
Configuring an authoritative time source for your Windows domain

7 Mar 2013 Update: If you read this article, you’ll note that there is no mention of Group Policy.  Some of you have asked why that is (especially since I’m such a big fan of management via GPOs).  It’s because the time policies are only useful if you’re doing some type of non-standard configuration.  The only real configuration you need for a ‘typical’ time sync setup is for the DC with the PDC emulator role.  As such, there really is no reason to set Group Policy (well, you could for the PDC DC, but I think it’s kinda ridiculous to set up a complex GP for only one machine).  Besides, performing the settings in the registry ensures that the settings will persist, even if GPs fail to apply for some reason.  – Ed.

This is an article that I’ve been meaning to write for some time now, but always forgot. Well, this morning, we had a problem with one of our time servers which reminded me about this topic. I will show you how to properly configure time services for your Windows domain. While all of this information is already out on the Internet, it is located in many disparate sources; so this is my effort to give you a one-stop shop by providing comments where I thought the Microsoft article was lacking…

First, I have to go over a few caveats:

  • A typical domain uses the Windows Time Service (w32tm) to manage time synchronization within the domain. This service works fine for Kerberos (which is the primary reason we like to keep clients in sync). It is interesting to note that Windows doesn’t really care if the time on the domain is CORRECT, just IN SYNC (within a very generous tolerance). Although a properly configured time service will be very accurate, the precision of the time on clients can vary. So, you don’t want to use this method to sync the clock on stock trading workstations, for example. They need something more sophisticated, like dedicated NTP clients that sync to the time server directly.
  • Second, I am assuming that you want to sync to an external source (i.e. an Internet NTP server or your own hardware time server) so that your time reflects real-world time.

Step 1 – Configure your domain’s authoritative time server. For a domain, this will be the Domain Controller that holds the PDC emulator role. To find out which DC has this role, run netdom query fsmo at the command prompt.

The DC listed next to ‘PDC’ is the one we’re interested in. We will now configure this DC as an NTP CLIENT. (Comment: There is some confusion about the meanings of NTP server versus client. In this case, you are configuring your Domain Controller (which happens to be a server) to use NTP as a client (we are consuming this service from an NTP SERVER). So, try not to get the terms mixed up! Just follow my directions, and you’ll be fine.) Reference: Microsoft KB 816042:

  1. Change the server type to NTP. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    3. In the right pane, right-click Type, and then click Modify.
    4. In Edit Value, type NTP in the Value data box, and then click OK.
  2. Set AnnounceFlags to 0xA (EDIT: There is some confusion about this setting. Technet tells you to set this to 0x5; I recommend this be set to 0xA instead, see below). To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
    2. In the right pane, right-click AnnounceFlags, and then click Modify.
    3. In Edit DWORD Value, type A in the Value data box, and then click OK.
      Notes
      – If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of to 0x5.
      – If an authoritative time server is configured to use an AnnounceFlag value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5. (Comment: AnnounceFlag settings are described in http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx#w2k3tr_times_tools_uhlp. Multiple flags are set by adding the hex values together. Based on the configuration example, I recommend setting this to 0xA. This is because you want to ensure that your domain always stays in sync, even if the NTP source(s) go offline. By using 0xA, which is a combination of 0x08 and 0x02, you ensure that even if NTP is unavailable, the server still self-elects as the authoritative time source for the forest and will keep the domain in sync with itself.)
  3. Enable NTPServer. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    2. In the right pane, right-click Enabled, and then click Modify.
    3. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
  4. Specify the time sources. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the right pane, right-click NtpServer, and then click Modify.
    3. In Edit Value, type Peers in the Value data box, and then click OK. (Comment: This is where you enter the names of the time servers you will sync with. The best option is to have your own NTP server. Understanding that many don’t have the need (or money) to do this, connecting to an Internet NTP server is your alternative. Whatever you do, DO NOT use time.windows.com. Think about it: Windows dominates the PC market, and all of these clients are configured, by default, to get their time from this site. Pick some other time servers (at least two): http://support.microsoft.com/default.aspx?scid=kb;EN-US;262680.)
      Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect (Comment: Technet tells you to set the value to 0x1. But it’s more complicated than that. The value of the flag is dependent on how you want the server to be used. See the NtpServer registry value settings in http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx#w2k3tr_times_tools_uhlp. My recommendation is to set TWO servers, with your primary as 0x9 and your secondary as 0xA. A good article that describes setting up alternate time sources is located at: http://blogs.technet.com/b/askds/archive/2007/11/01/configuring-your-pdce-with-alternate-time-sources.aspx).
  5. Select the poll interval. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
    2. In the right pane, right-click SpecialPollInterval, and then click Modify.
    3. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
      Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes (Comment: If you’re using someone else’s NTP server, you might want to set this to >= 14400. Many public NTP servers will blacklist you if you try to sync too frequently, and word on the street is that the magic number is 4 hours between syncs…).
  6. Configure the time correction settings. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
    2. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
    3. In Edit DWORD Value, click to select Decimal in the Base box.
    4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
      Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source (Comment: What they’re trying to tell you is that the better the connection, the smaller you can set this value. If the difference between your local time and the NTP server’s time exceeds this value, the time will not be set automatically, but you will get an error in the event log. You will then need to manually set the time so that it is close to the time on the NTP server. The default is 54000 (15 hours).)
    5. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
    6. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
    7. In Edit DWORD Value, click to select Decimal in the Base box.
    8. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
      Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source (Comment: This is the same as the prior setting, except going into the past).
  7. Quit Registry Editor.
  8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
    net stop w32time && net start w32time
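The eight steps above, applied with PowerShell instead of regedit, as an added example (my script, not the post’s or Microsoft’s). It assumes an elevated session on the PDC emulator, uses the placeholder peer names ntp1.example.com and ntp2.example.com (substitute your own two servers), and writes to the TimeProviders subkeys, which is where the NtpServer and NtpClient provider values actually live under W32Time. The poll interval and phase-correction values are the ones the post recommends for a public upstream server; the readback function at the end reports any value that did not land as intended, which is the check I would run before trusting the DC as the forest’s time source.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: configures the PDC emulator as an
# NTP client of two upstream peers and as the domain's NTP server, then verifies it.

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Placeholder upstream peers. Flag 0x9 = Client (0x8) + SpecialInterval (0x1) for the primary;
# 0xA = Client (0x8) + UseAsFallbackOnly (0x2) for the secondary, as the post recommends.
$Peers = 'ntp1.example.com,0x9 ntp2.example.com,0xA'

# Seconds between polls: 900 for your own NTP appliance, >= 14400 for a public server.
$PollSeconds = 14400

# Largest correction (seconds) w32time will apply on its own, forward and backward.
$MaxPhaseSeconds = 3600

# Step 1: take time from the peers listed in NtpServer (REG_SZ value 'NTP').
Set-ItemProperty -Path "$W32Time\Parameters" -Name Type -Value 'NTP' -Type String

# Step 2: AnnounceFlags 0xA rather than the Technet default of 0x5.
Set-ItemProperty -Path "$W32Time\Config" -Name AnnounceFlags -Value 0xA -Type DWord

# Step 3: enable the NtpServer provider so other DCs and members can sync from this DC.
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

# Step 4: the space-delimited peer list, each with its ,0xN flag.
Set-ItemProperty -Path "$W32Time\Parameters" -Name NtpServer -Value $Peers -Type String

# Step 5: poll interval used by peers flagged with 0x1.
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpClient" -Name SpecialPollInterval -Value $PollSeconds -Type DWord

# Step 6: bound the automatic correction in both directions.
Set-ItemProperty -Path "$W32Time\Config" -Name MaxPosPhaseCorrection -Value $MaxPhaseSeconds -Type DWord
Set-ItemProperty -Path "$W32Time\Config" -Name MaxNegPhaseCorrection -Value $MaxPhaseSeconds -Type DWord

# Step 8: restart the service so it rereads the registry, then ask for a sync.
Restart-Service -Name w32time -Force
w32tm /resync /nowait

function Test-PdcTimeConfig {
    # Reads every value back and warns about any that differs from what was requested.
    $expected = @(
        @{ Key = "$W32Time\Parameters";              Name = 'Type';                  Value = 'NTP' }
        @{ Key = "$W32Time\Parameters";              Name = 'NtpServer';             Value = $Peers }
        @{ Key = "$W32Time\Config";                  Name = 'AnnounceFlags';         Value = 0xA }
        @{ Key = "$W32Time\Config";                  Name = 'MaxPosPhaseCorrection'; Value = $MaxPhaseSeconds }
        @{ Key = "$W32Time\Config";                  Name = 'MaxNegPhaseCorrection'; Value = $MaxPhaseSeconds }
        @{ Key = "$W32Time\TimeProviders\NtpServer"; Name = 'Enabled';               Value = 1 }
        @{ Key = "$W32Time\TimeProviders\NtpClient"; Name = 'SpecialPollInterval';   Value = $PollSeconds }
    )
    $ok = $true
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name).($e.Name)
        if ("$actual" -ne "$($e.Value)") {
            Write-Warning "$($e.Key)\$($e.Name) is '$actual', expected '$($e.Value)'"
            $ok = $false
        }
    }
    return $ok
}

Test-PdcTimeConfig

# Source should now be one of the peers, not 'Local CMOS Clock'; stratum and
# last-sync time come from /status, the flags you set come from /configuration.
w32tm /query /source
w32tm /query /status
w32tm /query /configuration
```

Give the service a few minutes after the restart before reading `w32tm /query /status`; until the first successful exchange with a peer it will still report the local clock as its source, which is expected rather than a misconfiguration.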

Step 2 – Configure your domain clients to use domain time. To do this, join your computers to the domain. That’s right, you don’t do any configuration on your clients; they will, by default, connect to the PDC DC to get their time synchronized. I know it’s funny that I list this as a step, but surprisingly, a lot of people get hung up on this. Remember, only the PDC DC is an NTP client. Everyone else uses windows time…
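Since the whole point of Step 2 is that members need no configuration, the useful thing to do on a member is to confirm that the defaults are still in effect. The following added PowerShell check (mine, not from the post) assumes a domain-joined machine other than the PDC emulator: a healthy member has Type set to NT5DS (domain hierarchy) and reports a named DC as its source rather than its own clock. On the PDC emulator itself Type is NTP, so the function will report it as unhealthy by design.

```powershell
# Added example, not part of the original post: verifies that a domain member is
# taking time from the domain hierarchy rather than from its own clock.

function Test-DomainTimeSync {
    # NT5DS means "sync from the domain hierarchy", which is the default after domain join.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $source = (w32tm /query /source | Out-String).Trim()

    # Either of these as the source means the machine has fallen back to itself.
    $selfSources = @('Local CMOS Clock', 'Free-running System Clock')

    [pscustomobject]@{
        Type    = $params.Type
        Source  = $source
        Healthy = ($params.Type -eq 'NT5DS') -and ($selfSources -notcontains $source)
    }
}

$result = Test-DomainTimeSync
$result

if (-not $result.Healthy) {
    # Put the member back on the domain hierarchy and make it find a DC again.
    w32tm /config /syncfromflags:domhier /update
    w32tm /resync /rediscover
}

# From any DC: list every DC's offset relative to the PDC emulator in one pass,
# which is the quickest way to spot a DC that has drifted or lost its source.
w32tm /monitor
```

Run this on a handful of members after changing the PDC emulator; a member whose Type reads NTP was configured by hand at some point and will keep ignoring the domain hierarchy until it is reset.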
