Lesson 6: Time Synchronization Issues

Time synchronization is core to many of the operations within Windows 2000. If systems aren't properly synchronized, many of the network facilities will fail. In this lesson, you'll learn about the importance of keeping your network fully synchronized.

After this lesson, you will be able to

  • Understand the impact of time synchronization.
  • Know where to change the registry settings for time synchronization.
  • Understand and resolve time-related problems with client authentication.

Estimated lesson time: 25 minutes

Time Synchronization

Windows 2000 uses a time synchronization service called W32Time to synchronize the date and time on computers in a Windows 2000–based network. Fortunately, the time synchronization issue shouldn't be a problem in most cases because Windows 2000 workstations and servers will synchronize their time with their domain controllers by default.

Kerberos authentication expects the time on the client and server machines to be relatively synchronized to authenticate the user, or it won't log the client on. If the time on the client's machine isn't within five minutes of the time on the domain controller, the user won't be able to obtain a Kerberos ticket.

Time problems can have more devastating effects on servers because many of its functions will fail to work, as shown in Figure 11.15.

click to view at full size.

Figure 11.15 Time synchronization problems on a server

A Detailed Examination of the Windows Time Service

One of the startup processes for a Windows 2000 system is ensuring that it's synchronized with the rest of the forest. You should be aware of three processes: what occurs at boot time, how frequently time checks are made, and which systems are being used to obtain an accurate time. These systems are known as inbound time partners.

Client Boot

At boot time, a Windows 2000 system will contact an authenticating domain controller. Packets are exchanged to determine the latency of communication between the client computer and the domain controller. W32Time will then determine what current time should be converged to locally (the target time).

Once the target time has been decided, the Windows 2000 client will adjust the local (client) time according to the following scheme:

  • The local time will be set to the target time if the target time is ahead of local time.
  • The local time will be slowed over the next 20 minutes to align the target and local times if the target time is behind local time by up to two minutes.
  • If the local time is more than two minutes ahead of the target time, it will be immediately set to the target time.

Interval Checks

To ensure that the time is as accurate as possible, the time server client will periodically contact its inbound time partner for the time. The interval at which the time is checked can change depending on the following process:

  • The Windows 2000 system connects to the inbound time partner (authenticating domain controller) once each time period. The initial time period is set at eight hours.
  • If the system's time is different from its inbound time partner by more than two seconds, the time check interval is halved. This halving process continues at each succeeding time check until the local and target time are within two seconds of each other, or until the time check interval reaches its minimum interval value of 45 minutes.
  • If accuracy is maintained within two seconds and the time check interval is less than eight hours, the time interval is doubled, up to a maximum period of eight hours.

Time Convergence Hierarchy

When deciding which machine to synchronize their times with, Windows 2000 computers use the following hierarchy by default:

  • All Windows 2000 workstations and member servers nominate the authenticating domain controller as their inbound time partner.
  • All domain controllers in a domain nominate the domain controller holding the PDC emulator FSMO role as their inbound time partner.
  • The PDC emulators follow the hierarchy of domains in the selection of their inbound time partner.

Following this hierarchy, the PDC emulator at the root of the forest becomes authoritative for the enterprise and can be configured to gather the time from an external source.

Registry Settings for the Windows Time Service

You can configure your time service by editing the registry. The W32Time parameters are held in the registry location Hkey_Local_Machine\System\ CurrentControlSet\Services\W32Time\Parameters.

Some useful values are listed in the following sections.


AvoidTimeSyncOnWan will prevent the computer from synchronizing with a computer that's in another site. The registry listing is shown below.

 ValueName:                         AvoidTimeSyncOnWan  Data Type:                         REG_DWORD  Value:                             0 or 1 0 = the site of the time source is ignored [default];  1 = the computer does not synchronize with a time source that is in a different site 


Period is used to control how often the time service synchronizes. The registry listing is shown below.

 ValueName:                        Period  Data Type:                        REG_SZ  Value:                            The values are listed in the following table. 

