Jun 27 2010
Time configuration in a Windows Domain
In a domain, one of the most important settings is the time. It has to be as close as possible on all domain machines, which is achieved by setting up the hierarchy through which the domain time is distributed.
One important thing to know is that the Windows Time Service is NOT built to be a high accuracy NTP solution going down to 1-2 seconds. See High Accuracy W32time Requirements for details. If you need highly accurate time, you have to use a “Stratum One” device, which is capable of this. The support boundaries are listed here.
Also important to know is that Domain Controllers use UTC (Coordinated Universal Time) with NTP, as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will not see the UTC time itself, because the time zone information stored in the computer’s registry is added to the system time just before it is displayed to the user.
One Domain Controller, the DC holding the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master in the domain. By default it uses its own BIOS clock, but it should be configured to use another time source, such as an NTP hardware device, routers, layer 3 switches or external time servers that are able to act as a time provider.
All other Domain Controllers synchronize with this machine, and all domain member servers and domain workstations synchronize with an available DC. Therefore UDP port 123 (NTP) has to be open on all machines. In a domain, time synchronization takes place when the Windows Time Service starts during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.
The correct time is needed by Kerberos V5 authentication to prevent “replay attacks”: Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the Domain Controller need to be in sync as closely as possible. The default maximum time tolerance is 5 minutes; it is defined with a Group Policy setting and should not be changed.
If you really need to change the default tolerance, use the following GPO setting:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\“Maximum tolerance for computer clock synchronization”
So far for the basics about the domain time.
Let’s go on with some configurations on Windows Server 2003 or a higher OS:
– to configure the Domain Controller with the PDC Emulator FSMO to another time source, run:
w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update
Set PEERS to the time source as listed above, either by its IP address or DNS name. If more than one is needed, separate them with a space and don’t forget the quotes: “time.domain.com time1.domain.com”
Internet time servers can be found here: http://www.pool.ntp.org/
——————————————————————–
– to configure a domain computer for automatic domain time synchronization, run:
w32tm /config /syncfromflags:domhier /update
After that you have to run:
net stop w32time
net start w32time
——————————————————————–
– to reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run:
w32tm /config /syncfromflags:domhier /reliable:no /update
After that you have to run:
net stop w32time
net start w32time
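The three w32tm procedures above, as one role-aware script (added example, not code from the original post): it looks up the PDC Emulator through .NET, applies the matching w32tm /config line for PDC Emulator, other DC or member machine, restarts the service and forces a resync. It assumes an elevated prompt on Windows Server 2008 or later (w32tm /resync and /query exist there); the peer names are constructed placeholders.

```powershell
# Added example, not part of the original post.
# Assumes: elevated prompt, domain-joined machine, Server 2008 or later.
param(
    # Constructed placeholder peers; replace with your real NTP sources.
    [string[]]$Peers = @('time.domain.com', 'time1.domain.com')
)

# Find the current PDC Emulator without needing the AD PowerShell module.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc      = $domain.PdcRoleOwner.Name
$thisHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isDC     = $domain.DomainControllers | Where-Object { $_.Name -ieq $thisHost }

if ($thisHost -ieq $pdc) {
    # Time master: sync from the external sources and advertise as reliable.
    $peerList = $Peers -join ' '
    & w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
} elseif ($isDC) {
    # Any other DC, including a former PDC Emulator after a role transfer/seize:
    # follow the domain hierarchy and stop advertising as reliable.
    & w32tm /config /syncfromflags:domhier /reliable:no /update
} else {
    # Member server or workstation: follow the domain hierarchy.
    & w32tm /config /syncfromflags:domhier /update
}

# Equivalent of "net stop w32time" / "net start w32time", then force a sync
# and show which source the service actually picked.
Restart-Service w32time
& w32tm /resync /nowait
& w32tm /query /status
```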
——————————————————————–
If you have to reconfigure a Windows 2000 Server Domain Controller after transferring/seizing the PDC Emulator role to another Domain Controller, the steps are different:
– you have to modify the “Type” value to “Nt5Ds” (without the quotes) under this registry key:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
——————————————————————–
If you have problems with the time service configuration because too many changes were done in the registry, or you would like to start fresh on a computer, you can reset the time service to its default state the following way. Make sure to use an elevated command prompt so that you have full administrative permissions. Then type in the following commands:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
——————————————————————–
To prevent large time jumps on DCs of more than 48 hours into the past or the future, caused by hardware errors or a broken CMOS battery, you should implement some registry changes on Windows Server 2003 and Windows Server 2008 DCs. The MaxPosPhaseCorrection and MaxNegPhaseCorrection values are what matter here. On newer OS versions this is already implemented. More details about the chosen 48 hours and how to configure it correctly can be read in this article.
If you really still run Windows 2000 Server SP4 Domain Controllers (hopefully not), the following registry change should be made to avoid the time jump: MaxAllowedClockErrInSecs has to be set in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters as described in this article.
Thanks to Christoffer Anderssen for pointing me to these important values.
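The 48-hour cap on clock corrections, together with a check of the local offset against the Kerberos tolerance mentioned earlier, as an added example (not from the original post). It assumes an elevated prompt on a Windows Server 2003/2008 DC, that the two phase-correction values live under the Microsoft-documented key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config (the key is not named on the page), and that the PDC Emulator name is a constructed placeholder.

```powershell
# Added example, not part of the original post.
# Assumes: elevated prompt; key path from Microsoft's W32Time documentation.
param([string]$PdcEmulator = 'dc01.example.com')  # constructed placeholder

$cfgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$limitSec = 48 * 3600   # the 48 hours recommended in the post, in seconds

# Cap how far w32time will ever step the clock forward or backward, so a dead
# CMOS battery or firmware bug cannot drag the whole domain along with it.
Set-ItemProperty -Path $cfgKey -Name MaxPosPhaseCorrection -Type DWord -Value $limitSec
Set-ItemProperty -Path $cfgKey -Name MaxNegPhaseCorrection -Type DWord -Value $limitSec
Restart-Service w32time

# Defender's check: sample the offset to the PDC Emulator and flag anything
# outside the default Kerberos tolerance of 5 minutes.
$toleranceSec = 300
$samples = & w32tm /stripchart /computer:$PdcEmulator /samples:3 /dataonly
# Each sample line ends with the signed offset, e.g. "14:06:05, +00.0011650s";
# the regex assumes a '.' decimal separator.
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
}

if (-not $offsets) {
    Write-Warning "No samples from $PdcEmulator (UDP 123 blocked or host down?)"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
              Measure-Object -Maximum).Maximum
    if ($worst -gt $toleranceSec) {
        Write-Warning ("Offset {0:N3}s exceeds Kerberos tolerance of {1}s" -f $worst, $toleranceSec)
    } else {
        Write-Output ("Worst offset from {0}: {1:N3}s (within tolerance)" -f $PdcEmulator, $worst)
    }
}
```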
——————————————————————–
For other, more detailed configuration settings you have to use the registry, which Microsoft does not recommend without a special need; you should always test it before applying. See “Windows Time Service Registry Entries” in this article.
In case of any time problems you can configure debug logging for the Windows Time Service according to How to turn on debug logging in the Windows Time Service. Don’t forget to turn it off after use, to avoid unnecessary logging and processor work.
Related articles:
Windows Time Service Technical Reference includes OS version up to Windows Server 2008 R2 and Windows 7
Configuring the Time Service: NtpServer and SpecialPollInterval from the Official Windows Time Service blog
How to configure an authoritative time server in Windows Server (this article contains two Microsoft FIX ITs, to make configuration easy for you)
This was an excellent explanation of how to configure and re-configure time settings for a domain. Thank you!
Nice…. i was searching for this for a long time. thank you for your help!
Thank you for this terrific article. Contained all of the info I needed and more.
Great buddy…..That really helped me a lot…Thanx a lot……
thanks!! you are the “best”..
Very useful. Thanks!
This was a GREAT tutorial!
You’re a Zimmerman to any Trayvon!!
Can anyone tell me how to configure a DC to use the MD5 keys to send time to network devices?
Some more great info.
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
If you use Hyper-V set the physical host as reliable or disable the Hyper-V Time Synchronisation Service on the virtual servers.
Great explanation, I had never thought about moving the Time Source role to the new DC. thanks...