Configuring and administering the Windows Time service
Windows 2000 includes the Windows Time service (W32Time), which you can use to make sure that all Windows XP and Win2K computers on your network run on the same time. W32Time synchronizes a computer you designate as an authoritative time server with an outside time source, then synchronizes all computers on your network to that time server. Let's examine W32Time and discuss how to configure and administer the service on your network.
If you choose not to use W32Time on your network, you might not notice any obvious consequences. However, several features and processes depend on accurate and synchronized timestamps. Kerberos, for example, requires timestamps as part of the authentication ticket generation process. By default, Kerberos authentication fails if the clock time of the client computer and the authenticating domain controller (DC) are more than 5 minutes apart. This interval is called the Maximum Tolerance for Synchronization of Computer Clocks. You can use Group Policy to change this value, but doing so can weaken security on your network.
Replication processes on the network also depend on accurate timestamps as they determine whether to replicate data. In fact, if the time difference between two DCs is greater than the Kerberos Maximum Tolerance for Synchronization of Computer Clocks, authentication between DCs fails, and that failure causes DC data replications to fail. Just as important, computers with different times can wreak havoc on data file writes. And inaccurate timestamps can compromise functions such as synchronizing offline files, entering database data, and working with collaborative documents.
Setting Up an Authoritative Time Server
The authoritative time server is a DC that checks its time against an outside clock deemed to be extremely accurate. If you have multiple DCs in a domain, the authoritative time server is the DC that serves as the Flexible Single-Master Operation (FSMO) PDC emulator. By default, the FSMO PDC emulator is the first DC that you install in a domain. If you have multiple domains (i.e., a forest), the FSMO PDC emulator of the first domain you created in the forest is the authoritative time server for the forest.
You must supply the URL or IP address of the authoritative external clock by entering the following command on the DC that serves as the authoritative time server:
The target external server must be a Simple Network Time Protocol (SNTP) time server, and UDP port 123 must be open to the Internet. See the sidebar "Locating Time Servers," page 74, for addresses of time servers near you. If you provide a list of target external servers (i.e., so that if one external server isn't available, the system can try to contact another server), follow each address with a space and enclose the entire list in quotation marks, as in the following example:
When you run the net time /setsntp command, the system writes the results to the registry. Thereafter, your authoritative time server synchronizes its clock to the external source automatically. The system writes the registry entries, which Figure 1 shows, to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters subkey. Table 1 explains the data choices for the required registry entries.
If you use a list of multiple external Network Time Protocol (NTP) servers, use IP addresses instead of URLs. If you specify NTP servers by DNS name, a bug in Win2K causes the OS to attempt to connect to the first name on the list only, instead of trying each name. But if you use IP addresses, the OS attempts to connect to each IP address until it successfully connects with a server and synchronizes the time. (Win2K Service Pack 3—SP3—corrects this problem.)
Using NTP with a Proxy Server
If W32Time runs behind a Microsoft Proxy Server system, the service might not be able to connect to the external NTP server. W32Time runs under the local system account on the internal server, and that account can't satisfy the proxy server's Access Control feature, which is generally enabled. You can resolve this problem in several ways:
- Disable the Access Control feature for the Winsock proxy. To do so, open Microsoft IIS Manager from the Administrative Tools menu, open the Properties dialog box for the Winsock Proxy service, click the Permissions tab, then clear the Enable Access Control check box.
- Set the time server to access the proxy server instead of the external server for its NTP server, then configure the proxy to point to the external server.
- Use the Task Scheduler to schedule a batch file to run every day on the authoritative time server; include the following commands:
net start w32time
The Hierarchical Search for an Accurate Time Source
XP and Win2K Professional workstations, Win2K member servers, and all DCs that aren't authoritative time servers automatically synchronize their clocks to an accurate DC on the network. W32Time uses a hierarchical method to synchronize the time throughout your network. This hierarchical synchronization effort assumes that you've established an authoritative time server. If the search for an accurate time source fails because you haven't established an authoritative time server, you'll find an abundance of error messages in the Event Viewers of your network computers (see the section "Common W32Time Errors" below for a description of these errors). The time service hierarchy has three levels:
- Level 1: The authoritative time server
- Level 2: Other DCs on the domain (if they exist) and other DCs across multiple domains in a forest (if they exist)
- Level 3: Win2K member servers and XP and Win2K workstations
On Level 1, the authoritative time server searches the Internet for an accurate time source, attempting to access the external time servers you designated. You can have only one Level 1 computer, and only that computer can query an external time source. To verify that you configured this computer for the right external time source, type
at a command line. The system should return the Internet address of the external server you configured (or multiple Internet addresses if you entered a list of external time servers).
On Level 2, all DCs on your network search the parent domain (if you have a forest), then search the current domain to find the authoritative time server. When the DCs find the authoritative time server, they synchronize their clocks with it. The authoritative time server is the NTP server for the DCs.
On Level 3, computers synchronize their clocks with their authenticating DCs. The authenticating DC clock is deemed accurate because it's synchronized with the authoritative time server. The authenticating DC is the NTP server for Level 3 clients. Only XP and Win2K computers can perform this automatic synchronization. (To learn about synchronizing computers running earlier versions of Windows, see the section "Synchronizing NT 4.0 and Win9x Clients" below.)
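The three levels can be expressed as a small resolver that takes a description of the forest, assigns each computer its level and its time source, and flags a forest-root PDC emulator that has no external source configured. This is an added Python example, not code from the article or from Microsoft; the Domain and Member classes, resolve_time_sources, and the sample forest (DC1 through DC4, ws01, ws02, srv01, and the 192.0.2.x addresses) are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Domain:
    name: str
    dcs: list[str]
    pdc_emulator: str          # FSMO PDC emulator of this domain
    forest_root: bool = False  # the first domain created in the forest


@dataclass
class Member:
    name: str                  # Win2K member server or XP/Win2K workstation
    authenticating_dc: str


def resolve_time_sources(domains: list[Domain], members: list[Member],
                         external_sources: list[str]) -> tuple[dict, list[str]]:
    """Assign every computer its level and time source.

    Returns ({host: (level, source)}, warnings). Level 1 is the forest-root
    PDC emulator (source: the external servers), level 2 every other DC in
    the forest (source: the authoritative server), level 3 members and
    workstations (source: their authenticating DC).
    """
    warnings: list[str] = []
    roots = [d for d in domains if d.forest_root]
    if len(roots) != 1:
        raise ValueError("a forest has exactly one root domain")
    root = roots[0]
    authoritative = root.pdc_emulator
    if not external_sources:
        # The situation the article describes: the root PDC emulator logs an
        # event asking you to run net time /setsntp.
        warnings.append(f"{authoritative}: no external time source configured "
                        "(run net time /setsntp on this DC)")

    sources: dict[str, tuple[int, object]] = {
        authoritative: (1, tuple(external_sources))
    }
    for domain in domains:
        if domain.pdc_emulator not in domain.dcs:
            raise ValueError(f"{domain.name}: PDC emulator is not a DC of the domain")
        for dc in domain.dcs:
            if dc != authoritative:
                sources[dc] = (2, authoritative)
    for member in members:
        known_dc = member.authenticating_dc in sources and sources[member.authenticating_dc][0] < 3
        if not known_dc:
            raise ValueError(f"{member.name}: {member.authenticating_dc} is not a known DC")
        sources[member.name] = (3, member.authenticating_dc)
    return sources, warnings


# Constructed sample forest (names and addresses are illustrative placeholders)
SAMPLE_DOMAINS = [
    Domain("corp.example", ["DC1", "DC2"], pdc_emulator="DC1", forest_root=True),
    Domain("eu.corp.example", ["DC3", "DC4"], pdc_emulator="DC3"),
]
SAMPLE_MEMBERS = [Member("ws01", "DC2"), Member("srv01", "DC4"), Member("ws02", "DC3")]
SAMPLE_EXTERNAL = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    table, warns = resolve_time_sources(SAMPLE_DOMAINS, SAMPLE_MEMBERS, SAMPLE_EXTERNAL)
    for host, (level, source) in sorted(table.items(), key=lambda kv: kv[1][0]):
        print(f"Level {level}: {host:6} <- {source}")
    for w in warns:
        print("WARNING:", w)
```

Note that DC3 is the PDC emulator of the child domain but still lands on Level 2: only the PDC emulator of the forest-root domain may query an external source.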
The Time Synchronization Process
As computers join a domain during the logon process, the time service checks the time on an appropriate computer to determine the "target time." For Level 2 computers, the target time is the time on the authoritative time server. For all other computers, the target time is the time on the authenticating DC (a Level 2 computer). To adjust its local time to the target time, the local (client) computer takes the following steps:
- If the target time is later than the local time, W32Time immediately sets the local time to the target time.
- If the target time is earlier than the local time by 3 minutes or less, W32Time slews (the time service jargon for "slows") the local clock until the times match. If the local time is more than 3 minutes ahead of the target time, W32Time immediately resets the local time.
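The step-or-slew decision, together with the 5-minute Kerberos tolerance from the opening section, is easy to check against a set of clock readings. The following is an added Python example, not code from the article; the parse_ts, decide_adjustment, kerberos_skew_ok and triage functions and the sample readings for ws01 through ws04 are constructed for illustration, and the thresholds are the 3-minute and 5-minute values the article states.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Thresholds from the article, fixed here as module constants
SLEW_LIMIT = timedelta(minutes=3)           # local clock ahead by this much or less: slew
KERBEROS_TOLERANCE = timedelta(minutes=5)   # default Maximum Tolerance for Synchronization of Computer Clocks


def parse_ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' (a constructed input format for this example)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def decide_adjustment(local: datetime, target: datetime) -> tuple[str, float]:
    """Classify what the client does with its clock.

    Returns (action, offset_seconds) where offset = target - local, so a
    positive offset means the local clock is behind the target. Actions:
    'none' (already equal), 'step' (set the clock to the target at once),
    'slew' (slow the local clock until the times match).
    """
    offset = target - local
    if offset == timedelta(0):
        return "none", 0.0
    if offset > timedelta(0):
        # Target is later than local time: the clock is always set forward.
        return "step", offset.total_seconds()
    # Target is earlier: the local clock is ahead.
    if -offset <= SLEW_LIMIT:
        return "slew", offset.total_seconds()
    return "step", offset.total_seconds()


def kerberos_skew_ok(client: datetime, dc: datetime,
                     tolerance: timedelta = KERBEROS_TOLERANCE) -> bool:
    """True when the client/DC skew is within the Kerberos tolerance."""
    return abs(client - dc) <= tolerance


def triage(clients: dict[str, datetime], dc_time: datetime) -> list[dict]:
    """Per-client report: offset, the adjustment W32Time would make, Kerberos status."""
    report = []
    for host, local in clients.items():
        action, offset = decide_adjustment(local, dc_time)
        report.append({"host": host, "offset_s": offset, "action": action,
                       "kerberos_ok": kerberos_skew_ok(local, dc_time)})
    return report


if __name__ == "__main__":
    # Constructed sample readings (not a real capture)
    dc = parse_ts("2002-06-01 12:00:00")
    clients = {
        "ws01": dc - timedelta(seconds=90),   # behind by 90 s: stepped forward
        "ws02": dc + timedelta(minutes=2),    # ahead by 2 min: slewed
        "ws03": dc + timedelta(minutes=4),    # ahead by 4 min: stepped back; Kerberos still ok
        "ws04": dc + timedelta(minutes=6),    # ahead by 6 min: Kerberos fails until synced
    }
    for row in triage(clients, dc):
        print(row)
```

The ws03 row is the case worth remembering: a clock 4 minutes fast is corrected with a step rather than a slew, yet it is still inside the Kerberos tolerance, so nothing in the authentication path would have hinted at the drift.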
Alternatively, you can synchronize clocks manually for any XP or Win2K computer on the network (except the authoritative time server) by typing
at a command line. The system will return the message that Figure 2 shows. Press Y to reset the local clock to the time on the authenticating DC.
Time synchronization isn't only a startup process. XP and Win2K computers synchronize clocks periodically. By default, client computers connect to their time source computers once each "period," as follows:
- The initial period is 45 minutes.
- If the time synchronization process is successful three consecutive times, the period becomes 8 hours.
- If time synchronization isn't successful for three consecutive attempts, the period becomes 45 minutes and the process of defining the period starts over.
Using the net time /set command to synchronize clocks manually has no effect on the successful synchronization count.
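The period rules above form a small state machine, and replaying a sequence of attempt outcomes through it shows when a client moves between the 45-minute and 8-hour periods. This is an added Python example, not code from the article; the SyncSchedule class and replay function are constructed for illustration, and the one reading it adds to the article's rules is that a single failure interrupts a run of successes (marked as an assumption in the code).

```python
from __future__ import annotations
from dataclasses import dataclass, field

INITIAL_PERIOD_MIN = 45        # first period after startup
LONG_PERIOD_MIN = 8 * 60       # period after three consecutive successes
STREAK = 3                     # consecutive results needed to change the period


@dataclass
class SyncSchedule:
    """Tracks the polling period the article describes for an XP/Win2K client."""
    period_min: int = INITIAL_PERIOD_MIN
    successes: int = 0
    failures: int = 0
    history: list[int] = field(default_factory=list)

    def record(self, success: bool) -> int:
        """Record one periodic sync attempt; return the period for the next one."""
        if success:
            self.successes += 1
            self.failures = 0
            if self.successes >= STREAK:
                self.period_min = LONG_PERIOD_MIN
        else:
            self.failures += 1
            self.successes = 0   # assumption: a failure interrupts the success streak
            if self.failures >= STREAK:
                self.period_min = INITIAL_PERIOD_MIN
                self.failures = 0  # "the process of defining the period starts over"
        self.history.append(self.period_min)
        return self.period_min

    def manual_set(self) -> int:
        """net time /set: neither the counts nor the period change."""
        return self.period_min


def replay(outcomes: list[bool]) -> list[int]:
    """Feed a sequence of attempt results and return the period after each."""
    schedule = SyncSchedule()
    return [schedule.record(ok) for ok in outcomes]


if __name__ == "__main__":
    # Constructed outcome sequence: three good syncs, the source disappears, then recovers
    print(replay([True, True, True, False, False, False, True, True, True]))
    # -> [45, 45, 480, 480, 480, 45, 45, 45, 480]
```

The replay makes one consequence of the rules visible: after a source goes away, a client keeps its 8-hour period through two failed attempts, so it can take most of a day before the client starts retrying every 45 minutes.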
Synchronizing NT 4.0 and Win9x Clients
If you have Windows NT 4.0 or Windows 9x clients on your network, you must synchronize their clocks manually. Type
at a command line, where ComputerName is the name of a computer within the domain that you believe has an accurate clock. Because the W32Time service doesn't run on NT 4.0 and Win9x computers, no automated periodic synchronization occurs. You can put the command in a batch file and place a shortcut to the batch file in the Startup folder to synchronize time every time the computer starts up; or, you can place a shortcut to the command on the desktop and let users synchronize time at will.
Common W32Time Errors
W32Time error messages appear in the Event Viewer's System log with the source W32Time (click the Source column heading to sort the log by source). Many of the events that the time service records are Informational, but if you see a Warning event, you should try to fix the problem.
If you don't configure an authoritative time server, the first DC in your domain (or in the first domain, if you have a forest) will record the following event in its System log: This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command, 'net time /setsntp:
If the authoritative time server isn't available and you experience DC replication problems, you might not realize that the problem lies with the time service. W32Time doesn't generate error messages in the System log when hosts become unavailable, which is an oversight that I hope Microsoft will correct in future versions of Windows. However, if you see the error message The RPC server is unavailable, a time synchronization failure is the likely source.
If an XP or Win2K client can't find a DC for authentication (most likely on small networks that have only one DC), the client can log on anyway because the system caches authentication credentials by default. However, the time synchronization process fails, which causes W32Time to log event ID 11 (The NTP Server didn't respond) in the System log.
Event ID 11 is a common Warning on the authoritative time server. If you see this warning often, reenter the net time /setsntp: command and change the Internet time server or add IP addresses for multiple NTP servers.
If your network is busy or if a computer is having a problem with a NIC or a cable, you might see a Warning event ID 64 in the System log. W32Time is the source of this event, but the problem isn't a W32Time problem. Nevertheless, this event might be the only clue you receive about a failing connection. Figure 3 shows the error message for event ID 64. This error message refers to w32tm.exe, which you can use to examine and modify W32Time. Type
at a command prompt to learn how to use this tool.
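Because W32Time reports no error when a host is unreachable, the useful signal is the pattern of Warning events 11 and 64 per computer. The following is an added Python example, not code from the article, that parses a constructed Event Viewer comma-delimited export, counts W32Time warnings by computer and event ID, and attaches the article's advice; the triage_w32time function, the GUIDANCE text, the sample rows (DC1, WS07, the placeholder event 0) and the "frequent" threshold of three are all assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of an Event Viewer comma-delimited export
# (not a real capture; event 0 is a placeholder ID for an Information entry).
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer
Information,6/1/2002,8:00:12 AM,W32Time,None,0,N/A,DC1
Warning,6/1/2002,8:45:20 AM,W32Time,None,11,N/A,DC1
Warning,6/1/2002,9:30:21 AM,W32Time,None,11,N/A,DC1
Warning,6/1/2002,9:31:02 AM,W32Time,None,64,N/A,WS07
Error,6/1/2002,9:32:00 AM,Service Control Manager,None,7000,N/A,WS07
Warning,6/1/2002,10:15:19 AM,W32Time,None,11,N/A,DC1
"""

# Guidance keyed by the two warning IDs the article discusses
GUIDANCE = {
    11: "NTP server didn't respond: check the configured time source "
        "(net time /setsntp) or list several server IP addresses",
    64: "connection trouble reported through W32Time: check the NIC, cable "
        "or network load; w32tm.exe can help examine the service",
}


def triage_w32time(export_text: str, authoritative_server: str,
                   frequent: int = 3) -> list[dict]:
    """Summarise W32Time warnings per computer and event ID.

    Event 11 on the authoritative time server that repeats 'frequent' times
    or more gets an extra note, matching the article's advice to change the
    Internet time server or add more NTP server addresses.
    """
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only W32Time warnings matter here; informational events are noise
        if row["Source"] != "W32Time" or row["Type"] != "Warning":
            continue
        counts[(row["Computer"], int(row["Event"]))] += 1

    summary = []
    for (computer, event_id), n in sorted(counts.items()):
        note = GUIDANCE.get(event_id, "W32Time warning not covered here")
        if event_id == 11 and computer == authoritative_server and n >= frequent:
            note = "frequent on the authoritative time server; " + note
        summary.append({"computer": computer, "event_id": event_id,
                        "count": n, "note": note})
    return summary


if __name__ == "__main__":
    for item in triage_w32time(SAMPLE_EXPORT, authoritative_server="DC1"):
        print(item)
```

Run against a real export, the same loop separates the "time source is wrong" case (event 11 clustering on the authoritative server) from the "something is wrong with this one machine's network" case (event 64 on a single workstation).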
A Matter of Time
Using W32Time correctly to synchronize your computers isn't just a matter of synchronization for its own sake. Many important functions, including Kerberos security and data replication, depend on accurate computer clocks.