Set the time for your Windows instance
A consistent and accurate time reference on your Windows instance is crucial for many server tasks and processes. Time stamps in system logs play an essential role in identifying when issues occurred and the chronological order of events. When you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance's date and time settings are inaccurate, it can result in a discrepancy between the date in the signature and the date of the request, leading to AWS rejecting your requests.
To address this important aspect, Amazon offers the Amazon Time Sync Service, which is accessible from all EC2 instances and used by various AWS services. The service uses a fleet of satellite-connected and atomic reference clocks in each AWS Region to deliver accurate and current time readings of the Coordinated Universal Time (UTC) global standard.
The Amazon Time Sync Service either uses the Network Time Protocol (NTP), or provides a local Precision Time Protocol (PTP) hardware clock on supported instances. The PTP hardware clock supports either NTP or a direct PTP connection. The NTP and direct PTP connections use the same highly accurate time source, but the direct PTP connection is more accurate than the NTP connection. The NTP connection to the Amazon Time Sync Service supports leap smearing while the PTP connection to the PTP hardware clock does not smear time. For more information, see Leap seconds.
For a backup to the local Amazon Time Sync Service on your instance, and to connect resources outside of
Amazon EC2 to the Amazon Time Sync Service, you can use the public Amazon Time Sync Service located at time.aws.com. The
public Amazon Time Sync Service, like the local Amazon Time Sync Service, automatically smears any leap seconds that are added
to UTC. The public Amazon Time Sync Service is supported globally by our fleet of satellite-connected and
atomic reference clocks in each AWS Region.
For Linux instances, see Set the time for your Linux instance.
Topics
Set your instance to use the local Amazon Time Sync Service
Your instances can access the local Amazon Time Sync Service as follows:
-
Through NTP at the following IP address endpoints:
-
IPv4:
169.254.169.123 -
IPv6:
fd00:ec2::123(Only accessible by instances built on the AWS Nitro System.)
-
NTP connections do not require any VPC configuration changes, and your instance does not require access to the internet.
The PTP hardware clock is part of the AWS Nitro System, so it is directly accessible on supported bare metal and virtualized EC2 instances without using any customer resources.
The NTP endpoints to the PTP hardware clock are the same as the regular Amazon Time Sync Service connection over IPv4 or IPv6. If your software is configured to the NTP endpoint and is running on an instance with a PTP hardware clock, it will be connected to the PTP hardware clock automatically over NTP.
Starting with the August 2018 release, Windows AMIs use the Amazon Time Sync Service by default. No further configuration is required for instances launched from these AMIs and you can skip the following procedures.
Contents
Connect to the IPv4 endpoint of the Amazon Time Sync Service
First verify your current NTP configuration. If your instance is already using the IPv4 endpoint of the Amazon Time Sync Service, no further configuration is required. If your instance is not using the Amazon Time Sync Service, then complete the procedure to change the NTP server to use the Amazon Time Sync Service.
To verify the NTP configuration
-
From your instance, open a Command Prompt window.
-
Get the current NTP configuration by typing the following command:
w32tm /query /configurationThis command returns the current configuration settings for the Windows instance and will show if you're connected to the Amazon Time Sync Service.
-
(Optional) Get the status of the current configuration by typing the following command:
w32tm /query /statusThis command returns information such as the last time the instance synced with the NTP server and the poll interval.
To change the NTP server to use the Amazon Time Sync Service
-
From the Command Prompt window, run the following command:
w32tm /config /manualpeerlist:169.254.169.123 /syncfromflags:manual /update -
Verify your new settings by using the following command:
w32tm /query /configurationIn the output that's returned, verify that
NtpServerdisplays the169.254.169.123IPv4 endpoint.
Default network time protocol (NTP) settings for Amazon Windows AMIs
Amazon Machine Images (AMIs) generally adhere to the out-of-the-box defaults except in cases where changes are required to function on EC2 infrastructure. The following settings have been determined to work well in a virtual environment, as well as to keep any clock drift to within one second of accuracy:
-
Update Interval – Governs how frequently the time service will adjust system time towards accuracy. AWS configures the update interval to occur once every two minutes.
-
NTP Server – Starting with the August 2018 release, AMIs use the Amazon Time Sync Service by default. This time service is accessible from any AWS Region at the 169.254.169.123 IPv4 endpoint. Additionally, the 0x9 flag indicates that the time service is acting as a client, and to use
SpecialPollIntervalto determine how frequently to check in with the configured time server. -
Type – "NTP" means that the service acts as a standalone NTP client instead of acting as part of a domain.
-
Enabled and InputProvider – The time service is enabled and provides time to the operating system.
-
Special Poll Interval – Checks against the configured NTP Server every 900 seconds, or 15 minutes.
| Registry path | Key name | Data |
|---|---|---|
|
HKLM:\System\CurrentControlSet\services\w32time\Config |
UpdateInterval |
120 |
HKLM:\System\CurrentControlSet\services\w32time\Parameters |
NtpServer |
169.254.169.123,0x9 |
HKLM:\System\CurrentControlSet\services\w32time\Parameters |
Type |
NTP |
HKLM:\System\CurrentControlSet\services\w32time\TimeProviders\NtpClient |
Enabled |
1 |
HKLM:\System\CurrentControlSet\services\w32time\TimeProviders\NtpClient |
InputProvider |
1 |
HKLM:\System\CurrentControlSet\services\w32time\TimeProviders\NtpClient |
SpecialPollInterval |
900 |
Connect to the PTP hardware clock
Windows instances support only an NTP connection to the PTP hardware clock.
