NTP network time server synchronizes all master domain clocks

Time:2020-11-18


Beijing Zhun electronic technology official micro enterprise — ahjzsz

Important: This article contains information about how to modify the registry. Before modifying the registry, be sure to make a backup and know how to restore the registry in case of problems. For more information about how to back up, restore, and modify the registry, click the article number below to view the corresponding article in the Microsoft Knowledge Base:

Brief introduction

Windows includes W32Time, the Windows Time service, which is required by the Kerberos authentication protocol. The purpose of the Windows Time service is to ensure that all computers running Microsoft Windows 2000 or later in your organization use a common time.

 

To ensure appropriate use of common time, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops. By default, Windows-based computers use the following hierarchy:

· All client desktop computers nominate an authenticating domain controller as their inbound time partner.

· All member servers follow the same process as client desktop computers.

· All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their inbound time partner.

· All PDC operations masters follow the hierarchy of domains when selecting their inbound time partner.

 

In this hierarchy, the PDC operations master at the root of the forest becomes the authoritative time server for the organization. We strongly recommend that you configure the authoritative time server to collect time from a hardware source. When you configure the authoritative time server to synchronize with an Internet time source, there is no authentication. We also recommend that you reduce the time correction settings for your servers and stand-alone clients. These recommendations provide your domain with more accurate time and greater security.

Configure the Windows Time service to use the internal hardware clock

Warning: serious problems can occur if you modify the registry incorrectly by using Registry Editor or another method. These problems may require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

 

To configure the PDC emulator to not use an external time source, change the announce flag on the PDC emulator. The PDC emulator is the server that holds the PDC emulator operations master role in the forest root domain. This configuration forces the PDC emulator to announce itself as a reliable time source and to use the built-in complementary metal oxide semiconductor (CMOS) clock. To configure the PDC emulator to use the internal hardware clock, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. Find and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

3. In the right pane, right-click AnnounceFlags, and then click Modify.

4. In the Value data box of the Edit DWORD Value dialog, type A, and then click OK.

5. Exit Registry Editor.

6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time

 

Note: never configure a PDC emulator to synchronize with itself. If the PDC emulator is configured to synchronize with itself, the following events are logged in the Application log:

 

The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (NTP.M|0x0|192.168.1.1:123->192.168.1.1:123).

 

No response has been received from the manual peer 192.168.1.1 after eight attempts to contact it. This peer will be discarded as a time source, and NtpClient will attempt to discover a new peer with which to synchronize.

 

The time provider NtpClient is configured to acquire time from one or more time sources, but none of the sources is currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.

If the PDC emulator runs without using an external time source, the following event is logged in the Application log:

 

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the forest root domain, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable NtpClient.

This text is a reminder to use an external time source, and it can be ignored.
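Added example (not from the original article): a PowerShell snippet that lists recent Windows Time service events, so that the three messages quoted above (a PDC emulator pointed at itself, or one with no configured source) can be spotted without opening Event Viewer. It assumes that, on Windows Vista / Server 2008 and later, the service logs to the System log through the provider Microsoft-Windows-Time-Service, while on the older systems the article describes the events appeared in the Application log with source W32Time; both filters are tried. The $Hours parameter is my own.

```powershell
# Added example, not part of the original article.
# Lists Windows Time service events from the last $Hours hours.
param(
    [int]$Hours = 24   # how far back to look (assumed default)
)

$since = (Get-Date).AddHours(-$Hours)

# Two candidate locations for W32Time events (assumption: provider/source names
# used by current and by older Windows versions respectively).
$filters = @(
    @{ LogName = 'System';      ProviderName = 'Microsoft-Windows-Time-Service'; StartTime = $since },
    @{ LogName = 'Application'; ProviderName = 'W32Time';                        StartTime = $since }
)

$events = @(
    foreach ($f in $filters) {
        # Get-WinEvent throws when a filter matches nothing; that is not an error here.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
)

if ($events.Count -eq 0) {
    Write-Host "No Windows Time service events in the last $Hours hours."
    return
}

# Show the first line of each message; the full text is in $_.Message.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Level 1 = Critical, 2 = Error, 3 = Warning. The "cannot reach", "no response"
# and "no source accessible" messages above are logged at warning level or above.
$warnings = @($events | Where-Object { $_.Level -le 3 })
Write-Host ("{0} event(s) total, {1} at warning level or above." -f $events.Count, $warnings.Count)
```

Run it as an administrator; reading the System log works for ordinary users, but the Application log entries from older systems may need elevation.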

Configure the Windows Time service to use an external time source

To configure the internal time server to synchronize with an external time source, follow these steps:

1. Change the server type to NTP. To do this, follow these steps:

a. Click Start, click Run, type regedit, and then click OK.

b. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

c. In the right pane, right-click Type, and then click Modify.

d. In the Value data box of the Edit Value dialog, type NTP, and then click OK.

 

2. Set AnnounceFlags to 5. To do this, follow these steps:

a. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

b. In the right pane, right-click AnnounceFlags, and then click Modify.

c. In the Value data box of the Edit DWORD Value dialog, type 5, and then click OK.

 

3. Enable NtpServer. To do this, follow these steps:

a. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

b. In the right pane, right-click Enabled, and then click Modify.

c. In the Value data box of the Edit DWORD Value dialog, type 1, and then click OK.


4. Specify the time sources. To do this, follow these steps:

a. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

b. In the right pane, right-click NtpServer, and then click Modify.

c. In the Value data box of the Edit Value dialog, type Peers, and then click OK.

Note: Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.

 

5. Select the poll interval. To do this, follow these steps:

a. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

b. In the right pane, right-click SpecialPollInterval, and then click Modify.

c. In the Value data box of the Edit DWORD Value dialog, type TimeInSeconds, and then click OK.

 

Note: TimeInSeconds is a placeholder for the number of seconds that you want between each poll. The recommended value is 900 (decimal). This value configures the time server to poll every 15 minutes.

 

6. Configure the time correction settings. To do this, follow these steps:

a. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.

c. In the Base box of the Edit DWORD Value dialog, click Decimal.

d. In the Value data box, type TimeInSeconds, and then click OK.

 

Note: TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select depends on the poll interval, network conditions, and the external time source.

e. Locate and click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

f. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.

g. In the Base box of the Edit DWORD Value dialog, click Decimal.

h. In the Value data box, type TimeInSeconds, and then click OK.

 

Note: TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select depends on the poll interval, network conditions, and the external time source.

 

7. Exit Registry Editor.

8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time
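The two procedures above (internal hardware clock, and external time source) applied with PowerShell instead of Regedit, as an added example that is not from the original article or from Microsoft. The function name Set-W32TimeSource, its parameters and the example peer names under .invalid are my own assumptions; the registry paths, value names, values and the service restart are the ones given in the steps. Run it from an elevated PowerShell prompt on the PDC emulator, and preview with -WhatIf first.

```powershell
# Added example, not part of the original article.
function Set-W32TimeSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'InternalClock' = first procedure (AnnounceFlags 0xA, use the CMOS clock)
        # 'External'      = second procedure (Type NTP, AnnounceFlags 5, NtpServer enabled)
        [Parameter(Mandatory)]
        [ValidateSet('InternalClock', 'External')]
        [string]$Mode,

        # Space-delimited peer list; each entry needs ",0x1" or SpecialPollInterval is ignored.
        # The hostname is a constructed placeholder.
        [string]$Peers = 'ntp.example.invalid,0x1',

        [int]$PollSeconds = 900,          # step 5: 15 minutes (recommended value)
        [int]$MaxPhaseCorrection = 3600   # step 6: 1 hour, applied to both MaxPos and MaxNeg
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

    if ($Mode -eq 'InternalClock') {
        $settings = @(
            @{ Path = "$base\Config"; Name = 'AnnounceFlags'; Value = 0xA; Type = 'DWord' }
        )
    }
    else {
        # Enforce the note after step 4: every peer must carry a ,0x<flags> suffix.
        foreach ($p in ($Peers -split ' ' | Where-Object { $_ })) {
            if ($p -notmatch ',0x[0-9A-Fa-f]+$') { throw "Peer '$p' needs a ',0x1' suffix" }
        }
        $settings = @(
            @{ Path = "$base\Parameters";              Name = 'Type';                  Value = 'NTP';               Type = 'String' },
            @{ Path = "$base\Config";                  Name = 'AnnounceFlags';         Value = 5;                   Type = 'DWord'  },
            @{ Path = "$base\TimeProviders\NtpServer"; Name = 'Enabled';               Value = 1;                   Type = 'DWord'  },
            @{ Path = "$base\Parameters";              Name = 'NtpServer';             Value = $Peers;              Type = 'String' },
            @{ Path = "$base\TimeProviders\NtpClient"; Name = 'SpecialPollInterval';   Value = $PollSeconds;        Type = 'DWord'  },
            @{ Path = "$base\Config";                  Name = 'MaxPosPhaseCorrection'; Value = $MaxPhaseCorrection; Type = 'DWord'  },
            @{ Path = "$base\Config";                  Name = 'MaxNegPhaseCorrection'; Value = $MaxPhaseCorrection; Type = 'DWord'  }
        )
    }

    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set to $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        }
    }

    # Equivalent of "net stop w32time && net start w32time" in step 8.
    if ($PSCmdlet.ShouldProcess('w32time', 'Restart service')) {
        Restart-Service -Name w32time
    }
}

# Usage (elevated): preview, apply, then confirm which source the service selected.
# Set-W32TimeSource -Mode External -Peers 'ntp1.example.invalid,0x1 ntp2.example.invalid,0x1' -WhatIf
# Set-W32TimeSource -Mode External -Peers 'ntp1.example.invalid,0x1 ntp2.example.invalid,0x1'
# w32tm /query /source     # w32tm /query is available on Windows Vista / Server 2008 and later
```

The peer-suffix check exists because the article's note after step 4 is easy to miss: without ,0x1 the SpecialPollInterval value written in step 5 is silently ignored and the default poll interval applies.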

Troubleshooting

For the Windows Time service to work correctly, the network infrastructure must be working correctly. The most common problems that affect the Windows Time service include the following:

· Problems with TCP/IP connectivity, such as a dead gateway.

· The name resolution service is not working correctly.

· High network latency, especially when synchronizing over high-latency WAN links.

· The Windows Time service is trying to synchronize with an inaccurate time source.

 

It is recommended that you use the Netdiag.exe utility to troubleshoot network-related problems. Netdiag.exe is part of the Windows Server 2003 Support Tools. For a complete list of the command-line parameters that you can use with Netdiag.exe, see the Support Tools Help. If the problem is still not resolved, you can turn on the Windows Time service debug log. Because the debug log can contain very detailed information, it is recommended that you contact Microsoft Product Support Services when you turn on the Windows Time service debug log.

 

For a complete list of Microsoft product support service phone numbers and support fee information, visit the following Microsoft website:

http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS

Note: under special circumstances, if Microsoft support professionals determine that a specific update can solve your problem, the telephone support service fee normally charged will be exempted. Support fees will be charged as usual for other support issues and issues that cannot be resolved by a specific update.

More information

NTP supports several different packet types. Typically, NTP clients and Simple Network Time Protocol (SNTP) clients send client-mode request packets to an NTP server, and the NTP server responds with server-mode packets. To configure the W32Time service to send symmetric active mode packets (instead of client-mode packets) to the NTP server, type the following command at the command prompt, where Peers is the same placeholder for the peer list as in step 4 above:

w32tm /config /manualpeerlist:Peers,0x4 /syncfromflags:MANUAL

Note: use the 0x8 flag to force W32Time to send normal client requests instead of symmetric active mode packets. The NTP server replies to these normal client requests in the usual way.

Reliable time source configuration

Computers that are configured as reliable time sources are identified as the root of the Windows Time service. The root of the Windows Time service is the authoritative server for the domain and is typically configured to retrieve time from an external NTP server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured as a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first, if one is available.

Manually specified synchronization

With manually specified synchronization, you can designate a single peer or a list of peers from which a computer obtains time. If the computer is not a member of a domain, it must be manually configured to synchronize with a specified time source. By default, a computer that is a member of a domain is configured to synchronize from the domain hierarchy. Manually specified synchronization is most useful for the forest root of a domain or for computers that are not joined to a domain. Manually specifying an external NTP server to synchronize with the authoritative computer for your domain provides reliable time. However, to provide greater accuracy and security for your domain, it is recommended that you configure the authoritative computer for your domain to synchronize with a hardware clock.

 

If there is no hardware time source and W32Time is configured with type NTP, you must reconfigure the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries. Depending on the time source, network conditions, and security requirements, the recommended value is 15 minutes or less. This requirement also applies to any reliable time source that is configured as the forest root time source in the time synchronization subnet. For more information about these two registry entries, see the "Windows Time service registry keys" section of this article.

 

Note: manually specified time sources are not authenticated unless a specific time provider is written for them, and they are therefore vulnerable to spoofed or tampered time. Also, if a computer synchronizes with a manually specified source instead of its authenticating domain controller, the two computers may not be synchronized, which can cause Kerberos authentication to fail, and with it other operations that require network authentication, such as printing or file sharing. As long as only the forest root is configured to synchronize with an external source, all other computers in the forest stay synchronized with each other. This configuration makes replay attacks difficult.

All available synchronization mechanisms

The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This method synchronizes with the domain hierarchy and, depending on the configuration, can also provide an alternate time source if the domain hierarchy becomes unavailable. If the client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source that is specified by the NtpServer setting. This synchronization method is the most likely to provide accurate time to clients.

Windows Time service registry keys

The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time.

Registry entry MaxPosPhaseCorrection

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Note: this entry specifies the largest positive time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead. (0xFFFFFFFF is a special case that means always make the time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54000 (15 hours).

Registry entry MaxNegPhaseCorrection

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Note: this entry specifies the largest negative time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead. (-1 is a special case that means always make the time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54000 (15 hours).

Registry entry MaxPollInterval

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Note: this entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Although the system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.

Registry entry SpecialPollInterval

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

Note: this entry specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of the poll interval determined by the operating system. The default value for domain members is 3600. The default value for stand-alone clients and servers is 604800.

Registry entry MaxAllowedPhaseOffset

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Note: this entry specifies the maximum offset, in seconds, for which W32Time tries to adjust the computer clock by slewing the clock rate. When the offset exceeds this value, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.
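An added example (not from the original article) that reads the registry entries listed above and reports the settings this article warns about: MaxPosPhaseCorrection or MaxNegPhaseCorrection left at 0xFFFFFFFF (any correction accepted, so a wrong or hostile time source can move the clock by any amount), a correction limit above the 15 minutes recommended for a forest root time source, and manual peers without the ,0x1 suffix, which makes SpecialPollInterval ineffective. The function name Test-W32TimeRegistry and its threshold parameter are my own; the paths and value names are those documented above, and the Type values NTP and NT5DS are the standard W32Time type strings.

```powershell
# Added example, not part of the original article.
function Test-W32TimeRegistry {
    param(
        # 900 s = 15 minutes, the ceiling the article recommends for a root time source
        [int]$MaxCorrectionSeconds = 900
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $cfg  = Get-ItemProperty -Path "$base\Config"
    $par  = Get-ItemProperty -Path "$base\Parameters"
    $ntpc = Get-ItemProperty -Path "$base\TimeProviders\NtpClient"

    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $v = $cfg.$name
        if ($null -eq $v) { $findings.Add("$name is not set; the service default applies"); continue }
        # REG_DWORD values come back as Int32, so 0xFFFFFFFF reads as -1.
        if ($v -eq -1) {
            $findings.Add("$name is 0xFFFFFFFF: every correction is accepted, so a wrong or hostile source can move the clock by any amount")
        }
        elseif ($v -gt $MaxCorrectionSeconds) {
            $findings.Add("$name = $v s, above the $MaxCorrectionSeconds s limit recommended for a root time source")
        }
    }

    if ($par.Type -eq 'NTP') {
        # Note after step 4: without ,0x1 the SpecialPollInterval value is ignored for that peer.
        foreach ($peer in ($par.NtpServer -split ' ' | Where-Object { $_ })) {
            if ($peer -notmatch ',0x[0-9A-Fa-f]+$') {
                $findings.Add("peer '$peer' has no ,0x1 suffix; SpecialPollInterval ($($ntpc.SpecialPollInterval) s) does not apply to it")
            }
        }
    }
    elseif ($par.Type -eq 'NT5DS') {
        # NT5DS = synchronize from the domain hierarchy; on the forest-root PDC emulator
        # there is nothing above it, which produces the "domain hierarchy" event quoted earlier.
        $findings.Add("Type is NT5DS (domain hierarchy); on the forest-root PDC emulator this means no external source is used")
    }

    [pscustomobject]@{
        Type                  = $par.Type
        NtpServer             = $par.NtpServer
        AnnounceFlags         = ('0x{0:X}' -f [int]$cfg.AnnounceFlags)
        MaxPosPhaseCorrection = $cfg.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = $cfg.MaxNegPhaseCorrection
        MaxPollInterval       = $cfg.MaxPollInterval
        MaxAllowedPhaseOffset = $cfg.MaxAllowedPhaseOffset
        SpecialPollInterval   = $ntpc.SpecialPollInterval
        Findings              = $findings.ToArray()
    }
}

# Usage: Test-W32TimeRegistry | Format-List
```

The Findings array is empty on a machine configured as the external-source procedure above recommends with a correction limit of 900 seconds or less; on a default domain member it reports both phase-correction entries at 0xFFFFFFFF, which is the expected default and only a concern on the computer that serves as the forest root time source.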