Tuesday, 3 May 2011

Windows System Time

Windows includes W32Time, the Windows Time service, which the Kerberos authentication protocol depends on: Kerberos tickets and authenticators carry timestamps, and a client whose clock is outside the permitted skew from the domain controller (five minutes by default) cannot authenticate. The purpose of the Windows Time service is to make sure that all computers running Microsoft Windows 2000 or later versions in an organization use a common time.

To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy:

• All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
• All member servers follow the same process that client desktop computers follow.
• All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
• All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source, such as a GPS or radio clock. When you configure the authoritative time server to sync with an Internet time source instead, there is no authentication: plain NTP gives the client no way to verify who answered, so a spoofed or tampered reply is accepted like any other. We also recommend that you reduce the time correction settings for your servers and stand-alone clients, so that a bad reply can at most nudge the clock rather than jump it. Together these recommendations give the domain better accuracy and a smaller attack surface.

Configure the PDC emulator (PDCe) FSMO role holder in the forest root domain to synchronise with an external time source as follows. All other domain controllers and members keep the default hierarchy and take their time from the PDCe:


1. Change the server type to NTP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

Default value: NT5DS (internal synchronisation using the Windows domain hierarchy)

Set to: NTP (synchronise with the external peers listed in the NtpServer value of step 4; the domain hierarchy is no longer used as a source on this host)


2. Set AnnounceFlags to 5

This entry controls whether this computer is marked as a time server and as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. The flags are 0x01 = always time server, 0x02 = automatic time server, 0x04 = always reliable time server and 0x08 = automatic reliable time server, so a setting of 5 (0x01 + 0x04) means always a time server and always a reliable time server, while the default of 10 (0x02 + 0x08) leaves both decisions to the service. The default value for domain members is 10. The default value for stand-alone clients and servers is 10.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

Default value: 10
Set to: 5


3. Enable NTPServer

This entry indicates whether the NtpServer provider is enabled in the current Time Service; it must be on for the other domain controllers and members to take their time from this host. The default value on domain members is 1. The default value on stand-alone clients and servers is 1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled

Default value: 1
Set to: 1


4. Specify the time sources

This entry specifies a space-delimited list of peers from which the computer obtains time stamps, given as DNS names or IP addresses.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

Note: each DNS name in the list must be unique, and you must append ,0x1 (the SpecialInterval flag) to the end of each entry. If you do not append ,0x1 to an entry, the poll interval set in step 5 is not used for that peer.


5. Select the poll interval

This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is set on a peer, W32Time uses this poll interval for it instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

Default value: 3600 (seconds)
Set to: 900 (seconds)

A value of 900 decimal makes the time server poll its sources every 15 minutes.


6. Configure the time correction settings

MaxPosPhaseCorrection specifies the largest positive time correction in seconds that the service makes. If the service determines that a larger change is required, it logs an event instead of adjusting the clock.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

Default value: 4294967295 (seconds)
Set to: 1800 (seconds)

MaxNegPhaseCorrection specifies the largest negative time correction in seconds that the service makes. If the service determines that a larger change is required, it logs an event instead of adjusting the clock.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

Default value: 4294967295 (seconds)
Set to: 1800 (seconds)

Choose a reasonable value, such as 1 hour (3600) or 30 minutes (1800), depending on the poll interval, network conditions and the external time source. With the default (effectively unlimited) the service follows any reply, including a spoofed one, however far it moves the clock; with a cap, a reply that would move the clock by more than the cap only shows up as an event in the log. The cap also applies to a clock that is already wrong: if this server is off by more than the cap before you apply the setting, correct the clock manually first, because afterwards the service will only log the difference rather than fix it.


7. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time
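The seven steps above, applied from an elevated PowerShell prompt on the PDC emulator and then verified. This is an added example, not code from the original post or from Microsoft; the peer names are NTP Pool Project hosts used as placeholders for your own hardware or internal source, and the regular expression that reads w32tm /stripchart output is an assumption about that tool's line format.

```powershell
# Added example (not part of the original post): apply steps 1-7 on the
# forest-root PDC emulator, then verify. Run from an elevated prompt on the PDCe.
# Assumptions: the peers below are placeholders for your own time source; the
# stripchart line format "hh:mm:ss, +0.1234567s" is what the regex expects.
#Requires -RunAsAdministrator

$Peers = '0.pool.ntp.org,0x1 1.pool.ntp.org,0x1 2.pool.ntp.org,0x1'   # assumption: your sources here
$MaxCorrectionSeconds = 1800                                           # step 6 value from the post
$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Guard: only the forest-root PDCe is marked reliable and pointed at an external
# source; every other DC or member keeps the default NT5DS hierarchy.
$pdce  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($local -ne $pdce) { throw "This host ($local) is not the forest-root PDCe ($pdce); aborting." }

# Pre-flight: measure the current offset against the first peer. Once the phase
# correction is capped, an offset larger than the cap is only logged, never
# corrected, so a badly wrong clock must be fixed by hand before step 6.
$firstPeer = ($Peers -split ' ')[0] -replace ',0x1$', ''
$chart   = w32tm /stripchart "/computer:$firstPeer" /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $chart) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (@($offsets).Count -eq 0) {
    Write-Warning "No offset samples from $firstPeer; check UDP/123 egress before continuing."
} elseif ([math]::Abs(($offsets | Measure-Object -Average).Average) -gt $MaxCorrectionSeconds) {
    throw "Clock is off by more than $MaxCorrectionSeconds s; set it manually before capping corrections."
}

# Step 1: Type = NTP -> sync from the manual peer list instead of the domain hierarchy
Set-ItemProperty -Path "$W32\Parameters" -Name Type -Value 'NTP' -Type String
# Step 2: AnnounceFlags = 5 -> 0x01 (always time server) + 0x04 (always reliable)
Set-ItemProperty -Path "$W32\Config" -Name AnnounceFlags -Value 5 -Type DWord
# Step 3: serve NTP to the rest of the domain
Set-ItemProperty -Path "$W32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
# Step 4: peer list; every entry carries ,0x1 (SpecialInterval) or step 5 is ignored for it
Set-ItemProperty -Path "$W32\Parameters" -Name NtpServer -Value $Peers -Type String
# Step 5: poll the peers every 15 minutes
Set-ItemProperty -Path "$W32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 900 -Type DWord
# Step 6: never jump the clock by more than 30 minutes either way; a spoofed or
# broken upstream reply then produces an event log entry, not a time jump
Set-ItemProperty -Path "$W32\Config" -Name MaxPosPhaseCorrection -Value $MaxCorrectionSeconds -Type DWord
Set-ItemProperty -Path "$W32\Config" -Name MaxNegPhaseCorrection -Value $MaxCorrectionSeconds -Type DWord

# Step 7: restart the service, make it re-read its configuration and resync now
Restart-Service -Name w32time
w32tm /config /update
w32tm /resync /rediscover

# Verify: the source must be one of the peers, not 'Local CMOS Clock' or another DC,
# and the configuration dump should show Type: NTP and AnnounceFlags: 5
w32tm /query /source
w32tm /query /status
w32tm /query /configuration | Select-String 'Type|AnnounceFlags|NtpServer|SpecialPollInterval|PhaseCorrection'
```

Steps 1, 2 and 4 can also be set in one go with w32tm /config /manualpeerlist:"<peers>" /syncfromflags:manual /reliable:yes /update; the registry writes are shown here so they line up with the steps. If the PDCe role is later transferred, reverse these settings on the old holder (Type back to NT5DS, AnnounceFlags back to 10) and apply them on the new one, or the domain will have two hosts claiming to be the reliable root.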

If you need to configure some or all hosts to synchronise with a specific external or internal time source, want to ensure that all hosts use the Windows domain hierarchy at all times, or need to force synchronisation across sites, you can configure and enforce Windows Time service settings through Group Policy (GPO).

Configuring an Authoritative Time Server with Group Policy Using WMI Filtering

High Accuracy W32time Requirements

How to configure an authoritative time server in Windows Server

How the Windows Time Service Works

NTP Pool Project

Preset values for the Windows Time service Group Policy settings are different from the corresponding Windows Time service registry entries in Windows Server 2003

Windows Time Service and Internet Communication

Windows Time Service Technical Reference

Windows Time Service Tools and Settings
