
Configuring time server on Windows

Posted: 20 Nov 2010, 11:21
by daniele
ORIGINAL ARTICLE: http://robsilver.org/ad/demystifying-time-in-a-forest/
ALL RIGHTS RESERVED TO THE AUTHOR(S) OF THE ORIGINAL ARTICLE.

Demystifying Time in a Forest
by Rob Silver on April 23, 2010

There are a large number of posts on the internet regarding setting up or troubleshooting time in an Active Directory forest. This blog aims to shed some light on the key principles, configuration and useful resources for time in an Active Directory forest.

One of the key reasons for the posts on Domain Controller time settings is the PDC Emulator not being configured with a reliable time source, which generates the following error in DCDiag:

Warning: SERVERNAME is not advertising as a time server or errors related to the server not advertising itself as a Domain Controller.

The TIMESERV flag will not be set for that DC if there are any issues with the Windows Time Service.

Key Principles


Firstly, do you really need accurate time? Not really. In fact, Microsoft doesn't even support high time accuracy. http://blogs.technet.com/askds/archive/ ... ments.aspx

However, it would be a really nice feature to have all machines on the network showing the correct time. Naturally, there are some instances where accurate time is absolutely necessary, e.g. banking, time logging applications, transport systems etc. The Stratum is the degree to which a computer's clock is accurate. The lower the value, the higher the accuracy; a value of 1 is considered the highest accuracy.

So, your time can be a year off and your forest will work fine. PLEASE don’t test this. USN rollback or Certificate expiration may occur if you experiment with this which is a topic for another day…

Next question: do the clocks need to be in sync within the Forest? Yes they do, give or take 5 minutes, in order to ensure you don't break Kerberos as per RFC 1510.

So, it is more important to ensure that the clocks are in sync than to ensure accurate time, although accurate time is nice.

Windows 2000 used SNTP (Simple Network Time Protocol) and Net Time as both the protocol and management tool for managing time. This is pretty much outdated although some Domain Admins are still using the legacy mechanisms (net time /setsntp….) to try and configure the 2003/2008/2008 R2 Domain Controllers.

From Windows Server 2003 onwards, NTP is used as the protocol (it works in Coordinated Universal Time [UTC], independent of time zones) on UDP port 123. Time is managed by the Windows Time Service (w32time.dll), which is in turn configured via the w32tm.exe command line tool.

There’s a fundamental difference between w32tm and Net Time command lines. Net time only queries the time of the remote computer using the multi-functional net.exe utility while w32tm specifically queries the Windows Time Service. However, net time is still useful as it can be used to query remote devices which don’t run the Windows Time Service or NTP.

Please note that the command “Net Time” with no switches will query the time of a Domain Controller and not the local machine. This can be overridden with the \\computername switch. To query the time in a different domain, use the /domain:domainname switch. Although the “Net Time” command queries remote computers, the /SET switch only sets the time of the local machine (not the \\computername machine).

When setting up the forest, the best practice is to have the Forest Root PDC Emulator retrieve its time from a reliable time source (Manual NTP Server), while all other DCs retrieve their time from the PDC Emulator in the forest root (Domhier). Clients retrieve their time from any Domain Controller advertising as a time server.

Let's look at the steps involved in setting up the PDC Emulator in the forest root domain, on the assumption that you would like it to synchronise its time with a remote reliable NTP server.

PDC Emulator Configuration (Forest Root Domain)


Before starting any configuration, you need to make sure that you can access an external reliable NTP server. If you are struggling to find one, a pool of load balanced NTP servers is available on the Internet from the NTP Pool project. This project will have servers close to you, which will give you marginally higher accuracy thanks to lower round-trip variation. Have a look at http://www.pool.ntp.org to find an NTP Pool near you. Remember that you will need UDP port 123 access from your PDC Emulator to the desired Internet-based NTP server.

Next, find the PDC Emulator. You can find the PDC Emulator for the domain using the “netdom query fsmo” command on any domain controller.

On the PDC Emulator, let's first clear all the w32tm configuration. This will allow us to start afresh and not be concerned with previous, potentially inaccurate configurations. This is optional, but something I usually do to ensure that I am aware of every config entry I make. To do this:

w32tm /unregister

Wait a minute or two

w32tm /register

Now, to configure the PDC Emulator, run the following:

w32tm /config /manualpeerlist:pool.ntp.org,0x1 /syncfromflags:manual /update

Note: The 0x1 is required as this is a DNS name and not an IP Address.

/syncfromflags:manual tells the PDC Emulator that it will use an external NTP server for time, and not the domain.

Remember to restart the Windows Time Service after each configuration change. Use the following command to restart the Windows Time Service:

net stop w32time & net start w32time

Once you have done this, you can verify these settings in the Registry in the following location:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type: NTP

NTPServer: pool.ntp.org

You can also use w32tm to check the new configuration:

w32tm /query /configuration

ONLY the PDC Emulator of the Forest Root Domain should have the Type configured as NTP. All other machines in the domain should have this entry set to NT5DS in order to obtain their time from the Domain and not external NTP servers.

You now need to tell the server to go out and discover what the time is supposed to be using NTP. Use the following command to do this:

w32tm /resync /rediscover

At any time, you can use the following command to monitor the server, which is really useful for troubleshooting:

w32tm /monitor

You can also check the status of the server as follows:

w32tm /query /status

The following two registry entries specify the maximum time shift, in seconds, that the DC will accept from its peers:

MaxPosPhaseCorrection (default – 172800 seconds)

MaxNegPhaseCorrection (default – 172800 seconds)

Although Microsoft recommends changing this to 900 seconds, others have suggested reducing it to 300 seconds to ensure you don't run into the 300 second Kerberos skew issues mentioned above. Use your discretion here. I always use 300 seconds. The default is 2 days (172800 decimal). If you are 2 days out, it might be the weekend and you are still working…

Note: If your DC is having difficulty with any of the above steps, ensure that there are no GPO Time Settings applying to the Domain Controller. You can check this using Resultant Set of Policy under the following GPO settings path:

Computer Configuration > Administrative Templates > System > Windows Time Service

Client and additional Domain Controller Configuration

On the assumption that no GPO configuration settings have been applied, the clients should work fine under normal circumstances.

All client devices within the domain should receive their time from the domain. To manually tell a client to do this, run the following:

w32tm /config /syncfromflags:domhier /update

This can also be done using Group Policy here:

Computer Configuration > Administrative Templates > System > Windows Time Service

Once you have done this, you can verify these settings on the client in the Registry in the following location:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type: NT5DS

NTPServer: PDCEmulatorName
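Both procedures above leave a verifiable end state: Type NTP with a manual peer list only on the forest-root PDC Emulator, NT5DS everywhere else, MaxPos/MaxNegPhaseCorrection tightened, and no Group Policy override. The following PowerShell audit is an added example and not part of Rob's article; it assumes a domain-joined Windows host, reads the two phase-correction values from the W32Time\Config subkey (where they are stored), and treats HKLM\SOFTWARE\Policies\Microsoft\W32Time as the registry footprint of the GPO path named above.

```powershell
# Added example (not from the original article): audit this host's W32Time settings against
# the guidance above. Assumes a domain-joined Windows host; MaxPos/MaxNegPhaseCorrection are
# read from the W32Time\Config subkey, and the Policies key is the GPO's registry footprint.
function Test-W32TimeConfig {
    param([int]$MaxPhaseSeconds = 300)   # the article's preferred clamp; Microsoft suggests 900

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'

    # Locate the PDC Emulator via .NET so the ActiveDirectory module is not required.
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $isPdc = $pdc -like "$env:COMPUTERNAME.*"

    $p = Get-ItemProperty -Path $params
    $c = Get-ItemProperty -Path $config
    $findings = New-Object System.Collections.Generic.List[string]

    # Rule 1: only the forest-root PDC Emulator is Type=NTP; every other machine is NT5DS.
    $expectedType = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    if ($p.Type -ne $expectedType) {
        $findings.Add("Type is '$($p.Type)', expected '$expectedType' (PDC Emulator is $pdc)")
    }

    # Rule 2: a PDC Emulator without a manual peer list has nothing to sync from.
    if ($isPdc -and [string]::IsNullOrWhiteSpace($p.NtpServer)) {
        $findings.Add('PDC Emulator has no NtpServer (manualpeerlist) configured')
    }

    # Rule 3: clamp accepted corrections so one bad peer cannot push the clock past Kerberos skew.
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        if ($null -eq $c.$name) { continue }
        $v = [uint32]([int64]$c.$name -band 0xFFFFFFFF)   # a DWORD may read back as a negative Int32
        if ($v -gt $MaxPhaseSeconds) {
            $findings.Add("$name is $v seconds (recommended <= $MaxPhaseSeconds)")
        }
    }

    # Rule 4: Windows Time Service GPO settings override whatever w32tm /config wrote locally.
    if (Test-Path $policy) {
        $findings.Add("Group Policy W32Time settings exist at $policy and override local w32tm config")
    }
    return $findings
}

$result = @(Test-W32TimeConfig)
if ($result.Count -eq 0) { 'OK: W32Time configuration matches the guidance above' }
else { $result | ForEach-Object { "WARN: $_" } }
```

Run it on the PDC Emulator and on one ordinary DC or client; the expected-type check flips automatically depending on which host it finds itself on.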

Useful Links:

Windows Time Technical Reference

http://technet.microsoft.com/en-us/libr ... S.10).aspx

High Accuracy w32time Requirements:

http://blogs.technet.com/askds/archive/ ... ments.aspx

NTP Pool Project:

http://www.pool.ntp.org/en/use.html

The 10’000 year clock:

http://www.longnow.org/clock/

Time Software Providers:

#1 Ace Software

40Tude Software

Acrovista

Apple Computer

Atom Time

Beagle Software

Bytefusion Ltd.

Dillobits

Thinking Man Software

Express Computing

Getware

Green Parrots Software

Gregory Braun

Greyware Automation Products

HC Mingham-Smith Limited

K & G Group

KezerNet

Masterclock

Meinberg

Mirage Audio Visual Media

MR Technical Solutions

NTP.org

Polygon, Inc.

RBA Software

RJ Software

Luzius Schneider Software

Slipstream Solutions

Soft Shape

Symmetricom

Tolvanen

Talking Time Keeper

VicTech

Visual GPS

W. Clark & Assoc.

WorldClock

Worldtimeserver.com

Time and Frequency Receiver Manufacturers:

Amano

American Time and Signal

Arbiter Systems

Atomic Time

Beaglesoft

Brandywine Communications

BRG Precision

C-MAX

Casio

Chaney Instruments

Chrono-Log

CNS Systems

Control Company

CrossRate Technology

CxR Larus

DICOM

Digital Display Systems, Inc.

EndRun Technologies

ESE

Fluke

Franklin Instrument

Galleon

Garmin

Gorgy Timing

hopf Elektronik GmbH

Horita

Howard Miller

Innotime Industrial, Ltd.

Instrumentation Technology Systems

Javad Navigation Systems

Junghans

Klockit

La Crosse Technology

Lathem Time

Macrodyne

Magellan

Masterclock

Meinberg

Navsys

Novatel

Oregon Scientific

Oscilloquartz

Pendulum Instruments AB

Precision Test Systems LTD

Precitel

Primex USA

Primex Wireless

Precise Time and Frequency, Inc.

Radio Shack

Raven Industries

RE-Resources

San Jose Navigation

Sangean America, Inc

Schweitzer Engineering Laboratories, Inc.

Septentrio

SkyScan

Spectracom

Stanford Research

Symmetricom

Time Tools

Topcon

TRAK Systems

Trimble

Zyfer


Hope this helps,

Rob