Windows Time Synchronization Service

Windows 2000 (Win2K) uses a time service, known as Windows Time Synchronization Service (Win32Time), to ensure that all Win2K computers on your network use a common time. In fact, MIT Kerberos 5, Win2K's default authentication protocol, requires the service. In Win2K, time synchronization is crucial because Kerberos uses workstation time as part of the authentication process. Let's discuss the time service, which complies with the Simple Network Time Protocol (SNTP). (For more information about SNTP, see Request for Comments (RFC) 1769.)

How Does the Time Service Work?
When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller's) time. If the target time is ahead of local (i.e., the client's) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time.

Because time synchronization is so critical, the client periodically verifies that its time is in synch with the time server. By default, the client performs these checks every 8 hours. It connects to the authenticating domain controller, which is its inbound time partner, and performs the checks using a strategy that seeks to attain a convergence wherein the two computers are never more than 2 seconds apart. If the local time strays by more than 2 seconds, the client checks its time against the authenticating domain controller more often—in fact, it divides its verifying interval in half, repeating this division until it meets one of the following conditions:

  • The difference between the local and target is no more than 2 seconds
  • The interval reaches its shortest duration (by default, 45 minutes)

When the two computers' times return to within 2 seconds of each other, the verification interval doubles at each check until reaching the maximum interval of 8 hours.
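The correction rule and the adaptive check interval described above can be modeled in a few lines. This is an added example, not Win32Time code: the function names are hypothetical, the drift trace is constructed, and an offset of exactly 2 minutes is assumed to be treated as an immediate set because the article does not cover that case.

```python
MAX_INTERVAL_MIN = 8 * 60   # default check interval (8 hours)
MIN_INTERVAL_MIN = 45       # shortest interval (45 minutes)
CONVERGED_SEC = 2           # clocks count as converged within 2 seconds
STEP_LIMIT_SEC = 120        # 2-minute threshold applied at authentication

def correction(offset_sec):
    """offset_sec = target (domain controller) time minus local time."""
    if offset_sec == 0:
        return "none"
    if abs(offset_sec) >= STEP_LIMIT_SEC:   # exactly 2 min: assumed to step
        return "set immediately"
    if offset_sec > 0:                      # target ahead by less than 2 min
        return "set immediately"
    return "slow clock over 20 minutes"     # target behind by less than 2 min

def next_interval(current_min, offset_sec):
    """Halve the interval while out of tolerance, double it once converged."""
    if abs(offset_sec) > CONVERGED_SEC:
        return max(current_min / 2, MIN_INTERVAL_MIN)
    return min(current_min * 2, MAX_INTERVAL_MIN)

def schedule(offsets_sec, start_min=MAX_INTERVAL_MIN):
    """Return the interval chosen after each periodic check."""
    intervals, current = [], start_min
    for off in offsets_sec:
        current = next_interval(current, off)
        intervals.append(current)
    return intervals

if __name__ == "__main__":
    # Constructed boot-time offsets (seconds) and the correction each one triggers
    for off in (90, -90, 300, -300):
        print(f"boot offset {off:+d}s -> {correction(off)}")
    # Constructed drift trace: five checks out of tolerance, then five within it
    trace = [5, -4, 3, 3, 3, 1, 0, -1, 1, 0]
    for off, nxt in zip(trace, schedule(trace)):
        print(f"check offset {off:+d}s -> next check in {nxt:g} min")
```

The trace shows that a client drifting by more than 2 seconds reaches the 45-minute floor after four checks and needs four clean checks to return to the 8-hour interval.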

Time Service Hierarchy
Windows Time Synchronization Service uses a hierarchical relationship that focuses on the PDC Emulator at the root of the Active Directory (AD) forest. By default, the first domain controller in a forest acts as the PDC Emulator for the root domain and becomes authoritative for the entire enterprise—an event that the Event Viewer logs in the system log as Event ID 62. You’ve probably seen the Event Viewer filled with Event ID 62 from the source Win32Time. The description field states, "This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command, ‘net time /setsntp:<server name>’." In other words, you must configure the PDC Emulator to recognize an external SNTP time server as authoritative using the Net Time command from the command prompt. Type

net time /?

at the command prompt for the syntax. You can use any of the following US Naval Observatory SNTP time servers:

  • tick.usno.navy.mil at 192.4.41.40
  • tock.usno.navy.mil at 192.5.41.41
  • ntp2.usno.navy.mil at 192.5.41.209

Let's look at the time service hierarchy from the bottom up to see how computers synchronize times and dates with their time partners. Workstations and member servers in a domain use the authenticating domain controller as their inbound time partner. Domain controllers use the PDC Emulator in their own domain as their inbound time partner. The PDC Emulator in each domain uses the PDC Emulator in its parent domain as the inbound time partner, until we reach the top of the hierarchy—the root domain. The PDC Emulator in the root of the forest is the authoritative time server, which you should set manually to synchronize time with an external SNTP time server, as I discussed earlier.

One final note: SNTP uses UDP port 123 by default. If you want to synchronize your time server with an SNTP server on the Internet, make sure that port is available.
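To see what actually crosses UDP port 123, the following added example (not from the original article or from Microsoft) builds a 48-byte SNTP client request and validates a server reply before computing the clock offset with the standard SNTP formula. It runs offline against a constructed reply; the helper names, the `TEST` reference ID and all timestamps are assumptions made for the demonstration.

```python
import struct

NTP_DELTA = 2208988800       # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
HEADER = "!BBbbII4sQQQQ"     # 48-byte SNTP header; timestamps are 32.32 fixed point

def to_ntp(unix_sec):
    return int((unix_sec + NTP_DELTA) * 2**32)

def from_ntp(ts):
    return ts / 2**32 - NTP_DELTA

def build_request(t1_unix):
    # LI=0, VN=3, Mode=3 (client) = 0x1B; only the transmit timestamp is set
    return struct.pack(HEADER, 0x1B, 0, 0, 0, 0, 0, b"\0" * 4,
                       0, 0, 0, to_ntp(t1_unix))

def parse_reply(reply, request, t4_unix):
    """Validate a server reply; return (offset, round_trip_delay) in seconds."""
    if len(reply) < 48:
        raise ValueError("short packet")
    flags, stratum, *_, orig, recv, xmit = struct.unpack(HEADER, reply[:48])
    if flags & 7 != 4:
        raise ValueError("not a server-mode reply")
    if flags >> 6 == 3 or stratum == 0:
        raise ValueError("server reports it is not synchronized")
    if xmit == 0:
        raise ValueError("missing transmit timestamp")
    if orig != struct.unpack(HEADER, request)[-1]:
        raise ValueError("reply does not match our request")
    t1, t2, t3 = from_ntp(orig), from_ntp(recv), from_ntp(xmit)
    offset = ((t2 - t1) + (t3 - t4_unix)) / 2
    delay = (t4_unix - t1) - (t3 - t2)
    return offset, delay

def sample_reply(request, t2_unix, t3_unix, flags=0x1C, stratum=1):
    # Constructed server reply for the offline demo (LI=0, VN=3, Mode=4)
    sent = struct.unpack(HEADER, request)[-1]
    return struct.pack(HEADER, flags, stratum, 0, -20, 0, 0, b"TEST",
                       to_ntp(t2_unix), sent, to_ntp(t2_unix), to_ntp(t3_unix))

if __name__ == "__main__":
    t1 = 1_000_000_000.0                       # constructed client send time
    req = build_request(t1)
    rep = sample_reply(req, t1 + 3.05, t1 + 3.06)   # server clock 3 s ahead
    offset, delay = parse_reply(rep, req, t1 + 0.11)
    print(f"offset {offset:+.3f}s, round trip {delay:.3f}s")
```

Rejecting replies whose originate timestamp does not echo the request, or whose leap indicator marks the server as unsynchronized, keeps a stale or unsolicited packet from moving the clock that Kerberos depends on.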

Discuss this Article 27

Brian M. Russell (not verified)
on Jun 22, 2001
RFC 2030, October 1996, is also very interesting. It obsoletes RFC 1769, March 1995, to which you refer.
Anonymous User (not verified)
on Nov 23, 2004
The article was an eye opener ... spl thanks to the author
Anonymous User (not verified)
on Jan 30, 2005
My dog ate my homework.
Marc Chang (not verified)
on Jan 9, 2001
Read this Article - very simple with examples http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14943
Kit Skinner (not verified)
on Mar 21, 2000
This is something that's been a long time coming and should have been implemented a while ago. We have been using a third-party utility since NT 3.51 to keep our domain in sync (Greyware Domain Time), and probably will continue to do so through Win2k. It provides many features and higher accuracy than the default time service does while working with Win9x, NT, and Win2k, among others. The time service is an improvement on what was there (nothing), but still leaves a lot to be desired.
Mitch (not verified)
on Mar 21, 2000
Did you know that Novell has had a time sync feature built in for a while now? I'm not a big Novell fan, but this time thing is no big deal. It's been done, and as Microsoft usually does, it just copies other people's ideas.
Justen Brydon (not verified)
on Mar 21, 2000
You mention that to sync your root domain controller, you have to type /net time 192.x.x.x for which ever time server you want to sync with. However, if you don't want your servers on the internet at all, then how do you get around this?
Anonymous User (not verified)
on Nov 7, 2004
I GOT NICE HELP HERE
Rob Wood (not verified)
on Mar 22, 2000
A great and timely article. I had been using the Resource Kit for NT 4 Time service on all my systems. It is good to see it built in, but I did not know it was there before I read this. I was disappointed to see it missing from the Win2K resource kit, but now I know why! It is strange that as I searched the KB at MS, I could not find out about this change. Thanks for a good article.
Herb Martin (not verified)
on May 22, 2000
Obviously the author didn't spend any time trying to get the time service commands to WORK using "Net TIME"; I did and I STILL cannot figure out the correct syntax; it is NOT documented as far as I can tell.
Wayne Randall (not verified)
on May 5, 2004
The command seems to work, but when I look in my event logs I see the error: The NTP server didn't respond Source: w32Time ID: 11 Also, is there a command that will force a client to sync with the Domain Controller without the need for user interaction? Net Time \\server /set in a logon script requests confirmation from the user.
al odlum (not verified)
on Mar 20, 2000
I presently operate one Novell NetWare ver 5 server with various Win 98 and NT workstations. I am adding one Win2000 server and a Win2000 workstation this week. Hopefully, the added environment of a Win server will go smoothly.
Michael Pollock (not verified)
on Jun 1, 2004
Open up port 123 in your firewall for your domain controller to be able to access an outside NTP server. Also, put /YES at the end to force the client to sync... net time \\server /set /yes
Dave B (not verified)
on Mar 22, 2000
Is it possible to make my standalone Win2K Pro machine synchronize directly to the servers you listed?
Eric (not verified)
on Nov 21, 2002
How does one set and forget? Must you type this every time to set the clock? Where are parameters stored?
James Turner (not verified)
on Mar 22, 2000
Is the W32time version that ships w/ W2K different from the W32Time.exe and W32time.ini that exist at ftp://ftp.microsoft.com/ResKit/y2kfix/x86/w32time? The documentation at that location is pretty much identical to the original TimeServ doc. I'd like to know if setting up Time Services for W2k is going to differ from what the documentation at the above site indicates. If so, could you possibly go into more detail as to how this is set up on the Master, Secondary and Primary servers of Windows 2000?
