Microsoft KB Archive/216734

= How to configure an authoritative time server in Windows 2000 =

Article ID: 216734

Article Last Modified on 10/26/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q216734



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



For a Microsoft Windows XP version of this article, see 314054.



SUMMARY
This article describes how to configure the Windows Time service in Microsoft Windows Server 2000. The Windows Time service can be configured to use an internal hardware clock or an external time source. We recommend that you use an internal hardware clock.



Introduction
Windows includes W32Time, the Time service tool that is required by the Kerberos authentication protocol. The purpose of the Windows Time service is to make sure that all computers that are running Windows 2000 or later versions in an organization use a common time. To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops.

By default, Windows-based computers use the following hierarchy:
 * All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
 * All member servers follow the same process as client desktop computers.
 * Domain controllers may nominate the primary domain controller (PDC) operations master as their in-bound time partner but may use a parent domain controller based on stratum numbering.
 * All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

Following this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative Time Server to gather the time from a hardware source. When you configure the authoritative Time Server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.



Configuring the Windows Time service to use an internal hardware clock
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative Time Server to sync with an Internet time source, there is no authentication. To configure Windows Time service to use an internal hardware clock, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

 3. In the right pane, right-click ReliableTimeSource, and then click Modify.
 4. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
 5. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

 6. In the right pane, right-click LocalNTP, and then click Modify.
 7. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
 8. Quit Registry Editor.
 9. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

    net stop w32time && net start w32time

 10. Run the following command on all the computers other than the Time Server to reset the local computer's time against the Time Server:

    w32tm -s

Note You must not configure the Time Server to synchronize with itself. If you configure the Time Server to synchronize with itself, the following events are logged in the Application log:

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x0|192.168.1.1:123->192.168.1.1:123).

No response has been received from Manual peer 192.168.1.1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer from which to synchronize.

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.

For more information about the w32tm command, type the following command at a command prompt:

w32tm /?

Configuring Windows Time service to use an external time source
Administrators can configure the Windows Time service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative. For example, you can use the Microsoft time server (time.windows.com) as the external SNTP time server. To configure Windows Time service to use an external SNTP time server, follow these steps:

 1. Click Start, click Run, type regedit, and then click OK.
 2. Follow these steps to change the server type to NTP:
    a. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

    b. In the right pane, right-click TYPE, and then click Modify.
    c. In Edit Value, type NTP in the Value data box, and then click OK.
 3. Follow these steps to configure the server as a reliable time source:
    a. In the right pane, right-click ReliableTimeSource, and then click Modify.
    b. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
 4. Follow these steps to configure the server LocalNTP to 1:
    a. In the right pane, right-click LocalNTP, and then click Modify.
    b. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
 5. Follow these steps to specify the time sources:
    a. In the right pane, right-click NtpServer, and then click Modify.
    b. In Edit Value, type in the Value data box, and then click OK.

       Note is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique.
 6. For Windows 2000 Service Pack 4 only, set the time correction setting. To do this, follow these steps:
    a. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

    b. In the right pane, right-click MaxAllowedClockErrInSecs, and then click Modify.
    c. In Edit DWORD Value, type  in the Value data box, and then click OK.

       Note  is a placeholder for the max number of seconds difference between the local clock and the time received from the NTP server in order to be considered a valid new time.
 7. Follow these steps to set the poll interval:
    a. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

    b. In the right pane, right-click Period, and then click Modify.
    c. In Edit DWORD Value, type 24 in the Value data box, and then click OK.
 8. On the File menu, click Exit to exit Registry Editor.
 9. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

    net stop w32time && net start w32time

 10. Run the following command on all the computers other than the Time Server to reset the local computer's time against the Time Server:

    w32tm -s

By default, SNTP uses User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. A computer that is configured to be a reliable time source is identified as the root of the Windows Time service. The root of the Time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP server or a hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available.
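The acceptance test behind the time correction setting, sketched as an added example (not Microsoft's code and not W32Time's actual implementation): it parses a 48-byte SNTP reply, applies the usual client sanity checks, and rejects a sample whose offset exceeds a bound playing the role of MaxAllowedClockErrInSecs. All function names and the sample packets are constructed for illustration.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def to_ntp(unix_time):
    """Unix seconds -> NTP (seconds, fraction) pair of 32-bit words."""
    secs = int(unix_time)
    return secs + NTP_UNIX_DELTA, int((unix_time - secs) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_UNIX_DELTA + frac / 2**32

def build_reply(t1, t2, t3, stratum=2, li=0, mode=4):
    """Constructed 48-byte server reply for offline testing (not captured traffic)."""
    flags = (li << 6) | (3 << 3) | mode  # leap indicator, version 3, mode
    return struct.pack("!BBbb11I", flags, stratum, 6, -20, 0, 0, 0,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

def evaluate_reply(packet, t1, t4, max_err_secs):
    """Return (accepted, offset_seconds, reason) for one SNTP sample.

    t1 and t4 are the client's send and receive times in Unix seconds;
    max_err_secs stands in for MaxAllowedClockErrInSecs as the page describes it.
    """
    if len(packet) < 48:
        return False, None, "short packet"
    f = struct.unpack("!BBbb11I", packet[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4:
        return False, None, "not a server reply"
    if li == 3 or not 1 <= stratum <= 15:
        return False, None, "server unsynchronized"
    if (f[9], f[10]) != to_ntp(t1):  # reply must echo our transmit time
        return False, None, "originate timestamp mismatch"
    if f[13] == 0 and f[14] == 0:
        return False, None, "zero transmit timestamp"
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2  # server clock minus client clock
    if abs(offset) > max_err_secs:
        return False, offset, "offset exceeds allowed clock error"
    return True, offset, "ok"

if __name__ == "__main__":
    t1 = 1000000000.0  # constructed sample: client sends at t1, hears back at t1+0.5
    forged = build_reply(t1, t1 + 86400.25, t1 + 86400.25)  # claims +1 day
    print(evaluate_reply(forged, t1, t1 + 0.5, max_err_secs=60))
```

Because the SNTP replies are unauthenticated, the originate-timestamp check only filters replies that do not echo the request; the offset bound is what limits how far any accepted reply can move the clock.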

The  registry key controls how frequently the Windows Time service synchronizes. If a value is specified, it must be one of the special values in the following list:
 * 65531, "DailySpecialSkew" - Sets synchronization to one time every 45 minutes until successful one time, then one time every day.
 * 65532, "SpecialSkew" - Sets synchronization to one time every 45 minutes until successful three times, then one time every eight hours. This is the default setting.
 * 65533, "Weekly" - Sets synchronization to one time every seven days.
 * 65534, "Tridaily" - Sets synchronization to one time every three days.
 * 65535, "BiDaily" - Sets synchronization to one time every two days.
 * 0 - For NT5DS, the synchronization is one time every 45 minutes until successful three times, then one time every eight hours. For NTP, the synchronization is one time every 8 hours.
 * -  stands for the number of times per day you want Windows Time service to synchronize. If you want to use a value other than any one of those specified earlier, you must use this option.

<div class="references_section">