Administering the Windows Time Service Part 2


 

Configuring a Time Source for the Forest

 

Thanks to MS Technet

Applies To: Windows Server 2008

The first domain controller that you deploy in a domain holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role for the domain. By default, the domain controller that holds the PDC emulator master role in the forest root domain is the reliable time source at the top of the time-source domain hierarchy for the forest. As soon as you install the first domain controller in the forest, set the PDC emulator in the forest root domain to synchronize from a valid Network Time Protocol (NTP) source or from a hardware clock that is installed on the network. If no time source is configured on the PDC emulator or any other domain controller in the forest root domain, the PDC emulator advertises as a reliable time source and uses its internal clock as the source for forest synchronization. In this case, no manual configuration is required.

After initial deployment of your network, you typically reconfigure the time service on the PDC emulator in the forest root domain in only two situations:

You move the PDC emulator role to a different computer. In this case, you must configure the Windows Time service for the new PDC emulator master role holder and reconfigure the original PDC emulator master role holder to synchronize from the domain and not from an external or internal time source.
You change the time source for the PDC emulator. For example, you change from synchronizing with an external source to synchronizing with an internal hardware device.
In some environments, one or more domain controllers are configured to act as standby PDC emulator role holders. If the current PDC emulator fails or is otherwise unavailable, the role can quickly be transferred to the standby. If you anticipate moving the PDC emulator role and you want to avoid reconfiguring the new and old PDC emulator every time the role is moved, you can configure a domain controller in the forest root domain that is not the PDC emulator as the reliable time source for the forest. In this way, the root of the time service stays the same and remains properly configured.

Windows includes W32Time, the Windows Time service, which the Kerberos authentication protocol depends on: by default a Kerberos KDC rejects authenticators and tickets whose timestamps differ from its own clock by more than five minutes, so a host whose clock has drifted cannot authenticate. The purpose of the Windows Time service is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time.

To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy:

All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to synchronize with an Internet time source, the NTP exchange is not authenticated: the server accepts whatever time the responses carry, so anyone who can spoof or alter traffic on that path can move the clock of the forest root, and with it every clock below it. We also recommend that you reduce the time correction settings (MaxPosPhaseCorrection and MaxNegPhaseCorrection) for your servers and stand-alone clients, so that a sample outside the bound is rejected and logged instead of applied. These recommendations provide more accuracy and security to your domain.

Configuring the Windows Time service to use an internal hardware clock

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the



To configure the PDC master without using an external time source, change the announce flags on the PDC master. The PDC master here is the server that holds the PDC emulator role in the forest root domain. This configuration makes the PDC master announce itself as a reliable time source while it runs on its built-in complementary metal oxide semiconductor (CMOS) clock. Note that the forest then agrees on a time that is anchored to nothing external: the CMOS clock drifts, which does not break Kerberos inside the forest but will eventually show up as certificate-validity and log-correlation problems against external systems. To configure the PDC master to use the internal hardware clock, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

3. In the right pane, right-click the AnnounceFlags value, and then click Modify.

4. In Edit DWORD Value, type A in the Value data box (hexadecimal, the default base in Registry Editor), and then click OK. The value 0xA is 0x2 (automatically announce as a time server) plus 0x8 (automatically announce as a reliable time source).

5. Quit Registry Editor.

6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time

Note The PDC master must not be configured to synchronize with itself. For more information about why the PDC master must not be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:

http://www.rfc-editor.org/

Configuring the Windows Time service to use an external time source

To configure an internal time server to synchronize with an external time source, follow these steps:

1. Change the server type to NTP. To do this, follow these steps:

a. Click Start, click Run, type regedit, and then click OK.

b. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

c. In the right pane, right-click Type, and then click Modify.

d. In Edit Value, type NTP in the Value data box, and then click OK.

2. Set AnnounceFlags to 5. To do this, follow these steps:

a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

b. In the right pane, right-click AnnounceFlags, and then click Modify.

c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.

Note The value 5 is 0x1 (always announce as a time server) plus 0x4 (always announce as a reliable time source). Unlike the automatic flags in the default value 0xA, these force the announcement instead of leaving the decision to the service.

3. Enable NtpServer. To do this, follow these steps:

a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

b. In the right pane, right-click Enabled, and then click Modify.

c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.

4. Specify the time sources. To do this, follow these steps:

a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

b. In the right pane, right-click NtpServer, and then click Modify.

c. In Edit Value, type Peers in the Value data box, and then click OK.

Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. Append ,0x1 to each DNS name; this flag (UseSpecialPollInterval) makes the client poll that peer at the interval set in step 5. If you do not append ,0x1, the poll interval from step 5 is ignored for that peer. Flags can be combined, for example ,0x9 for 0x1 plus 0x8 (send normal client-mode requests).

5. Select the poll interval. To do this, follow these steps:

a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

b. In the right pane, right-click SpecialPollInterval, and then click Modify.

c. In Edit DWORD Value, click to select Decimal in the Base box, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the time client to poll every 15 minutes.

6. Configure the time correction settings. To do this, follow these steps:

a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.

c. In Edit DWORD Value, click to select Decimal in the Base box.

d. Type TimeInSeconds in the Value data box, and then click OK.

e. In the same pane, right-click MaxNegPhaseCorrection, and then click Modify.

f. In Edit DWORD Value, click to select Decimal in the Base box.

g. Type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select depends on the poll interval, network conditions, and the external time source. These two values are the largest forward and backward clock steps the service will accept from a source; because the external source is unauthenticated, keeping them small limits how far a spoofed or wrong source can move the clock.

7. Quit Registry Editor.

8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time
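Both procedures on this page, the internal-clock configuration and the external-NTP configuration with bounded phase correction, as one PowerShell script. This is an added example and not code from the original article: the peer names ntp1.example.internal and ntp2.example.internal are placeholders, the 900-second poll interval is the article's suggested value, the 900-second correction limit is the 15-minute bound this page recommends for NTP-type roots, and the script is assumed to run from an elevated PowerShell prompt on the forest-root PDC emulator.

```powershell
<#
  Added example, not from the original article. Applies either PDC-emulator
  configuration described above and verifies the result.
  Assumptions: elevated PowerShell on the forest-root PDC emulator; the peer
  names are placeholders for your own time appliance or vetted NTP servers.
#>
[CmdletBinding()]
param(
    [ValidateSet('InternalClock', 'ExternalNtp')]
    [string]$Mode = 'ExternalNtp',
    [string[]]$Peers = @('ntp1.example.internal', 'ntp2.example.internal'),  # placeholders
    [int]$PollIntervalSeconds = 900,        # article's suggested value (15 minutes)
    [int]$MaxPhaseCorrectionSeconds = 900   # 15-minute bound recommended for NTP-type roots
)

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Set-W32TimeValue {
    param([string]$SubKey, [string]$Name, [uint32]$Value)
    # Every value touched here is a REG_DWORD under the W32Time service key.
    Set-ItemProperty -Path "$W32Time\$SubKey" -Name $Name -Value $Value -Type DWord
}

switch ($Mode) {
    'InternalClock' {
        # AnnounceFlags 0xA = 0x2 (automatic time server) + 0x8 (automatic reliable
        # time server): the PDC emulator advertises as reliable and serves its CMOS clock.
        Set-W32TimeValue -SubKey 'Config' -Name 'AnnounceFlags' -Value 0xA
    }
    'ExternalNtp' {
        # ,0x9 per peer = 0x1 (UseSpecialPollInterval) + 0x8 (normal client-mode requests).
        $peerList = ($Peers | ForEach-Object { "$_,0x9" }) -join ' '
        # /syncfromflags:MANUAL writes Parameters\Type = NTP and /manualpeerlist writes
        # Parameters\NtpServer, the same result as steps 1 and 4 of the registry procedure.
        & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:MANUAL /update | Out-Null
        # AnnounceFlags 5 = 0x1 (always time server) + 0x4 (always reliable time server).
        Set-W32TimeValue -SubKey 'Config' -Name 'AnnounceFlags' -Value 5
        Set-W32TimeValue -SubKey 'TimeProviders\NtpServer' -Name 'Enabled' -Value 1
        Set-W32TimeValue -SubKey 'TimeProviders\NtpClient' -Name 'SpecialPollInterval' -Value $PollIntervalSeconds
        # Bound the clock step the service will accept from the (unauthenticated) NTP source.
        Set-W32TimeValue -SubKey 'Config' -Name 'MaxPosPhaseCorrection' -Value $MaxPhaseCorrectionSeconds
        Set-W32TimeValue -SubKey 'Config' -Name 'MaxNegPhaseCorrection' -Value $MaxPhaseCorrectionSeconds
    }
}

Restart-Service -Name w32time
& w32tm.exe /resync /nowait | Out-Null
Start-Sleep -Seconds 5

# Verification: "w32tm /query /source" prints "Local CMOS Clock" for the internal-clock case
# and the selected peer (for example "ntp1.example.internal,0x9") once an external peer answered.
$source = (& w32tm.exe /query /source) -join ''
$expectLocal = ($Mode -eq 'InternalClock')
$isLocal = ($source -match 'Local CMOS Clock')
if ($isLocal -eq $expectLocal) {
    Write-Host "OK: w32time source is '$source'"
} else {
    Write-Warning "Unexpected source '$source' for mode $Mode; check 'w32tm /query /status' and W32Time events in the System log."
}
& w32tm.exe /query /status
```

Run it as `.\Set-PdcTimeSource.ps1 -Mode ExternalNtp -Peers 'gps1.corp.example','gps2.corp.example'` (names are placeholders). The registry writes mirror the numbered steps one for one, so anything the script sets can be checked afterwards with `w32tm /query /configuration`.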





Troubleshooting

For the Windows Time service to function correctly, the networking infrastructure must function correctly. The most common problems that affect the Windows Time service include the following:

There is a problem with TCP/IP connectivity, such as a dead gateway.
The Name Resolution service is not working correctly.
The network is experiencing high volume delays, especially when synchronization occurs over high-latency wide area network (WAN) links.
The Windows Time service is trying to synchronize with inaccurate time sources.
We recommend that you use the Netdiag.exe utility to troubleshoot network-related issues. Netdiag.exe is part of the Windows Server 2003 Support Tools package. See Tools Help for a complete list of command-line parameters that you can use with Netdiag.exe. On Windows Vista, Windows Server 2008 and later, w32tm.exe itself reports the service's own view: w32tm /query /status shows the current source, stratum and time of the last successful synchronization, w32tm /query /peers lists each configured peer with its state, and w32tm /stripchart /computer:Peer measures the offset to a given peer directly. If your problem is still not solved, you can turn on the Windows Time service debug log. Because the debug log can contain very detailed information, we recommend that you contact Microsoft Product Support Services when you turn on the Windows Time service debug log.
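The failure list above, turned into a check that runs from the affected server. This is an added example and not code from the original article: it uses only w32tm.exe (Windows Vista / Server 2008 or later) and .NET name resolution, and the peer names in the usage lines are placeholders.

```powershell
<#
  Added example, not from the original article. Walks the failure list above for
  each configured peer: name resolution, whether the peer answers NTP at all, and
  how far its time is from the local clock; also wraps enabling the debug log.
  Assumptions: w32tm.exe from Vista / Server 2008 or later; placeholder peer names.
#>
function Test-NtpPeer {
    param(
        [Parameter(Mandatory = $true)][string[]]$Peer,
        [int]$Samples = 3,
        [double]$MaxOffsetSeconds = 1.0   # alert threshold; tighten for a forest root
    )
    foreach ($name in $Peer) {
        $r = @{ Peer = $name; Resolved = $false; Replies = 0; MeanOffsetSeconds = $null; Status = '' }
        try {
            $null = [System.Net.Dns]::GetHostAddresses($name)   # name resolution check
            $r.Resolved = $true
        } catch {
            $r.Status = 'name resolution failed'
            New-Object PSObject -Property $r | Select-Object Peer, Resolved, Replies, MeanOffsetSeconds, Status
            continue
        }
        # /stripchart sends client-mode NTP requests and prints one line per sample,
        # e.g. "10:00:02, +00.0012345s"; a sample that got no reply prints "error: 0x...".
        $lines = & w32tm.exe /stripchart /computer:$name /samples:$Samples /period:1 /dataonly 2>&1
        $offsets = @(foreach ($l in $lines) {
            if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
        })
        $r.Replies = $offsets.Count
        if ($offsets.Count -eq 0) {
            $r.Status = 'no NTP reply (UDP/123 filtered, dead gateway, or peer down)'
        } else {
            $mean = ($offsets | Measure-Object -Average).Average
            $r.MeanOffsetSeconds = [math]::Round($mean, 6)
            if ([math]::Abs($mean) -gt $MaxOffsetSeconds) {
                $r.Status = 'offset exceeds threshold: inaccurate source or high-latency path'
            } else {
                $r.Status = 'ok'
            }
        }
        New-Object PSObject -Property $r | Select-Object Peer, Resolved, Replies, MeanOffsetSeconds, Status
    }
}

function Enable-W32TimeDebugLog {
    param([string]$Path = "$env:SystemRoot\Temp\w32time.log", [int]$SizeBytes = 10000000)
    # entries 0-300 is the full range; the log is verbose, so keep the size cap.
    & w32tm.exe /debug /enable /file:$Path /size:$SizeBytes /entries:0-300
}

# Usage (placeholder peer names):
# Test-NtpPeer -Peer 'ntp1.example.internal', 'ntp2.example.internal' | Format-Table -AutoSize
# Enable-W32TimeDebugLog; reproduce the problem; then: w32tm /debug /disable
```

A peer that resolves but returns no samples points at connectivity (the first two items in the list); a peer that answers with a large, stable offset points at the source itself (the fourth item); an offset that jumps between samples points at path latency (the third).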

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.



NTP supports several different packet types. Typically, NTP clients and Simple Network Time Protocol (SNTP) clients send client mode request packets to an NTP server. The NTP server responds with a server mode packet. To configure the W32time service to send symmetric active mode packets instead of client mode packets to an NTP server, type the following command at a command prompt, where Peers is a placeholder for the peer's DNS name:

w32tm /config /manualpeerlist:"Peers,0x4" /syncfromflags:MANUAL

Note Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets. The NTP server replies to these normal client requests as usual.

Reliable time source configuration

A computer that is configured to be a reliable time source is identified as the root of the Windows Time service. The root of the Windows Time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they select a reliable source first, if one is available.



Manually-specified synchronization

With manually-specified synchronization, you can designate a single peer or list of peers that a computer obtains time from. If the computer is not a member of a domain, it must be manually configured to synchronize with a specified time source. By default, a computer that is a member of a domain is configured to synchronize from the domain hierarchy. Manually-specified synchronization is most useful for the forest root of the domain or for computers that are not joined to a domain. When you manually specify an external NTP server to synchronize with the authoritative computer for your domain, you provide reliable time. However, to provide high accuracy and security to your domain, we recommend that you configure the authoritative computer for your domain to synchronize with a hardware clock.

Without a hardware time source, W32time is configured as an NTP type. You must reconfigure the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries. The recommended value is 15 minutes (900 seconds) or even lower, depending on the time source, network conditions, and security requirements. This requirement also applies to any reliable time source that is configured as the forest root time source in the time sync subnet. For more information about these registry entries, see the "Windows Time service registry entries" section of the source article.
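An audit of the two recommendations made on this page (bounded phase correction on NTP-type roots, and no unauthenticated Internet time sources feeding the forest) across a set of domain controllers. This is an added example and not code from the original article: it assumes w32tm /query works remotely (RPC to each DC), and the approved-suffix value and DC names are placeholders.

```powershell
<#
  Added example, not from the original article. Audits domain controllers against
  the recommendations on this page: NTP-type roots must bound MaxPosPhaseCorrection
  and MaxNegPhaseCorrection, and NTP peers outside your own network are flagged
  because the exchange carries no authentication.
  Assumptions: remote w32tm /query is reachable; placeholder suffix and DC names.
#>
function Get-W32TimeConfig {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # w32tm /query /configuration prints lines such as "MaxPosPhaseCorrection: 172800 (Local)".
    $cfg = @{}
    $lines = & w32tm.exe /query /computer:$ComputerName /configuration 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^\s*(\w+):\s*(.*?)\s*\((Local|Policy)\)\s*$') {
            # Keys such as Enabled repeat once per provider; the last occurrence wins,
            # which is fine for the Config and NtpClient values read below.
            $cfg[$matches[1]] = $matches[2]
        }
    }
    return $cfg
}

function Test-W32TimeHardening {
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        [int64]$MaxPhaseCorrectionSeconds = 900,                  # 15 minutes, as recommended above
        [string[]]$ApprovedPeerSuffix = @('.example.internal')   # placeholder for your own time sources
    )
    foreach ($dc in $DomainController) {
        $cfg = Get-W32TimeConfig -ComputerName $dc
        $findings = @()
        if ($cfg.Count -eq 0) {
            $findings += 'w32tm query failed (host unreachable or RPC filtered)'
        } else {
            foreach ($key in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
                # 4294967295 (0xFFFFFFFF) means unlimited: a source may step the clock by any amount.
                if ([int64]$cfg[$key] -gt $MaxPhaseCorrectionSeconds) {
                    $findings += "$key=$($cfg[$key]) exceeds $MaxPhaseCorrectionSeconds s"
                }
            }
            if ($cfg['Type'] -eq 'NTP' -and $cfg['NtpServer']) {
                foreach ($peer in ($cfg['NtpServer'] -split '\s+')) {
                    $peerHost = ($peer -split ',')[0]          # strip the ,0x flags
                    $approved = $ApprovedPeerSuffix | Where-Object { $peerHost.ToLower().EndsWith($_.ToLower()) }
                    if (-not $approved) { $findings += "external NTP peer '$peerHost' (unauthenticated)" }
                }
            }
        }
        New-Object PSObject -Property @{
            DomainController      = $dc
            Type                  = $cfg['Type']
            NtpServer             = $cfg['NtpServer']
            AnnounceFlags         = $cfg['AnnounceFlags']
            MaxPosPhaseCorrection = $cfg['MaxPosPhaseCorrection']
            MaxNegPhaseCorrection = $cfg['MaxNegPhaseCorrection']
            Findings              = ($findings -join '; ')
        } | Select-Object DomainController, Type, NtpServer, AnnounceFlags, MaxPosPhaseCorrection, MaxNegPhaseCorrection, Findings
    }
}

# Usage (placeholder names):
# Test-W32TimeHardening -DomainController 'dc1.example.internal', 'dc2.example.internal' | Format-Table -AutoSize
```

A DC with Type NT5DS and no findings is simply following the domain hierarchy, which is the expected state for everything except the forest root; the rows worth acting on are NTP-type hosts with an unbounded correction window or a peer you do not control.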

 
