Time Source Peer

Applies To: Windows Server 2008

A time source peer is a server from which time samples are acquired. Which server that is depends on whether the computer is joined to a domain in Active Directory Domain Services (AD DS), in which case the peers come from the domain hierarchy, or to a workgroup, in which case the peers are configured manually.

Aspects

The following is a list of all aspects that are part of this managed entity:


Domain Hierarchy Time Source Acquisition

An Active Directory forest has a predetermined time synchronization hierarchy. The Windows Time service (W32time) synchronizes time between computers within the hierarchy, with the most accurate reference clocks at the top (the PDC emulator of the forest root domain, or a domain controller that has been configured as a reliable time source). If more than one time source is configured on a computer, the Windows Time service uses Network Time Protocol (NTP) algorithms to select the best time source from the configured sources, based on the computer's ability to synchronize with that time source. Currently, the Windows Time service is synchronizing time with a time source peer from the domain hierarchy.

Domain Trust Relationship Implementation

The Windows Time service establishes a trust relationship with the domain. When a time server returns an authenticated Network Time Protocol (NTP) packet to a client that requests the time, the packet is signed by means of a Kerberos session key that is defined by an interdomain trust account. The interdomain trust account is created when a new Active Directory domain joins a forest, and the NetLogon service manages the session key. In this way, the domain controller that is configured as reliable in the forest root domain becomes the authenticated time source for all the domain controllers in both the parent and child domains - and indirectly for all computers in the domain tree.

Manual Time Source Acquisition

Normally the Windows Time service (W32time) acquires a time source peer from the domain hierarchy, and when more than one time source is configured it uses Network Time Protocol (NTP) algorithms to select the best one. By default, computers running the Windows Time service attempt to synchronize time only with a domain controller or with a manually configured time source. Currently, the Windows Time service is synchronizing with a manually configured time source peer (as opposed to a time source peer from the domain hierarchy).
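The check a practitioner wants from the two acquisition aspects above is: which kind of peer is this computer trusting right now, and with which flags? The Python below is an added example, not Microsoft's code and not part of this page, that classifies text in the layout printed by `w32tm /query /configuration` into domain-hierarchy, manual, or no synchronization, and decodes the `host,0xNN` flag suffix used in NtpServer and in `/manualpeerlist`. The sample output and host names are constructed; the `(Local)`/`(Policy)` suffix handling assumes the Windows Server 2008 output layout.

```python
"""Classify which time source peer W32time is configured to trust.

Added example, not Microsoft's code. Parses text in the layout that
`w32tm /query /configuration` prints; the samples below are constructed.
"""
import re
import subprocess

# Flag bits accepted in the "host,0xNN" syntax of NtpServer / /manualpeerlist.
PEER_FLAGS = {
    0x1: "UseSpecialPollInterval",
    0x2: "UseAsFallbackOnly",
    0x4: "SymmetricActive",
    0x8: "Client",
}

# Constructed samples (hypothetical host names, not captured from a real server).
SAMPLE_HIERARCHY = """[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
NtpServer: time.windows.com,0x9 (Local)
Type: NT5DS (Local)
"""
SAMPLE_MANUAL = """[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
NtpServer: ntp1.example.internal,0x8 ntp2.example.internal,0xa (Local)
Type: NTP (Local)
"""
SAMPLE_NOSYNC = """[TimeProviders]
Type: NoSync (Local)
"""

_FIELD = re.compile(r"^\s*(\w+):\s*(.*?)\s*\((?:Local|Policy)\)\s*$")


def parse_peer(entry):
    """Split 'host,0xNN' into (host, [flag names]); a bare host has no flags."""
    host, _, flags = entry.partition(",")
    bits = int(flags, 16) if flags else 0
    return host, sorted(name for bit, name in PEER_FLAGS.items() if bits & bit)


def classify(config_text):
    """Return the effective source kind, the decoded peers and any warnings."""
    fields = {}
    for line in config_text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    sync_type = fields.get("Type", "")
    peers = [parse_peer(e) for e in fields.get("NtpServer", "").split()]
    warnings = []
    if sync_type == "NT5DS":
        source = "domain hierarchy"  # NtpServer is not used in this mode
    elif sync_type == "NTP":
        source = "manual"
        if not peers:
            warnings.append("Type is NTP but no NtpServer peer is configured")
        elif all("UseAsFallbackOnly" in flags for _, flags in peers):
            warnings.append("every manual peer is marked UseAsFallbackOnly")
    elif sync_type == "AllSync":
        source = "domain hierarchy and manual"
    elif sync_type == "NoSync":
        source = "none"
        warnings.append("NoSync: the local clock is free-running")
    else:
        source = "unknown"
        warnings.append("unrecognised Type value %r" % sync_type)
    return {"source": source, "type": sync_type, "peers": peers, "warnings": warnings}


def classify_local_host():
    """Run w32tm on the local Windows host (called explicitly, never on import)."""
    out = subprocess.run(["w32tm", "/query", "/configuration"],
                         capture_output=True, text=True, check=True).stdout
    return classify(out)


if __name__ == "__main__":
    for name, text in (("hierarchy", SAMPLE_HIERARCHY), ("manual", SAMPLE_MANUAL),
                       ("nosync", SAMPLE_NOSYNC)):
        print(name, classify(text))
```

On a domain member, `classify_local_host()` runs the real command; a result of `"none"` or an empty peer list means the clock is drifting freely, which breaks Kerberos ticket validation once the skew exceeds the domain tolerance.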

Symmetric Time Source Peer Synchronization

The Windows Time service (W32time) is synchronizing with a validated, symmetric time source peer. When two time servers operate as symmetric peers (NTP symmetric active and symmetric passive modes), each keeps a small amount of state about the other and either side can supply time to the other. This is in contrast to client/server mode, in which the server keeps no state about its clients. You can determine the mode by reviewing the packets that are exchanged: the low three bits of the first byte of the NTP header carry the mode (1 = symmetric active, 2 = symmetric passive, 3 = client, 4 = server), and symmetric peers send from and to the NTP service port, UDP 123, in both directions. A W32time client normally sends its request from an ephemeral source port to destination port 123, so an exchange in which the source and destination ports differ is client/server mode. In a manual peer list, the 0x4 flag (SymmetricActive) selects symmetric mode and the 0x8 flag (Client) selects client mode.
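To make the packet-level distinction concrete, the Python below is an added example (not Microsoft's code and not from this page) that reads the mode field of an NTP header and checks it against the UDP ports of each datagram, flagging a packet whose claimed mode does not fit its ports, such as a symmetric-active packet arriving from an ephemeral port. The exchanges are constructed, not captured; the header builder sets only the LI/VN/Mode byte.

```python
"""Tell symmetric from client/server NTP associations.

Added example, not Microsoft's code. Packets are constructed in-line.
"""
NTP_PORT = 123
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def build_header(mode, version=3, leap=0):
    """48-byte NTP header with only the LI/VN/Mode byte set (constructed test data)."""
    if not 0 <= mode <= 7:
        raise ValueError("mode is a 3-bit field")
    first = (leap << 6) | (version << 3) | mode
    return bytes([first]) + bytes(47)


def parse_mode(payload):
    """Low three bits of the first header byte."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes")
    return payload[0] & 0x07


def classify_packet(src_port, dst_port, payload):
    """Return (association kind, mode name) for one datagram.

    The mode field is authoritative; the ports corroborate it. Symmetric
    peers use port 123 on both ends, a client request must be addressed to
    port 123, and a server reply must come from port 123.
    """
    mode = parse_mode(payload)
    name = MODE_NAMES[mode]
    if mode in (1, 2):
        ok = src_port == NTP_PORT and dst_port == NTP_PORT
        return ("symmetric" if ok else "inconsistent"), name
    if mode == 3:
        return ("client/server" if dst_port == NTP_PORT else "inconsistent"), name
    if mode == 4:
        return ("client/server" if src_port == NTP_PORT else "inconsistent"), name
    return "other", name


def classify_exchange(packets):
    """Classify a whole exchange of (src_port, dst_port, payload); 'mixed' if it disagrees."""
    kinds = {classify_packet(s, d, p)[0] for s, d, p in packets}
    return kinds.pop() if len(kinds) == 1 else "mixed"


# Constructed exchanges.
SYMMETRIC_EXCHANGE = [(123, 123, build_header(1)), (123, 123, build_header(2))]
CLIENT_EXCHANGE = [(49152, 123, build_header(3)), (123, 49152, build_header(4))]
ODD_PACKET = (40000, 123, build_header(1))  # symmetric active from an ephemeral port

if __name__ == "__main__":
    print("symmetric:", classify_exchange(SYMMETRIC_EXCHANGE))
    print("client:   ", classify_exchange(CLIENT_EXCHANGE))
    print("odd:      ", classify_packet(*ODD_PACKET))
```

The port test alone is not enough to identify client mode in general: some NTP implementations (ntpd, for instance) send client requests from port 123 as well, which is why the code treats the mode bits as authoritative and uses the ports only to catch packets that contradict them.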

Time Source Client Authentication

A time client is authenticating the time that it receives from its time source. In an Active Directory forest, the Windows Time service (W32time) relies on standard domain security features to enforce the authentication of time data. The security of Network Time Protocol (NTP) packets that are sent between a domain member and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the local computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. When a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the NetLogon service. If the returned NTP packet is not signed with the computer's session key or if it is not signed correctly, the time is rejected. In this way, the Windows Time service provides security for NTP data in an Active Directory forest.

Time Source Peer Authentication

Within an Active Directory forest, the Windows Time service (W32time) relies on standard domain security features to enforce the authentication of time data. The security of Network Time Protocol (NTP) packets that are sent between a domain member and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the local computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. When a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the NetLogon service. If the returned NTP packet is not signed with the computer’s session key or if it is not signed correctly, the time is rejected. In this way, the Windows Time service provides security for NTP data in an Active Directory forest.
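Both authentication aspects above state the same client-side rule: a reply is accepted only if it carries an authenticator computed with the computer's own session key, and it is rejected if it is unsigned, signed under a different key, or signed incorrectly. The Python below is an added example, not Microsoft's code and not part of this page, that models that decision over a 48-byte NTP header followed by a 4-byte key identifier and the 8-byte (64-bit) checksum the text mentions. The session key, the key identifier and the checksum construction (HMAC-SHA256 truncated to 8 bytes) are assumptions for illustration; the real key is the NetLogon secure-channel session key, and MS-SNTP's exact checksum algorithm is not reproduced here.

```python
"""Reject NTP replies whose authenticator does not verify under the session key.

Added example, not Microsoft's code. Key, key id and checksum construction are
illustrative stand-ins, not the MS-SNTP algorithm.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
CHECKSUM_LEN = 8  # the page's "64-bit value"

# Constructed stand-in for the NetLogon session key; a fixed key is for the demo only.
DEMO_SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_KEY_ID = 0x0000045C  # hypothetical key identifier


def _checksum(header, key_id, session_key):
    """64-bit authenticator over header and key id (HMAC-SHA256 truncated; illustrative)."""
    msg = header + struct.pack(">I", key_id)
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:CHECKSUM_LEN]


def build_server_reply(transmit_seconds, transmit_fraction=0):
    """48-byte NTP header, version 3, mode 4 (server), transmit timestamp at bytes 40-47.

    Every other field is left zero; this is constructed test data.
    """
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (3 << 3) | 4
    struct.pack_into(">II", header, 40, transmit_seconds, transmit_fraction)
    return bytes(header)


def sign_reply(header, key_id, session_key):
    """What the domain controller side does: append key id and checksum."""
    return header + struct.pack(">I", key_id) + _checksum(header, key_id, session_key)


def verify_reply(packet, key_id, session_key):
    """Client-side check. Returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + CHECKSUM_LEN:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    (pkt_key_id,) = struct.unpack(">I", packet[48:52])
    if pkt_key_id != key_id:
        return False, "authenticator uses a different key"
    expected = _checksum(header, key_id, session_key)
    if not hmac.compare_digest(packet[52:60], expected):  # constant-time compare
        return False, "checksum does not verify"
    return True, "ok"


def accept_time(packet, key_id, session_key):
    """Return the transmit timestamp (seconds since 1900) or None if the reply is rejected."""
    ok, _ = verify_reply(packet, key_id, session_key)
    if not ok:
        return None
    secs, frac = struct.unpack(">II", packet[40:48])
    return secs + frac / 2 ** 32


if __name__ == "__main__":
    plain = build_server_reply(0xE0000000)
    good = sign_reply(plain, DEMO_KEY_ID, DEMO_SESSION_KEY)
    forged = bytearray(good)
    forged[47] ^= 0x01  # attacker shifts the transmit timestamp after signing
    print("unsigned:", verify_reply(plain, DEMO_KEY_ID, DEMO_SESSION_KEY))
    print("good:    ", accept_time(good, DEMO_KEY_ID, DEMO_SESSION_KEY))
    print("forged:  ", verify_reply(bytes(forged), DEMO_KEY_ID, DEMO_SESSION_KEY))
```

The three rejection paths in `verify_reply` correspond to the page's three cases: no authenticator, an authenticator under a key other than the computer's own, and an authenticator that does not verify (which is what an on-path change to the timestamp produces).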
