Time Synchronization

In this article I talk a little bit about time protocols.
A DBA, too, might run into trouble because of failing time synchronization, so this is what I learned a while ago about setting the protocol up correctly.

Time Synchronization on Windows

Background reading: Time Configuration in Active Directory on TechNet.

Yes, it's important

It's indispensable, because Kerberos rejects an authenticator whose timestamp differs from the KDC's clock by more than the maximum tolerance, which is 5 minutes by default (Kerberos policy, "Maximum tolerance for computer clock synchronization"). Once a DC drifts past that, AD replication between domain controllers fails, AD-integrated DNS zones stop replicating, users lose access to file shares, and much more misery follows.

How to configure

NTP (the Network Time Protocol) sends 48-byte packets (plus an optional authenticator) over UDP port 123, so that port must be reachable from every client towards its time source. Note that plain NTP carries no authentication; inside the domain, the Windows Time service signs its exchanges with the computer account's secure channel instead.
Some configuration can be done by GPO (Group Policy Objects):

Computer Configuration > Windows Settings > Security Settings > System Services > Windows Time

Computer Configuration > Administrative Templates > System > Windows Time Service

Now how do you configure domain controllers for time synchronization?

After a default domain controller promotion the settings are usually already right.
However, if you need to configure manually, look at these keys:

  • Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters:
    • NtpServer: the upstream sources, space separated, each followed by a mode flag. Example: 192.168.123.123,0x9 or 0.europe.pool.ntp.org,0x9. The flag is not about name versus IP address: 0x1 = poll at SpecialPollInterval, 0x2 = use as fallback only, 0x4 = symmetric active, 0x8 = client mode, so 0x9 (client mode at the special interval) is the usual choice.
    • Type: NT5DS (sync from the domain hierarchy) on ordinary domain controllers and members; NTP (sync from the NtpServer list) only on the PDC emulator of the forest root domain.
  • Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config:
    • AnnounceFlags: 10 (0xA, the DC default: announce automatically as time server and as reliable source). The PDC emulator that syncs from an external source gets 5 (always time server, always reliable).
    • MaxPosPhaseCorrection: 900 (seconds; the largest forward jump the service will apply in one go, 15 minutes here)
    • MaxNegPhaseCorrection: 900 (seconds; the same limit for backward jumps)
    • MaxPollInterval: 10 (log2 of seconds, so at most 2^10 = 1024 seconds between polls)

Top down

The domain hierarchy decides who syncs from whom: members sync from a domain controller in their domain, domain controllers sync from their domain's PDC emulator, the PDC emulator of a child domain syncs from a domain controller in the parent domain, and the PDC emulator of the forest root domain sits at the top.
On that one computer the Type must be NTP instead of NT5DS, with a manual peer list pointing at the outside source.
Microsoft's advice is to sync it with a hardware clock (GPS or radio receiver on your own network) rather than with the internet: plain NTP from the internet is unauthenticated, so anyone who can spoof those UDP packets towards your PDC emulator can nudge every clock in the forest (the MaxPos/MaxNegPhaseCorrection limits above bound how far in one step).
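The registry settings and the top-down rule above, as one script. This is an added example, not code from the original post: run it elevated on each domain controller. It assumes the upstream server names are placeholders you replace with your own hardware clock or vetted NTP servers, and it uses the documented w32tm /config switches rather than writing Type and AnnounceFlags by hand; only the 900-second clamps from the post go in through the registry.

```powershell
# Added example, not code from the original post.
# Run elevated on each DC: the forest root PDC emulator becomes the only external
# NTP client, every other DC goes back into the domain hierarchy (NT5DS).
#Requires -RunAsAdministrator

# Placeholder sources (assumption): replace with your GPS/radio clock or vetted NTP servers.
$UpstreamServers = @('0.europe.pool.ntp.org', '1.europe.pool.ntp.org')
$W32TimeConfig   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Test-IsForestRootPdcEmulator {
    # True when this host holds the PDC emulator role of the forest root domain.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $pdc    = $forest.RootDomain.PdcRoleOwner.Name
    $self   = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    return ($pdc -ieq $self)
}

function Get-ManualPeerList {
    # Builds "host,0x9 host,0x9". The suffix is a mode flag, not a hostname marker:
    # 0x8 = client mode, 0x1 = poll at SpecialPollInterval; 0x9 combines both.
    param([string[]]$Servers)
    return (($Servers | ForEach-Object { "$_,0x9" }) -join ' ')
}

if (Test-IsForestRootPdcEmulator) {
    # Type becomes NTP; /reliable:yes sets AnnounceFlags to 5 (always time server, always reliable).
    $peers = Get-ManualPeerList -Servers $UpstreamServers
    w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
}
else {
    # Type becomes NT5DS; /reliable:no returns AnnounceFlags to the ordinary DC value of 10.
    w32tm.exe /config /syncfromflags:domhier /reliable:no /update
}

# The post's 15-minute clamp: never jump the clock by more than 900 s in one step,
# so a broken or spoofed source cannot push every Kerberos ticket out of tolerance at once.
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    Set-ItemProperty -Path $W32TimeConfig -Name $name -Value 900 -Type DWord
}
w32tm.exe /config /update        # make the service re-read the registry
w32tm.exe /resync /rediscover    # drop the cached source and pick it up again

# Verify: the source should be an upstream server on the PDC emulator, a DC anywhere else.
w32tm.exe /query /source
w32tm.exe /query /status
```

Run it on the forest root PDC emulator first, then on the other domain controllers; when the PDC emulator role moves, run it again on both the old and the new holder, otherwise the old one keeps announcing itself as the reliable source with Type NTP.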

Time synchronization happens in layers. The stratum counts the hops from the reference clock: the GPS or atomic clock itself is stratum 0, a server directly attached to it is stratum 1, and every layer below adds one. In the layout above that gives:

  1. stratum 1 : internet server or hardware clock
  2. stratum 2 : PDC emulator
  3. stratum 3 : domain controllers
  4. stratum 4 : member servers and workstations

Most time servers on the internet operate in pools, however. As a consequence, the public server you happen to sync with may itself be at stratum 2 or even 3.
All layers in your domain shift down accordingly.
You should also check that there are no loops in your hierarchy (a domain controller that, through one or more hops, ends up syncing from itself): such a chain has no real source behind it at all.

From a console (cmd or PowerShell) you can check your time servers with:

w32tm /monitor

net time

w32tm /monitor lists every domain controller with its offset and stratum; net time is the legacy tool and only shows the time one server reports, so rely on w32tm.
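The two checks the post asks for (every DC reports a real source, and the hierarchy contains no loops), plus the Kerberos tolerance check, as a script. This is an added example, not code from the original post. The DC names, the w32tm output lines and the offsets in the offline branch are constructed for the demo; with -Live it queries the domain controllers returned by Get-ADDomainController (RSAT ActiveDirectory module assumed) using w32tm /query /source and w32tm /stripchart.

```powershell
# Added example, not code from the original post. The sample data below is constructed;
# run with -Live from a domain-joined admin box to query the real domain controllers.
param([switch]$Live)

$MaxSkewSeconds    = 300     # Kerberos default: 5 minutes maximum clock tolerance
$LocalClockPattern = 'Local CMOS Clock|Free-running System Clock'

function ConvertFrom-W32tmSource {
    # "Source: dc01.corp.example,0x9" -> "dc01.corp.example" (flags stripped, lower-cased);
    # returns $null when the text holds no Source line.
    param([string]$Text)
    if ($Text -notmatch 'Source:\s*([^\r\n]+)') { return $null }
    return ($Matches[1].Trim() -split ',')[0].ToLowerInvariant()
}

function ConvertFrom-W32tmStripchart {
    # Takes the lines printed by "w32tm /stripchart /dataonly" and returns the last
    # sample ("hh:mm:ss, +00.0123456s") as seconds, or $null when nothing was sampled.
    param([string[]]$Lines)
    $offset = $null
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+(?:\.\d+)?)s\s*$') { $offset = [double]$Matches[1] }
    }
    return $offset
}

function Find-TimeSourceLoops {
    # $SourceMap maps each DC to the source it reports. Follow every chain: one that leaves
    # the map ends at an external or hardware source, one that revisits a DC is a loop.
    param([hashtable]$SourceMap)
    $loops = @{}
    foreach ($start in $SourceMap.Keys) {
        $path = [System.Collections.Generic.List[string]]::new()
        $cur  = $start
        while ($cur -and $SourceMap.ContainsKey($cur)) {
            if ($path.Contains($cur)) {
                # Cut the cycle out of the path and rotate it to its smallest name, so the
                # same loop is reported once no matter where we entered it.
                $cycle = @($path.ToArray()[$path.IndexOf($cur)..($path.Count - 1)])
                $k     = [array]::IndexOf($cycle, ($cycle | Sort-Object)[0])
                $rot   = @($cycle[$k..($cycle.Count - 1)])
                if ($k -gt 0) { $rot += $cycle[0..($k - 1)] }
                $loops[($rot -join ' -> ')] = $true
                break
            }
            $path.Add($cur)
            $cur = $SourceMap[$cur]
        }
    }
    return @($loops.Keys | Sort-Object)
}

if ($Live) {
    Import-Module ActiveDirectory
    $sourceMap = @{}
    $offsets   = @{}
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $key = $dc.ToLowerInvariant()
        $sourceMap[$key] = ConvertFrom-W32tmSource -Text ((w32tm.exe /query /source /computer:$dc) -join "`n")
        $offsets[$key]   = ConvertFrom-W32tmStripchart -Lines (w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly)
    }
}
else {
    # Constructed sample: dc01 is the PDC emulator on a public pool, dc02 hangs off it,
    # dc03 and dc04 sync from each other, dc05 fell back to its own clock and drifted.
    $sourceMap = @{
        'dc01.corp.example' = ConvertFrom-W32tmSource 'Source: 0.europe.pool.ntp.org,0x9'
        'dc02.corp.example' = ConvertFrom-W32tmSource 'Source: dc01.corp.example'
        'dc03.corp.example' = ConvertFrom-W32tmSource 'Source: dc04.corp.example'
        'dc04.corp.example' = ConvertFrom-W32tmSource 'Source: dc03.corp.example'
        'dc05.corp.example' = ConvertFrom-W32tmSource 'Source: Local CMOS Clock'
    }
    $offsets = @{
        'dc01.corp.example' = ConvertFrom-W32tmStripchart @('Tracking dc01.corp.example [10.0.0.1:123].', '12:00:01, +00.0031250s')
        'dc05.corp.example' = ConvertFrom-W32tmStripchart @('Tracking dc05.corp.example [10.0.0.5:123].', '12:00:02, +412.7500000s')
    }
}

foreach ($loop in Find-TimeSourceLoops -SourceMap $sourceMap) {
    Write-Warning "time loop with no real source behind it: $loop"
}
foreach ($dc in ($sourceMap.Keys | Sort-Object)) {
    $src = $sourceMap[$dc]
    if (-not $src)                             { Write-Warning "$dc : could not read its time source" }
    elseif ($src -match $LocalClockPattern)    { Write-Warning "$dc : not synchronized, running on $src" }
    else                                       { Write-Output  "$dc <- $src" }
}
foreach ($dc in ($offsets.Keys | Sort-Object)) {
    if ($null -ne $offsets[$dc] -and [math]::Abs($offsets[$dc]) -gt $MaxSkewSeconds) {
        Write-Warning "$dc : offset $($offsets[$dc]) s exceeds the Kerberos tolerance of $MaxSkewSeconds s"
    }
}
```

The stripchart offsets are measured against the box you run this from, so run it from a machine that is itself in sync (or from the PDC emulator) before trusting a large number.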

To be continued

Sorry, this is a copy from an old post on my previous blog.
I must find the time to get some real PowerShell actions in here.
