Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)

Posted by Jorge on 2010-09-26


One of the important configurations required in your AD forest is the configuration of the Windows Time Service. Processes within AD, such as for example ‘Kerberos authentication’ and ‘AD replication’ depend on the correct time on systems. A great explanation on how the windows time service works with an AD forest can be found at the following links ‘Keeping the Domain On Time‘, ‘Windows Time Service Technical Reference‘ and ‘How the Windows Time Service Works‘.

The time synchronization hierarchy within an AD forest is shown in the picture below.

image

As you can see in the picture above, all systems within an AD forest use certain logic on which other system can be contacted to synchronize the time with. There is not much reason to change this and my suggestion is not to change this. Even in a virtualized environment I still suggest the virtualized systems to synchronize their time using the default configuration and not to synchronize with the host. At the top of the picture above you can see the PDC FSMO of the forest root AD domain needs to be configured with a (trusted) external time source. For a list of time servers available on the internet please see the link ‘A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet‘.

One of the main reasons, not to use the AD infrastructure for time synchronization and rather implement/use a custom time synchronization solution/configuration, is when you have systems or applications that require a very high accuracy in time synchronization. For more information about this see the link ‘High Accuracy W32time Requirements‘.

With regards to manually configuring DC in the forest root AD domain with the PDC FSMO role, the following commands can be used. On the DC in the forest root AD domain with the PDC FSMO role execute the following command:

W32TM /CONFIG /MANUALPEERLIST:"<NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag>" /SYNCFROMFLAGS:MANUAL /RELIABLE:YES /UPDATE

‘<NTPSRV>’ is the actual NTP Server from which the time should be synchronized and can be noted by FQDN or IP Address.

‘<flag>’ can be any of the following values or combinations of values:

  • 0x1 — use special poll interval SpecialInterval
  • 0x2 — UseAsFallbackOnly
  • 0x4 — send request as SymmatricActive mode (the host configured in "symmatric active mode" uses another NTP hosts to sync time, but also gives those other NTP hotes to sync time with the local host)
  • 0x8 — send request as Client mode (the loca host configured in "client mode" uses the other remote NTP host to sync time)

When you seize or transfer the FSMO role to a new DC in the forest root AD domain, you have to execute the previous command on the new target DC. If you are performing a transfer, then you also have to reconfigure the old target DC to use the default windows time service configuration, i.e. the domain hierarchy. For that execute the following command on the old target DC:

W32TM /CONFIG /SYNCFROMFLAGS:DOMHIER /RELIABLE:NO /UPDATE

For more information about configuring the DC in the forest root AD domain with the PDC FSMO role see the link ‘Configure the Windows Time service on the PDC emulator in the Forest Root Domain‘ and ‘Configuring the Time Service: NtpServer and SpecialPollInterval‘.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

7 Responses to “(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)”

  1. […] the previous post (part 1) I discussed how to configure the DC in the forest root AD domain with PDC FSMO role manually. The […]

  2. […] DCs so that these do not accept and therefore do not time jumps that are too large. Also taking the first post (part 1) and the second post (part 2) into account, it is now interesting to know how you can see what the […]

  3. […] AD forest (this only applies to the PDC FSMO in the forest root AD domain). For this also see "Configuring And Managing The Windows Time Service (Part 1)", "Configuring And Managing The Windows Time Service (Part 2)", "Configuring […]

  4. […] (2010-09-26) Configuring And Managing The Windows Time Service (Part 1) […]

  5. […] candidate DC to host the PDC FSMO role through WMI filtering. You can read more about that in “(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)”, “(2010-09-26) […]

  6. […] (2010-09-26) Configuring And Managing The Windows Time Service (Part 1) […]

  7. […] Industry Blog: Configuring And Managing The Windows Time Service (Part 1) […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: