
How To Set Up An Authoritative Time Server In A Windows 2003 Server based Active Directory Network

The Windows Time service (W32Time) is designed to allow all Windows 2000 or
later machines in an organisation to share a synchronised time. The service exists
to support the Windows Kerberos authentication protocol: Kerberos rejects
authenticators and tickets whose timestamps fall outside the permitted clock skew
(five minutes by default), so unsynchronised clocks cause authentication failures.
This article describes the procedure to set up an Authoritative Time Server for a
Windows 2003 Server based Active Directory Network. It also describes the
hierarchical relationship of the time synchronisation authority. The article also
presents some time synchronisation hints, tips and troubleshooting.

The 'Windows Time' Hierarchy.

The Windows Time Service uses a hierarchical synchronisation structure. By default,
Windows computers utilise the following hierarchy:

- All time client workstations nominate their domain controller as their time
synchronisation source.

- All member servers also nominate their domain controller as their time
synchronisation source.

- All domain controllers in a domain nominate the domain controller holding the
PDC emulator role as their time synchronisation source.

- The PDC emulator of each child domain nominates a domain controller in its
parent domain as its time synchronisation source, so synchronisation follows the
domain hierarchy up to the forest root.

At the top of the hierarchy, the PDC emulator in the forest root domain is the
primary time reference for the organisation. The PDC emulator in the forest root
domain can obtain its reference time in a number of ways:

- By utilising its own internal system clock. However, unsynchronised system clocks
will drift significantly over time.

- By synchronising to an Internet based NTP time server. An accurate time can be
obtained from an Internet NTP server, however, this raises security issues since
accuracy cannot be guaranteed. Also, the NTP port (UDP 123) in the firewall must be
left open for synchronisation. Additionally, public Internet NTP servers do not
offer authentication, so the replies are plain unauthenticated UDP packets and the
source of time cannot be guaranteed.

- By synchronising with a local intranet based NTP time server. A local NTP server
has the advantage of providing a traceable time reference and also secure
authentication.

- By utilising a hardware reference clock such as a GPS or time and frequency radio
based time transmission. A GPS or radio based hardware reference clock provides a
secure traceable time reference.

Windows Time Service Configuration.

Configuration of the Windows Time Service is carried out by editing registry entries.
It is highly recommended that the registry be backed up before conducting any
modifications. This allows the registry to be restored in the event of erroneous
modification.

To configure the PDC emulator to utilise its internal system clock requires only that
the W32Time registry entry
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags'
is set to the hexadecimal value 'A' (0xA). This makes the PDC announce itself as a
reliable time source. However, the system clock can drift over time and is not
referenced to an accurate time source. Additionally, Windows Time will periodically
write a warning to the System event log indicating that the PDC should be configured
to synchronise to an external time source. In this configuration the warning can be
ignored.

To configure the PDC to synchronise to an external time reference, the following
registry entries must be modified:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry specifies the type of peers that the Windows Time Service will
synchronise to. The default on a domain member is 'NT5DS', which follows the domain
hierarchy described above. Change the entry on the PDC emulator to 'NTP' to
synchronise to the external NTP servers listed in the 'NtpServer' entry below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

The 'AnnounceFlags' registry entry controls how the PDC announces itself to the
domain. Set this entry to the value '5', which combines 0x1 (always announce as a
time server) and 0x4 (always announce as a reliable time source).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled

The 'Enabled' entry under the 'NtpServer' provider key turns on the NTP server
component of W32Time, so that the PDC answers time requests from domain members
and other peers. This entry should be set to the value 1. (The neighbouring
'AllowNonstandardModeCombinations' entry under the same key controls whether
non-standard mode combinations are allowed between peers; it is not the value
being enabled here.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

The 'NtpServer' registry entry contains a space-delimited list of the NTP time
servers from which the PDC obtains time (ideally stratum 1 sources such as a GPS or
radio reference clock, or a local NTP server synchronised to one). Append ',0x1' to
each entry, for example 'ntp1.example.com,0x1 ntp2.example.com,0x1'; the 0x1 flag
tells the client to poll that peer at the 'SpecialPollInterval' described below
rather than at the interval negotiated with the domain hierarchy.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

The 'SpecialPollInterval' registry entry indicates the period, in seconds, between
each poll of an NTP server. Microsoft recommends a value of 900 seconds, which
corresponds to one poll every 15 minutes.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

The 'MaxPosPhaseCorrection' field indicates the maximum positive time correction in
seconds that the time service will make. If a larger correction is required the time
service does not apply it and instead logs an event in the System event log. If this
field is set to 0xFFFFFFFF a time correction is always made regardless of size. A
suitable value is 3600 seconds (1 hour).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

The 'MaxNegPhaseCorrection' field indicates the maximum negative time correction in
seconds that the time service will make. If a larger correction is required the time
service does not apply it and instead logs an event in the System event log. If this
field is set to 0xFFFFFFFF a time correction is always made regardless of size. A
suitable value is 3600 seconds (1 hour).

Bounding both corrections is a security control as well as a sanity check: a faulty
or spoofed time source can then move the PDC clock by at most the configured amount,
and an attempt to move it further shows up in the event log instead of silently
breaking Kerberos authentication across the forest. If the PDC clock is already more
than the bound away from the reference, set it by hand before applying the limit.

After the registry entries have been correctly modified, the Windows Time service
must be stopped and restarted. At a command prompt enter 'net stop w32time && net
start w32time' to restart the service ('&&' starts the service only once it has
stopped cleanly).
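The whole procedure above, carried out with reg.exe from a command prompt on the forest root PDC emulator, as an added example that is not part of the original article. The peer names ntp1.example.com and ntp2.example.com and the backup file location are assumptions; substitute your intranet NTP servers or hardware reference clock.

```batch
@echo off
rem Added example (not from the original article): applies the registry
rem settings described above on the forest-root PDC emulator, backs the key
rem up first, then restarts W32Time, forces a resync and lists the peers.
rem Run in a command prompt with local administrator rights on the PDC.
setlocal

set W32=HKLM\SYSTEM\CurrentControlSet\Services\W32Time
set BACKUP=%TEMP%\w32time-backup.reg
rem Assumed peers; ",0x1" makes each one use SpecialPollInterval.
set PEERS=ntp1.example.com,0x1 ntp2.example.com,0x1

rem Back up the W32Time key so it can be restored with "reg import".
if exist "%BACKUP%" del "%BACKUP%"
reg export "%W32%" "%BACKUP%" || goto fail

rem Synchronise from the listed NTP peers instead of the domain hierarchy.
reg add "%W32%\Parameters" /v Type /t REG_SZ /d NTP /f || goto fail
rem Always announce as a time server (0x1) and as reliable (0x4).
reg add "%W32%\Config" /v AnnounceFlags /t REG_DWORD /d 5 /f || goto fail
rem Enable the NTP server provider so domain members can sync from this PDC.
reg add "%W32%\TimeProviders\NtpServer" /v Enabled /t REG_DWORD /d 1 /f || goto fail
rem Upstream time sources.
reg add "%W32%\Parameters" /v NtpServer /t REG_SZ /d "%PEERS%" /f || goto fail
rem Poll every 15 minutes (900 seconds) as Microsoft recommends.
reg add "%W32%\TimeProviders\NtpClient" /v SpecialPollInterval /t REG_DWORD /d 900 /f || goto fail
rem Refuse any single correction larger than one hour in either direction, so a
rem faulty or spoofed upstream source cannot jump the clock far enough to break
rem Kerberos across the forest without an event being logged.
reg add "%W32%\Config" /v MaxPosPhaseCorrection /t REG_DWORD /d 3600 /f || goto fail
reg add "%W32%\Config" /v MaxNegPhaseCorrection /t REG_DWORD /d 3600 /f || goto fail

rem Restart the service so the new values are read, then resync and show peers.
net stop w32time && net start w32time || goto fail
w32tm /resync /rediscover
w32tm /monitor
endlocal
exit /b 0

:fail
echo Configuration failed. Restore the previous settings with:
echo   reg import "%BACKUP%"
endlocal
exit /b 1
```

Only the PDC emulator is configured this way. Member servers, workstations and the other domain controllers keep the default 'NT5DS' type and continue to follow the hierarchy, so they pick up the new reference time automatically. If the PDC clock is already more than an hour away from the reference when the script runs, the one-hour bound will stop the first correction and log an event; set the clock by hand first in that case.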

Hints and Tips.

The correct operation of the Windows Time service depends heavily on the correct
functioning of network devices and infrastructure. Common problems such as TCP/IP
connectivity, DNS resolution, inaccurate NTP time references and network delay can
all cause problems with the synchronisation service. Additionally, when synchronising
to an Internet NTP server, ensure that UDP port 123 is open on the firewall. UDP port
123 is the port reserved for NTP communication packets.
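A quick check of the three failure points just listed (DNS, UDP 123 reachability and the hierarchy each machine is actually following, as described in the hierarchy section above), as an added example that is not part of the original article. The default peer name ntp1.example.com is an assumption; pass your own time source as the first argument.

```batch
@echo off
rem Added example (not from the original article): troubleshooting checks that
rem can be run from any domain member or domain controller.
rem Usage: checktime.cmd [ntp-server-name]
setlocal
set PEER=%~1
if "%PEER%"=="" set PEER=ntp1.example.com

rem 1. Which source is this machine configured to use? NT5DS means the domain
rem    hierarchy; NTP means the manual list in NtpServer.
echo === Configured type and peers ===
w32tm /dumpreg /subkey:Parameters | findstr /i "Type NtpServer"

rem 2. DNS: the peer name must resolve. "Non-existent domain" here means the
rem    time service will never get as far as sending an NTP packet.
echo === DNS lookup of %PEER% ===
nslookup %PEER%

rem 3. UDP 123 reachability and offset: stripchart sends real NTP requests and
rem    prints this machine's offset against the peer for each sample. A timeout
rem    (error 0x800705B4) usually means UDP 123 is blocked by a firewall in the
rem    path; a large but steady offset points at an inaccurate reference.
echo === NTP samples from %PEER% ===
w32tm /stripchart /computer:%PEER% /samples:5 /dataonly

rem 4. Hierarchy: list every domain controller, the offset of each from the
rem    local clock and from the PDC emulator, and the source it reports.
echo === Domain controller offsets ===
w32tm /monitor
endlocal
```

If the configured type is NTP on a machine that is not the PDC emulator, that machine has been taken out of the hierarchy, usually by a stale setting copied from an old image; resetting 'Type' to NT5DS and restarting W32Time returns it to following its domain controller.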

Posted: 1/23/2011