Time synchronization is core to many of the operations within Windows 2000. If systems aren't properly synchronized, many of the network facilities will fail. In this lesson, you'll learn about the importance of keeping your network fully synchronized.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
Windows 2000 uses a time synchronization service called W32Time to synchronize the date and time on computers in a Windows 2000–based network. Fortunately, the time synchronization issue shouldn't be a problem in most cases because Windows 2000 workstations and servers will synchronize their time with their domain controllers by default.
Kerberos authentication expects the time on the client and server machines to be relatively synchronized to authenticate the user, or it won't log the client on. If the time on the client's machine isn't within five minutes of the time on the domain controller, the user won't be able to obtain a Kerberos ticket.
Time problems can have more devastating effects on servers because many of their functions will fail to work, as shown in Figure 11.15.
Figure 11.15 Time synchronization problems on a server
One of the startup processes for a Windows 2000 system is ensuring that it's synchronized with the rest of the forest. You should be aware of three processes: what occurs at boot time, how frequently time checks are made, and which systems are being used to obtain an accurate time. These systems are known as inbound time partners.
At boot time, a Windows 2000 system will contact an authenticating domain controller. Packets are exchanged to determine the latency of communication between the client computer and the domain controller. W32Time will then determine the time to which the local clock should converge (the target time).
Once the target time has been decided, the Windows 2000 client will adjust the local (client) time according to the following scheme:
To ensure that the time is as accurate as possible, the time server client will periodically contact its inbound time partner for the time. The interval at which the time is checked can change depending on the following process:
When deciding which machine to synchronize their times with, Windows 2000 computers use the following hierarchy by default:
Following this hierarchy, the PDC emulator at the root of the forest becomes authoritative for the enterprise and can be configured to gather the time from an external source.
You can configure your time service by editing the registry. The W32Time parameters are held in the registry location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters.
Some useful values are listed in the following sections.
AvoidTimeSyncOnWan will prevent the computer from synchronizing with a computer that's in another site. The registry listing is shown below.
ValueName: AvoidTimeSyncOnWan
Data Type: REG_DWORD
Value: 0 or 1
0 = the site of the time source is ignored [default]
1 = the computer does not synchronize with a time source that is in a different site
Period is used to control how often the time service synchronizes. The registry listing is shown below.
ValueName: Period
Data Type: REG_SZ
Value: The values are listed in the following table.

|Value|Synchronization frequency|
|---|---|
|0|once a day|
|65535, "BiDaily"|once every two days|
|65534, "Tridaily"|once every three days|
|65533, "Weekly"|once every week (seven days)|
|65532, "SpecialSkew"|once every 45 minutes until three good synchronizations occur, then once every eight hours (three per day) [default]|
|65531, "DailySpecialSkew"|once every 45 minutes until one good synchronization occurs, then once every day|
|<freq>|<freq> times per day|
ReliableTimeSource is used to indicate that this computer has a reliable time. The setting is useful only on a domain controller and is generally used if the domain controller has been synchronized with an external source. The registry listing is shown below.
ValueName: ReliableTimeSource
Data Type: REG_DWORD
Value: 0 or 1
0 = do not mark this computer as having reliable time [default]
1 = mark this computer as having reliable time
Type is used to control how a computer synchronizes. The registry listing is shown below.
Value Name: Type
Data Type: REG_SZ
Value: Nt5DS or NTP or NoSync
Nt5DS = synchronize to a domain hierarchy or manually configured source [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time at all
NtpServer is used to manually configure the time source. Set this to the DNS name or IP address of the Network Time Protocol (NTP) server to synchronize from. Specify only one DNS name or IP address. You can modify this from the command line by using the Net command (for example, Net Time \\computername /setsntp:name of NTP server). The registry listing is shown below.
Value Name: NtpServer
Data Type: REG_SZ
Value: Enter DNS name or IP address of NTP Server
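The registry values above interact, so it helps to review them together rather than one at a time. The following PowerShell function is an added example, not code from the original lesson or from Microsoft; it interprets a set of W32Time Parameters values using the defaults and Period codes listed above. The function name, the -IsDomainController switch and the sample values are assumptions made for illustration.

```powershell
# Added example: interprets the W32Time Parameters values described in this lesson.
# Value names, defaults and Period codes are the lesson's; the function name,
# the -IsDomainController switch and the sample data are hypothetical.
function Get-W32TimeParameterReport {
    param([hashtable]$Parameters = @{}, [switch]$IsDomainController)

    # Start from the defaults the lesson states, then overlay the supplied values.
    $cfg = @{ Type = 'Nt5DS'; Period = 'SpecialSkew'; NtpServer = ''
              AvoidTimeSyncOnWan = 0; ReliableTimeSource = 0 }
    foreach ($k in $Parameters.Keys) { $cfg[$k] = $Parameters[$k] }

    # Period accepts a numeric code, a name, or a plain count of syncs per day.
    $periods = @{
        '0'     = 'once a day'
        '65535' = 'once every two days';   'BiDaily'  = 'once every two days'
        '65534' = 'once every three days'; 'Tridaily' = 'once every three days'
        '65533' = 'once every week';       'Weekly'   = 'once every week'
        '65532' = 'every 45 min until three good syncs, then every eight hours'
        '65531' = 'every 45 min until one good sync, then once every day'
    }
    $periods['SpecialSkew']      = $periods['65532']
    $periods['DailySpecialSkew'] = $periods['65531']
    $p = [string]$cfg.Period
    if     ($periods.ContainsKey($p)) { $schedule = $periods[$p] }
    elseif ($p -match '^\d+$')        { $schedule = "$p times per day" }
    else                              { $schedule = "unrecognized Period '$p'" }

    $findings = @()
    switch ($cfg.Type) {
        'Nt5DS'  { }
        'NTP'    { if (-not $cfg.NtpServer) {
                       $findings += 'Type=NTP but NtpServer is empty: no time source' } }
        'NoSync' { $findings += 'Type=NoSync: clock is never corrected; a drift of more than five minutes blocks Kerberos tickets' }
        default  { $findings += "Type '$($cfg.Type)' is not Nt5DS, NTP or NoSync" }
    }
    if ($cfg.NtpServer -match '[\s,;]') {
        $findings += 'NtpServer should hold only one DNS name or IP address'
    }
    if ($cfg.ReliableTimeSource -eq 1 -and -not $IsDomainController) {
        $findings += 'ReliableTimeSource=1 is useful only on a domain controller'
    }
    [pscustomobject]@{
        Type = $cfg.Type; Schedule = $schedule
        SameSiteOnly = ($cfg.AvoidTimeSyncOnWan -eq 1); Findings = $findings
    }
}

# Constructed sample values, not read from a real system.
$sample = @{ Type = 'NTP'; Period = 65531; NtpServer = ''; ReliableTimeSource = 1 }
Get-W32TimeParameterReport -Parameters $sample | Format-List
```

On a live system, the hashtable can be filled from the values that Get-ItemProperty returns for HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.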
You can see that time synchronization is a critical issue with Windows 2000. When migrating from Windows NT, you will have Windows NT and Windows 2000 servers and workstations running in mixed mode. If you have Windows 2000 clients running in a pure Windows NT 4.0 domain, the Windows 2000 workstations won't have any system with which to synchronize. If you're using the TimeServ utility from the Microsoft Windows NT Server Resource Kit or any third-party time synchronization utility in Windows NT 4.0, you'll need to look at ways of synchronizing your Windows 2000 workstations with your Windows NT 4.0 domain controllers.
Your Windows NT 4.0 domain controllers also don't understand the Windows 2000 Windows Time Service, and there might be critical network replication operations, such as file and folder replication and Microsoft Exchange Server 2000 server replication, that depend on having an accurate time before updating the system. There are several articles in the Microsoft Knowledge Base at www.microsoft.com/technet that can help you with these concerns.
In situations in which a server or client is out of date with the server for whatever reason, an administrator can run the net time command to correct the aberration. The following scenario examines a time-related problem in which a client is unable to log on to the domain because the system clock is out of sync with the domain.
You should see screens of information telling you how to use the time synchronization command.
The Net command will ask whether you want to synchronize the time.
The Date/Time Properties utility should appear.
If you were MIG1, what would you need to do to troubleshoot this problem?
This will cause the time service to synchronize MIGKIT1 with the PDC emulator on TRAINKIT1.
In this lesson, you learned how the time synchronization service works by contacting an inbound time partner at system startup. You saw how this partner was chosen and how you can adjust the registry to edit the time synchronization periods. Finally, you saw how Windows 2000 and your systems could experience major network problems if the domain is not fully synchronized.