away from the reference clock, and therefore occupy a stratum that is two higher than the most accurate time source, and so on. As a computer's stratum number increases, the time on its system clock may become less accurate. Therefore, the stratum level of any computer is an indicator of how closely that computer is synchronized with the most accurate time source.

When the W32Time Manager receives time samples, it uses special algorithms in NTP to determine which of the time samples is the most appropriate for use. The time service also uses another set of algorithms to determine which of the configured time sources is the most accurate. When the time service has determined which time sample is best, based on the above criteria, it adjusts the local clock rate to allow it to converge toward the correct time. If the time difference between the local clock and the selected accurate time sample (also called the time skew) is too large to correct by adjusting the local clock rate, the time service sets the local clock to the correct time. This adjustment of clock rate or direct clock time change is known as clock discipline.

Windows Time Service Architecture

The Windows Time service consists of the following components:

  • Service Control Manager

  • Windows Time Service Manager

  • Clock Discipline

  • Time providers

The following figure shows the architecture of the Windows Time service.

Windows Time Service Architecture

The Service Control Manager is responsible for starting and stopping the Windows Time service. The Windows Time Service Manager is responsible for initiating the action of the NTP time providers included with the operating system. The Windows Time Service Manager controls all functions of the Windows Time service and the coalescing of all time samples. In addition to providing information about the current system state, such as the current time source or the last time the system clock was updated, the Windows Time Service Manager is also responsible for creating events in the event log.

The time synchronization process involves the following steps:

  • Input providers request and receive time samples from configured NTP time sources.

  • These time samples are then passed to the Windows Time Service Manager, which collects all the samples and passes them to the clock discipline subcomponent.

  • The clock discipline subcomponent applies the NTP algorithms, which results in the selection of the best time sample.

  • The clock discipline subcomponent adjusts the time of the system clock to the most accurate time by either adjusting the clock rate or directly changing the time.

If a computer has been designated as a time server, it can send the time on to any computer requesting time synchronization at any point in this process.

Windows Time Service Time Protocols

Time protocols determine how closely two computers' clocks are synchronized. A time protocol is responsible for determining the best available time information and converging the clocks to ensure that a consistent time is maintained on separate systems.

The Windows Time service uses the Network Time Protocol (NTP) to help synchronize time across a network. NTP is an Internet time protocol that includes the discipline algorithms necessary for synchronizing clocks. NTP is a more accurate time protocol than the Simple Network Time Protocol (SNTP) that is used in some versions of Windows; however, W32Time continues to support SNTP to enable backward compatibility with computers running SNTP-based time services, such as Windows 2000.

Network Time Protocol

Network Time Protocol (NTP) is the default time synchronization protocol used by the Windows Time service in the operating system. NTP is a fault-tolerant, highly scalable time protocol and is the protocol used most often for synchronizing computer clocks by using a designated time reference.

NTP time synchronization takes place over a period of time and involves the transfer of NTP packets over a network. NTP packets contain time stamps that include a time sample from both the client and the server participating in time synchronization.

NTP relies on a reference clock to define the most accurate time to be used and synchronizes all clocks on a network to that reference clock. NTP uses Coordinated Universal Time (UTC) as the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings.

NTP Algorithms

NTP includes two algorithms, a clock-filtering algorithm and a clock-selection algorithm, to assist the Windows Time service in determining the best time sample. The clock-filtering algorithm is designed to sift through time samples that are received from queried time sources and determine the best time samples from each source. The clock-selection algorithm then determines the most accurate time server on the network. This information is then passed to the clock discipline algorithm, which uses the information gathered to correct the local clock of the computer, while compensating for errors due to network latency and computer clock inaccuracy.

The NTP algorithms are most accurate under conditions of light-to-moderate network and server loads. As with any algorithm that takes network transit time into account, NTP algorithms might perform poorly under conditions of extreme network congestion. For more information about the NTP algorithms, see RFC 1305 in the IETF RFC Database.
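The following added example (not code from the Windows Time service or from the original page) shows how the time stamps in an NTP/SNTP reply become a time sample, and why congestion hurts accuracy. The validation rules, the lowest-delay filter (a simplified stand-in for the RFC 1305 clock filter), and all packet values are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass

# NTP and SNTP share this 48-byte header, sent in network byte order.
HEADER = struct.Struct("!BBbbII4sQQQQ")
BASE = 3_900_000_000  # constructed: seconds since 1900 for the sample data


def ntp_ts(seconds):
    """Constructed helper: `seconds` after BASE as a 64-bit NTP timestamp."""
    return (BASE << 32) + round(seconds * 2**32)


@dataclass
class Sample:
    offset: float  # server clock minus local clock, in seconds
    delay: float   # round-trip network delay, in seconds
    stratum: int


def build_reply(t1, t2, t3, stratum=2, leap=0):
    """Constructed server reply (version 3, mode 4) so the example runs offline."""
    first = (leap << 6) | (3 << 3) | 4
    return HEADER.pack(first, stratum, 6, -20, 0, 0, b"\0" * 4,
                       ntp_ts(t2 - 1), ntp_ts(t1), ntp_ts(t2), ntp_ts(t3))


def parse_sample(packet, sent_t1, recv_t4):
    """Validate a reply and turn its time stamps into one time sample."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    fields = HEADER.unpack(packet[:HEADER.size])
    first, stratum = fields[0], fields[1]
    originate, receive, transmit = fields[8], fields[9], fields[10]
    leap, mode = first >> 6, first & 0x7
    if mode != 4:
        raise ValueError("not a server reply")
    # Leap indicator 3 means the server clock is unsynchronized; stratum 0 is
    # unspecified, and 16 or more is treated here as unsynchronized (assumption).
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server is not synchronized")
    # The reply must echo the transmit time stamp of our own request;
    # anything else is a stale, duplicated or forged packet.
    if originate != sent_t1:
        raise ValueError("originate time stamp does not match the request")
    # T1 = client send, T2 = server receive, T3 = server send, T4 = client receive
    offset = ((receive - sent_t1) + (transmit - recv_t4)) / 2 / 2**32
    delay = ((recv_t4 - sent_t1) - (transmit - receive)) / 2**32
    if delay < 0:
        raise ValueError("negative round-trip delay")
    return Sample(offset, delay, stratum)


def clock_filter(samples, window=8):
    """Simplified filter: keep the lowest-delay sample of the last `window`."""
    return min(samples[-window:], key=lambda s: s.delay)


def demo():
    # Constructed exchanges (T1, T2, T3, T4) with a server that is 0.5 s ahead.
    exchanges = [(0, 0.530, 0.531, 0.061),
                 (10, 10.510, 10.511, 10.021),
                 (20, 20.800, 20.801, 20.321)]  # congested, asymmetric path
    samples = [parse_sample(build_reply(t1, t2, t3), ntp_ts(t1), ntp_ts(t4))
               for t1, t2, t3, t4 in exchanges]
    return samples, clock_filter(samples)


if __name__ == "__main__":
    all_samples, best = demo()
    for s in all_samples:
        print(f"offset={s.offset:.3f}s delay={s.delay:.3f}s stratum={s.stratum}")
    print("selected:", best)
```

The third exchange reports an offset of 0.64 s although the true offset is 0.5 s, because the outbound path was much slower than the return path; the filter discards it in favour of the 20 ms round trip.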

NTP Time Provider

The Windows Time service is a complete time synchronization package that can support a variety of hardware devices and time protocols. To enable this support, the service uses pluggable time providers. A time provider is responsible for either obtaining accurate time stamps (from the network or from hardware) or for providing those time stamps to other computers over the network.

The NTP provider is the standard time provider included with the operating system. The NTP provider follows the standards specified by NTP version 3 for a client and server, and can interact with SNTP clients and servers for backward compatibility with Windows 2000 and other SNTP clients. The NTP provider in the Windows Time service consists of the following two parts:

  • NtpServer output provider. This is a time server that responds to client time requests on the network.

  • NtpClient input provider. This is a time client that obtains time information from another source, either a hardware device or an NTP server, and can return time samples that are useful for synchronizing the local clock.

Although the actual operations of these two providers are closely related, they appear independent to the time service. Starting with Windows 2000 Server, when a Windows computer is connected to a network, it is configured as an NTP client. Also, computers running the Windows Time service only attempt to synchronize time with a domain controller or a manually specified time source by default. These are the preferred time providers because they are automatically available, secure sources of time.

NTP Security

Within an AD DS forest, the Windows Time service relies on standard domain security features to enforce the authentication of time data. The security of NTP packets that are sent between a domain member computer and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. NTP packets are not transmitted inside the Net Logon secure channel. Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer's session key or is signed incorrectly, the time is rejected. All such authentication failures are logged in the Event Log. In this way, the Windows Time service provides security for NTP data in an AD DS forest.

Generally, Windows time clients automatically obtain accurate time for synchronization from domain controllers in the same domain. In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When a time server returns an authenticated NTP packet to a client that requests the time, the packet is signed by means of a Kerberos session key defined by an interdomain trust account. The interdomain trust account is created when a new AD DS domain joins a forest, and the Net Logon service manages the session key. In this way, the domain controller that is configured as reliable in the forest root domain becomes the authenticated time source for all of the domain controllers in both the parent and child domains, and indirectly for all computers located in the domain tree.

The Windows Time service can be configured to work between forests, but it is important to note that this configuration is not secure. For example, an NTP server might be available in a different forest. However, because that computer is in a different forest, there is no Kerberos session key with which to sign and authenticate NTP packets. To obtain accurate time synchronization from a computer in a different forest, the client needs network access to that computer and the time service must be configured to use a specific time source located in the other forest. If a client is manually configured to access time from an NTP server outside of its own domain hierarchy, the NTP packets sent between the client and the time server are not authenticated, and therefore are not secure. Even with the implementation of forest trusts, the Windows Time service is not secure across forests. Although the Net Logon secure channel is the authentication mechanism for the Windows Time service, authentication across forests is not supported.

Hardware Devices That Are Supported by the Windows Time Service

Hardware-based clocks such as GPS or radio clocks are often used as highly accurate reference clock devices. By default, the Windows Time service NTP time provider does not support the direct connection of a hardware device to a computer, although it is possible to create a software-based independent time provider that supports this type of connection. This type of provider, in conjunction with the Windows Time service, can provide a reliable, stable time reference.

Hardware devices, such as a cesium clock or a Global Positioning System (GPS) receiver, provide accurate current time by following a standard to obtain an accurate definition of time. Cesium clocks are extremely stable and are unaffected by factors such as temperature, pressure, or humidity, but are also very expensive. A GPS receiver is much less expensive to operate and is also an accurate reference clock. GPS receivers obtain their time from satellites that obtain their time from a cesium clock. Without the use of an independent time provider, Windows time servers can acquire their time by connecting to an external NTP server, which is connected to a hardware device by means of a telephone or the Internet. Organizations such as the United States Naval Observatory provide NTP servers that are connected to extremely reliable reference clocks.

Many GPS receivers and other time devices can function as NTP servers on a network. You can configure your AD DS forest to synchronize time from these external hardware devices only if they are also acting as NTP servers on your network. To do so, configure the domain controller functioning as the primary domain controller (PDC) emulator in your forest root to synchronize with the NTP server provided by the GPS device. To do so, see Configure the Windows Time service on the PDC emulator in the Forest Root Domain (http://go.microsoft.com/fwlink/?LinkId=91969).

Simple Network Time Protocol

The Simple Network Time Protocol (SNTP) is a simplified time protocol that is intended for servers and clients that do not require the degree of accuracy that NTP provides. SNTP, a more rudimentary version of NTP, is the primary time protocol that is used in Windows 2000. Because the network packet formats of SNTP and NTP are identical, the two protocols are interoperable. The primary difference between the two is that SNTP does not have the error management and complex filtering systems that NTP provides. For more information about the Simple Network Time Protocol, see RFC 1769 in the IETF RFC Database.

Time Protocol Interoperability

The Windows Time service can operate in a mixed environment of computers running Windows 2000, Windows XP, and Windows Server 2003, because the SNTP protocol used in Windows 2000 is interoperable with the NTP protocol in Windows XP and Windows Server 2003.

The time service in Windows NT Server 4.0, called TimeServ, synchronizes time across a Windows NT 4.0 network. TimeServ is an add-on feature available as part of the Microsoft Windows NT 4.0 Resource Kit and does not provide the degree of reliability of time synchronization that is required by Windows Server 2003.

The Windows Time service can interoperate with computers running Windows NT 4.0 because they can synchronize time with computers running Windows 2000 or Windows Server 2003; however, a computer running Windows 2000 or Windows Server 2003 does not automatically discover Windows NT 4.0 time servers. For example, if your domain is configured to synchronize time by using the domain hierarchy-based method of synchronization and you want computers in the domain hierarchy to synchronize time with a Windows NT 4.0 domain controller, you have to configure those computers manually to synchronize with the Windows NT 4.0 domain controllers.

Windows NT 4.0 uses a simpler mechanism for time synchronization than the Windows Time service uses. Therefore, to ensure accurate time synchronization across your network, it is recommended that you upgrade any Windows NT 4.0 domain controllers to Windows 2000 or Windows Server 2003.

Windows Time Service Processes and Interactions

The Windows Time service is designed to synchronize the clocks of computers on a network. The network time synchronization process, also called time convergence, occurs throughout a network as each computer accesses time from a more accurate time server. Time convergence involves a process by which an authoritative server provides the current time to client computers in the form of NTP packets. The information provided within a packet indicates whether an adjustment needs to be made to the computer's current clock time so that it is synchronized with the more accurate server.

As part of the time convergence process, domain members attempt to synchronize time with any domain controller located in the same domain. If the computer is a domain controller, it attempts to synchronize with a more authoritative domain controller.

Computers running Windows XP Home Edition or computers that are not joined to a domain do not attempt to synchronize with the domain hierarchy, but are configured by default to obtain time from time.windows.com.

To establish a computer running Windows Server 2003 as authoritative, the computer must be configured to be a reliable time source. By default, the first domain controller that is installed on a Windows Server 2003 domain is automatically configured to be a reliable time source. Because it is the authoritative computer for the domain, it must be configured to synchronize with an external time source rather than with the domain hierarchy. Also by default, all other Windows Server 2003 domain members are configured to synchronize with the domain hierarchy.

After you have established a Windows Server 2003 network, you can configure the Windows Time service to use one of the following options for synchronization:

  • Domain hierarchy-based synchronization

  • A manually-specified synchronization source

  • All available synchronization mechanisms

  • No synchronization.

Each of these synchronization types is discussed in the following section.

Domain Hierarchy-Based Synchronization

Synchronization that is based on a domain hierarchy uses the AD DS domain hierarchy to find a reliable source with which to synchronize time. Based on domain hierarchy, the Windows Time service determines the accuracy of each time server. In a Windows Server 2003 forest, the computer that holds the primary domain controller (PDC) emulator operations master role, located in the forest root domain, holds the position of best time source, unless another reliable time source has been configured. The following figure illustrates a path of time synchronization between computers in a domain hierarchy.

Time Synchronization in an AD DS Hierarchy

Reliable Time Source Configuration

A computer that is configured to be a reliable time source is identified as the root of the time service. The root of the time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available.

Time Source Selection

The time source selection process can create two problems on a network:

  • Additional synchronization cycles.

  • Increased volume in network traffic.

A cycle in the synchronization network occurs when time remains consistent between a group of domain controllers and the same time is shared between them continuously without a resynchronization with another reliable time source. The Windows Time service's time source selection algorithm is designed to protect against these types of problems.

A computer uses one of the following methods to identify a time source to synchronize with:

  • If the computer is not a member of a domain, it must be configured to synchronize with a specified time source.

  • If the computer is a member server or workstation within a domain, by default, it follows the AD DS hierarchy and synchronizes its time with a domain controller in its local domain that is currently running the Windows Time service.

If the computer is a domain controller, it makes up to six queries to locate another domain controller to synchronize with. Each query is designed to identify a time source with certain attributes, such as a type of domain controller, a particular location, and whether or not it is a reliable time source. The time source must also adhere to the following constraints:

  • A reliable time source can only synchronize with a domain controller in the parent domain.

  • A PDC emulator can synchronize with a reliable time source in its own domain or any domain controller in the parent domain.

If the domain controller is not able to synchronize with the type of domain controller that it is querying, the query is not made. The domain controller knows which type of computer it can obtain time from before it makes the query. For example, a local PDC emulator does not attempt to query numbers three or six because a domain controller does not attempt to synchronize with itself.

The following table lists the queries that a domain controller makes to find a time source and the order in which the queries are made.

Domain Controller Time Source Queries

| Query Number | Domain Controller | Location | Reliability of Time Source |
|---|---|---|---|
| 1 | Parent domain controller | In-site | Prefers a reliable time source but it can synchronize with a non-reliable time source if that is all that is available. |
| 2 | Local domain controller | In-site | Only synchronizes with a reliable time source. |
| 3 | Local PDC emulator | In-site | Does not apply. A domain controller does not attempt to synchronize with itself. |
| 4 | Parent domain controller | Out-of-site | Prefers a reliable time source but it can synchronize with a non-reliable time source if that is all that is available. |
| 5 | Local domain controller | Out-of-site | Only synchronizes with a reliable time source. |
| 6 | Local PDC emulator | Out-of-site | Does not apply. A domain controller does not attempt to synchronize with itself. |

Note

  • A computer never synchronizes with itself. If the computer attempting synchronization is the local PDC emulator, it does not attempt Queries 3 or 6.

Each query returns a list of domain controllers that can be used as a time source. Windows Time assigns each domain controller that is queried a score based on the reliability and location of the domain controller. The following table lists the scores assigned by Windows Time to each type of domain controller.

Score Determination

| Domain Controller Status | Score |
|---|---|
| Domain controller located in same site | 8 |
| Domain controller marked as a reliable time source | 4 |
| Domain controller located in the parent domain | 2 |
| Domain controller that is a PDC emulator | 1 |

When the Windows Time service determines that it has identified the domain controller with the best possible score, no more queries are made. The scores assigned by the time service are cumulative, which means that a PDC emulator located in the same site receives a score of nine.

If the root of the time service is not configured to synchronize with an external source, the internal hardware clock of the computer governs the time.
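The query order and cumulative scoring described above can be modelled as follows. This is an added illustration in Python, not W32Time's own code; the `DC` record, the function names and the sample candidates are constructed, and the early-stop rule (stop once no remaining query could return a higher score) is an assumed reading of "best possible score".

```python
from collections import namedtuple

# Weights from the "Score Determination" table; a DC's score is their sum.
SAME_SITE, RELIABLE, PARENT_DOMAIN, PDC_EMULATOR = 8, 4, 2, 1
DC = namedtuple("DC", "name same_site parent_domain pdc_emulator reliable")

def score(dc):
    return (SAME_SITE * dc.same_site + RELIABLE * dc.reliable
            + PARENT_DOMAIN * dc.parent_domain + PDC_EMULATOR * dc.pdc_emulator)

# Query order from the table: (number, target, in_site, reliable_only).
QUERIES = [(1, "parent", True, False), (2, "local", True, True),
           (3, "pdc", True, False), (4, "parent", False, False),
           (5, "local", False, True), (6, "pdc", False, False)]

def matches(dc, target, in_site, reliable_only):
    if dc.same_site != in_site or (reliable_only and not dc.reliable):
        return False
    if target == "parent":
        return dc.parent_domain
    return not dc.parent_domain and (target == "local" or dc.pdc_emulator)

def ceiling(target, in_site):
    # Assumption: the highest score a DC answering this query could reach.
    return (SAME_SITE * in_site + RELIABLE + PDC_EMULATOR
            + PARENT_DOMAIN * (target == "parent"))

def select_time_source(candidates, self_is_pdc=False, self_is_reliable=False):
    plan = [q for q in QUERIES
            if not (q[1] == "pdc" and self_is_pdc)            # never sync with itself
            and not (q[1] != "parent" and self_is_reliable)]  # reliable source: parent only
    best, made = None, []
    for i, (number, target, in_site, reliable_only) in enumerate(plan):
        made.append(number)
        for dc in candidates:
            if matches(dc, target, in_site, reliable_only) and (
                    best is None or score(dc) > score(best)):
                best = dc
        remaining = [ceiling(t, s) for _, t, s, _ in plan[i + 1:]]
        if best and score(best) >= max(remaining, default=0):
            break  # assumed early stop: no later query can score higher
    return best, made

# Constructed sample candidates, not real hosts.
CANDIDATES = [
    DC("local-pdc", True, False, True, False),
    DC("local-reliable", True, False, False, True),
    DC("parent-remote", False, True, False, True),
]
```

For an ordinary domain controller, `select_time_source(CANDIDATES)` stops after query 3 with the in-site reliable source, because the out-of-site queries cannot beat its score of 12.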

Manually-Specified Synchronization

Manually-specified synchronization enables you to designate a single peer or list of peers from which a computer obtains time. If the computer is not a member of a domain, it must be manually configured to synchronize with a specified time source. A computer that is a member of a domain is configured by default to synchronize from the domain hierarchy, so manually-specified synchronization is most useful for the forest root of the domain or for computers that are not joined to a domain. Manually specifying an external NTP server to synchronize with the authoritative computer for your domain provides reliable time. However, configuring the authoritative computer for your domain to synchronize with a hardware clock is actually a better solution for providing the most accurate, secure time to your domain.

Manually-specified time sources are not authenticated unless a specific time provider is written for them, and they are therefore vulnerable to attackers. Also, if a computer synchronizes with a manually-specified source rather than its authenticating domain controller, the two computers might be out of synchronization, causing Kerberos authentication to fail. This might cause other actions requiring network authentication to fail, such as printing or file sharing. If only the forest root is configured to synchronize with an external source, all other computers within the forest remain synchronized with each other, making replay attacks difficult.

All Available Synchronization Mechanisms

The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This method allows synchronization with the domain hierarchy and may also provide an alternate time source if the domain hierarchy becomes unavailable, depending on the configuration. If the client is unable to synchronize time with the domain hierarchy, the time source automatically falls back to the time source specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.

Stopping Time Synchronization

There are certain situations in which you will want to stop a computer from synchronizing its time. For example, if a computer attempts to synchronize from a time source on the Internet or from another site over a WAN by means of a dial-up connection, it can incur costly telephone charges. When you disable synchronization on that computer, you prevent the computer from attempting to access a time source over a dial-up connection.

You can also disable synchronization to prevent the generation of errors in the event log. Each time a computer attempts to synchronize with a time source that is unavailable, it generates an error in the Event Log. If a time source is taken off of the network for scheduled maintenance and you do not intend to reconfigure the client to synchronize from another source, you can disable synchronization on the client to prevent it from attempting synchronization while the time server is unavailable.

It is useful to disable synchronization on the computer that is designated as the root of the synchronization network. This indicates that the root computer trusts its local clock. If the root of the synchronization hierarchy is not set to NoSync and if it is unable to synchronize with another time source, clients do not accept the packet that this computer sends out because its time cannot be trusted.

The only time servers that are trusted by clients even if they have not synchronized with another time source are those that have been identified by the client as reliable time servers.

Disabling the Windows Time Service

The Windows Time service (W32Time) can be completely disabled. If you choose to implement a third-party time synchronization product that uses NTP, you must disable the Windows Time service. This is because all NTP servers need access to User Datagram Protocol (UDP) port 123, and as long as the Windows Time service is running on the Windows Server 2003 operating system, port 123 remains reserved by Windows Time.

Network Ports Used by Windows Time Service

The Windows Time service communicates on a network to identify reliable time sources, obtain time information, and provide time information to other computers. It performs this communication as defined by the NTP and SNTP RFCs.

Port Assignments for the Windows Time Service

| Service name | UDP | TCP |
|---|---|---|
| NTP | 123 | N/A |
| SNTP | 123 | N/A |

See Also

Windows Time Service Technical Reference
Windows Time Service Tools and Settings
Microsoft Knowledge Base article 902229