Windows Time Services: A Refresher
Time services play a pivotal role in the Kerberos authentication process, so ensuring that they are set up properly is important. With the exception of a few deprecated time-related command switches, not a lot has changed with regard to time in Server 2008/ Windows 7. Having just upgraded a 2008 domain to 2008 R2 with new domain controllers I wanted to share the process of setting up time services for the domain.
By default the DC that holds the PDC Emulator role is the time keeper for the domain. Also in its default state the PDCe assumes that it is itself the stratum 1 time provider, as reflected in the registry key value \HKLM\System\CurrentControlSet\services\W32Time\Parameters: Type NT5DS. This value controls the synchronization type which specifies if time is to be received from the domain hierarchy (NT5DS) or from an external provider (NTP). The default is fine if you’re alright with the server using its own CMOS clock to provide time for the domain. In this case all you need to do is configure the Announce Flags (see KB). To force the DC to use an external time provider, on the DC that holds the PDCe role, change this value to “NTP”. Per RFC 1305 (via MS KB816042), the PDCe must not be configured to sync time with itself.
NTP.org maintains the lists for publicly accessible time servers. Pool servers, stratum 1 (primary) and stratum 2 (secondary) servers are documented here. You can configure your PDCe to point directly to several stratum 1 servers, or you could just point to the pool addresses which employs DNS round robin to ensure you always have a reliable stratum 2 time source. In this scenario I will be pointing to the US pool servers: us.pool.ntp.org.
Net Time is still alive in Server 2008 but /querysntp and /setsntp have been deprecated. Configuration must be performed via W32tm.exe. Since we now have our PDCe set to sync to an external time source, we need to configure its peer list which can be FQDNs or IPs. This is done via: w32tm /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org"
Run a quick update with w32tm /resync /rediscover then verify the configuration is working by running w32tm /query /peers /verbose
C:\Windows\system32>w32tm /query /peers /verbose
#Peers: 4
Peer: 1.us.pool.ntp.org
State: Active
Time Remaining: 37.7327154s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 8 (256s)
HostPoll Interval: 8 (256s)
Last Successful Sync Time: 9/1/2009 3:32:37 PM
LastSyncError: 0x00000000 (Succeeded)
LastSyncErrorMsgId: 0x00000000 (Succeeded)
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 0
ValidDataCounter: 8
Reachability: 255
Peer: 0.us.pool.ntp.org
State: Active
Time Remaining: 37.6859151s
Mode: 1 (Symmetric Active)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 8 (256s)
HostPoll Interval: 8 (256s)
Last Successful Sync Time: 9/1/2009 3:32:37 PM
LastSyncError: 0x00000000 (Succeeded)
LastSyncErrorMsgId: 0x00000000 (Succeeded)
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 0
ValidDataCounter: 8
Reachability: 255
Peer: 2.us.pool.ntp.org
State: Active
Time Remaining: 37.6859151s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 8 (256s)
HostPoll Interval: 8 (256s)
Last Successful Sync Time: 9/1/2009 3:32:37 PM
LastSyncError: 0x00000000 (Succeeded)
LastSyncErrorMsgId: 0x00000000 (Succeeded)
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 0
ValidDataCounter: 8
Reachability: 255
Peer: 3.us.pool.ntp.org
State: Active
Time Remaining: 37.7015152s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 8 (256s)
HostPoll Interval: 8 (256s)
Last Successful Sync Time: 9/1/2009 3:32:37 PM
LastSyncError: 0x00000000 (Succeeded)
LastSyncErrorMsgId: 0x00000000 (Succeeded)
AuthTypeMsgId: 0x0000005A (NoAuth )
Resolve Attempts: 0
ValidDataCounter: 8
Reachability: 255
The other DCs will look to the PDCe as their time source and domain clients will look to their authenticating DC. If you need to get more granular with time services there are a few GPO settings capable of some good granularity. “Computer Configuration\ Administrative Templates\ System\ Windows Time Service” contains policy items to configure polling intervals, phase corrections, or to disable the client altogether, which is useful if you need to implement a 3rd-party NTP solution in your organization. If any other domain clients or servers need to be updated immediately, simply run w32tm /resync /rediscover.
References:
How to configure an authoritative time server in Windows Server
No comments: