Configure the Windows Time Service
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When deploying the forest root domain, it is important to correctly configure the Windows Time Service to meet your organization’s needs. The Windows Time Service provides time synchronization to peers and clients, ensuring consistent time throughout an enterprise.
By default, the first domain controller deployed holds the primary domain controller (PDC) emulator operations master role. Set the PDC emulator to synchronize from a valid Network Time Protocol (NTP) source. If no source is configured, the service will log a message to the event log, and use the local clock when providing time to clients.
Follow these best practices for configuring the time source on the forest-root PDC emulator, in this order of preference:
Install a hardware clock, such as a radio or GPS device, as the source for the PDC emulator. Many consumer and enterprise devices of this kind speak NTP, so you can place the device on an internal network and have the PDC emulator synchronize from it without any dependency on an outside network.
Configure the Windows Time service to synchronize with an external time server. External time servers allow users to synchronize computer clocks by means of dial-up, network, and radio links.
The Microsoft time server (time.windows.com) uses NIST, the National Institute of Standards and Technology, located in Boulder, Colorado, as its external time provider. NIST provides the Automated Computer Time Service (ACTS), which can set a computer clock with an uncertainty of less than 10 milliseconds. The U.S. Naval Observatory (USNO) Time Service Department in Washington D.C. is another source for accurate time synchronization in the United States. Many other sites exist throughout the world that can be used for time synchronization. To find them, search for "time synchronization" on the Internet.
Note: Synchronization with an external time source is not authenticated, so it is less secure than synchronization within the domain hierarchy, where time packets between domain members and domain controllers are authenticated through the domain secure channel. An attacker who can intercept or spoof replies from the external source can skew the clock of the PDC emulator, and therefore of the whole forest. Where that risk matters, prefer a hardware clock on an isolated internal network.
Repeat this operation if you transfer or seize the PDC emulator operations master role to another domain controller in the forest root domain.
To configure the Windows Time Service on the first forest root domain controller
Log on to the domain controller.
Type the following command to display the time difference between the local computer and a target computer, and then press ENTER:
w32tm /stripchart /computer:target /samples:1 /dataonly
where target is the DNS name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com, and 1 is the number of time samples that will be returned from the target computer. In this example, only one sample is returned, which is enough to test basic NTP communication (UDP port 123) before committing the configuration.
Open UDP port 123 for outgoing traffic if needed.
Open UDP port 123 (or a different port you have selected) for incoming NTP traffic.
Type the following command to configure the PDC emulator and then press ENTER:
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
where peers is the list of DNS names and/or IP addresses of the NTP time sources that the PDC emulator synchronizes from. For example, you can specify time.windows.com. When specifying multiple peers, use a space as the delimiter and enclose the whole list in quotation marks. For example, to configure time synchronization with a server named Ntp in the contoso.com domain and a server named Time in the fabrikam.com domain, you would enter the following command: w32tm /config /manualpeerlist:"Ntp.contoso.com Time.fabrikam.com time.windows.com" /syncfromflags:manual /reliable:yes /update
When specifying a manual peer, do not use the DNS name or IP address of a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service will not operate correctly if there are cycles in the time source configuration.
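The procedure above, carried through end to end as an added example that is not part of the original article: it tests reachability of each peer with a single stripchart sample, applies the configuration to the PDC emulator, forces a resynchronization, and dumps the stored parameters so you can confirm what the service actually recorded. The peer names are placeholders chosen for illustration; replace them with your own NTP sources.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the forest-root PDC emulator. The peer names below are assumptions
# for illustration only; substitute your own hardware clock or external servers.
$peers = "ntp.contoso.com time.fabrikam.com time.windows.com"   # assumed peers

# Step 1: test basic NTP communication (UDP 123 outbound) to every peer with one
# sample each. A peer that is unreachable or filtered will report an error here,
# which is cheaper to find now than after the configuration is applied.
foreach ($peer in $peers.Split(' ')) {
    Write-Host "Checking NTP reachability of $peer ..."
    w32tm /stripchart /computer:$peer /samples:1 /dataonly
}

# Step 2: point the PDC emulator at the manual peer list and mark it reliable so
# that domain members treat it as the authoritative root of the time hierarchy.
# The whole argument is quoted so PowerShell hands w32tm the space-separated
# list as a single /manualpeerlist value.
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update

# Step 3: force an immediate resync and rediscover the configured sources.
# (Restarting the service with "net stop w32time" / "net start w32time" is not
# required after /update, but is a common way to make the change unambiguous.)
w32tm /resync /rediscover

# Step 4: verify the stored configuration. Look for NtpServer containing the
# peer list and Type set to NTP; if Type still reads NT5DS, /update did not take.
w32tm /dumpreg /subkey:Parameters
```

Remember that none of the peers listed may itself take time from this domain controller (for example another domain controller in the forest), because a loop in the source chain prevents the time service from working correctly. If the PDC emulator role is later transferred or seized, rerun the script on the new role holder.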
For more information about configuring and deploying the Windows Time Service, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at http://www.microsoft.com/reskit).