Configuring a Domain Controller to Use an External Time Source







Problem

You want to set the reliable time source for a domain controller.

Solution

Using a command-line interface

Run the following commands from the command line on the domain controller that is serving as the PDC Emulator in your forest root domain:

	> w32tm /config /syncfromflags:manual /manualpeerlist:<PeerList>
	> w32tm /config /update

To then configure time synchronization for the other DCs in your environment, run the following command:

	> w32tm /resync

Using the Registry

To configure your Windows Server 2003 PDC Emulator to sync to an external time provider, set the following Registry keys:

	[HKLM\System\CurrentControlSet\Services\W32Time\Parameters\]
	Type: REG_SZ  "NTP"

	[HKLM\System\CurrentControlSet\Services\W32Time\Config\]
	AnnounceFlags: REG_DWORD  5

	[HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\]
	NTPServer: REG_DWORD  1

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\]
	NTPServer: REG_SZ  <Peer1>,0x1,<Peer2>,0x1,<Peer3>,0x1

<Peers> in this case refers to a comma-separated list of FQDNs of external time servers. Each DNS name must be followed by ",0x1" for the rest of these settings to take effect.


	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\]
	SpecialPollInterval: REG_DWORD  <TimeBetweenPollsInSeconds>

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\]
	MaxPosPhaseCorrection: REG_DWORD  <MaximumForwardOffsetInSeconds>

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\]
	MaxNegPhaseCorrection: REG_DWORD  <MaximumBackwardOffsetInSeconds>

Once you have made these changes to the Registry, stop and restart the W32time service by issuing the following commands:

	> net stop w32time
	> net start w32time

Using VBScript

	' This code configures a reliable time source on a domain controller
	' ------ SCRIPT CONFIGURATION ------
	strPDC = "<DomainControllerName>"      ' e.g. dc01.rallencorp.com
	strTimeServer = "<TimeServerNameOrIP>" ' e.g. ntp01.rallencorp.com
	' ------ END CONFIGURATION --------

	strTimeServerReg = "SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
	const HKLM = &H80000002
	set objReg = GetObject("winmgmts:\\" & strPDC & "\root\default:StdRegProv")
	objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
	WScript.Echo "Current Value: " & strCurrentServer
	objReg.SetStringValue HKLM, strTimeServerReg, "ntpserver", strTimeServer
	objReg.SetStringValue HKLM, strTimeServerReg, "type", "NTP"
	strCurrentServer = ""
	objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
	WScript.Echo "New Value: " & strCurrentServer

	' Restart Time Service
	set objService = GetObject("winmgmts://" & strPDC & _
	                           "/root/cimv2:Win32_Service='W32Time'")
	WScript.Echo "Stopping " & objService.Name
	objService.StopService()

	Wscript.Sleep 2000 ' Sleep for 2 seconds to give service time to stop

	WScript.Echo "Starting " & objService.Name
	objService.StartService()

Discussion

You need to set a reliable time source only on the PDC Emulator FSMO role holder of the forest root domain. All other domain controllers sync their time either from that server or from a PDC (or designated time server) within their own domain. The list of external time servers is stored in the registry under the W32Time service key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ntpserver.

If you want a domain controller such as the PDC to use an external time source, you have to set the ntpserver registry value along with the type value. The default value for type on a domain controller is Nt5DS, which means that the domain controller will use the Active Directory domain hierarchy to find a time source. You can override this behavior and have a domain controller contact a non-DC time source by setting type to NTP. In the CLI example, the /setsntp switch automatically sets the type value to NTP. In the VBScript solution, we had to set it in the code.

After setting the time server, the W32Time service should be restarted for the change to take effect. You can check that the server was set properly by running the following command:

	> net time /querysntp

Since the PDC Emulator is the time source for the other domain controllers, you should also make sure that it is advertising the time service, which you can do with the following command:

	> nltest /server:<DomainControllerName> /dsgetdc:<DomainDNSName> /TIMESERV

To configure the PDC Emulator to use its own internal clock as a time source instead of relying on an external clock, modify the HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags DWORD value to contain a value of A.
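
The registry values discussed above can also be checked with a script. The following PowerShell function is an added example, not part of the original recipe; the name Test-W32TimeConfig and the example.com peers are made up for illustration, and it checks only the Type, NtpServer and AnnounceFlags values.

```powershell
# Added example: compare W32Time values with the settings this recipe applies.
function Test-W32TimeConfig {
    param(
        [string] $Type,          # ...\W32Time\Parameters\Type
        [string] $NtpServer,     # ...\W32Time\Parameters\NtpServer
        [int]    $AnnounceFlags  # ...\W32Time\Config\AnnounceFlags
    )
    $findings = @()
    if ($Type -ne 'NTP') {
        $findings += "Type is '$Type'; the recipe sets it to NTP"
    }
    if ($AnnounceFlags -ne 5) {
        $findings += "AnnounceFlags is $AnnounceFlags; the recipe sets it to 5"
    }
    # Accept commas (as the recipe writes the list) or whitespace between entries.
    $tokens = @($NtpServer -split '[,\s]+' | Where-Object { $_ })
    if ($tokens.Count -eq 0) { $findings += 'NtpServer is empty' }
    $hex = '^0x[0-9a-fA-F]+$'
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -match $hex) { continue }   # a flag, checked with its peer
        $flag = if ($i + 1 -lt $tokens.Count) { $tokens[$i + 1] } else { '' }
        # The recipe requires ",0x1" after each peer. Assumption: any flag value
        # with the 0x1 bit set is accepted as well.
        if ($flag -notmatch $hex -or -not ([Convert]::ToInt32($flag, 16) -band 1)) {
            $findings += "Peer '$($tokens[$i])' is not followed by a flag with 0x1 set"
        }
    }
    $findings
}

# Constructed sample values, not taken from a real server: Type left at the
# domain-controller default, AnnounceFlags at 0xA (internal clock), and the
# second peer missing its flag.
$sample = @{
    Type          = 'Nt5DS'
    NtpServer     = 'ntp1.example.com,0x1,ntp2.example.com'
    AnnounceFlags = 10
}
Test-W32TimeConfig @sample

# On the PDC Emulator, pass the live values instead:
# $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# $p = Get-ItemProperty "$base\Parameters"
# $c = Get-ItemProperty "$base\Config"
# Test-W32TimeConfig -Type $p.Type -NtpServer $p.NtpServer -AnnounceFlags $c.AnnounceFlags
```

An empty result means the three values match what the recipe sets.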


See Also

MS KB 216734 (How to Configure an Authoritative Time Server in Windows 2000), MS KB 223184 (Registry Entries for the W32Time Service), MS KB 224799 (Basic Operation of the Windows Time Service), MS KB 816042 (How to Configure An Authoritative Time Server In Windows Server 2003), MSDN: StdRegProv, and MSDN: Win32_Service


