Friday 7 December 2012

How To Set Up An Authoritative Time Server In A Windows 2003 Server Based Active Directory Network

The Windows Time service (W32Time) is designed to let all Windows 2000 or later machines in an organisation use synchronised time. The service exists to protect the Kerberos authentication protocol, which depends on client and server clocks agreeing. This post describes the procedure for setting up an authoritative time server for a Windows 2003 Server based Active Directory network. It also describes the hierarchical relationship of time synchronisation authority, and presents some time synchronisation hints, tips and troubleshooting.



The 'Windows Time' Hierarchy

The Windows Time Service uses a hierarchical synchronisation structure. By default, Windows computers use the following hierarchy:

- All time client workstations nominate their domain controller as their time synchronisation source.
- All member servers also nominate their domain controller as their time synchronisation source.
- All domain controllers in a domain nominate the primary domain controller (PDC) as their time synchronisation source.
- All primary domain controllers follow the hierarchy of domains in the selection of their time synchronisation source.

Within the hierarchy, the PDC emulator in the forest root domain is the primary time reference for the organisation. The PDC in the forest root domain can have its internal reference clock controlled in a number of ways:

- By using its own internal system clock. However, unsynchronised system clocks will drift significantly over time.
- By synchronising to an Internet based NTP time server. Accurate time can be obtained from an Internet NTP server; however, this raises security issues, since accuracy cannot be guaranteed. Also, the NTP port in the firewall must be left open for synchronisation. Additionally, Internet based NTP servers cannot provide authentication, so the source of time cannot be guaranteed.
- By synchronising with a local intranet based NTP time server. A local NTP server has the advantage of providing a traceable time reference and also secure authentication.
- By using a hardware reference clock, for example a GPS or a time and frequency radio based time transmission. A GPS or radio based hardware reference clock provides a secure, traceable time reference.

Windows Time Service Configuration

Configuration of the Windows Time Service is carried out by editing registry entries. It is highly recommended that the registry be backed up prior to making any modifications.



This allows the registry to be restored in the event of an erroneous modification. To configure the PDC master to use its internal system clock requires only that the W32Time registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags is set to 'A'. This makes the PDC announce itself as a reliable time source. However, the system clock can drift over time and is not referenced to an accurate time source. Additionally, Windows Time will periodically generate System event log warnings indicating that the PDC should be configured to synchronise to an external time source.



This warning can be ignored. To configure the PDC to synchronise to an external time reference, the following registry entries should be modified:

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
  This registry entry specifies the category of peers that the Windows Time Service will synchronise to. Change the registry entry to 'NTP' to synchronise to an external NTP server.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
  The 'AnnounceFlags' registry entry indicates that the PDC should announce itself as a reliable time source. Set this registry entry to the value 5.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
  The 'NtpServer' provider entry indicates that non-standard mode combinations are allowed in synchronisation between peers. This entry should be set to the value 1.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
  The 'NtpServer' registry entry contains a space-delimited list of stratum 2 time servers from which the PDC can obtain time. If DNS names are used rather than IP addresses, you should append 0x1 to the end of each DNS name.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
  The 'SpecialPollInterval' registry entry indicates the period, in seconds, between each poll of an NTP server. Microsoft recommends a value of 900 seconds, which corresponds to one poll every 15 minutes.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
  The 'MaxPosPhaseCorrection' field indicates the maximum positive time correction, in seconds, that the time service can make. If a time correction larger than the maximum is required, the time service logs an event in the Event Log. If this field is set to 0xFFFFFFFF, a time correction is always made regardless of size. A suitable value is 3600 seconds (one hour).

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
  The 'MaxNegPhaseCorrection' field indicates the maximum negative time correction, in seconds, that the time service can make. If a time correction larger than the maximum is required, the time service logs an event in the Event Log. If this field is set to 0xFFFFFFFF, a time correction is always made regardless of size. A suitable value is 3600 seconds (one hour).

After the registry entries have been correctly modified, the Windows Time service should be stopped and restarted.



At a command prompt, enter 'net stop w32time' and then 'net start w32time' to restart the service. The correct operation of the Windows Time service depends heavily on the correct functioning of network devices and infrastructure. Common problems such as TCP/IP connectivity, DNS resolution, inaccurate NTP time references and network delay can all cause problems with the synchronisation service. Additionally, when synchronising to an Internet NTP server, make sure that UDP port 123 is open on the firewall. UDP port 123 is the port reserved for NTP communication packets.
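The whole procedure above, from the registry backup through the registry entries to the service restart and a connectivity check, as an added example batch script that is not part of the original post. It assumes the NtpServer provider is switched on through the Enabled value under that key, uses ntp1.example.com and ntp2.example.com as placeholders for your stratum 2 servers, and relies only on reg.exe, net and w32tm as shipped with Windows Server 2003.

```batch
@echo off
rem Added example: configure the forest-root PDC emulator to take time from
rem external NTP servers. Run from a command prompt on the PDC emulator.
setlocal
set W32=HKLM\SYSTEM\CurrentControlSet\Services\W32Time

rem 1. Back up the W32Time key first; a bad edit can be undone with "reg import".
reg export "%W32%" "%SystemDrive%\w32time-backup.reg"

rem 2. Synchronise to NTP peers instead of the domain hierarchy.
reg add "%W32%\Parameters" /v Type /t REG_SZ /d NTP /f

rem 3. Announce the PDC as a reliable time source (AnnounceFlags = 5).
reg add "%W32%\Config" /v AnnounceFlags /t REG_DWORD /d 5 /f

rem 4. Enable the NTP server provider so domain controllers can sync from this PDC.
rem    (Assumption: the switch is the Enabled value under the NtpServer key.)
reg add "%W32%\TimeProviders\NtpServer" /v Enabled /t REG_DWORD /d 1 /f

rem 5. Space-delimited upstream servers; the trailing ,0x1 flag on each DNS name
rem    tells the client to use SpecialPollInterval for that peer.
rem    ntp1/ntp2.example.com are placeholders for your own stratum 2 servers.
reg add "%W32%\Parameters" /v NtpServer /t REG_SZ /d "ntp1.example.com,0x1 ntp2.example.com,0x1" /f

rem 6. Poll upstream every 900 seconds (15 minutes).
reg add "%W32%\TimeProviders\NtpClient" /v SpecialPollInterval /t REG_DWORD /d 900 /f

rem 7. Refuse any single correction larger than 3600 s in either direction.
rem    Do not use 0xFFFFFFFF here: an unbounded step would let a bad or spoofed
rem    upstream reply shift the whole forest's time in one go.
reg add "%W32%\Config" /v MaxPosPhaseCorrection /t REG_DWORD /d 3600 /f
reg add "%W32%\Config" /v MaxNegPhaseCorrection /t REG_DWORD /d 3600 /f

rem 8. Restart the service so the new settings take effect, then force a sync.
net stop w32time
net start w32time
w32tm /resync

rem 9. Check: sample the offset from one upstream server. A timeout here usually
rem    means UDP 123 is blocked on the firewall or the name does not resolve.
w32tm /stripchart /computer:ntp1.example.com /samples:3 /dataonly
endlocal
```

If the stripchart shows offsets larger than the configured MaxPosPhaseCorrection or MaxNegPhaseCorrection, the service will log an event and refuse the step rather than jump the clock, which is the intended behaviour on a PDC.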
