Windows 2000 Utilities: Taming the Time Service
One of the things I found irksome about previous versions of Windows was that I could never get the time right unless I used a third party product. Although Windows NT 4.0 did have a time service included in its Resource Kit, it had to be installed on all the machines in the network. This made it an administrative burden. Who wants to go to all 650 machines, and install and configure the time service? A scripted solution might have worked, but there always seemed to be something better to do at the "time".One of the things I found irksome about previous versions of Windows was that I could never get the time right unless I used a third party product. Although Windows NT 4.0 did have a time service included in its Resource Kit, it had to be installed on all the machines in the network. This made it an administrative burden. Who wants to go to all 650 machines, and install and configure the time service? A scripted solution might have worked, but there always seemed to be something better to do at the 'time'.
Windows 2000 solves some of these issues with the Windows 2000 Time Service. Since time synchronization is vitally important for the Kerberos security protocol to work correctly, all machines in a Windows 2000 forest need to agree on the correct time. The old approach of setting the time correctly when the machine was installed, and hoping it would stay set correct, does not work. Time always slips away from those machines.
The Win2k Time Service is managed by the W32Time.dll library. You'll actually manage the time service using the net time command. The goal of the time service is to make sure that all machines on the network are no more than 2 seconds apart on their machine clocks. Depending on how disparate the machine clocks are, the time may be changed immediately, or the machine will slow its clock over 20 minutes to match the time server's time.
One of the really cool things here is that you can configure the time service on a single computer in the forest, and all Windows 2000 computers in the forest will be able to get the right time!
The Time Hierarchy
Here's how it works:
1. All Windows 2000 Professional and Member Servers will make the domain controller that authenticated them their official time server
2. All Domain Controllers in the domain will make the PDC Emulator for the domain their time server
3. All PDC Emulators in a forest will query the domain controller one level up from it in the forest for the time.
4. The top level PDC emulators in each tree of the forest will query the Forest Root domain for the time.
Moreover, all this happens automatically, except on the Forest Root machines. At the forest root machine, you must configure the Time Service to query a reliable time server outside of the domain. The US Navy Observatory has a few atomic clocks you can tap into to help you accomplish accurate time keeping for your organization.
The syntax for the command is simple:
net time /setsntp:<serverlist>
After successfully completing the command, the machine will reply the command was successful. You only need to do this on the time server itself; the Foot Root PDC Emulator.
Tweaking the Time Server
The time server syncs its clock once a day with the atomic clock, by default. You can change the frequency of time synchronization by editing the registry:
- Period : REG_DWORD or REG_SZ
Used to control how often the time service synchronizes. If a string value is
specified, it must be one of special ones listed below.
0 = once a day
65535, "BiDaily" = once every 2 days
65534, "Tridaily" = once every 3 days
65533, "Weekly" = once every week (7 days)
65532, "SpecialSkew" = once every 45 minutes until 3 good synchronizations
occur, then once every 8 hours (3 per day) [default]
65531, "DailySpecialSkew" = once every 45 minutes until 1 good synchronization
occurs, then once every day
<freq> = <freq> times per day
If you don't want your machines to synchronize with a machine at a different site, the registry parameters are:
- AvoidTimeSyncOnWan : REG_DWORD (optional)
Prevents the computer from synchronizing with a computer that is in another
0 = the site of the time source is ignored [default]
1 = the computer does not synchronize with a time source that is in a
Special Thanks To
For finding an error in the syntax included in the first version of this article. Also, he provided the cool link to time servers, which you'll find below
For More Information
For more information on the Windows 2000 Time Server, check out PSS Article ID Q216734.
For more information on the registry changes you can use to customize the time server, check out PPS Article ID Q223184
For more information on how to synchronize the time on a Windows 2000 computer in a Windows NT 4.0 domain, check out PSS Article ID Q258059
For more information on time servers that you can use to synchronize with, check out http://tycho.usno.navy.mil/ntp.html