Sunday 27 October 2013

Windows Time Service


Computers running Windows Server 2003 and Windows XP use the Network Time Protocol (NTP), which gives benefits such as more reliable time due to better correction methods. This is configured using the new w32tm commands, which we will look at later on. Computers running Windows 2000, by contrast, use the Simple Network Time Protocol (SNTP), configured with the NET TIME command.

Benefits and Purposes of Windows Time Service

The first question we need to ask ourselves is: why do we need time synchronization? Well, in an Active Directory domain it is very important for all clocks to be within 5 minutes of each other (by default), because the Kerberos protocol used for authentication relies on time-stamped packets to prevent, amongst other things, man-in-the-middle attacks. Another reason time sync is important is that Active Directory now uses multi-master domain controllers (DCs): changes made at a later actual time on one DC must not get overwritten by similar changes on another DC whose clock is set wrong, which would make its change look like the most recent one!
The Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of 5 minutes. Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, allowing for greater or lesser thresholds. Failure to authenticate using the Kerberos protocol can prevent logons and access to Web sites, file shares, printers, and other resources or services within a domain.
The Windows Time service is implemented in a dynamic link library called W32Time.dll. W32Time.dll is installed by default in the Systemroot\System32 folder during Windows Server 2003 setup and installation.

Port and Protocol

Port: NTP and SNTP use User Datagram Protocol (UDP) port 123 on time servers. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP or NTP servers.

Protocol: The service on Windows Server 2003 implements NTP to communicate with other computers on the network.
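As an added example (not part of the original post), here is a minimal SNTP client in Python that shows what actually travels over UDP port 123: it builds the 48-byte client request, parses the server's reply, computes the clock offset and round-trip delay from the four timestamps as RFC 2030 describes, and checks the offset against the 5-minute Kerberos tolerance discussed above. The demo() function runs against a constructed reply rather than a live server, so it works offline; query() sends a real request and is my assumption of how you would use it on a network.

```python
import socket
import struct
import time

NTP_PORT = 123                  # UDP port used by both NTP and SNTP
NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
KERBEROS_MAX_SKEW = 300         # default Kerberos clock-skew tolerance: 5 minutes


def unix_to_ntp(t):
    """Convert Unix time (float seconds) to a 64-bit NTP timestamp (seconds, 32-bit fraction)."""
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = min(int(round((t - int(t)) * 2**32)), 0xFFFFFFFF)
    return secs, frac


def ntp_to_unix(secs, frac):
    """Inverse of unix_to_ntp."""
    return (secs - NTP_EPOCH_OFFSET) + frac / 2**32


def build_request(t1):
    """Build a 48-byte SNTP v3 client request; t1 is the client's send time (Unix seconds)."""
    packet = bytearray(48)
    packet[0] = 0x1B  # LI=0, VN=3, Mode=3 (client)
    # Transmit Timestamp (bytes 40-47): the server echoes it back as the Originate Timestamp
    struct.pack_into("!II", packet, 40, *unix_to_ntp(t1))
    return bytes(packet)


def build_response(t1, t2, t3, stratum=2):
    """Construct a server reply (a constructed sample for offline use, not a capture from a real server)."""
    packet = bytearray(48)
    packet[0] = 0x1C  # LI=0, VN=3, Mode=4 (server)
    packet[1] = stratum
    struct.pack_into("!II", packet, 24, *unix_to_ntp(t1))  # Originate: client's T1 echoed back
    struct.pack_into("!II", packet, 32, *unix_to_ntp(t2))  # Receive: server clock when request arrived
    struct.pack_into("!II", packet, 40, *unix_to_ntp(t3))  # Transmit: server clock when reply left
    return bytes(packet)


def parse_response(data, t4):
    """Parse a server reply received at Unix time t4; return (stratum, offset, delay) per RFC 2030."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap = data[0] >> 6
    mode = data[0] & 0x07
    stratum = data[1]
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}, expected 4 (server)")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports it is not synchronized; do not trust its time")
    t1 = ntp_to_unix(*struct.unpack_from("!II", data, 24))
    t2 = ntp_to_unix(*struct.unpack_from("!II", data, 32))
    t3 = ntp_to_unix(*struct.unpack_from("!II", data, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the local clock is behind (+) or ahead (-) of the server
    delay = (t4 - t1) - (t3 - t2)          # network round-trip time, excluding server processing
    return stratum, offset, delay


def within_kerberos_skew(offset, max_skew=KERBEROS_MAX_SKEW):
    """True if a clock this far off would still authenticate under the default Kerberos tolerance."""
    return abs(offset) <= max_skew


def query(server, timeout=3.0):
    """Send one SNTP request over UDP/123 (needs network access; not exercised by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_response(data, t4)


def demo():
    """Constructed scenario: the client clock is 200 s behind the server, one-way network delay 50 ms."""
    t1 = 1000.00   # client send time (client clock)
    t2 = 1200.05   # server receive time (server clock)
    t3 = 1200.06   # server transmit time (server clock)
    t4 = 1000.11   # client receive time (client clock)
    stratum, offset, delay = parse_response(build_response(t1, t2, t3), t4)
    return stratum, offset, delay, within_kerberos_skew(offset)


if __name__ == "__main__":
    stratum, offset, delay, ok = demo()
    print(f"stratum={stratum} offset={offset:.3f}s delay={delay:.3f}s kerberos_ok={ok}")
```

In the constructed scenario the offset comes out at 200 s, which is inside the 5-minute window, so Kerberos would still work even though the clock is noticeably wrong; the same check with an offset of 400 s flags the machine as one that will start failing logons. Reading the reply's leap indicator and stratum before trusting it is the one piece of input validation a time client should never skip.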

Forest Time Server configuration for Windows 2000 and 2003:

I am now going to look at how you set up your Windows 2000 machine to sync over the Internet and what protocol Windows 2000 uses to do this. As mentioned briefly above, this is one of the differences between Windows 2003/XP and 2000. The protocol used by Windows 2000 is called Simple Network Time Protocol, or SNTP. It is a "simple" version of NTP and lacks some of the more complex algorithms which provide more accurate and stable time for NTP clients. The way you set this up is to enter the following at the command line:

NET TIME /SETSNTP:dnsnameofserver


For example, you could use the following:


NET TIME /SETSNTP:time.windows.com


If you want to find out which server you set a machine up to sync to, you can use the following command:


NET TIME /QUERYSNTP


Windows 2003 uses W32TM, not NET TIME

As I mentioned above, Windows Server 2003 and Windows XP now use NTP instead of SNTP. Alongside that they now have a new way of configuring the WTS. The command that now does everything regarding WTS is:

w32tm

What the w32tm configuration parameters actually do is control a registry entry called "Type" in:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters 


This key is set to one of the following:

"NT5DS" if you're in an AD domain,
"NTP" if you're either not an AD member, or if you're the root domain's PDCe,
"NoSync" to prevent any time sync taking place.

Once you have set up the PDC to sync with an external time source, what happens then?

Well, it tries to sync every 45 minutes until it achieves its first sync. Then after that, it syncs again every 45 minutes until it has done three successful syncs in a row. After that it syncs once every 8 hours.

If a domain controller is configured to be a reliable time source, in other words it syncs with an external time source, the NetLogon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available. When a DC is intended to be a reliable time source you should ensure that the following registry value is set to 5; if it is not intended to be one, the default value of 10 should be left in place.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

Group Policy Settings:

Group Policy can be used to control Windows Time Service for computers that are running Windows Server 2003 to limit the flow of information to and from the Internet.
The synchronization type and NTP time server information can be managed and controlled through Group Policy. The Windows Time Service Group Policy object (GPO) contains configuration settings that specify the synchronization type. When the synchronization type is set to NT5DS, Windows Time Service synchronizes its time resource with the network domain controller. Alternatively, setting the type attribute to NTP configures Windows Time Service to synchronize with a specified NTP time server. The NTP server is specified by either its Domain Name System (DNS) name or its IP address when you select NTP as the synchronization type.
You can set the global configuration settings for Windows Time Service by using Group Policy.
In Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings, there is only one setting that might, in certain scenarios, affect the way that Windows Time Service communicates when the computer is in a domain.
This setting is AnnounceFlags, which controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. The settings are as follows:
0 Not a time server
1 Always a time server
2 Automatic time server, meaning the role is decided by Windows Time Service
4 Always a reliable time server
8 Automatic reliable time server, meaning the role is decided by Windows Time Service
The default is 10 (2 + 8), meaning that Windows Time Service decides both roles.
In the Group Policy settings located in Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, there are a number of settings that might affect the way that Windows Time Service communicates across the Internet. The following table describes some of these policy settings.

Selected Group Policy Settings for Configuring the Windows Time Service NTP Client for Computers Running Windows Server 2003

Policy Setting: NtpServer
Effect of Setting: Establishes a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock. This setting is used only when Type is set to NTP or AllSync. The following flags can be appended to each peer:
    0x01 SpecialInterval
    0x02 UseAsFallbackOnly
    0x04 SymmetricActive
    0x08 NTP request in Client mode
Default Setting: time.windows.com,0x1

Policy Setting: Type
Effect of Setting: Indicates which peers to accept synchronization from:
    NoSync. The time service does not synchronize with other sources.
    NTP. The time service synchronizes from the servers specified in the NtpServer registry entry.
    NT5DS. The time service synchronizes from the domain hierarchy.
    AllSync. The time service uses all the available synchronization mechanisms.
Default Setting: NTP on computers that are not joined to a domain; NT5DS on computers that are joined to a domain.

Policy Setting: CrossSiteSyncFlags
Effect of Setting: Determines whether the service chooses synchronization partners outside the domain of the computer.
    None 0
    PdcOnly 1
    All 2
This value is ignored if Type is not set to NT5DS.
Default Setting: 2

Policy Setting: ResolvePeerBackoffMinutes
Effect of Setting: Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. If the Windows Time Service cannot successfully synchronize with a time source, it will keep retrying, using the settings specified in ResolvePeerBackoffMinutes and ResolvePeerBackoffMaxTimes.
Default Setting: 15

Policy Setting: ResolvePeerBackoffMaxTimes
Effect of Setting: Specifies the maximum number of times to double the wait interval when repeated attempts fail to locate a peer to synchronize with. A value of zero means that the wait interval is always the initial interval in ResolvePeerBackoffMinutes.
Default Setting: 7

Policy Setting: SpecialPollInterval
Effect of Setting: Specifies the special poll interval in seconds for peers that have been configured manually. When a special poll is enabled, Windows Time Service will use this poll interval instead of a dynamic one that is determined by synchronization algorithms built into Windows Time Service.
Default Setting: 604800 (workgroup), 3600 (domain)
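To tie the AnnounceFlags bits and the Type / NtpServer settings above together, here is an added Python audit script (my example, not from the original post) that decodes the flag values and checks a machine's W32Time configuration against the roles described in this post: a forest-root PDCe should be Type=NTP with AnnounceFlags=5, a domain member should be Type=NT5DS, and NoSync should never appear. The audit works on plain dictionaries mirroring the Parameters and Config registry keys, so it runs offline on constructed values; read_w32time_from_registry() reads the live keys on Windows via winreg and is my assumption of how you would feed it real data.

```python
ANNOUNCE_FLAG_NAMES = {
    0x1: "Always a time server",
    0x2: "Automatic time server",
    0x4: "Always a reliable time server",
    0x8: "Automatic reliable time server",
}

NTPSERVER_FLAG_NAMES = {
    0x01: "SpecialInterval",
    0x02: "UseAsFallbackOnly",
    0x04: "SymmetricActive",
    0x08: "Client",
}


def decode_announce_flags(value):
    """Expand an AnnounceFlags value into the role names it combines (10 -> automatic + automatic reliable)."""
    if value == 0:
        return ["Not a time server"]
    return [name for bit, name in ANNOUNCE_FLAG_NAMES.items() if value & bit]


def parse_ntp_server(value):
    """Parse the space-delimited NtpServer list ('host,0xflags host2,0xflags ...') into (host, [flag names])."""
    peers = []
    for entry in value.split():
        host, _, flags = entry.partition(",")
        flag_value = int(flags, 16) if flags else 0
        peers.append((host, [n for b, n in NTPSERVER_FLAG_NAMES.items() if flag_value & b]))
    return peers


def audit_w32time(role, parameters, config):
    """Return a list of findings for one machine.

    role: 'pdce' (forest-root PDC emulator), 'domain_member' or 'standalone'.
    parameters / config: dicts mirroring ...\\W32Time\\Parameters and ...\\W32Time\\Config.
    """
    findings = []
    sync_type = parameters.get("Type", "")
    announce = config.get("AnnounceFlags", 10)  # 10 is the documented default
    expected_type = "NT5DS" if role == "domain_member" else "NTP"

    if sync_type == "NoSync":
        findings.append("Type=NoSync: the clock is never corrected, so Kerberos skew failures will follow")
    elif sync_type != expected_type:
        findings.append(f"Type={sync_type!r} but a {role} is expected to use {expected_type!r}")

    # NtpServer only matters when Type is NTP or AllSync
    if sync_type in ("NTP", "AllSync") and not parse_ntp_server(parameters.get("NtpServer", "")):
        findings.append("Type relies on NtpServer but NtpServer is empty")

    roles = ", ".join(decode_announce_flags(announce))
    if role == "pdce" and announce != 5:
        findings.append(f"AnnounceFlags={announce} ({roles}); a PDCe syncing externally should be 5")
    if role != "pdce" and announce & 0x4:
        findings.append(f"AnnounceFlags={announce} ({roles}) marks a non-PDCe as always reliable; other DCs will prefer it")
    return findings


def read_w32time_from_registry():
    """Read the live values on Windows (assumed: winreg available, key layout as described in the post)."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\W32Time"
    wanted = (("Parameters", ("Type", "NtpServer")), ("Config", ("AnnounceFlags",)))
    result = []
    for sub, names in wanted:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + sub) as key:
            result.append({n: winreg.QueryValueEx(key, n)[0] for n in names})
    return result[0], result[1]


if __name__ == "__main__":
    # Constructed sample configurations, not read from a real machine
    samples = {
        "pdce-good": ("pdce", {"Type": "NTP", "NtpServer": "time.windows.com,0x1"}, {"AnnounceFlags": 5}),
        "member-misconfigured": ("domain_member", {"Type": "NTP", "NtpServer": "time.windows.com,0x1"}, {"AnnounceFlags": 10}),
        "pdce-nosync": ("pdce", {"Type": "NoSync"}, {"AnnounceFlags": 10}),
    }
    for name, args in samples.items():
        print(name, audit_w32time(*args) or ["OK"])
```

A domain member left on Type=NTP pointing at the Internet silently opts out of the domain hierarchy, which is exactly the kind of drift this audit is meant to catch before Kerberos tickets start being rejected.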

Troubleshooting Commands:

To Manually Start Windows Time Service Using the Net Command

Net Start w32time

To Manually Stop Windows Time Service Using the Net Command

Net Stop w32time

To Synchronize the Client Time with a Time Server

w32tm /resync

To Resynchronize the Client Time with a Time Server

By default, a computer running Windows Time Service will not synchronize with a time source if the computer's time is more than 15 hours off.

w32tm /resync /rediscover

After running this command we should get event ID 35 or 37, and the event itself is self-explanatory.

Event IDs 35 and 37 indicate a successful time sync.

Registry Values:

In a domain-based environment, for time sync the registry value "Type" should be set to "NT5DS" under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