0once a day
65535, "BiDaily"once every two days
65534, "Tridaily"once every three days
65533, "Weekly"once every week (seven days)
65532, "SpecialSkew"once every 45 minutes until three good synchronizations occur, then once every eight hours (three per day) [default]
65531, "DailySpecialSkew"once every 45 minutes until one good synchronization occurs, then once every day
<freq><freq> times per day


ReliableTimeSource is used to indicate that this computer has a reliable time. The setting is useful only on a domain controller and is generally used if the domain controller has been synchronized with an external source. The registry listing is shown below.

 ValueName                          ReliableTimeSource  Data Type:                         REG_DWORD  Value:                             0 or 1 0 =  do not mark this computer as having reliable time [default]  1 =  mark this computer as having reliable time 


Type is used to control how a computer synchronizes. The registry listing is shown below.

 Value Name:                          Type  Data Type:                           REG_SZ  Value:                               Nt5DS or NTP or NoSync Nt5DS = synchronize to a domain hierarchy or manually configured source [default]  NTP = synchronize to manually configured source  NoSync = do not synchronize time at all 


NtPServer is used to manually configure the time source. Set this to the DNS name or IP address of the Network Time Protocol (NTP) server to synchronize from. Specify only one DNS name or IP address. You can modify this from the command line by using the Net command (for example, Net Time \\computername /setsntp:name of NTP server). The registry listing is shown below.

 Value Name:                          NtpServer  Data Type:                           REG_SZ  Value:                               Enter DNS name or IP address of NTP Server 

Migration Problems

You can see that time synchronization is a critical issue with Windows 2000. When migrating from Windows NT, you will have Windows NT and Windows 2000 servers and workstations running in mixed mode. If you have Windows 2000 clients running in a pure Windows NT 4.0 domain, the Windows 2000 workstations won't have any system with which to synchronize. If you're using the TimeServ utility from the Microsoft Windows NT Server Resource Kit or any third-party time synchronization utility in Windows NT 4.0, you'll need to look at ways of syn-chronizing your Windows 2000 workstations with your Windows NT 4.0 domain controllers.

Your Windows NT 4.0 domain controllers also don't understand the Windows 2000 Windows Time Service and there might be critical network replication operations such as file and folder replication and Microsoft Exchange Server 2000 server replication that depend on having an accurate time before updating the system. There are several articles in the Microsoft Knowledge Base at www.microsoft.com/technet that can help you with these concerns.

Practice: Troubleshooting a Time Synchronization Problem

In situations in which a server or client is out of date with the server for whatever reason, an administrator can run the net time command to correct the aberration. The following scenario examines a time-related problem in which a client is unable to log on to the domain because the system clock is out of sync with the domain.

  1. Log on to MIGKIT1 as Administrator with the password secret.
  2. Open a command prompt and type w32tm /? | more.

    You should see screens of information telling you how to use the time synchronization command.

  3. Be sure MIGKIT1 is time-synchronized by typing: w32tm.
  4. You could also use the Net command for time synchronization. You can do that by typing net time \\trainkit1 /set.

    The Net command will ask whether you want to synchronize the time.

  5. Type Y and press Enter.
  6. Double-click the time in the system tray in the bottom right-hand corner of your display.

    The Date/Time Properties utility should appear.

  7. Change the time so that it's one hour ahead and the date so that it's one month ahead.
  8. Log off and attempt to log on again, using MIG1 and a password of secret. What happens?

    If you were MIG1, what would you need to do to troubleshoot this problem?

  9. Instead of waiting for the time and date to be fixed incrementally by W32Time, shut down and restart MIGKIT1.

    This will cause the time service to synchronize MIGKIT1 with the PDC emulator on TRAINKIT1.

  10. Check that you can log on as MIG1 and verify that the time and date have been reset.


Lesson Summary

In this lesson, you learned how the time synchronization service works by contacting an inbound time partner at system startup. You saw how this partner was chosen and how you can adjust the registry to edit the time synchronization periods. Finally, you saw how Windows 2000 and your systems could experience major network problems if the domain is not fully synchronized.

MCSE Training Kit (Exam 70-222. Migrating from Microsoft Windows NT 4. 0 to Microsoft Windows 2000)
MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
EAN: 2147483647
Year: 2001
Pages: 126

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net