Time Synch: Windows Server 2003 R2 and Windows XP Pro in an Active Directory Domain
Some of you out there perhaps are having time synching problems (many of my clients did), so here are some notes that can help you fix the problem. Warning: these changes could prevent workstations from being able to log back into the server. Please read carefully, and if you have any questions please call us.
The problem: the Primary Domain Controller (PDC) server is off by minutes from the actual time. Workstations synch with the PDC server, and users may run applications that require the correct time, such as time-sheets.
Traditionally, the LAN administrator would log onto the server and correct the time manually. The server would be fine for a few months, and eventually someone would alert the LAN administrator that the time is off again.
This is an issue with old servers that rely on their internal clock. The internal clock is powered by a battery, just like your watch, and once this battery no longer recharges the time constantly needs to be set manually. Replacing the internal CMOS battery is part of the solution. However, nowadays almost everyone has access to the Internet, and there are other solutions to this problem. One solution is presented here; I use it internally in our network and it works great.
The traditional method of synching the workstation clock with the server also needs to be recognized as part of the problem, as this is a manual command that needs to be automated:
    C:\Users\ENDUSERNAME.BESTNETWORKS>net time \\server /SET
    Current time at \\server is 11/21/2009 3:41:00 PM
    The current local clock is 11/21/2009 3:41:00 PM
    Do you want to set the local computer's time to match the
    time at \\server? (Y/N) [Y]: Y
    The command completed successfully.
This command allows the workstation to synch its time against the file server. I have implemented this command as part of the logon script many times. I would like to find a better solution, perhaps Visual Basic scripting or a Group/Domain Policy setting.
[Microsoft Article]
Synching to an Internal Time Source
The simplest solution to time synchronization in an Active Directory environment is to let the PDC Emulator in the forest root domain use its own CMOS clock as the source of reliable time for the forest. To do this, you can simply take no action. The only annoying result is that you will occasionally see the following event logged to the System log in Event Viewer:
Event ID: 12
Event source: W32Time
Event description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Basically, what this event means is that the PDC Emulator in the forest root domain has not been configured to synchronize its clock with an external stratum 1 time source, and as a result the clocks on all machines in your forest cannot be considered reliable. Now this may be an issue if employees rely upon their workstations’ CMOS clocks for signing in and out, but as far as Kerberos is concerned it’s a non-issue because Kerberos only requires that clocks on clients and authenticators agree with each other, not that they display accurate time. So if every machine’s clock in the forest is one hour late, Kerberos will still work fine and replay attacks will be prevented, which is the purpose of W32Time anyway.
Synching to an External Time Source
If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:
This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.
This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.
This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 188.8.131.52 instead.
- NOTE: I'm not sure but… if I'm working on a workstation (say Windows XP Pro or Vista), will it work if I change the name of the external server to the name of the internal domain controller server? After all, the PDC is already synchronizing against the external server per the steps above. I will test this on a Vista computer and later on an XP computer!!! The problem I have with this is that this is a manual change, and I would like it best to be an automated change, especially if I have to do it on a client site with hundreds of computers. Alternatively I would use the net time \\server /set < [mapped-drive path]\yes.txt command.
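The logon-script automation asked for above (the manual net time command earlier on this page, and the note about hundreds of client computers) can be done with a small batch file. This is an added example, not a script from the original post: it assumes the domain controller is reachable as \\server (placeholder), that the script runs with local administrator rights (w32tm /config needs them), and it logs to %TEMP%\timesync.log so a drifting client can be found later. It makes the workstation follow the domain hierarchy, falls back to the page's net time command with /yes so nobody has to answer the (Y/N) prompt, and records the remaining offset.

```batch
@echo off
rem Added example (not from the original post): logon script that makes a domain
rem workstation sync against the domain hierarchy instead of relying on a manual
rem "net time" prompt. Assumptions: the PDC emulator is reachable as \\server
rem (placeholder) and the script runs with local admin rights.
setlocal
set DC=\\server
set LOG=%TEMP%\timesync.log

echo %DATE% %TIME% starting time sync on %COMPUTERNAME% >> "%LOG%"

rem Take time from the domain hierarchy (the NT5DS setting). This is the normal
rem setting for a domain member, so workstations follow the PDC without naming
rem an external server on every client.
w32tm /config /syncfromflags:domhier /update >> "%LOG%" 2>&1

rem Ask for an immediate resync instead of waiting for the next poll.
w32tm /resync >> "%LOG%" 2>&1
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% w32tm resync OK >> "%LOG%"
    goto :done
)

rem Fallback for clients where w32tm cannot be configured: the page's own
rem "net time" command, with /yes so no one has to answer the prompt.
echo %DATE% %TIME% w32tm resync failed, falling back to net time >> "%LOG%"
net time %DC% /set /yes >> "%LOG%" 2>&1
if %ERRORLEVEL% NEQ 0 echo %DATE% %TIME% net time failed, rc %ERRORLEVEL% >> "%LOG%"

:done
rem Record the resulting offset against the DC for later review. %DC:~2% strips
rem the leading backslashes because /computer: wants a bare host name.
w32tm /stripchart /computer:%DC:~2% /samples:1 /dataonly >> "%LOG%" 2>&1
endlocal
```

Assign it as the user logon script in Group Policy (or keep calling it from the existing logon script). The stripchart line is the useful part for troubleshooting: collecting %TEMP%\timesync.log from a client shows whether the offset is shrinking after each logon or whether that client never reaches the DC at all.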
Now stop and restart the Windows Time service using the following commands:
    net stop w32time && net start w32time
It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.
Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:
    w32tm /resync /rediscover
There are additional registry settings you can configure to ensure external time synchronization operates effectively, see this article in the Microsoft Knowledge Base for details.
All available synchronization mechanisms
The “all available synchronization mechanisms” option is the most valuable synchronization method for users who are on a network. This method enables synchronization with the domain hierarchy and may also provide an alternative time source if the domain hierarchy becomes unavailable, depending on the configuration. If the client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source that is specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.
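The PDC emulator procedure above (Type NT5DS to NTP, the REG_DWORD from 10 to 5, NtpServer, restart, resync) and the "all available synchronization mechanisms" client setting from this section can both be applied from one script so they are repeatable on a client site. This is an added example, not from the original post, the quoted article or the Knowledge Base text. It assumes that the unnamed registry entries in the article are the W32Time values Parameters\Type, Config\AnnounceFlags and Parameters\NtpServer, that "all available synchronization mechanisms" corresponds to Type=AllSync, that ntp.example.com is a placeholder fallback peer, that it runs as an administrator, and that the firewall allows outbound UDP 123 to the external server.

```batch
@echo off
rem Added example (not from the original post, the article or the KB text):
rem applies either the PDC emulator procedure or the "all available
rem synchronization mechanisms" client setting. Assumptions: the registry value
rem names are the W32Time values the text describes without naming
rem (Parameters\Type, Parameters\NtpServer, Config\AnnounceFlags); CLIENT mode's
rem fallback peer is a placeholder; run as an administrator.
rem Usage:  settime.cmd PDC      (forest-root PDC emulator: Type=NTP, AnnounceFlags=5)
rem         settime.cmd CLIENT   (domain member: Type=AllSync, NtpServer as fallback)
setlocal
set W32=HKLM\SYSTEM\CurrentControlSet\Services\W32Time
set EXTERNAL=tock.usno.navy.mil,0x1
set FALLBACK=ntp.example.com,0x1

if /i "%1"=="PDC" goto :pdc
if /i "%1"=="CLIENT" goto :client
echo Usage: %~nx0 PDC ^| CLIENT
exit /b 1

:pdc
rem Take time from the manual peer list (NTP) instead of the domain hierarchy (NT5DS).
reg add "%W32%\Parameters" /v Type /t REG_SZ /d NTP /f
rem Advertise this DC as a reliable time source (AnnounceFlags 10 -> 5).
reg add "%W32%\Config" /v AnnounceFlags /t REG_DWORD /d 5 /f
rem Space-delimited peers; ",0x1" after a DNS name selects the special poll interval.
reg add "%W32%\Parameters" /v NtpServer /t REG_SZ /d "%EXTERNAL%" /f
set CHECK=tock.usno.navy.mil
goto :restart

:client
rem AllSync: follow the domain hierarchy, fall back to NtpServer if no DC answers.
reg add "%W32%\Parameters" /v Type /t REG_SZ /d AllSync /f
reg add "%W32%\Parameters" /v NtpServer /t REG_SZ /d "%FALLBACK%" /f
rem %LOGONSERVER% is \\DCNAME on a domain member; ~2 strips the backslashes.
set CHECK=%LOGONSERVER:~2%

:restart
rem Restart the service so the new values are read, then resync right away
rem instead of waiting an hour for the polling cycle.
net stop w32time && net start w32time
w32tm /resync /rediscover

rem Verify: offset against the source over three samples, then the values written.
w32tm /stripchart /computer:%CHECK% /samples:3 /dataonly
reg query "%W32%\Parameters" /v Type
reg query "%W32%\Parameters" /v NtpServer
endlocal
```

On Windows Server 2003 the three PDC registry writes can also be expressed as a single w32tm /config /manualpeerlist:"tock.usno.navy.mil,0x1" /syncfromflags:manual /reliable:yes /update command, which writes the same values; the registry form is shown here because it matches the article's steps and works the same way on XP clients. Expect the first stripchart samples to be large if the server was minutes off; the point of running it is to confirm the offset is shrinking rather than staying flat, which usually means UDP 123 is blocked or the peer name does not resolve.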
Windows Time service registry entries
The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\
- Notes: This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event. Special case: 0xFFFFFFFF means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).
- Notes: This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: -1 means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).
- Notes: This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.
- Notes: This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.
- Notes: This entry specifies the maximum offset, in seconds, for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this value, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.
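The entry names did not survive in the table above, which makes it hard to check a server against it. The following is an added example, not from the original post or the Knowledge Base: it reads the five limits described above with reg query and flags the unbounded 0xFFFFFFFF correction on a domain controller. It assumes the rows correspond to the documented W32Time values MaxPosPhaseCorrection, MaxNegPhaseCorrection, MaxPollInterval and MaxAllowedPhaseOffset under W32Time\Config, and SpecialPollInterval under W32Time\TimeProviders\NtpClient. The reason to audit this: with the domain-member default of 0xFFFFFFFF, one bad sample from a peer can move the PDC emulator's clock by any amount and every machine in the forest follows it; Microsoft's guidance for domain controllers is a finite limit of 48 hours (172800 seconds).

```batch
@echo off
rem Added example (not from the original post or the KB table): read the W32Time
rem limits described in the table and flag risky settings. The table lost the
rem value names; the names below are assumed to be the documented W32Time values.
setlocal
set W32=HKLM\SYSTEM\CurrentControlSet\Services\W32Time

call :show Config MaxPosPhaseCorrection
call :show Config MaxNegPhaseCorrection
call :show Config MaxPollInterval
call :show Config MaxAllowedPhaseOffset
call :show TimeProviders\NtpClient SpecialPollInterval
goto :eof

:show
rem %1 = subkey, %2 = value name. reg query prints "name  REG_DWORD  0x..." so
rem the third token is the hex value; find keeps only the line for that name.
set VAL=
for /f "tokens=3" %%v in ('reg query "%W32%\%1" /v %2 2^>nul ^| find /i "%2"') do set VAL=%%v
if not defined VAL (
    echo %2: not set, built-in default applies
    goto :eof
)
echo %2: %VAL%
rem 0xffffffff means "always correct, whatever the size of the jump". On a domain
rem controller that lets a single bad sample move the whole forest's clocks.
if /i "%VAL%"=="0xffffffff" echo   WARNING: %2 is unbounded. Consider 0x2a300, i.e. 172800 seconds or 48 hours
goto :eof
```

Run it on each domain controller and keep the output with the server build notes; a value that differs from the rest of the DCs, or a MaxPollInterval that has been raised far above 10, is worth a question before anyone changes the external peer list.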