The NTP endpoints to the PTP hardware clock are the same as the regular Amazon Time Sync Service connection over IPv4 or IPv6. If your software is configured to connect to an NTP endpoint and is running on an instance with a PTP hardware clock, it will automatically be connected to the PTP hardware clock over NTP.
Requirements
The PTP hardware clock is available on an instance when the following requirements are met:
-
Supported AWS Regions: US East (N. Virginia) and Asia Pacific (Tokyo)
-
Supported instance families: C7a | C7i | M7a | M7g | M7i | R7a | R7g | R7i
Set your instance or any internet-connected device to use the public Amazon Time Sync Service
You can set your instance, or any internet-connected device such as your local
computer or an on-prem server, to use the public Amazon Time Sync Service, which is accessible over the
internet at time.aws.com. You can use the public Amazon Time Sync Service as a backup for the
local Amazon Time Sync Service and to connect resources outside of AWS to the Amazon Time Sync Service.
Depending on the operating system of your instance or device, use one of the following procedures to set your instance or device to use the public Amazon Time Sync Service.
Change the time zone on your instance
Windows instances are set to the UTC (Coordinated Universal Time) time zone by default. You can change the time on an instance to the local time zone or to another time zone in your network.
To change the time zone on a Windows instance
-
From your instance, open a Command Prompt window.
-
Identify the time zone to use on the instance. To get a list of time zones, use the following command:
tzutil /lThis command returns a list of all available time zones in the following format:
display nametime zone ID -
Locate the time zone ID to assign to the instance.
-
Assign to another time zone by using the following command:
tzutil /s"Pacific Standard Time"The new time zone should take effect immediately.
Note
You can assign the UTC time zone by using the following command:
tzutil /s "UTC"
To prevent your time zone from changing once you set it for Windows Server
When you change the time zone on a Windows instance, you must ensure that the time zone persists through system restarts. Otherwise, when the instance restarts, it reverts back to using UTC time. You can persist your time zone setting by adding a RealTimeIsUniversal registry key. This key is set by default on all current generation instances. To verify whether the RealTimeIsUniversal registry key is set, see step 4 in the following procedure. If the key is not set, follow these steps from the beginning.
To set the RealTimeIsUniversal registry key
-
From the instance, open a Command Prompt window.
-
Use the following command to add the registry key:
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /d 1 /t REG_DWORD /f -
If you are using a Windows Server 2008 AMI (not Windows Server 2008 R2) that was created before February 22, 2013, we recommend updating to the latest AWS Windows AMI. If you are using an AMI running Windows Server 2008 R2 (not Windows Server 2008), you must verify that the Microsoft hotfix KB2922223
is installed. If this hotfix is not installed, we recommend updating to the latest AWS Windows AMI. -
(Optional) Verify that the instance saved the key successfully using the following command:
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /sThis command returns the subkeys for the TimeZoneInformation registry key. You should see the RealTimeIsUniversal key at the bottom of the list, similar to the following:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation Bias REG_DWORD 0x1e0 DaylightBias REG_DWORD 0xffffffc4 DaylightName REG_SZ @tzres.dll,-211 DaylightStart REG_BINARY 00000300020002000000000000000000 StandardBias REG_DWORD 0x0 StandardName REG_SZ @tzres.dll,-212 StandardStart REG_BINARY 00000B00010002000000000000000000 TimeZoneKeyName REG_SZ Pacific Standard Time DynamicDaylightTimeDisabled REG_DWORD 0x0 ActiveTimeBias REG_DWORD 0x1a4 RealTimeIsUniversal REG_DWORD 0x1
Leap seconds
Leap seconds, introduced in 1972, are occasional one-second adjustments to UTC time to
factor in irregularities in the earth’s rotation in order to accommodate differences
between International Atomic Time (TAI) and solar time (Ut1). To manage leap seconds on
behalf of customers, we designed leap second smearing within the Amazon Time Sync Service. For more
information, see Look Before You
Leap – The Coming Leap Second and AWS
Leap seconds are going away, and we are in full support of the decision made at the 27th General Conference on
Weights and Measures to abandon leap seconds by or before 2035
To support this transition, we still plan on smearing time during a leap second event
when accessing the Amazon Time Sync Service over the local NTP connection or our public NTP pools
(time.aws.com). The PTP hardware clock, however, does not provide a
smeared time option. In the event of a leap second, the PTP hardware clock will add the
leap second following UTC standards. Leap-smeared and leap second time sources are the
same in most cases. But because they differ during a leap second event, we do not
recommend using both smeared and non-smeared time sources in your time client
configuration during a leap second event.
Related resources
-
How the Windows Time Service Works
(Microsoft) -
W32tm
(Microsoft) -
How the Windows Time service treats a leap second
(Microsoft) -
The story around Leap Seconds and Windows: It's likely not Y2K
(Microsoft)
