Saturday, July 31, 2010

How to configure an authoritative time server in Windows 2000

http://support.microsoft.com/kb/216734

This article was previously published under Q216734
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/).
For a Microsoft Windows XP version of this article, see 314054 (http://support.microsoft.com/kb/314054/).

SUMMARY
This article describes how to configure the Windows Time service in Microsoft Windows Server 2000. The Windows Time service can be configured to use an internal hardware clock or an external time source. We recommend that you use an internal hardware clock.

Introduction
Windows includes W32Time, the Time service tool that is required by the Kerberos authentication protocol. The purpose of the Windows Time service is to make sure that all computers that are running Windows 2000 or later versions in an organization use a common time. To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops.

By default, Windows-based computers use the following hierarchy:
  • All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
  • All member servers follow the same process as client desktop computers.
  • Domain controllers may nominate the primary domain controller (PDC) operations master as their in-bound time partner but may use a parent domain controller based on stratum numbering.
  • All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
Following this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative Time Server to gather the time from a hardware source. When you configure the authoritative Time Server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.

MORE INFORMATION
Configuring the Windows Time service to use an internal hardware clock

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows


We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative Time Server to sync with an Internet time source, there is no authentication. To configure Windows Time service to use an internal hardware clock, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  3. In the right pane, right-click ReliableTimeSource, and then click Modify.
  4. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
  5. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  6. In the right pane, right-click LocalNTP, and then click Modify.
  7. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
  8. Quit Registry Editor.
  9. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
    net stop w32time && net start w32time
  10. Run the following command on all the computers other than the Time Server to reset the local computer's time against the Time Server:
    w32tm -s
Note You must not configure the Time Server to synchronize with itself. If you configure the Time Server to synchronize with itself, the following events are logged in the Application log:

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x0|192.168.1.1:123->192.168.1.1:123).



No response has been received from Manual peer 192.168.1.1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer from which to synchronize.



The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.



For more information about the w32tm command, type the following command at a command prompt:
w32tm /?

Configuring Windows Time service to use an external time source

Administrators can configure the Windows Time service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative. For example, you can use the Microsoft time server (time.windows.com) as the external SNTP time server. To configure Windows Time service to use an external SNTP time server, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Follow these steps to change the server type to NTP:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the right pane, right-click TYPE, and then click Modify.
    3. In Edit Value, type NTP in the Value data box, and then click OK.
  3. Follow these steps to configure the server as a reliable time source:
    1. In the right pane, right-click ReliableTimeSource, and then click Modify.
    2. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
  4. Follow these steps to configure the server LocalNTP to 0:
    1. In the right pane, right-click LocalNTP, and then click Modify.
    2. In Edit DWORD Value, type 0 in the Value data box, and then click OK.
  5. Follow these steps to specify the time sources:
    1. In the right pane, right-click NtpServer, and then click Modify.
    2. In Edit Value, type Peers in the Value data box, and then click OK.

      Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique.
  6. For Windows 2000 Service Pack 4 only, set the time correction setting. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the right pane, right-click MaxAllowedClockErrInSecs, and then click Modify.
    3. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

      Note TimeInSeconds is a placeholder for the max number of seconds difference between the local clock and the time received from the NTP server in order to be considered a valid new time.
  7. Follow these steps to set the poll interval:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the right pane, right-click Period, and then click Modify.
    3. In Edit DWORD Value, type 24 in the Value data box, and then click OK.
  8. On the File menu, click Exit to exit Registry Editor.
  9. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
    net stop w32time && net start w32time
  10. Run the following command on all the computers other than the Time Server to reset the local computer's time against the Time Server:
    w32tm -s

By default, SNTP uses User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. A computer that is configured to be a reliable time source is identified as the root of the Windows Time service. The root of the Time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP server or a hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available.

The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Period registry key controls how frequently the Windows Time service synchronizes. If a value is specified, it must be one of the special values in the following list:
  • 65531, "DailySpecialSkew" - Sets synchronization to one time every 45 minutes until successful one time, then one time every day.
  • 65532, "SpecialSkew" - Sets synchronization to one time every 45 minutes until successful three times, then one time every eight hours. This is the default setting.
  • 65533, "Weekly" - Sets synchronization to one time every seven days.
  • 65534, "Tridaily" - Sets synchronization to one time every three days.
  • 65535, "BiDaily" - Sets synchronization to one time every two days.
  • 0 - For NT5DS, the synchronization is one time every 45 minutes until successful three times, then one time every eight hours. For NTP, the synchronization is one time every 8 hours.
  • freq - freq stands for the number of times per day you want Windows Time service to synchronize. If you want to use a value other than any one of those specified earlier, you must use this option.
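
As an added example (not part of the Microsoft article), the Python below audits an exported copy of the W32Time\Parameters values against the external time source steps, the self-synchronization note and the Period list above. The sample export, the function names and the own_addresses argument are assumptions made for the illustration.

```python
import re

# Constructed sample: W32Time\Parameters values as they appear in a regedit export.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
"ReliableTimeSource"=dword:00000001
"LocalNTP"=dword:00000001
"NtpServer"="time.windows.com 192.168.1.1 time.windows.com"
"Period"=dword:00000018
'''

# Special Period values listed in the article.
PERIOD_NAMES = {65531: "DailySpecialSkew", 65532: "SpecialSkew", 65533: "Weekly",
                65534: "Tridaily", 65535: "BiDaily"}

def parse_export(text):
    """Return {name: value} with dword values decoded from hex to int."""
    values = {}
    for name, raw in re.findall(r'^"([^"]+)"=(.+?)\s*$', text, re.MULTILINE):
        if raw.lower().startswith("dword:"):
            values[name] = int(raw[6:], 16)
        else:
            values[name] = raw.strip('"')
    return values

def describe_period(period):
    if period in PERIOD_NAMES:
        return PERIOD_NAMES[period]
    if period == 0:
        return "default schedule for the configured Type"
    return f"{period} synchronizations per day"

def audit(values, own_addresses):
    """Check an authoritative server's values against the article's steps."""
    findings = []
    peers = values.get("NtpServer", "").split()
    if values.get("ReliableTimeSource") != 1:
        findings.append("ReliableTimeSource is not 1")
    if values.get("Type", "").upper() == "NTP":
        if values.get("LocalNTP") != 0:
            findings.append("LocalNTP should be 0 for an external source")
        if "MaxAllowedClockErrInSecs" not in values:
            findings.append("MaxAllowedClockErrInSecs not set (SP4 only)")
    if len(peers) != len(set(p.lower() for p in peers)):
        findings.append("NtpServer lists a duplicate peer")
    if any(p.lower() in own_addresses for p in peers):
        findings.append("NtpServer points at the server itself")
    return findings
```

Pass the server's own names and addresses in lowercase as own_addresses; an empty list from audit() means none of the conditions above were found.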

REFERENCES
For more information about the Windows Time service, click the following article numbers to view the articles in the Microsoft Knowledge Base:
884776 (http://support.microsoft.com/kb/884776/) Configuring the Windows Time service against a large time offset
816042 (http://support.microsoft.com/kb/816042/) How to configure an authoritative time server in Windows Server 2003
314054 (http://support.microsoft.com/kb/314054/) How to configure an authoritative time server in Windows XP


For additional information about the Windows Time service in a Windows Server 2003-based forest, visit the following Web site:
http://technet.microsoft.com/en-us/library/cc773061.aspx

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
Keywords:
kbproductlink kbsecurity kbenv kbfsmo kbhowto KB216734
