Windows Time Synchronization Service

Windows 2000 (Win2K) uses a time service, known as Windows Time Synchronization Service (Win32Time), to ensure that all Win2K computers on your network use a common time. In fact, MIT Kerberos 5, Win2K's default authentication protocol, requires the service. In Win2K, time synchronization is crucial because Kerberos uses workstation time as part of the authentication process. Let's discuss the time service, which complies with the Simple Network Time Protocol (SNTP). (For more information about SNTP, see Request for Comments— RFC—1769.)

How Does the Time Service Work?
When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller's) time. If the target time is ahead of local (i.e., the client's) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time.

Because time synchronization is so critical, the client periodically verifies that its time is in synch with the time server. By default, the client performs these checks every 8 hours. It connects to the authenticating domain controller, which is its inbound time partner, and performs the checks using a strategy that seeks to attain a convergence wherein the two computers are never more than 2 seconds apart. If the local time strays by more than 2 seconds, the client checks its time against the authenticating domain controller more often—in fact, it divides its verifying interval in half, repeating this division until it meets one of the following conditions:

The difference between the local and target is no more than 2 seconds
The interval reaches its shortest duration (by default, 45 minutes)

When the two computers' times return to within 2 seconds of each other, the verification interval doubles at each check until reaching the maximum interval of 8 hours.

Time Service Hierarchy
Windows Time Synchronization Service uses a hierarchical relationship that focuses on the PDC Emulator at the root of the Active Directory (AD) forest. By default, the first domain controller in a forest acts as the PDC Emulator for the root domain and becomes authoritative for the entire enterprise—an event that the Event Viewer logs in the system log as Event ID 62. You’ve probably seen the Event Viewer filled with Event ID 62 from the source Win32Time. The description field states, "This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command, ‘net time /setsntp:<server name>’." In other words, you must configure the PDC Emulator to recognize an external SNTP time server as authoritative using the Net Time command from the command prompt. Type

net time /?

at the command prompt for the syntax. You can use any of the following US Naval Observatory SNTP time servers:

tick.usno.navy.mil at 192.4.41.40
tock.usno.navy.mil at 192.5.41.41
ntp2.usno.navy.mil at 192.5.41.209

Let's look at the time service hierarchy from the bottom up to see how computers synchronize times and dates with their time partners. Workstations and member servers in a domain use the authenticating domain controller as their inbound time partner. Domain controllers use the PDC Emulator in their own domain as their inbound time partner. The PDC Emulator in each domain uses the PDC Emulator in its parent domain as the inbound time partner, until we reach the top of the hierarchy—the root domain. The PDC Emulator in the root of the forest is the authoritative time server, which you should set manually to synchronize time with an external SNTP time server, as I discussed earlier.

One final note: SNTP uses UDP port 123 by default. If you want to synchronize your time server with an SNTP server on the Internet, make sure that port is available.

End of Article

I presently operate one Novell netware ver 5 server with various win 98 and NT workstations.
I am adding one win2000 server and a win2000 workstation this week.
Hopefully, the added enviroment of a win server will go smoothly

al odlum March 20, 2000

Did you know that Novell has had a time sync feature built in for a while now? I'm not a big novell fan but, this time thing is no big deal It's been done and as Microsoft usually does is just copy other peoples ideas.

Mitch March 21, 2000

You mention that to sync your root domain controller, you have to type /net time 192.x.x.x for which ever time server you want to sync with.

However, if you don't want your servers on the internet at all, then how do you get around this?

Justen Brydon March 21, 2000

This is something thats been a long time coming and should have been implemented a while ago. We have been using a third-party utility since NT 3.51 to keep our domain in sync (Greyware Domain Time), and probably will continue to do so through Win2k. It provides many features and higher accuarcy than the default time service does while working with Win9x, NT, and Win2k, among others. The time service is an improvement on what was there (nothing), but still leaves a lot to be desired.

Kit Skinner March 21, 2000

A great and timely article. I had been using the Resource Kit for NT 4 Time service on all my systems. It is good to see it built in, but I did not know it was there before I read this. I was disappointed to see it missing from the Win2K resource kit, but now I know why! It is strange that as I searched the KB at MS, I could not find out about this change. Thanks for a good article.

Rob Wood March 22, 2000

Is it possible to make my standalone Win2K Pro machine synchronize directly to the servers you listed?

Dave B March 22, 2000

Is the W32time version that ships w/ W2K different from the W32Time.exe and W32time.ini that exists at

ftp://ftp.microsoft.com/ResKit/y2kfix/x86/w32time

The documentation at that location is pretty much identical to the original TimeServ doc. I'd like to know if setting up Time Services for W2k is going differ from what the Documentation at the above site indicates.

If so, could you possibly go into more detail as to how this is setup on the Master, Secondary and Primary servers of Windows 2000?

James Turner March 22, 2000

Obviously the author didn't spend any time trying to get the time service commands to WORK using "Net TIME";

I did and I STILL cannot figure out the correct syntax; it is NOT documented as far as I can tell.

Herb Martin May 22, 2000

Read this Article - very simple with examples http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14943

Marc Chang January 09, 2001

RFC 2030, October 1996, is also very interesting. It obsoletes RFC 1769, March 1995, to which you refer.

Brian M. Russell June 22, 2001

See More Comments 1 2

You must log on before posting a comment.

If you don't have a username & password, please register now.