Windows 2000 network time protocol

Microsoft and others strongly recommend that you synchronise your time server from a hardware source, such as a GPS or radio clock, rather than from an NTP server on the internet, where the time packets are not authenticated and can be spoofed. The Windows Time service keeps its settings under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. Before changing anything, check that W32Time is present in the services list in the registry: click Start, click Run, type regedit, click OK, then browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time.

To configure the Windows Time service on the time server to use an external time source, open regedit as above and go to the Parameters key. In the right pane, right-click ReliableTimeSource, click Modify, set the value to 1 and click OK; this makes the server announce itself as a reliable time source. Right-click Type, click Modify, set the value to NTP and click OK, so that the server takes its time from the NtpServer value instead of from the domain hierarchy. Right-click NtpServer, click Modify, enter the DNS name or IP address of the external source and click OK. If the server is instead to hand out its own internal hardware clock, set ReliableTimeSource to 1 in the same key and leave NtpServer unset. Quit Registry Editor and restart the service so that it reads the new values: at a command prompt, type net stop w32time && net start w32time.

To reset the clocks of the other computers against the time server, type w32tm -s on each of them. Do not run it on the time server itself: a time server must never be synchronised with itself.

Generally, Windows time clients automatically obtain accurate time for synchronization from domain controllers in the same domain. In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains.
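As an added example (not part of the original article), the following Python script audits the W32Time Parameters values described above and reports what kind of time source a computer ends up with: the authenticated domain hierarchy, an unauthenticated manual source, a hardware-fed server on your own network, or itself. It reads the values from HKEY_LOCAL_MACHINE via winreg on a Windows host, or takes a dict exported from the registry so it runs anywhere. The audit_time_source function, its argument names and the severity labels are this example's own; trusted_sources is assumed to be a list you maintain of NTP servers on your own network that are fed by a GPS or radio clock.

```python
try:
    import winreg  # Windows only; the audit itself runs on any exported copy of the values
except ImportError:
    winreg = None

# Registry key holding the Windows 2000 Windows Time service configuration.
W32TIME_PARAMETERS = r"SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
AUDITED_VALUES = ("Type", "NtpServer", "ReliableTimeSource", "LocalNTP")


def read_w32time_parameters():
    """Read the audited W32Time values from HKLM on a Windows host (returns a dict)."""
    if winreg is None:
        raise RuntimeError("direct registry access needs Windows; pass exported values to audit_time_source instead")
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, W32TIME_PARAMETERS) as key:
        for name in AUDITED_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: the audit applies the default
    return values


def audit_time_source(params, hostname, trusted_sources=(), is_reliable_root=False):
    """Classify the configured time source; returns a list of (severity, message) findings.

    params          : W32Time\\Parameters values (from read_w32time_parameters or a .reg export)
    hostname        : this computer's name, used to catch a server synchronising with itself
    trusted_sources : NTP servers on your own network fed by a GPS or radio clock (assumed list)
    is_reliable_root: True for the forest-root PDC emulator / first domain controller
    """
    findings = []
    source_type = str(params.get("Type", "Nt5DS"))  # Nt5DS = domain hierarchy, the default for domain members
    servers = str(params.get("NtpServer", "")).split()
    own_name = hostname.lower().split(".")[0]
    trusted = {t.lower() for t in trusted_sources}

    if source_type == "Nt5DS":
        findings.append(("info", "domain hierarchy source: replies are signed with the Net Logon session key"))
        if is_reliable_root:
            findings.append(("warn", "the root of the time service should take time from an external source "
                                     "(Type=NTP), not from the hierarchy it is the top of"))
    elif source_type == "NTP":
        if not servers:
            findings.append(("warn", "Type=NTP but NtpServer is empty: the clock will not synchronise"))
        for server in servers:
            short = server.lower().split(".")[0]
            if short in (own_name, "localhost") or server == "127.0.0.1":
                findings.append(("warn", "%s is configured to synchronise with itself; "
                                         "a time server must never be its own source" % hostname))
            elif server.lower() in trusted:
                findings.append(("info", "%s is a hardware-fed source on your own network" % server))
            else:
                findings.append(("warn", "%s is a manually configured source outside the domain hierarchy: "
                                         "its NTP packets are not authenticated and can be spoofed" % server))
    elif source_type == "NoSync":
        findings.append(("warn", "NoSync: the clock free-runs and will drift away from the rest of the domain"))
    else:
        findings.append(("warn", "unrecognised Type value %r" % source_type))

    if is_reliable_root and int(params.get("ReliableTimeSource", 0)) != 1:
        findings.append(("warn", "ReliableTimeSource is not 1, so Net Logon will not announce this server as reliable"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a forest-root PDC emulator pointed at a public internet server.
    sample = {"Type": "NTP", "NtpServer": "pool.example.net", "ReliableTimeSource": 1}
    for severity, message in audit_time_source(sample, "dc1", trusted_sources=["gps1"], is_reliable_root=True):
        print("[%s] %s" % (severity, message))
```

On a Windows host, call audit_time_source(read_w32time_parameters(), hostname) with the real values; on any other system, export the Parameters key to a .reg file and pass the values as a dict.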

When a time server returns an authenticated NTP packet to a client that requests the time, the packet is signed with a Kerberos session key belonging to an interdomain trust account. The interdomain trust account is created when a new AD DS domain joins a forest, and the Net Logon service manages the session key.

In this way, the domain controller that is configured as reliable in the forest root domain becomes the authenticated time source for all of the domain controllers in both the parent and child domains, and indirectly for all computers located in the domain tree. The Windows Time service can be configured to work between forests, but it is important to note that this configuration is not secure.

For example, an NTP server might be available in a different forest. However, because that computer is in a different forest, there is no Kerberos session key with which to sign and authenticate NTP packets. To obtain accurate time synchronization from a computer in a different forest, the client needs network access to that computer and the time service must be configured to use a specific time source located in the other forest. If a client is manually configured to access time from an NTP server outside of its own domain hierarchy, the NTP packets sent between the client and the time server are not authenticated, and therefore are not secure.
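The authenticated and unauthenticated cases described above, as an added example that is not part of the original article: a Python script that builds an NTP reply, appends an authenticator in the RFC 1305 layout (a 32-bit key identifier followed by a 16-byte MD5 digest over the shared key and the 48-byte header), and verifies it. It shows that a reply with no authenticator, as comes from a source outside the forest, can only be accepted on trust; that a reply signed with a key the client does not share (no session key with the other forest) is rejected; and that moving the transmit timestamp of a signed reply breaks the digest. The key bytes, the key identifier and the attacker's edit are constructed for the example; Windows derives its real key from the Net Logon secure channel, which this script does not model.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP/SNTP header
KEY_ID_LEN = 4               # 32-bit key identifier
DIGEST_LEN = 16              # 128-bit MD5 digest
AUTH_LEN = KEY_ID_LEN + DIGEST_LEN
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)


def build_header(transmit_unix, stratum=2, mode=4, version=3):
    """Build a 48-byte NTP v3 header (mode 4 = server reply) carrying only a transmit timestamp."""
    li_vn_mode = (version << 3) | mode        # leap indicator 0
    secs = int(transmit_unix) + NTP_UNIX_DELTA
    frac = int((transmit_unix - int(transmit_unix)) * (1 << 32)) & 0xFFFFFFFF
    # poll=10, precision=-20, root delay, root dispersion and reference id all zero
    head = struct.pack("!BBbbIII", li_vn_mode, stratum, 10, -20, 0, 0, 0)
    zero_timestamps = b"\x00" * 24            # reference, originate and receive timestamps left empty
    return head + zero_timestamps + struct.pack("!II", secs, frac)


def sign_packet(header, key_id, key):
    """Append an authenticator: key identifier plus MD5 over key||header (RFC 1305 appendix C layout)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def parse_packet(packet):
    """Decode the fields this example needs; 'authenticator' is (key_id, digest) or None."""
    if len(packet) not in (NTP_HEADER_LEN, NTP_HEADER_LEN + AUTH_LEN):
        raise ValueError("unexpected NTP packet length %d" % len(packet))
    head = packet[:NTP_HEADER_LEN]
    secs, frac = struct.unpack("!II", head[40:48])
    info = {
        "version": (head[0] >> 3) & 7,
        "mode": head[0] & 7,
        "stratum": head[1],
        "transmit_unix": secs - NTP_UNIX_DELTA + frac / float(1 << 32),
        "authenticator": None,
    }
    if len(packet) > NTP_HEADER_LEN:
        key_id, = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
        info["authenticator"] = (key_id, packet[NTP_HEADER_LEN + KEY_ID_LEN:])
    return info


def verify_packet(packet, keys):
    """Return (accepted, reason). keys maps key identifier -> shared key bytes."""
    info = parse_packet(packet)
    if info["authenticator"] is None:
        return False, "no authenticator: an unauthenticated reply, as from a manually configured source outside the forest"
    key_id, digest = info["authenticator"]
    key = keys.get(key_id)
    if key is None:
        return False, "key identifier %d unknown: no shared session key with this sender" % key_id
    expected = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch: the header was altered in transit or signed with another key"
    return True, "authenticated reply"


def shift_transmit_time(packet, seconds):
    """Simulate an on-path attacker moving the transmit timestamp (constructed attack input)."""
    altered = bytearray(packet)
    secs, = struct.unpack("!I", altered[40:44])
    struct.pack_into("!I", altered, 40, (secs + seconds) & 0xFFFFFFFF)
    return bytes(altered)


def demo():
    key_id, key = 1104, bytes(range(16))     # constructed key; Windows derives the real one from the Net Logon session
    keys = {key_id: key}
    header = build_header(1000000000.5)
    signed = sign_packet(header, key_id, key)
    return {
        "unsigned": verify_packet(header, keys),
        "signed": verify_packet(signed, keys),
        "tampered": verify_packet(shift_transmit_time(signed, 3600), keys),
        "foreign_key": verify_packet(sign_packet(header, 2222, b"\xff" * 16), keys),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-12s %-5s %s" % (name, ok, reason))
```

The unsigned case is the important one: a client configured against a server outside its forest has nothing to check, so it takes whatever transmit timestamp arrives, which is exactly the packet an on-path attacker can rewrite.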

Even with forest trusts in place, the Windows Time service is not secure across forests. The Net Logon secure channel is the authentication mechanism for the Windows Time service, and authentication across forests is not supported.

Hardware-based clocks such as GPS or radio clocks are often used as highly accurate reference clock devices.

By default, the Windows Time service NTP time provider does not support the direct connection of a hardware device to a computer, although it is possible to create a software-based independent time provider that supports this type of connection.

This type of provider, in conjunction with the Windows Time service, can provide a reliable, stable time reference. Hardware devices such as a cesium clock or a Global Positioning System (GPS) receiver provide accurate current time by following a recognised time standard. Cesium clocks are extremely stable and are unaffected by factors such as temperature, pressure, or humidity, but are also very expensive. A GPS receiver is much less expensive to operate and is also an accurate reference clock.

GPS receivers obtain their time from satellites that obtain their time from a cesium clock. Without the use of an independent time provider, Windows time servers can acquire their time by connecting to an external NTP server, which is connected to a hardware device by means of a telephone or the Internet.

Organizations such as the United States Naval Observatory provide NTP servers that are connected to extremely reliable reference clocks.

You can configure your AD DS forest to synchronize time from these external hardware devices only if they are also acting as NTP servers on your network.

To do so, configure the domain controller that holds the primary domain controller (PDC) emulator role in your forest root to synchronize with the NTP server provided by the GPS device.

The primary difference between NTP and SNTP is that SNTP does not have the error management and complex filtering systems that NTP provides. The time service in Windows NT Server 4.0. For example, if your domain is configured to synchronize time by using the domain hierarchy-based method of synchronization and you want computers in the domain hierarchy to synchronize time with a Windows NT 4.0.

Windows NT 4.0. Therefore, to ensure accurate time synchronization across your network, it is recommended that you upgrade any Windows NT 4.0.

The Windows Time service is designed to synchronize the clocks of computers on a network. The network time synchronization process, also called time convergence, occurs throughout a network as each computer takes its time from a more accurate time server.

Time convergence involves a process by which an authoritative server provides the current time to client computers in the form of NTP packets. The information provided within a packet indicates whether an adjustment needs to be made to the computer's current clock time so that it is synchronized with the more accurate server. As part of the time convergence process, domain members attempt to synchronize time with any domain controller located in the same domain.

If the computer is a domain controller, it attempts to synchronize with a more authoritative domain controller. Computers running Windows XP Home Edition and computers that are not joined to a domain do not attempt to synchronize with the domain hierarchy, but are configured by default to obtain time from time.windows.com.

To establish a computer running Windows Server as authoritative, the computer must be configured to be a reliable time source. By default, the first domain controller that is installed on a Windows Server domain is automatically configured to be a reliable time source. Because it is the authoritative computer for the domain, it must be configured to synchronize with an external time source rather than with the domain hierarchy.

Also by default, all other Windows Server domain members are configured to synchronize with the domain hierarchy. After you have established a Windows Server network, you can configure the Windows Time service to use one of the following options for synchronization. Synchronization that is based on a domain hierarchy uses the AD DS domain hierarchy to find a reliable source with which to synchronize time. Based on the domain hierarchy, the Windows Time service determines the accuracy of each time server.

In a Windows Server forest, the computer that holds the primary domain controller PDC emulator operations master role, located in the forest root domain, holds the position of best time source, unless another reliable time source has been configured.

The following figure illustrates a path of time synchronization between computers in a domain hierarchy. A computer that is configured to be a reliable time source is identified as the root of the time service.

The root of the time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network.

When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available. A cycle in the synchronization network occurs when time remains consistent between a group of domain controllers and the same time is shared between them continuously without a resynchronization with another reliable time source.

The Windows Time service's time source selection algorithm is designed to protect against these types of problems. If the computer is not a member of a domain, it must be configured to synchronize with a specified time source. If the computer is a member server or workstation within a domain, by default, it follows the AD DS hierarchy and synchronizes its time with a domain controller in its local domain that is currently running the Windows Time service. If the computer is a domain controller, it makes up to six queries to locate another domain controller to synchronize with.

Each query is designed to identify a time source with certain attributes, such as the type of domain controller, a particular location, and whether or not it is a reliable time source. The time source must also adhere to the following constraints. A PDC emulator can synchronize with a reliable time source in its own domain or with any domain controller in the parent domain.

If the domain controller is not able to synchronize with the type of domain controller that it is querying, the query is not made. The domain controller knows which type of computer it can obtain time from before it makes the query. For example, a local PDC emulator does not attempt to query numbers three or six because a domain controller does not attempt to synchronize with itself.

Kerberos uses the workstation's current time as part of the process for generating Kerberos authentication tickets.

The W32Time service startup is set to Automatic on workstations that are members of a domain. It's set to Manual for standalone workstations. You can view the service status and startup mode through the Services console in the Administrative Tools folder. The W32Time service synchronizes time with the domain controller on startup and then every eight hours by default. W32Time adjusts the interval for the check downward depending on how far off the time is between the two.

The minimum interval is 45 minutes.

Checking and setting your system clock

If you think your system's clock is off, you can perform a manual synchronization using the net time command. Open a command console and type net time without any other parameters to see the time on the domain controller. Windows displays the time on the server (see Figure A).
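As an added example (not from the original article), the following Python script carries through the two pieces of behaviour described above: how a client works out from one request/reply exchange whether its clock needs adjusting (the standard NTP offset and delay calculation from the four timestamps, which the packet exchange described earlier under time convergence supplies), and how the check interval drops from the 8-hour default towards the 45-minute minimum when the clock is found to be off. The 2-second tolerance and the rule that three in-tolerance checks are needed before returning to the 8-hour interval are assumptions made for this example; the sample exchanges are constructed.

```python
EIGHT_HOURS = 8 * 60 * 60
FORTY_FIVE_MINUTES = 45 * 60


def clock_offset_and_delay(t1, t2, t3, t4):
    """Standard NTP/SNTP calculation from the four timestamps of one exchange (seconds, any epoch).

    t1: client clock when the request left
    t2: server clock when the request arrived
    t3: server clock when the reply left
    t4: client clock when the reply arrived
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0   # how far the client clock is behind (+) or ahead (-) of the server
    delay = (t4 - t1) - (t3 - t2)            # network round trip, excluding the server's processing time
    return offset, delay


class PollScheduler:
    """Check-interval backoff modelled on the behaviour described in the article.

    The 8-hour default and 45-minute minimum come from the article; the tolerance and the
    'three good checks before backing off again' rule are assumptions made for this example.
    """

    def __init__(self, tolerance_seconds=2.0, good_checks_required=3):
        self.tolerance = tolerance_seconds
        self.required = good_checks_required
        self.good_streak = good_checks_required  # start in the steady state

    def next_interval(self, offset):
        if abs(offset) > self.tolerance:
            self.good_streak = 0                 # clock was off: check again soon
        else:
            self.good_streak += 1
        return EIGHT_HOURS if self.good_streak >= self.required else FORTY_FIVE_MINUTES


def run_exchanges(samples):
    """Feed (t1, t2, t3, t4) tuples through the scheduler; return (offset, delay, next_interval) per sample."""
    sched = PollScheduler()
    out = []
    for t1, t2, t3, t4 in samples:
        offset, delay = clock_offset_and_delay(t1, t2, t3, t4)
        out.append((offset, delay, sched.next_interval(offset)))
    return out


# Constructed sample exchanges: a healthy check, one where the client is 5 s behind, then recovery.
SAMPLE_EXCHANGES = [
    (100.00, 100.05, 100.06, 100.11),   # offset 0, delay 0.1
    (200.00, 205.05, 205.06, 200.11),   # client 5 s behind the server
    (300.00, 300.05, 300.06, 300.11),
    (400.00, 400.05, 400.06, 400.11),
    (500.00, 500.05, 500.06, 500.11),
]

if __name__ == "__main__":
    for offset, delay, interval in run_exchanges(SAMPLE_EXCHANGES):
        print("offset %+7.3f s  delay %.3f s  next check in %5d s" % (offset, delay, interval))
```

Note that the offset is only as trustworthy as the packet it came from: against an unauthenticated source, a spoofed transmit timestamp produces a large offset that the scheduler will dutifully try to correct.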
