Adversarial training is an important approach to improving Deep Learning model robustness. It uses attack methods to generate adversarial samples that can maximize the chance of misclassification and updates model weight values accordingly to ensure these samples are not misclassified. It is difficult to retain model accuracy while improving robustness using adversarial training. In this paper, we study one of the important factors causing this undesirable effect - batch normalization. We find that batch normalization has three confoundings in adversarial training, which may cause model accuracy degradation and/or sub-optimal robustness improvement. We propose a novel adversarial training method called norm shaping, in which a model always uses batch norms, in both adversarial training and inference. It enforces that a batch (in both training and inference) should always have at least a dominating portion of clean samples such that the batch norms follow a distribution similar to that of clean sample batches. Our results show that it can substantially improve existing adversarial training methods (for models with batch normalization layers), such as PGD and TRADES. On CIFAR-10, it can achieve much better model accuracy and robustness on a list of existing attacks. For example, it can achieve 0.94 model accuracy and 0.81 robustness against PGD attack while TRADES and PGD adversarial trainings can achieve around 0.88 accuracy and 0.47 robustness. Our method also has 0.51 robustness against the strongest adaptive attack.