W32Time Keeps on Ticking, Ticking into the Future….

OK, lame title but for some reason that song keeps going through my head when I think about the W32Time service. We have seen an uptick (pun intended) in support issues regarding time and domain controllers. So I thought I would spend a few minutes and discuss the Windows Time service as it relates to Active Directory domains.

Generally speaking once a client joins a domain, time is pulled from the domain controller that authenticated the computer. Usually there is no configuration needed to keep time happy. There is an exception (there is always an exception) and that is with the PDC emulator in the forest root domain. The PDCE needs to point to an outside time service.

So the flow of time information is:

  • Client gets time from a DC
  • The DC gets time from its domain’s PDC Emulator
  • That domain’s PDC Emulator gets it from the PDC emulator in the forest root
  • The PDC emulator in the forest root pulls it from an authoritative time server on the internet (NIST.gov or whichever one you choose), or other device like a router etc.

Generally you wouldn’t want to set a group policy to have every DC, member server or client poll the outside time server.  That’s simply too inefficient.

That said, if you’re “that guy” and went this direction because it’s what you thought needed to happen to keep time synced, here are the commands to correctly configure the time service.

  1. On the PDC in the forest root
    1. Run “w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update”, where peers is the outside time source(s) you chose
    2. Net stop w32time
    3. Net start w32time
  2. On the DCs that had been manually configured
    1. Run “w32tm /config /syncfromflags:domhier /reliable:no /update”
    2. Net stop w32time
    3. Net start w32time
  3. If you have modified group policy to control time of member servers or client machines then here is a KB on settings
    http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_vwtt

Time is important for many reasons. Generally speaking, time should be within 5 minutes throughout the domain for Kerberos authentication; the accuracy of logs depends on it as well, and some application databases in particular are not happy if time skews too much. That said, Microsoft words it best:

The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see Microsoft Knowledge Base article 939322, Support boundary to configure the Windows Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459).
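
One way to check drift against the 5-minute tolerance mentioned above, as an added example that is not part of the original post: it parses the output of "w32tm /stripchart /dataonly" and classifies each host. The host names, the sample lines and the 20% warning threshold are constructed assumptions.

```powershell
# Added example, not from the original post. Run on a machine whose clock you
# trust (for instance the forest root PDC emulator): stripchart reports the
# target's offset relative to the local clock.

function Get-W32tmOffset {
    param([string[]]$StripchartLines)
    foreach ($line in $StripchartLines) {
        # Data rows look like "14:02:11, +00.0312450s". Header rows and failed
        # samples ("14:02:13, error: 0x800705B4") do not match and are skipped.
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

function Test-TimeSkew {
    param(
        [string]$Computer,
        [string[]]$StripchartLines,
        [double]$ToleranceSeconds = 300,  # the 5-minute figure from the post
        [double]$WarnFraction = 0.2       # assumption: warn at 20% of tolerance
    )
    $offsets = @(Get-W32tmOffset -StripchartLines $StripchartLines)
    if ($offsets.Count -eq 0) {
        # No usable sample (host unreachable, UDP 123 blocked): report it, never pass it.
        return [pscustomobject]@{ Computer = $Computer; MaxOffsetSec = $null; Status = 'NoData' }
    }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $status = if ($worst -ge $ToleranceSeconds) { 'Exceeded' }
    elseif ($worst -ge $ToleranceSeconds * $WarnFraction) { 'Warning' } else { 'OK' }
    [pscustomobject]@{ Computer = $Computer; MaxOffsetSec = $worst; Status = $status }
}

# Constructed sample output (hosts and values are made up) so this runs offline.
$sample = [ordered]@{
    'dc01.example.test' = @('Tracking dc01.example.test [192.0.2.10:123].',
                            '14:02:11, +00.0312450s', '14:02:13, +00.0298110s')
    'dc02.example.test' = @('14:02:11, -312.4410021s')
    'dc03.example.test' = @('14:02:11, error: 0x800705B4')
}
$sample.GetEnumerator() | ForEach-Object {
    Test-TimeSkew -Computer $_.Key -StripchartLines $_.Value
}
# Live use, with $dc holding a host name:
# Test-TimeSkew -Computer $dc -StripchartLines (w32tm /stripchart "/computer:$dc" /samples:3 /dataonly)
```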

Well until next time, right now I am out of time…..
