How to Configure an Authoritative Time Server in Windows Server



INTRODUCTION

Windows includes W32Time, the Windows Time service, which the Kerberos authentication protocol requires. The purpose of the Windows Time service is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time.

To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy:

- All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
- All member servers follow the same process that client desktop computers follow.
- All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
- All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication: anyone who can intercept or spoof that NTP traffic can feed a false time to the root of the hierarchy, and every computer in the forest then follows it. We also recommend that you reduce your time correction settings (the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries) for your servers and stand-alone clients, so that one bad sample cannot move a clock by an arbitrary amount. These recommendations provide more accuracy and security to your domain.


Configuring the Windows Time service to use an internal hardware clock

To have us configure the Windows Time service to use an internal hardware clock for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix it button or link (Microsoft Fix it 50394). Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Notes
- This wizard may apply to English versions only; however, the automatic fix also works for other language versions of Windows.
- If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  How to back up and restore the registry in Windows

To configure the PDC master without using an external time source, change the announce flags on the PDC master. The PDC master is the server that holds the PDC emulator operations master role in the forest root domain. This configuration forces the PDC master to announce itself as a reliable time source while it keeps time from the built-in complementary metal oxide semiconductor (CMOS) clock. To configure the PDC master by using an internal hardware clock, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
3. In the right pane, right-click AnnounceFlags, and then click Modify.
4. In Edit DWORD Value, make sure that Hexadecimal is selected in the Base box, type A in the Value data box, and then click OK. (The value A is 0xA, that is, 10 decimal.)
5. Quit Registry Editor.
6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
   net stop w32time && net start w32time

Note The PDC master must not be configured to synchronize with itself. For more information about why the PDC master must not be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:
http://www.rfc-editor.org/

If the PDC master is configured to synchronize with itself, the following events are logged in the System log:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.

When the PDC master runs without using an external time source, the following event is logged in the System log:

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 12
Description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

This text is a reminder to use an external time source, and it can be ignored when you intend to run the forest from the PDC master's CMOS clock. Keep in mind that in that configuration the forest stays consistent with itself but can drift from real time, which matters for certificate validity periods and for correlating logs with systems outside the forest.
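The four events quoted above are the quickest way to tell a PDC master that is synchronizing with itself from one that is simply running on its local clock. The following script is an added example, not code from the KB article: it pulls those event IDs from the System log and labels each one. It assumes PowerShell 3.0 or later (Get-WinEvent with -FilterHashtable), rights to read the System log, and a 24-hour look-back window, which is a parameter you can change.

```powershell
# Added example, not from the KB article: collect the W32Time events the article
# quotes (IDs 12, 29, 38 and 47) from the System log and say what each one means
# for the PDC master. Read-only. Assumes PowerShell 3.0 or later (Get-WinEvent
# with -FilterHashtable) and rights to read the System log; run on the PDC
# emulator after restarting the Windows Time service.

param(
    [int]$Hours = 24    # look-back window; an assumption, adjust as needed
)

# Event IDs quoted in the article and what each means on the PDC master.
$meaning = @{
    12 = 'Forest-root PDC with nothing above it in the hierarchy (reminder only)'
    29 = 'No configured time source is reachable; NtpClient has no accurate time'
    38 = 'A peer is unreachable or is returning invalid time data'
    47 = 'Manually configured peer gave no valid reply after 8 tries; peer discarded'
}

$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = @(12, 29, 38, 47)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Time-Service|W32Time' }   # new and classic source names

if (-not $events) {
    "No W32Time events with IDs 12/29/38/47 in the last $Hours hours."
    return
}

$events |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $meaning[$_.Id]
            Message = ($_.Message -split "`r?`n")[0]    # first line of the description
        }
    } |
    Format-Table -AutoSize -Wrap

# Reading the result: one event 12 after a restart is the expected reminder.
# Repeated 38/47/29 that name the PDC's own address mean the PDC is trying to
# synchronize with itself, which the article says must not be configured.
```

Run it as `.\Get-W32TimeEvents.ps1 -Hours 48` (any file name will do) on the PDC master. A healthy server that has been pointed at external peers shows nothing, or a single event 12 from before the change; a server that logs event 47 naming its own address is still synchronizing with itself.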


Configuring the Windows Time service to use an external time source

To have us help you configure an internal time server to synchronize with an external time source, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix it button or link (Microsoft Fix it 50395). Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Notes
- This wizard may apply to English versions only; however, the automatic fix also works for other language versions of Windows.
- If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Let me fix it myself

To configure an internal time server to synchronize with an external time source, follow these steps:

1. Change the server type to NTP. To do this, follow these steps:
   a. Click Start, click Run, type regedit, and then click OK.
   b. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
   c. In the right pane, right-click Type, and then click Modify.
   d. In Edit String, type NTP in the Value data box, and then click OK.

2. Set AnnounceFlags to 5. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
   b. In the right pane, right-click AnnounceFlags, and then click Modify.
   c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.

   Notes
   - AnnounceFlags is a bit mask. 0x1 (Timeserv_Announce_Yes) and 0x4 (Reliable_Timeserv_Announce_Yes) make the server always announce itself as a time server and as a reliable time server, so 0x5 forces the announcement regardless of whether the server is itself synchronized. 0x2 and 0x8 are the corresponding "Auto" bits, so 0xA lets the service decide from its own synchronization state.
   - If an authoritative time server that is configured to use an AnnounceFlags value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlags value to 0xA instead of 0x5.
   - If an authoritative time server is configured to use an AnnounceFlags value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlags value to 0xA instead of 0x5.

3. Enable NtpServer. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
   b. In the right pane, right-click Enabled, and then click Modify.
   c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
   b. In the right pane, right-click NtpServer, and then click Modify.
   c. In Edit String, type Peers in the Value data box, and then click OK.

   Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps, for example time1.example.com,0x1 time2.example.com,0x1 (example names only). Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name; 0x1 is the SpecialInterval flag, which tells the NtpClient provider to poll that peer at the interval that you set in step 5. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect for that peer.

5. Select the poll interval. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
   b. In the right pane, right-click SpecialPollInterval, and then click Modify.
   c. In Edit DWORD Value, click to select Decimal in the Base box, type TimeInSeconds in the Value data box, and then click OK.

   Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 decimal. This value configures the time server to poll every 15 minutes. (If the Base box is left at Hexadecimal, typing 900 sets 0x900, that is, 2,304 seconds.)

6. Configure the time correction settings. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
   b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
   c. In Edit DWORD Value, click to select Decimal in the Base box.
   d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

   Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source. Because a manually-specified external source is not authenticated, this value is also the upper bound on how far a single forged or bad sample can move the clock forward.

   e. In the same registry subkey, locate MaxNegPhaseCorrection:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
   f. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
   g. In Edit DWORD Value, click to select Decimal in the Base box.
   h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

   Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The same considerations apply as for MaxPosPhaseCorrection; this entry bounds how far the clock can be moved backward.

7. Quit Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
   net stop w32time && net start w32time

NOTE: For a list of available time servers, see Microsoft KB Article 262680 - A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet.
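The registry steps above, collected into one script so that the change can be reviewed and repeated. This is an added example, not the article's own code or its Fix it wizard. It assumes an elevated PowerShell session on the forest-root PDC emulator; the peer names, the poll interval and the correction bound are placeholders to replace with your own values; the w32tm /query verification commands exist on Windows Server 2008 and later; and the $UseInternalClock switch performs the earlier "internal hardware clock" procedure (AnnounceFlags = 0xA, no external peers) instead of the external-source procedure.

```powershell
# Added example, not the article's own code or its Fix it wizard: apply the
# registry settings from the procedure above on the forest-root PDC emulator and
# verify the result. Run from an elevated PowerShell session on that server.
# The peer names and the interval/bound values below are assumptions to replace.

$Peers            = 'ntp1.example.com,0x1 ntp2.example.com,0x1'  # assumed peers; ,0x1 = poll at SpecialPollInterval
$PollSeconds      = 900      # the article's recommended 15 minutes
$MaxCorrectionSec = 900      # bound on one correction; the article says 15 minutes or lower for an NTP-type root
$UseInternalClock = $false   # $true performs the earlier "internal hardware clock" procedure instead

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

if ($UseInternalClock) {
    # Method 1: announce as a reliable time server and run from the CMOS clock.
    Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 0xA -Type DWord
}
else {
    # Method 2: synchronize with external peers and serve time to the domain.
    Set-ItemProperty -Path "$w32\Parameters" -Name Type -Value 'NTP' -Type String
    # 0xA rather than 0x5: because SpecialPollInterval is in use, the article's note
    # says 0x5 can leave clients unable to resynchronize after a restart or an outage.
    Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 0xA -Type DWord
    Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer -Value $Peers -Type String
    Set-ItemProperty -Path "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value $PollSeconds -Type DWord
    # Without these two, a domain member accepts any offset (the 0xFFFFFFFF default).
    Set-ItemProperty -Path "$w32\Config" -Name MaxPosPhaseCorrection -Value $MaxCorrectionSec -Type DWord
    Set-ItemProperty -Path "$w32\Config" -Name MaxNegPhaseCorrection -Value $MaxCorrectionSec -Type DWord
}

# The same restart the article performs with "net stop w32time && net start w32time".
Restart-Service -Name w32time -Force

# Verify (w32tm /query exists on Windows Server 2008 and later): the source should
# be one of the peers, or "Local CMOS Clock" for method 1, and the configuration
# dump should show the values written above.
w32tm /resync /nowait | Out-Null
Start-Sleep -Seconds 5
w32tm /query /source
w32tm /query /status
w32tm /query /configuration |
    Select-String -Pattern 'Type|AnnounceFlags|NtpServer|SpecialPollInterval|MaxPosPhaseCorrection|MaxNegPhaseCorrection'
```

The Type, NtpServer and reliable-announcement parts of method 2 can also be written as a single w32tm command, `w32tm /config /manualpeerlist:"ntp1.example.com,0x1 ntp2.example.com,0x1" /syncfromflags:MANUAL /reliable:YES /update`, but that command does not set SpecialPollInterval or the two phase-correction bounds, which is why the script writes the registry directly.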


Troubleshooting

For the Windows Time service to function correctly, the networking infrastructure must function correctly. The most common problems that affect the Windows Time service include the following:

- There is a problem with TCP/IP connectivity, such as a dead gateway.
- The Name Resolution service is not working correctly.
- The network is experiencing high volume delays, especially when synchronization occurs over high-latency wide area network (WAN) links.
- The Windows Time service is trying to synchronize with inaccurate time sources.

The first two problems usually show up as NTP requests (UDP port 123) that never receive an answer, which produces the event 47 and event 29 entries shown earlier. We recommend that you use the Netdiag.exe utility to troubleshoot network-related issues. Netdiag.exe is part of the Windows Server 2003 Support Tools package. See Tools Help for a complete list of command-line parameters that you can use with Netdiag.exe. If your problem is still not solved, you can turn on the Windows Time service debug log. Because the debug log can contain very detailed information, we recommend that you contact Microsoft Product Support Services when you turn on the Windows Time service debug log.


MORE INFORMATION

NTP supports several different packet types. Typically, NTP clients and Simple Network Time Protocol (SNTP) clients send client mode request packets to an NTP server, and the NTP server responds with a server mode packet. To configure the W32time service to send symmetric active mode packets instead of client mode packets to an NTP server, type the following command at a command prompt, and then run w32tm /config /update so that the service picks up the change:

w32tm /config /manualpeerlist:<server>,0x4 /syncfromflags:MANUAL

Here 0x4 is the SymmetricActive peer flag. Note Use the 0x8 (Client) flag instead to force W32time to send normal client requests; the NTP server replies to these normal client requests as usual. Peer flags are combined by adding them, so <server>,0x9 means "client mode, polled at SpecialPollInterval" (0x8 + 0x1).


Reliable time source configuration

A computer that is configured to be a reliable time source is identified as the root of the Windows Time service. The root of the Windows Time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they select a reliable source first, if one is available.


Manually-specified synchronization

With manually-specified synchronization, you can designate a single peer or list of peers that a computer obtains time from. If the computer is not a member of a domain, it must be manually configured to synchronize with a specified time source. By default, a computer that is a member of a domain is configured to synchronize from the domain hierarchy. Manually-specified synchronization is most useful for the forest root of the domain or for computers that are not joined to a domain. When you manually specify an external NTP server to synchronize with the authoritative computer for your domain, you provide reliable time. However, to provide high accuracy and security to your domain, we recommend that you configure the authoritative computer for your domain to synchronize with a hardware clock.

Without a hardware time source, W32time is configured as an NTP type. You must then reconfigure the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries. The recommended value is 15 minutes or even lower, depending on the time source, network conditions, and your security requirements. This requirement also applies to any reliable time source that is configured as the forest root time source in the time sync subnet. For more information about these registry entries, see the "Windows Time service registry entries" section in this article.

Note Manually-specified time sources are not authenticated unless a specific time provider is written for them, and these time sources are therefore vulnerable to attacks: an attacker who can answer, or spoof answers to, the NTP requests of the forest root can move the clock of the whole forest, bounded only by MaxPosPhaseCorrection and MaxNegPhaseCorrection. Also, if a computer synchronizes with a manually-specified source instead of its authenticating domain controller, the two computers might be out of synchronization. This scenario causes Kerberos authentication to fail and could also cause other actions that require network authentication to fail, such as printing or file sharing. If only the forest root is configured to synchronize with an external source, all other computers within the forest remain synchronized with each other. This configuration makes replay attacks difficult.


All available synchronization mechanisms

The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This method enables synchronization with the domain hierarchy and may also provide an alternative time source if the domain hierarchy becomes unavailable, depending on the configuration. If the client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source that is specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.


Windows Time service registry entries

The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\:

MaxPosPhaseCorrection
  Path: Config
  Default: 0xFFFFFFFF for domain members; 54,000 (15 hours) for stand-alone clients and servers.
  Notes: This entry specifies the largest positive time correction, in seconds, that the service makes. If the service determines that a larger change is required, it logs an event instead of making the correction. 0xFFFFFFFF is a special case that means always make the correction, whatever the offset.

MaxNegPhaseCorrection
  Path: Config
  Default: 0xFFFFFFFF for domain members (the same value appears as -1 in tools that read the DWORD as a signed integer); 54,000 (15 hours) for stand-alone clients and servers.
  Notes: This entry specifies the largest negative time correction, in seconds, that the service makes. If the service determines that a larger change is required, it logs an event instead. 0xFFFFFFFF is a special case that means always make the correction.

MaxPollInterval
  Path: Config
  Default: 10 for domain members (2^10 = 1,024 seconds); 15 for stand-alone clients and servers (2^15 = 32,768 seconds).
  Notes: This entry specifies the largest interval that is allowed for the system polling interval, expressed as a base-2 logarithm of seconds. While a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested.

SpecialPollInterval
  Path: TimeProviders\NtpClient
  Default: 3,600 for domain members; 604,800 (7 days) for stand-alone clients and servers.
  Notes: This entry specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is set on a peer, W32Time uses this poll interval for that peer instead of the poll interval that it would otherwise determine.

MaxAllowedPhaseOffset
  Path: Config
  Default: 300 for domain members; 1 for stand-alone clients and servers.
  Notes: This entry specifies the maximum offset, in seconds, that W32Time corrects by adjusting the clock rate (slewing). When the offset is greater than this value, W32Time sets the computer clock directly (a step), provided that the offset is within MaxPosPhaseCorrection and MaxNegPhaseCorrection.
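The entries in this table, and the per-peer flags described in the "More information" section, are what an auditor checks first on a time server, because the defaults (0xFFFFFFFF for the phase-correction bounds, peers without the 0x1 flag) are exactly the settings a spoofed or rogue NTP source can exploit. The script below is an added example, not code from the article: it reads the entries, decodes each NtpServer peer's flags, and reports findings. It is read-only, assumes PowerShell 3.0 or later, and treats the article's "15 minutes or lower" recommendation for an NTP-type root as the threshold.

```powershell
# Added example, not from the KB article: read the W32Time registry entries the
# table above describes, decode the per-peer flags in NtpServer, and flag
# settings that a spoofed or rogue NTP source could exploit. Read-only; run on
# any domain member or domain controller. Assumes PowerShell 3.0 or later.

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-W32Value {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path "$w32\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Decode the flags that follow the comma in an NtpServer / manualpeerlist entry.
function ConvertFrom-PeerFlags {
    param([string]$PeerSpec)    # e.g. 'time.example.com,0x9'
    $name, $flagText = $PeerSpec -split ','
    $flags = if ($flagText) { [int]$flagText } else { 0 }
    [pscustomobject]@{
        Peer            = $name
        Flags           = '0x{0:X}' -f $flags
        SpecialInterval = [bool]($flags -band 0x1)   # poll at SpecialPollInterval
        FallbackOnly    = [bool]($flags -band 0x2)   # use only if other sources fail
        SymmetricActive = [bool]($flags -band 0x4)   # send symmetric active packets
        ClientMode      = [bool]($flags -band 0x8)   # send normal client requests
    }
}

$type     = Get-W32Value 'Parameters' 'Type'
$peers    = Get-W32Value 'Parameters' 'NtpServer'
$announce = Get-W32Value 'Config' 'AnnounceFlags'
$maxPoll  = Get-W32Value 'Config' 'MaxPollInterval'
$special  = Get-W32Value 'TimeProviders\NtpClient' 'SpecialPollInterval'

$findings = @()

# Get-ItemProperty returns a DWORD as Int32, so the 0xFFFFFFFF default reads as -1.
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    $v = Get-W32Value 'Config' $name
    if ($null -eq $v) { continue }
    if ($v -eq -1) {
        $findings += "$name is 0xFFFFFFFF: any offset from the time source is accepted"
    }
    elseif ($type -eq 'NTP' -and $v -gt 900) {
        $findings += "$name = $v s; the article recommends 15 minutes (900) or lower for an NTP-type root"
    }
}

$decoded = @()
if ($peers) {
    foreach ($spec in ($peers -split '\s+' | Where-Object { $_ })) {
        $d = ConvertFrom-PeerFlags $spec
        $decoded += $d
        if (-not $d.SpecialInterval) {
            $findings += "peer $($d.Peer) lacks 0x1, so SpecialPollInterval ($special s) does not apply to it"
        }
    }
}

$announceText = if ($null -ne $announce) { '0x{0:X}' -f $announce } else { '(not set)' }
$maxPollText  = if ($null -ne $maxPoll)  { "$maxPoll (2^$maxPoll = $([math]::Pow(2, $maxPoll)) s)" } else { '(not set)' }

[pscustomobject]@{
    Type                = $type
    AnnounceFlags       = $announceText
    MaxPollInterval     = $maxPollText
    SpecialPollInterval = $special
} | Format-List

$decoded | Format-Table -AutoSize

if ($findings) { 'Findings:'; $findings | ForEach-Object { " - $_" } } else { 'No findings.' }
```

On an untouched domain member the script reports both phase-correction entries as 0xFFFFFFFF, which is the configuration this article asks you to tighten; on a stand-alone server it reports the 54,000-second default as above the 900-second recommendation. A peer listed without ,0x1 is reported because the SpecialPollInterval you set in the procedure is silently ignored for that peer.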


REFERENCES

For more information about Windows Time service, click the following article numbers to view the articles in the Microsoft Knowledge Base:

816043  How to turn on debug logging in the Windows Time service
884776  Configuring the Windows Time service against a large time offset
321708  How to use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
314054  How to configure an authoritative time server in Windows XP
216734  How to configure an authoritative time server in Windows 2000

For more information about the Windows Time service in a Windows Server 2003-based forest, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc773061.aspx


APPLIES TO