Windows 2000 (Win2K) uses a time service, known as Windows Time Synchronization Service (Win32Time), to ensure that all Win2K computers on your network use a common time. In fact, MIT Kerberos 5, Win2K's default authentication protocol, requires the service. In Win2K, time synchronization is crucial because Kerberos uses workstation time as part of the authentication process. Let's discuss the time service, which complies with the Simple Network Time Protocol (SNTP). (For more information about SNTP, see Request for Comments— RFC—1769.)

How Does the Time Service Work?
When a client workstation (i.e., a Windows 2000 Professional—Win2K Pro—machine) boots, it contacts a domain controller for authentication. When the two computers exchange authentication packets, the client adjusts its local time based on the target (i.e., the domain controller's) time. If the target time is ahead of local (i.e., the client's) time by less than 2 minutes, the client immediately adjusts its time to match the target time. If the target time is behind the local time by less than 2 minutes, the client slows its clock over a period of 20 minutes until the two times are in synch. If the local time is off by more than 2 minutes, the client immediately sets its time to match the target time.

Because time synchronization is so critical, the client periodically verifies that its time is in synch with the time server. By default, the client performs these checks every 8 hours. It connects to the authenticating domain controller, which is its inbound time partner, and performs the checks using a strategy that seeks to attain a convergence wherein the two computers are never more than 2 seconds apart. If the local time strays by more than 2 seconds, the client checks its time against the authenticating domain controller more often—in fact, it divides its verifying interval in half, repeating this division until it meets one of the following conditions:

  • The difference between the local and target is no more than 2 seconds
  • The interval reaches its shortest duration (by default, 45 minutes)

When the two computers' times return to within 2 seconds of each other, the verification interval doubles at each check until reaching the maximum interval of 8 hours.

Time Service Hierarchy
Windows Time Synchronization Service uses a hierarchical relationship that focuses on the PDC Emulator at the root of the Active Directory (AD) forest. By default, the first domain controller in a forest acts as the PDC Emulator for the root domain and becomes authoritative for the entire enterprise—an event that the Event Viewer logs in the system log as Event ID 62. You’ve probably seen the Event Viewer filled with Event ID 62 from the source Win32Time. The description field states, "This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command, ‘net time /setsntp:<server name>’." In other words, you must configure the PDC Emulator to recognize an external SNTP time server as authoritative using the Net Time command from the command prompt. Type

net time /?

at the command prompt for the syntax. You can use any of the following US Naval Observatory SNTP time servers:

  • tick.usno.navy.mil at 192.4.41.40
  • tock.usno.navy.mil at 192.5.41.41
  • ntp2.usno.navy.mil at 192.5.41.209

Let's look at the time service hierarchy from the bottom up to see how computers synchronize times and dates with their time partners. Workstations and member servers in a domain use the authenticating domain controller as their inbound time partner. Domain controllers use the PDC Emulator in their own domain as their inbound time partner. The PDC Emulator in each domain uses the PDC Emulator in its parent domain as the inbound time partner, until we reach the top of the hierarchy—the root domain. The PDC Emulator in the root of the forest is the authoritative time server, which you should set manually to synchronize time with an external SNTP time server, as I discussed earlier.

One final note: SNTP uses UDP port 123 by default. If you want to synchronize your time server with an SNTP server on the Internet, make sure that port is available.