(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)
Posted by Jorge on 2010-09-26
One of the important configurations in your AD forest is the Windows Time Service. Processes within AD, such as Kerberos authentication and AD replication, depend on the systems having the correct time. A great explanation of how the Windows Time Service works within an AD forest can be found at the following links: ‘Keeping the Domain On Time‘, ‘Windows Time Service Technical Reference‘ and ‘How the Windows Time Service Works‘.
The time synchronization hierarchy within an AD forest is shown in the picture below.
As you can see in the picture above, every system within an AD forest uses a fixed logic to decide which other system it contacts to synchronize its time with. There is not much reason to change this and my suggestion is not to change it. Even in a virtualized environment I still suggest that the virtualized systems synchronize their time using the default configuration and not with the host. At the top of the picture you can see that the PDC FSMO of the forest root AD domain needs to be configured with a (trusted) external time source. For a list of time servers available on the internet please see the link ‘A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet‘.
One of the main reasons not to use the AD infrastructure for time synchronization, and to implement a custom time synchronization solution/configuration instead, is when you have systems or applications that require a very high accuracy in time synchronization. For more information about this see the link ‘High Accuracy W32time Requirements‘.
To manually configure the DC in the forest root AD domain that holds the PDC FSMO role, execute the following command on that DC:
W32TM /CONFIG /MANUALPEERLIST:"<NTPSRV1>,<flag> <NTPSRV2>,<flag> <NTPSRVx>,<flag>" /SYNCFROMFLAGS:MANUAL /RELIABLE:YES /UPDATE
‘<NTPSRV>’ is the actual NTP server from which the time should be synchronized, noted as an FQDN or IP address.
‘<flag>’ can be any of the following values or a combination (bitwise OR) of values:
- 0x1 — use the special poll interval (SpecialPollInterval)
- 0x2 — UseAsFallbackOnly
- 0x4 — send requests in SymmetricActive mode (a host configured in "symmetric active mode" uses the other NTP host to sync its time, but also lets that other NTP host sync its time with the local host)
- 0x8 — send requests in Client mode (a local host configured in "client mode" only uses the remote NTP host to sync its time)
When you seize or transfer the PDC FSMO role to a new DC in the forest root AD domain, you have to execute the previous command on the new target DC. If you are performing a transfer, you also have to reconfigure the old DC to use the default Windows Time Service configuration, i.e. the domain hierarchy. For that execute the following command on the old DC:
W32TM /CONFIG /SYNCFROMFLAGS:DOMHIER /RELIABLE:NO /UPDATE
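The two commands above, wrapped in a PowerShell script as an added example (this is not code from the original post). It builds the manual peer list with the flag bits from the list above, applies the PDC emulator configuration only on the DC that actually holds that role in the forest root domain, resets any other DC to the domain hierarchy, and then reports what the service is really using. It assumes it is run elevated on a DC with the ActiveDirectory module available; the peer names are placeholders you must replace with your own trusted time servers.

```powershell
# Added example, not from the original post. Assumptions: run elevated on a
# domain controller with the ActiveDirectory module; the peer names below are
# placeholders for your own trusted NTP servers.

# Flag bits accepted in /manualpeerlist, as listed in the post above.
$NtpFlag = @{
    UseSpecialPollInterval = 0x1
    UseAsFallbackOnly      = 0x2
    SymmetricActive        = 0x4
    Client                 = 0x8
}

function New-NtpPeerList {
    # Builds "<peer>,<hexflags> <peer>,<hexflags> ..." for /manualpeerlist.
    # Default 0x9 = Client mode + use the special poll interval.
    param(
        [Parameter(Mandatory)][string[]]$Peers,
        [int]$Flags = ($NtpFlag.Client -bor $NtpFlag.UseSpecialPollInterval)
    )
    ($Peers | ForEach-Object { '{0},0x{1:X}' -f $_, $Flags }) -join ' '
}

function Test-IsForestRootPdc {
    # True when the local DC holds the PDC emulator role of the forest root domain.
    Import-Module ActiveDirectory -ErrorAction Stop
    $rootDomain = (Get-ADForest).RootDomain
    $pdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($pdc -ieq $me)
}

function Set-PdcTimeSource {
    # The post's first command: external peers, manual sync, mark as reliable.
    param([Parameter(Mandatory)][string[]]$Peers)
    $peerList = New-NtpPeerList -Peers $Peers
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /rediscover
}

function Reset-DomainHierarchyTimeSource {
    # The post's second command: back to the domain hierarchy, not reliable.
    w32tm /config /syncfromflags:domhier /reliable:no /update
    w32tm /resync /rediscover
}

function Get-TimeSourceReport {
    # Compares the configured type/peers with the source the service actually uses.
    $config = w32tm /query /configuration
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Source    = (w32tm /query /source) -join ''
        Type      = ($config | Select-String '^\s*Type:'      | ForEach-Object { $_.Line.Trim() }) -join ''
        NtpServer = ($config | Select-String '^\s*NtpServer:' | ForEach-Object { $_.Line.Trim() }) -join ''
    }
}

# Example run: replace the placeholder peers with your trusted time servers.
$peers = @('ntp1.example.invalid', 'ntp2.example.invalid')
if (Test-IsForestRootPdc) {
    Set-PdcTimeSource -Peers $peers
} else {
    Reset-DomainHierarchyTimeSource
}
Get-TimeSourceReport | Format-List
```

The report at the end is the check worth keeping after a role transfer: the old PDC should show a domain hierarchy source (Type NT5DS) and the new one your external peers, otherwise the forest is still syncing from a DC that no longer holds the role.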
For more information about configuring the DC in the forest root AD domain with the PDC FSMO role see the link ‘Configure the Windows Time service on the PDC emulator in the Forest Root Domain‘ and ‘Configuring the Time Service: NtpServer and SpecialPollInterval‘.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########