The Windows Time service (W32Time) is designed to allow all Windows 2000 or later machines in an organisation to utilise a synchronised time. The service is used to ensure the security of the Windows Kerberos authentication protocol. This article describes the procedure to set up an Authoritative Time Server for a Windows 2003 Server based Active Directory Network. It also describes the hierarchical relationship of the time synchronisation authority. The article also presents some time synchronisation hints, tips and troubleshooting.



The 'Windows Time' Hierarchy.

The Windows Time Service uses a hierarchical synchronisation structure. By default, Windows computers utilise the following hierarchy:

- All time client workstations nominate their domain controller as their time synchronisation source.

- All member servers also nominate their domain controller as their time synchronisation source.

- All domain controllers in a domain nominate the primary domain controller (PDC) as their time synchronisation source.

- All Primary Domain controllers follow the hierarchy of domains in the selection of their time synchronisation source.

In the hierarchy the PDC emulator in the forest root domain is the primary time reference for the organisation. The PDC in the forest root domain can have its internal reference clock controlled in a number of ways:

- By utilising it's own internal system clock. However, unsynchronised system clocks will drift significantly over time.

- By synchronising to an Internet based NTP time server. An accurate time can be obtained from an Internet NTP server, however, this raises security issues since accuracy cannot be guaranteed. Also, the NTP port in the firewall must be left open for synchronisation. Additionally, Internet based NTP servers cannot provide authentication, so the source of time cannot be guaranteed.

- By synchronising with a local intranet based NTP time server. A local NTP server has the advantage of providing a traceable time reference and also secure authentication.

- By utilising a hardware reference clock such as a GPS or time and frequency radio based time transmission. A GPS or radio based hardware reference clock provides a secure traceable time reference.

Windows Time Service Configuration.

Configuration of the Windows Time Service is carried out by editing registry entries. It is highly recommended that the registry be backed up before conducting any modifications. This allows the registry to be restored in the event of erroneous modification.

To configure the PDC master to utilise its internal system clock requires only that the W32Time registry entry 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigAnnounceFlags' is set to 'A'. This makes the PDC announce itself as a reliable time source. However, the system clock can drift over time and is not referenced to an accurate time source. Additionally, Windows Time will periodically generate system event log warnings indicating that the PDC should be configured to synchronise to an external time source. This warning can be ignored.

To configure the PDC to to synchronise to an external time reference, the following registry entries must be modified:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParametersType

This registry entry specifies the types of peers that the Windows Time Service will synchronise to. Change the registry entry to 'NTP' to synchronise to an external NTP server.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigAnnounceFlags

The 'Announce Flags' registry entry indicates that the PDC should announce itself as a reliable time source. Set this registry entry to the value '5'.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpServer

The 'NtpServer' registry indicates that non-standard mode combinations are allowed in synchronisation between peers. This entry should be set to the value 1.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParametersNtpServer

The 'NtpServer' registry entry contains a space-delimited list of stratum 1 time servers from which the PDC can obtain time. If DNS names are used rather than IP addresses, you must append 0x1 to the end of each DNS name.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpClientSpecialPollInterval

The 'Special Poll Interval' registry entry indicates the period, in seconds, between each poll of a NTP server. Microsoft recommends a value of 900 seconds which transposes to one poll every 15 minutes.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigMaxPosPhaseCorrection

The 'MaxPosPhaseCorrection' field indicates the maximum positive time correction in seconds that the time service can make. If a time correction larger than the maximum is required the time service logs an Event in the Event Log. If this field is set to 0xFFFFFFFF a time correction is always made regardless of size. A suitable value may be 3600 seconds (1 hour).

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfigMaxNegPhaseCorrection

The 'MaxNegPhaseCorrection' field indicates the maximum negative time correction in seconds that the time service can make. If a time correction larger than the maximum is required the time service logs an Event in the Event Log. If this field is set to 0xFFFFFFFF a time correction is always made regardless of size. A suitable value may be 3600 seconds (1 hour).

After the registry entries have been correctly modified, the Windows Time service must be stopped and restarted. At a command prompt enter 'net stop w32time && net start w32time' to restart the service.

Hints and Tips.

The correct operation of the Windows Time service depends heavily on the correct functioning of network devices and infrastructure. Common problems such as TCP/IP connectivity, DNS resolution, inaccurate NTP time references and network delay can all cause problems with the synchronisation service. Additionally, when synchronising to an Internet NTP server, ensure that USP port 123 is open on the firewall. UDP port 123 is the port reserved for NTP communication packets.