External time source

In any environment, you need to ensure that the time and date on your computers are set correctly. If the time drifts too far from the correct time, this can cause problems logging in to the network and cause time-sensitive authentication systems to fail. This video looks at keeping computers in your domain up to date and configuring your computers to use a reliable external time source.

All computers have a battery on the motherboard that is responsible for ensuring the internal clock inside the computer does not lose power even when the computer is not plugged in. The internal clock can lose or gain time as time passes. If the clocks get out of sync with the correct time, this can affect authentication systems. Authentication systems that use tickets generate the tickets using the time and date. Big differences in these times will mean that new tickets that were just created will be invalid and can’t be used.

Time Hierarchy
When you have computers in a domain, Windows will use a hierarchical approach to ensure that the times for all the computers in the domain are up to date. The root of the hierarchy is the domain controller that is holding the PDC emulator operational master role. This domain controller should have a reliable clock installed in it and/or synced off an external time source. This will ensure that all computers that sync their time from the PDC emulator will have the correct time. If the time is set incorrectly on the PDC emulator, the internal clocks of all the computers in the domain will eventually be synced to this incorrect time. For this reason, it is important to ensure that the domain controller with the PDC emulator role always has the correct time.

Below the PDC emulator in the time hierarchy are all the domain controllers. The domain controllers are responsible for making sure all other computers on the network have the correct time. This includes clients and other servers in the domain, known as member servers.

Multiple domains
If you have a network with multiple domains, the child domains should sync their time from the parent domain. The domain controller holding the PDC emulator operational master role in each child domain should be configured to sync its time from the closest domain controller in the parent domain. The PDC emulator in the child domain does not need to sync its time from the PDC emulator in the parent domain; however, it can do so if required.

Syncing the time from an external time source
In order to keep the time current on the PDC emulator or a standalone server, an external time source can be used. These external time sources are grouped together to form a hierarchy. Each level of the hierarchy is called a stratum. At the top of the hierarchy is stratum 0, which consists of very accurate physical time clocks. These include atomic, GPS, and radio clocks. In order to access the time from these hardware clocks, these clocks are directly connected to stratum 1 clocks. Stratum 1 clocks may be configured for private access only to decrease the load on them. At the next level is stratum 2. These clocks sync their time directly from stratum 1 and are generally publicly accessible. It is generally considered better to sync from these time clocks rather than stratum 1, as there are more stratum 2 external time clocks, which helps to reduce the load on stratum 1 time clocks. Regardless of which stratum you choose, you should try to choose an external time server that is close to your server. Refer to http://support.microsoft.com/kb/262680 for information on how to find an external time source close to you.

Command line
To configure an external time source, run the following command.
w32tm /config /ManualPeerList:(TimeServer) /SyncFromFlags:manual /Reliable:yes /Update
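
The script below is an added example, not part of the original page: it wraps the command above in a check that the machine really is the PDC emulator, forces a sync, and verifies that the time source actually changed. The peer names are placeholder assumptions; replace them with the external time servers you selected.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the domain controller that holds the PDC emulator role.
# ASSUMPTION: placeholder peer names; replace with your chosen time servers.
$peers = @('time1.example.net', 'time2.example.net')

# Confirm this machine holds the PDC emulator role before marking it reliable.
# Marking the wrong server as reliable puts a second root in the time hierarchy.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
if ($pdc.Split('.')[0] -ne $env:COMPUTERNAME) {
    throw "PDC emulator is $pdc, not this computer. Run the script there."
}

# Same command as on the page; several peers go in one space-separated list.
$peerList = $peers -join ' '
w32tm /config "/manualpeerlist:$peerList" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) {
    throw "w32tm /config failed with exit code $LASTEXITCODE"
}

# Force a sync now instead of waiting for the next poll interval.
w32tm /resync /rediscover
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Resync failed; check that outbound UDP 123 to the peers is allowed.'
}

# Verify: the reported source must be one of the configured peers.
# "Local CMOS Clock" or "Free-running System Clock" means no peer was reached.
$source = (w32tm /query /source | Out-String).Trim()
if ($peers | Where-Object { $source -like "$_*" }) {
    "Syncing from: $source"
} else {
    Write-Warning "Unexpected time source: $source"
}

# Show the offset of every domain controller relative to the PDC emulator,
# so drift that could invalidate authentication tickets is visible early.
w32tm /monitor
```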