none
Time Stamp Synchronization

Answers

  • eventlog always uses system clock for time stamp. Just for testing or confirmation, Note down the current systemclock time and reboot the machine. Once the machine is up and running, open event viewer and go to system logs, check for event ID 1074. Both  time should match.
    • Edited by Br0209 Thursday, September 17, 2015 1:01 AM
    • Marked as answer by isaac.c.p Thursday, September 17, 2015 2:21 AM
    Thursday, September 17, 2015 1:01 AM

All replies

  • Usually all servers / clients will do get the time stamp for domain controllers.

    On Domain controllers - we configure NTP servers through registry entry - so that domain controller can fetch the time.

    Registy entry for NTP configuration is :HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

    Check for the parameter NTPServer and see the value. 

    On best practice, your domain controller should point to external NTP resource like time.windows.com or any other NTP source and all other servers / Clients should point to Domain controller.

    Please let me know if you need more information. 

    • Proposed as answer by Br0209 Thursday, September 17, 2015 12:05 AM
    Thursday, September 17, 2015 12:05 AM
  • Thanks for the information, is there a way to check that the time stamps are indeed using the system clocks?
    Thursday, September 17, 2015 12:17 AM
  • Can you please give more information on what "time stamps"
    Thursday, September 17, 2015 12:35 AM
  • For example, the timestamp on event logs -

    Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID 4656
    Version 1
    Level 0
    Task 12804
    Opcode 0
    Keywords 0x8020000000000000
    - TimeCreated
    [ SystemTime] 2015-09-16T05:20:55.551301700Z - this one
    EventRecordID 23916460

    How can i tell that this time is from the internal clock of the system?

    thank you for your patience. :)

    Thursday, September 17, 2015 12:58 AM
  • eventlog always uses system clock for time stamp. Just for testing or confirmation, Note down the current systemclock time and reboot the machine. Once the machine is up and running, open event viewer and go to system logs, check for event ID 1074. Both  time should match.
    • Edited by Br0209 Thursday, September 17, 2015 1:01 AM
    • Marked as answer by isaac.c.p Thursday, September 17, 2015 2:21 AM
    Thursday, September 17, 2015 1:01 AM