System time has an increasingly important role as the Windows operating system matures, particularly with regard to Kerberos security, which is the default Windows Server 2003 authentication mechanism. With Kerberos security, the network depends on system clocks being in close synchronization. If the clocks on different systems aren't closely synchronized, authentication tickets can become invalid before they reach a destination host.
Keeping the system in sync with the actual time isn't easy. System clocks can lose time. Users can set the system clock to the wrong time. Other things can go wrong as well. To help resolve problems with system time and time synchronization, Windows systems can use the Windows Time service to set a consistent network time based on the time at an Internet time server. Time services allow precise synchronization with world time.
The Windows Time service used with desktop and server systems is a bit different. The sections that follow examine the Windows Time service for Windows Server 2003. For complete details on Windows Time service for Windows XP Professional, see the section of Chapter 3 in "Microsoft Windows XP Professional Administrator's Pocket Consultant" (Microsoft Press) entitled "Configuring Network Time."
Windows Time and Windows Server 2003
Stand-alone and member servers are configured to synchronize with a time server automatically. This time server is referred to as the authoritative time server. The way Windows Time works depends on whether the system is part of a workgroup or a domain.
Here's a basic overview of how Windows Time works in workgroups:
Systems are configured to synchronize with an Internet time server automatically. This time server is referred to as the authoritative time server. The default time server is time.windows.com. You can also select other servers, such as time.nist.gov, as the authoritative time server.
The Windows Time service uses the Simple Network Time Protocol (SNTP) to poll the authoritative time server every four hours by default. The registry values MinPollInterval and MaxPollInterval under \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config control the exact rates.
If there are differences in time between the time server and the system, the Windows Time service slowly corrects the time. The registry values UpdateInterval and FrequencyCorrectRate under \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config control the exact correction rate.
The SNTP defaults to using User Datagram Protocol (UDP) port 123. If this port isn't open to the Internet, you can't synchronize the system with an Internet time server.
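The SNTP exchange over UDP port 123 described above, as an added example that is not part of the original text: it builds the 48-byte client request, validates a server reply, and computes the clock offset from the four timestamps. The reply is constructed inline so the code runs offline; the function names, the sample times and the choice of protocol version 3 are assumptions of this example.

```python
import struct

NTP_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
FMT = "!BBBb3I4Q"           # LI/VN/Mode, stratum, poll, precision, 3 words, 4 timestamps

def to_ntp(unix_ts):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_ts + NTP_DELTA) * 2**32))

def from_ntp(ntp64):
    return ntp64 / 2**32 - NTP_DELTA

def build_request(t1, version=3):
    """48-byte client request (Mode 3); only the Transmit timestamp is filled in."""
    return struct.pack(FMT, (version << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))

def parse_reply(reply, request, t4):
    """Validate a server reply and return (offset, delay) in seconds."""
    if len(reply) < 48:
        raise ValueError("short packet")
    first, stratum, _, _, _, _, _, _, orig, recv, xmit = struct.unpack(FMT, reply[:48])
    if first & 0x07 != 4:
        raise ValueError("not a server (Mode 4) reply")
    if first >> 6 == 3 or stratum == 0:
        raise ValueError("server reports it is unsynchronized")
    # A genuine reply echoes our Transmit timestamp; a mismatch means stale or forged.
    if orig != struct.unpack(FMT, request)[10]:
        raise ValueError("Originate timestamp does not match our request")
    t1, t2, t3 = from_ntp(orig), from_ntp(recv), from_ntp(xmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2    # positive: local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)           # round-trip network delay
    return offset, delay

def sample_reply(request, t2, t3, stratum=2, li=0):
    """CONSTRUCTED server reply for offline use; echoes the request's Transmit field."""
    orig = struct.unpack(FMT, request)[10]
    return struct.pack(FMT, (li << 6) | (3 << 3) | 4, stratum, 10, -20,
                       0, 0, 0, to_ntp(t2), orig, to_ntp(t2), to_ntp(t3))

def demo():
    t1 = 1_700_000_000.0                      # constructed local send time
    req = build_request(t1)
    # Constructed scenario: server clock 2.5 s ahead, 0.25 s network delay each way.
    reply = sample_reply(req, t1 + 2.75, t1 + 2.75)
    return parse_reply(reply, req, t1 + 0.5)  # t4 = local receive time

if __name__ == "__main__":
    print("offset=%.3fs delay=%.3fs" % demo())
```

The Originate check matters because UDP is connectionless: a reply that does not echo the request's Transmit timestamp should never be allowed to adjust the clock.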
In domains, a domain controller is chosen automatically as the reliable time source for the domain, and other computers in the domain sync time with this server. Should this server be unavailable to provide time services, another domain controller takes over. You cannot, however, change the Windows Time configuration. If you want to better manage Windows Time in a domain, you should install the appropriate components. The two key components are:
Windows NTP Client
Installs Windows Time and allows the system to synchronize its clock with designated time servers. The client is much more configurable than the standard time service that comes with Windows XP. You have precise control through Group Policy of every feature of the time service.
Windows NTP Server
Installs Windows Time and configures the system to be a time server. Windows NTP clients, which can be Windows XP or Windows Server 2003 systems, can then synchronize time with this computer. As with NTP clients, you have precise control through Group Policy of every feature of the time service.
and large organizations that need time services will find that configuring a local time server makes sense. Typically, you'll want to install a primary and an alternate at a minimum. You can configure Windows XP Professional systems and servers running Windows Server 2003 to use these local time servers.
Any Windows Server 2003 system can be a Windows NTP client or a Windows NTP server. Typically, Windows NTP servers are configured as Windows NTP clients as well. Here's how that works:
The Windows NTP server provides time synchronization services for the organization. SNTP messages are broadcast locally and don't go out to the Internet.
The Windows NTP server in turn is configured as a client that synchronizes its time with a reliable time server on the Internet, such as time.windows.com.
You enable and configure Windows NTP clients and Windows NTP servers through Group Policy. The policies are found under Computer Configuration\Administrative Templates\System\Windows Time Service.
Enabling and Disabling Windows Time on Stand-alone and Member Servers
You can enable or disable network time for stand-alone or member servers by completing the following steps:
Double-click Date And Time in the Control Panel and then select the Network Time tab.
To enable network time, select Automatically Synchronize With An Internet Time Server and then select the time server you want to use. If you want to use a local time server or a different external server, simply type the Domain Name System (DNS) name of the server in the Server text box. You should also ensure that the Windows Time service is running in the Services utility.
To disable network time, clear Automatically Synchronize With An Internet Time Server.
When you use network time, keep in mind that on large networks it's much more efficient to set up a local time server (which is the standard configuration for domains). With a local time server, SNTP messages from workstations and servers are broadcast locally and don't go out to the Internet. The messages sent between the local time server and the external time server are the only external time traffic.