How to configure an authoritative time server in Windows Server 2003



Article ID: 816042
Last Review: May 15, 2007
Revision: 7.1

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry

On This Page
INTRODUCTION
Configuring the Windows Time service to use an internal hardware clock
Configuring the Windows Time service to use an external time source
Troubleshooting
MORE INFORMATION
Reliable time source configuration
Manually-specified synchronization
All available synchronization mechanisms
Windows Time service registry entries
REFERENCES

INTRODUCTION
Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the
Windows Time service is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an
organization use a common time.
To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority,
and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy:

All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly
recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the
authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your
time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to
your domain.

Configuring the Windows Time service to use an internal hardware clock


Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method.
These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be
solved. Modify the registry at your own risk.
To configure the PDC master without using an external time source, change the announce flag on the PDC master. The PDC master
is the server that holds the forest root PDC master role for the domain. This configuration forces the PDC master to announce itself
as a reliable time source and uses the built-in complementary metal oxide semiconductor (CMOS) clock. To configure the PDC
master by using an internal hardware clock, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
3. In the right pane, right-click AnnounceFlags, and then click Modify.
4. In Edit DWORD Value, type A in the Value data box, and then click OK.
5. Quit Registry Editor.
6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
net stop w32time && net start w32time


Note The PDC master must not be configured to synchronize with itself. For more information about why the PDC master must not
be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:
http://www.rfc-editor.org/ (http://www.rfc-editor.org/)
If the PDC master is configured to synchronize with itself, the following events are logged in the System log:
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For
more information, see Help and Support Center at http://support.microsoft.com.
Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address
after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with
this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.
Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources
are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For
more information, see Help and Support Center at http://support.microsoft.com.
When the PDC master runs without using an external time source, the following event is logged in the Application log:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC
emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize
with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an
external time source is not configured or used for this computer, you may choose to disable the NtpClient.
This text is a reminder to use an external time source, and it can be ignored.

Configuring the Windows Time service to use an external time source


To configure an internal time server to synchronize with an external time source, follow these steps:
1. Change the server type to NTP. To do this, follow these steps:
a. Click Start, click Run, type regedit, and then click OK.
b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
c. In the right pane, right-click Type, and then click Modify.
d. In Edit Value, type NTP in the Value data box, and then click OK.
2. Set AnnounceFlags to 5. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
b. In the right pane, right-click AnnounceFlags, and then click Modify.
c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
3. Enable NTPServer. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
b. In the right pane, right-click Enabled, and then click Modify.
c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
b. In the right pane, right-click NtpServer, and then click Modify.
c. In Edit Value, type Peers in the Value data box, and then click OK.
Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.
5. Select the poll interval. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
b. In the right pane, right-click SpecialPollInterval, and then click Modify.
c. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
6. Configure the time correction settings. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
c. In Edit DWORD Value, click to select Decimal in the Base box.
d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
e. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
f. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
g. In Edit DWORD Value, click to select Decimal in the Base box.
h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
7. Quit Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
net stop w32time && net start w32time

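The eight steps above, collected into one script. This is an added example, not code from this article or from W32Time: it checks the NtpServer peer string under the rules in step 4 (space-delimited, every name unique, ,0x1 on every name) and the intervals from steps 5 and 6 before anything is written, then renders the values as a .reg file. The host names, the 900-second poll interval and the 900-second correction limit are placeholders chosen for illustration.

```python
"""Check and render the W32Time values from steps 1 through 8 as a .reg file."""
import re

# Peer flags named in this article: 0x1 (use SpecialPollInterval),
# 0x4 (symmetric active), 0x8 (client mode).
SPECIAL_INTERVAL = 0x1
SYMMETRIC_ACTIVE = 0x4
CLIENT_MODE = 0x8

HIVE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def parse_peer_list(value):
    """Split an NtpServer value into (host, flags) pairs under the rules in
    step 4: space-delimited, every name unique, ,0x1 present on every name."""
    peers, seen = [], set()
    for item in value.split():
        host, sep, flag_text = item.partition(",")
        if not _HOST_RE.match(host):
            raise ValueError("invalid peer name: %r" % host)
        if host.lower() in seen:
            raise ValueError("duplicate peer: %s" % host)
        seen.add(host.lower())
        flags = int(flag_text, 16) if sep else 0
        if not flags & SPECIAL_INTERVAL:
            raise ValueError("%s lacks ,0x1, so SpecialPollInterval would be ignored" % host)
        peers.append((host, flags))
    if not peers:
        raise ValueError("empty peer list")
    return peers


def build_config(peer_value, poll_seconds=900, max_correction=900):
    """Registry values from steps 1 through 6, keyed by path under HIVE.
    The 900-second defaults are the article's poll interval and its 15-minute
    correction limit for an NTP-type forest root (assumed here, adjust to taste)."""
    parse_peer_list(peer_value)          # reject a malformed list before writing anything
    if poll_seconds <= 0 or max_correction <= 0:
        raise ValueError("intervals must be positive")
    return {
        r"Parameters\Type": ("REG_SZ", "NTP"),                                      # step 1
        r"Config\AnnounceFlags": ("REG_DWORD", 5),                                  # step 2
        r"TimeProviders\NtpServer\Enabled": ("REG_DWORD", 1),                       # step 3
        r"Parameters\NtpServer": ("REG_SZ", peer_value),                            # step 4
        r"TimeProviders\NtpClient\SpecialPollInterval": ("REG_DWORD", poll_seconds),  # step 5
        r"Config\MaxPosPhaseCorrection": ("REG_DWORD", max_correction),             # step 6
        r"Config\MaxNegPhaseCorrection": ("REG_DWORD", max_correction),
    }


def render_reg(config):
    """Registry Editor 5.00 text: one [key] section per subkey, dword values in hex."""
    by_key = {}
    for path, (kind, value) in config.items():
        key, _, name = path.rpartition("\\")
        by_key.setdefault(key, []).append((name, kind, value))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append("[%s\\%s]" % (HIVE, key))
        for name, kind, value in values:
            if kind == "REG_DWORD":
                lines.append('"%s"=dword:%08x' % (name, value))
            else:
                escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
                lines.append('"%s"="%s"' % (name, escaped))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed peer list; the host names are placeholders, not a recommendation.
    print(render_reg(build_config("ntp1.example.com,0x1 ntp2.example.com,0x1")))
```

Save the output as UTF-16 (the encoding regedit itself uses for Version 5.00 files), import it with regedit /s on the PDC master, and then restart the service as in step 8. The parser deliberately rejects a peer without the 0x1 flag rather than silently accepting it, because that is the failure the note under step 4 describes.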
Troubleshooting
For the Windows Time service to function correctly, the networking infrastructure must function correctly. The most common
problems that affect the Windows Time service include the following:

There is a problem with TCP/IP connectivity, such as a dead gateway.

The Name Resolution service is not working correctly.


The network is experiencing high volume delays, especially when synchronization occurs over high-latency wide area network
(WAN) links.

The Windows Time service is trying to synchronize with inaccurate time sources.
We recommend that you use the Netdiag.exe utility to troubleshoot network-related issues. Netdiag.exe is part of the Windows
Server 2003 Support Tools package. See Tools Help for a complete list of command-line parameters that you can use with
Netdiag.exe. If your problem is still not solved, you can turn on the Windows Time service debug log. Because the debug log can
contain very detailed information, we recommend that you contact Microsoft Product Support Services when you turn on the
Windows Time service debug log.
For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following
Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional
determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and
issues that do not qualify for the specific update in question.

MORE INFORMATION
NTP supports several different packet types. Typically, NTP clients and Simple Network Time Protocol (SNTP) clients send client
mode request packets to an NTP server. The NTP server responds with a server mode packet. To configure the W32time service to
send symmetric active mode packets instead of client mode packets to an NTP server, type the following command at a command
prompt:
w32tm /config /manualpeerlist:<server>,0x4 /syncfromflags:MANUAL
Note Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets. The NTP server replies to these normal client requests as usual.

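The two request modes above and the server's answer, as an added example in Python that is not part of this article or of W32Time. It packs the 48-byte NTPv3 header from RFC 1305 in client mode (mode 3, what the 0x8 flag produces) or symmetric active mode (mode 1, what the 0x4 flag produces), parses a reply, and applies the checks a client can still make when, as this article notes for manually specified peers, nothing in the exchange is authenticated. The server side is simulated in the same process, and the timestamps and reference ID are constructed values.

```python
"""NTP (RFC 1305) request and reply handling for the two request modes named above."""
import struct

NTP_EPOCH_OFFSET = 2208988800       # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)
HEADER = "!BBbbII4sQQQQ"            # 48-byte NTPv3 header, big-endian

MODE_SYMMETRIC_ACTIVE = 1           # sent with the 0x4 peer flag
MODE_SYMMETRIC_PASSIVE = 2          # a server's answer to symmetric active
MODE_CLIENT = 3                     # sent with the 0x8 peer flag (the normal request)
MODE_SERVER = 4                     # a server's answer to a client request


def to_ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def build_ntp_packet(mode, transmit_ts, version=3, stratum=0,
                     origin_ts=0, receive_ts=0, ref_id=b"\0\0\0\0"):
    """Pack a header whose first byte is LI(2) | VN(3) | Mode(3), with LI = 0.
    Nothing follows the 48 bytes: the packet carries no authenticator."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, ref_id,
                       0, origin_ts, receive_ts, transmit_ts)


def parse_ntp_packet(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER, data[:48])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "ref_id": f[6],
        "origin_ts": f[8], "receive_ts": f[9], "transmit_ts": f[10],
        "authenticated": len(data) > 48,   # an authenticator trailer would follow the header
    }


def simulated_server_reply(request, now_unix):
    """A constructed stratum-1 answer (not a real server): server mode for a
    client request, symmetric passive for a symmetric active request, and the
    request's transmit timestamp echoed back as the origin timestamp."""
    req = parse_ntp_packet(request)
    mode = MODE_SERVER if req["mode"] == MODE_CLIENT else MODE_SYMMETRIC_PASSIVE
    return build_ntp_packet(mode, to_ntp_timestamp(now_unix + 0.001), stratum=1,
                            origin_ts=req["transmit_ts"],
                            receive_ts=to_ntp_timestamp(now_unix), ref_id=b"GPS\0")


def check_reply(request, reply):
    """The checks a client can make on an unauthenticated reply. Returns (ok, reason)."""
    req, rep = parse_ntp_packet(request), parse_ntp_packet(reply)
    if req["mode"] == MODE_CLIENT:
        wanted = (MODE_SERVER,)
    else:
        wanted = (MODE_SYMMETRIC_PASSIVE, MODE_SYMMETRIC_ACTIVE)
    if rep["mode"] not in wanted:
        return False, "unexpected mode %d" % rep["mode"]
    if rep["version"] not in (3, 4):
        return False, "unsupported version %d" % rep["version"]
    # Without an authenticator this is the only binding between request and
    # reply: a blind spoofer has to guess our 64-bit transmit timestamp.
    if rep["origin_ts"] != req["transmit_ts"]:
        return False, "origin timestamp does not match our request"
    if rep["leap"] == 3 or rep["stratum"] == 0 or rep["stratum"] > 15:
        return False, "server is unsynchronized or reports an invalid stratum"
    if rep["transmit_ts"] == 0:
        return False, "zero transmit timestamp"
    return True, "ok"


if __name__ == "__main__":
    request = build_ntp_packet(MODE_CLIENT, to_ntp_timestamp(1700000000.5))
    reply = simulated_server_reply(request, 1700000000.6)
    print(hex(request[0]), parse_ntp_packet(reply)["mode"], check_reply(request, reply))
```

The origin-timestamp match defeats a blind off-path spoofer but not an attacker who can see the request, and nothing here verifies who sent the reply; that is the gap this article has in mind when it recommends a hardware source for the forest root and small phase-correction limits for everything that takes time over the network.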
Reliable time source configuration


A computer that is configured to be a reliable time source is identified as the root of the Windows Time service. The root of the
Windows Time service is the authoritative server for the domain and typically is configured to retrieve time from an external NTP
server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout
the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain
controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to
synchronize with, they select a reliable source first, if one is available.

Manually-specified synchronization
With manually-specified synchronization, you can designate a single peer or list of peers that a computer obtains time from. If the
computer is not a member of a domain, it must be manually configured to synchronize with a specified time source. By default, a
computer that is a member of a domain is configured to synchronize from the domain hierarchy. Manually-specified synchronization
is most useful for the forest root of the domain or for computers that are not joined to a domain. When you manually specify an
external NTP server to synchronize with the authoritative computer for your domain, you provide reliable time. However, to provide
high accuracy and security to your domain, we recommend that you configure the authoritative computer for your domain to
synchronize with a hardware clock.
Without a hardware time source, W32time is configured as an NTP type. You must reconfigure the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries. The recommended value is 15 minutes or lower, depending on the time source, network conditions, and security requirements. This requirement also applies to any reliable time source that is configured as the forest root time source in the time sync subnet. For more information about these registry entries, see the "Windows Time service registry entries" section in this article.
Note Manually-specified time sources are not authenticated unless a specific time provider is written for them, and these time
sources are therefore vulnerable to attacks. Also, if a computer synchronizes with a manually-specified source instead of its
authenticating domain controller, the two computers might be out of synchronization. This scenario causes Kerberos authentication
to fail and could also cause other actions that require network authentication to fail, such as printing or file sharing. If only the forest
root is configured to synchronize with an external source, all other computers within the forest remain synchronized with each other.
This configuration makes replay attacks difficult.

All available synchronization mechanisms


The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This
method enables synchronization with the domain hierarchy and may also provide an alternative time source if the domain hierarchy
becomes unavailable, depending on the configuration. If the client cannot synchronize time with the domain hierarchy, the time
source automatically falls back to the time source that is specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.

Windows Time service registry entries


The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\:

Registry entry: MaxPosPhaseCorrection
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change that is larger than this is required, the service logs an event instead. (0xFFFFFFFF is a special case that means always make a time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry entry: MaxNegPhaseCorrection
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change that is larger than this is required, the service logs an event instead. (-1, that is 0xFFFFFFFF, is a special case that means always make a time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry entry: MaxPollInterval
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest interval, in log2 seconds, that is allowed for the system polling interval. While a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.

Registry entry: SpecialPollInterval
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Notes: This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval that is determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

Registry entry: MaxAllowedPhaseOffset
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the maximum offset, in seconds, for which W32Time tries to adjust the computer clock by using the clock rate. When the offset is greater than this value, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.

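The decision that MaxPosPhaseCorrection, MaxNegPhaseCorrection and MaxAllowedPhaseOffset control, modelled from the descriptions above and from the 15-minute recommendation in the "Manually-specified synchronization" section. This is an added example in Python, not W32Time's code: it applies the three limits to an offset exactly as the table describes (reject and log, set the clock directly, or adjust the clock rate), compares the domain-member and stand-alone defaults with a hardened forest-root profile, and flags the settings this article warns about. The hardened profile and the sample offsets are constructed for illustration.

```python
"""Model the clock-correction decision the W32Time registry entries above control."""

ALWAYS = 0xFFFFFFFF   # special value: no limit on the size of a correction

# Profiles: defaults from the table above, plus the 15-minute limit this
# article recommends for an NTP-type forest root (an assumed profile).
DOMAIN_MEMBER = {"max_pos": ALWAYS, "max_neg": ALWAYS, "max_allowed": 300}
STANDALONE = {"max_pos": 54000, "max_neg": 54000, "max_allowed": 1}
HARDENED_ROOT = {"max_pos": 900, "max_neg": 900, "max_allowed": 1}

PROFILES = (("domain member", DOMAIN_MEMBER),
            ("stand-alone", STANDALONE),
            ("hardened root", HARDENED_ROOT))


def correction_action(offset_seconds, max_pos, max_neg, max_allowed):
    """offset_seconds is (source time - local clock). Returns 'slew', 'step'
    or 'reject'; on 'reject' the service logs an event instead of correcting."""
    magnitude = abs(offset_seconds)
    limit = max_pos if offset_seconds >= 0 else max_neg
    if limit != ALWAYS and magnitude > limit:
        return "reject"
    if magnitude > max_allowed:
        return "step"    # clock is set directly
    return "slew"        # clock rate is adjusted until the offset is gone


def audit_profile(name, profile, ceiling=900):
    """Flag the settings this article warns about: unlimited or very large
    corrections on a machine that takes time from an unauthenticated source."""
    findings = []
    for key in ("max_pos", "max_neg"):
        value = profile[key]
        if value == ALWAYS:
            findings.append("%s: %s is 0xFFFFFFFF (any offset is accepted)" % (name, key))
        elif value > ceiling:
            findings.append("%s: %s=%d exceeds %d seconds" % (name, key, value, ceiling))
    return findings


def compare_profiles(offset_seconds):
    """What each profile does with one offset reported by its time source."""
    return {name: correction_action(offset_seconds, **profile)
            for name, profile in PROFILES}


if __name__ == "__main__":
    # Constructed offsets: normal drift, a source an hour off, and a source
    # three years off (a sample attacker-fed value, not taken from the article).
    for offset in (2, 3600, -3 * 365 * 86400):
        print(offset, compare_profiles(offset))
    for name, profile in PROFILES:
        print(name, audit_profile(name, profile) or "no findings")
```

The point of the comparison is the third offset: a domain member with the default 0xFFFFFFFF steps its clock to whatever an upstream source claims, while a root limited to 900 seconds logs an event and keeps its current time, which is the behaviour the introduction's advice to "reduce your time correction settings" buys you.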
REFERENCES
For more information about Windows Time service, click the following article numbers to view the articles in the Microsoft
Knowledge Base:
816043 (http://support.microsoft.com/kb/816043/) How to turn on debug logging in the Windows Time service
884776 (http://support.microsoft.com/kb/884776/) Configuring the Windows Time service against a large time offset
321708 (http://support.microsoft.com/kb/321708/) How to use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
314054 (http://support.microsoft.com/kb/314054/) How to configure an authoritative time server in Windows XP
216734 (http://support.microsoft.com/kb/216734/) How to configure an authoritative time server in Windows 2000

For more information about the Windows Time service in a Windows Server 2003-based forest, visit the following Microsoft Web
site:
http://technet2.microsoft.com/windowsserver/en/library/A0FCD250-E5F7-41B3-B0E8-240F8236E2101033.mspx

APPLIES TO
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Keywords: kbsecurity kbhowto KB816042
2008 Microsoft Corporation. All rights reserved.

http://support.microsoft.com/kb/816042

02/26/2008 01:49:10 PM