The Windows 2000 Server operating system includes a time synchronisation service called w32time, or Windows Time. The service is installed by default and runs continuously in the service list. The Kerberos authentication protocol requires it: Kerberos rejects authenticators and tickets whose timestamps fall outside a configurable clock-skew window (five minutes by default), so every computer in a Windows 2000 environment must share a common time. This article describes how to set up and configure an Authoritative Time Server in a Windows 2000 Server environment. It also discusses the hierarchical relationship at the heart of the service and provides some configuration hints and tips.
The Windows Time Synchronisation Hierarchy.
The Windows 2000 time service utilises a hierarchical synchronisation structure:
- Desktop workstations and member servers nominate a domain controller in their own domain as their source of time;
- Domain controllers nominate the PDC emulator of their domain as their source of time, but may also synchronise with a domain controller in the parent domain;
- PDC emulators follow the hierarchy of domains upward in selecting their own time source, so that every domain's PDC emulator ultimately traces back to the forest root.
In the hierarchy the PDC emulator in the forest root domain is the primary time reference for the whole organisation. The forest root PDC emulator can take its time in a number of ways:
- By utilising its own internal hardware system clock, with no external reference.
- By synchronising to an Internet based NTP time server.
- By synchronising with a local intranet based NTP time server.
- By utilising a hardware reference clock (for example a GPS or radio receiver attached directly to the server).
Each of these methods of synchronisation described above raises a number of issues.
A PDC emulator utilising its own unsynchronised hardware system clock will drift significantly over time, and transactions cannot be referenced to a traceable source of time.
A PDC emulator synchronising to an Internet based NTP time server can obtain accurate time. However, this raises security issues, since UDP port 123 must be opened on the firewall for synchronisation. Also, public Internet NTP servers do not generally offer authenticated time, so neither the identity of the source nor the integrity of its replies can be guaranteed; anyone able to spoof or alter those replies can shift the clock of the forest root and, through the hierarchy, of the whole forest.
Many of the above issues can be solved by synchronising the PDC emulator with a local intranet based NTP time server or hardware clock. A local NTP server or hardware clock has the advantage of providing a traceable time reference and, where the server supports it, authenticated time, without exposing the domain controller to the Internet.
The Windows 2000 Time Service Configuration.
Configuration of the Windows 2000 Time Service is carried out by editing registry entries. It is highly recommended that the registry be backed up before conducting any modifications. This allows the registry to be restored in the event of erroneous modification.
To configure the PDC emulator to utilise its internal system clock requires only that the W32Time registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags is set to hexadecimal A (decimal 10). This makes the PDC emulator announce itself as a reliable time source. However, the system clock can drift over time and is not referenced to an accurate time source. Additionally, Windows Time will periodically generate system event log warnings indicating that the PDC emulator should be configured to synchronise to an external time source. This warning can be ignored, although it is a reminder that the domain's time is not traceable.
To configure the PDC emulator to synchronise to an external time reference, a number of registry values must be modified. The Windows Time service settings are stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
The Type value (REG_SZ) must be changed from its default of Nt5DS to NTP. The ReliableTimeSource and LocalNTP values (REG_DWORD) must be set to 1; the first makes the server announce itself as a reliable time source, the second makes it serve NTP to its clients. The NtpServer value (REG_SZ) must be set to a space delimited list of the NTP server peers that the computer is to synchronise to. MaxAllowedClockErrInSecs is the maximum difference, in seconds, between the local system time and a received time for that received time to be accepted as valid; replies further out are discarded, which limits how far a single bad or hostile reply can move the clock. The Period value sets how often the time service synchronises.
After the registry entries have been correctly modified, the Windows Time service must be stopped and restarted. At a command prompt enter net stop w32time && net start w32time to restart the service.
Hints and Tips.
The correct operation of the Windows Time service depends heavily on the correct functioning of network devices and infrastructure. Common problems such as TCP/IP connectivity, DNS resolution, inaccurate NTP time references and network delay can all cause problems with the synchronisation service. Additionally, when synchronising to an Internet NTP server, ensure that UDP port 123 is open on the firewall; UDP port 123 is the port reserved for NTP. Only the forest root PDC emulator needs that rule, since the rest of the hierarchy synchronises internally, and because NTP replies are unauthenticated the rule should be restricted to the addresses of the chosen NTP servers rather than opened to any host.
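The following is an added example, not code from the original article or from Microsoft: a minimal SNTP client check of the kind Windows Time performs against each NtpServer peer, showing the UDP 123 exchange, the RFC 4330 offset and delay arithmetic, and the sanity gate that MaxAllowedClockErrInSecs provides. The offline demonstration runs against a constructed server reply embedded below, so no network is needed; the query_server function performs the same exchange live. It is assumed that MaxAllowedClockErrInSecs is applied as a plain bound on the absolute offset and that its default is 43200 seconds; both are stated as assumptions in the comments.

```python
"""SNTP (RFC 4330) offset check, modelled on a Windows Time poll of an NtpServer peer.
Added example, not part of the original article. The MaxAllowedClockErrInSecs
handling is an assumption about how the service applies that value."""
import socket
import struct
import time

NTP_PORT = 123                  # UDP 123: the port the firewall must pass for NTP
NTP_UNIX_DELTA = 2208988800     # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_LEN = 48                 # a basic NTP/SNTP packet without extensions


def unix_to_ntp(t):
    """Split a Unix float time into an NTP (seconds, 32-bit fraction) timestamp."""
    secs = int(t) + NTP_UNIX_DELTA
    frac = int((t - int(t)) * 2**32)
    return secs, frac


def ntp_to_unix(secs, frac):
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1):
    """Client packet: LI=0, VN=3, Mode=3 (0x1B); the transmit timestamp carries t1."""
    secs, frac = unix_to_ntp(t1)
    return struct.pack("!B", 0x1B) + bytes(39) + struct.pack("!II", secs, frac)


def parse_reply(data, t1, t4):
    """Validate a server reply and return (offset, delay) in seconds.

    t1: client send time, t4: client receive time (both on the local clock).
    Raises ValueError for replies that must not be applied to the clock."""
    if len(data) < PACKET_LEN:
        raise ValueError("short packet")
    li_vn_mode, stratum = data[0], data[1]
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if (li_vn_mode >> 6) == 3 or stratum == 0:
        raise ValueError("server unsynchronised (LI=3 or stratum 0 kiss-o'-death)")
    orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f = struct.unpack("!6I", data[24:48])
    if (orig_s, orig_f) != unix_to_ntp(t1):
        # The reply does not echo our transmit timestamp: stale, or blindly spoofed.
        # This does not stop an on-path attacker; plain SNTP has no authentication.
        raise ValueError("originate timestamp mismatch")
    t2 = ntp_to_unix(recv_s, recv_f)   # server receive time
    t3 = ntp_to_unix(xmit_s, xmit_f)   # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def accept_sample(offset, max_allowed_clock_err_secs=43200):
    """Sanity gate modelled on MaxAllowedClockErrInSecs: a reply further from the
    local clock than the bound is discarded rather than applied. Treating the
    value as a bound on |offset|, and the 43200 s (12 h) default, are assumptions."""
    return abs(offset) <= max_allowed_clock_err_secs


def query_server(host, timeout=2.0):
    """Live SNTP exchange over UDP 123 (needs network; not used by the offline demo)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, NTP_PORT))
        data, _ = sock.recvfrom(PACKET_LEN)
        t4 = time.time()
    finally:
        sock.close()
    return parse_reply(data, t1, t4)


def constructed_reply(t1, t2, t3, stratum=2):
    """Constructed (fabricated) server reply for offline use: Mode=4, echoes t1."""
    header = struct.pack("!BBbb", 0x1C, stratum, 6, -20) + bytes(20)  # LI=0 VN=3 Mode=4
    return header + struct.pack("!6I", *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))


def demo():
    """Server clock 5 s ahead of ours, 10 ms each way, 2 ms server processing."""
    t1 = 1000000000.0
    t2 = t1 + 5.010
    t3 = t2 + 0.002
    t4 = t1 + 0.022
    offset, delay = parse_reply(constructed_reply(t1, t2, t3), t1, t4)
    return offset, delay, accept_sample(offset), accept_sample(offset, 1)


if __name__ == "__main__":
    off, dly, ok_default, ok_strict = demo()
    print(f"offset={off:+.3f}s delay={dly:.3f}s accepted(default)={ok_default} accepted(1s)={ok_strict}")
```

The originate-timestamp check is the only protection plain SNTP offers, and it only filters stale or blindly injected replies; a host that can see the request can still answer it with any time it likes, which is why the article's advice to prefer an intranet reference and to restrict the firewall rule matters.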