Pages

12/04/2002

How to Configure an Authoritative Time Server in Windows 2000


Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 or later in an organization use a common time. The Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

Windows-based computers use the following hierarchy by default:
All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process as client desktop computers.
Domain controllers may nominate the primary domain controller (PDC) operations master as their in-bound time partner but may use a parent domain controller based on stratum numbering.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
Following this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization, and you should configure the PDC operations master to gather the time from an external source. This is logged in the System event log on the computer as event ID 62. Administrators can configure the Time service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command, where server_list is the server list:

net time /setsntp:server_list

There are several SNTP time servers run by the U.S. Naval Observatory that are satisfactory for this function, for example:
ntp2.usno.navy.mil at 192.5.41.209
tock.usno.navy.mil at 192.5.41.41
After you set the SNTP time server as authoritative, run the following command on a computer other than the domain controller to reset the local computer's time against the authoritative time server:

net time /set

More information about the net time command is available at a command prompt if you type the following command:

net time /?

SNTP defaults to using User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

From: Microsoft KB http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734
Time Services White Paper: http://www.microsoft.com/windows2000/docs/wintimeserv.doc
at 16:53

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)