How do I troubleshoot time issues with my EC2 Windows instance?

Last updated: 2021-06-24

I want to permanently change the time settings on my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance to my local time zone. I’m unable to change the time and date on my Instance. How do I troubleshoot this?

Short description

The following are common time-related issues that occur on Windows instances:

  • Unable to change the time using Systems Settings or the Control Panel due to the following reasons:
    The Set Time Zone Automatically option is greyed out.
    The You do not have permission to perform this task error displays when trying to change time settings using the Control Panel.
  • The time change doesn't persist after system reboots.
  • The Amazon Time Sync Service is behind other atomic clocks by X minutes.

It's a best practice to use Coordinated Universal Time (UTC) for your instances to avoid human error. Using UTC on your instances also facilitates synchronization across your AWS CloudWatch logs, metrics, local logs, and other services. You can use a different time zone to suit your requirements, if needed.

Resolution

Unable to change the time using Systems Settings or the Control Panel

Amazon provides the Amazon Time Sync Service, which is accessible from all EC2 instances. If you can't change the time zone and time/date, use the Command Prompt window to configure Amazon Time Sync Service on your instance.

Before you begin, use the following steps to verify that the Prohibit access to Control Panel and PC settings policy is disabled in the Local Group Policy Editor:

  1. Open the Local Group Policy Editor.
  2. Select User Configuration, Administrative Templates, Control Panel.
  3. Highlight Prohibit access to Control Panel and PC settings, and then select Edit policy setting.
  4. Select Disabled.

Change the time zone using Command Prompt

After verifying the policy setting, you can change the time zone from the Command Prompt window.

Change the time and date settings using Command Prompt

  1. Run a Command Prompt window as Administrator.
  2. Enter time or date in the Command Prompt window, then select OK.
  3. Enter the new time or date at the prompt.
    Enter a new time in HH:MM:SS AM/PM format. For example, 08:35:00 AM.
    Enter a new date in mm-dd-yyyy format. For example, 01-01-2021.

The new time and date settings take effect immediately.

Alternatively, you can use external network time protocol (NTP) sources. For more information, see Configure network time protocol (NTP).

Note: Because the Citrix Xen Guest Agent service might cause issues with time synchronization, it's a best practice to update Citrix PV drivers to Amazon PV drivers.

The time change doesn't persist after system reboots

If you're running Windows Server 2008 or later, add a RealTimeIsUniversal registry key to make the new time persist after reboot.

If your instance is domain joined to an AWS Managed Microsoft AD directory, change the time settings on your instance to use the domain controller as the time source to avoid a time skew. Skewing the time breaks authentication due to Kerberos restrictions. This might cause issues logging in to the instance. To prevent this, make sure that the RealTimeIsUniversal registry key is enabled before rebooting your instance.

The Amazon Time Sync Service is behind other atomic clocks by X minutes

To resync the Amazon Time Sync Service to your instance, do the following:

1.    Run the following command to reset the NTP server to point to the Amazon Time Sync Service server:

w32tm /config /manualpeerlist:”169.254.169.123,0x9” /syncfromflags:manual /update

2.    Run the following commands:

net stop w32time
w32tm /unregister

3.    From the Start menu on the instance, select Run, and enter services.msc. Verify that Windows Time is deleted.

4.    Run the following commands:

W32tm /register
Net start w32time
w32tm /query /configuration /verbose
w32tm /resync /rediscover and w32tm /resync /force
w32tm /query /status /verbose
w32tm /stripchart /computer:169.254.169.123 /period:5
w32tm /query /source

Note: If you see the local CMOS clock, wait a few minutes and then run the w32tm /query /source command again to verify the source.