How to synchronize Windows Server 2008 with an external time server

In this tutorial you will learn how to point the authoritative time server in your Active Directory domain at an Internet-based atomic time source.

Timothy Warner By Timothy Warner - Mon, January 9, 2012 - 8 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

As you probably already know, the Kerberos authentication protocol has limited tolerance for time skew between client and server. Specifically, the time difference between domain computers needs to be less than five minutes.

Some Windows administrators want to synchronize their Windows Server 2008 system clocks to an external atomic time source. How can we accomplish this goal? Well, read on!

The Windows Time Service: Basic operation

The Windows Time (W32Time) service exists in both Windows Server 2008 R2 as well as Windows 7, and is the “engine” that drives system time synchronization within an Active Directory domain.

By default, the domain controller that holds the PDC Emulator FSMO role is the authoritative time source for the domain. More broadly, the PDC Emulator in the forest root domain holds the authoritative time for the entire forest. Check out the following Visio diagram:

Windows time server - Default time sync behavior in Active Directory

Default time sync behavior in Active Directory

In the above diagram, the forest root PDC Emulator (A) serves time for the entire forest. Other domain controllers within the domain (B) synchronize their time with the PDC Emulator. In turn, domain member servers (D) and domain workstations (E) synchronize their time with any available domain controller. PDC Emulators and domain controllers from other domains (C) synchronize their clocks with either forest root domain controllers or the forest root PDC Emulator.

NOTE: You can ascertain the domain controller that holds the PDC Emulator role by opening an administrative command prompt on any domain controller and issuing the command dsquery server –hasfsmo pdc.

All of the previously described behavior happens “out of the box,” with no special configuration required on the part of the Windows systems administrator. A bit of complexity comes in when we want our authoritative server to synchronize its system clock with an external time source. Let’s do that now.

Configuring the authoritative time server for the domain

Pointing our domain authoritative time server (the PDC Emulator role holder, recall) at an external time source requires some tinkering with the Windows Registry. To this end, you might want to create a Registry backup before proceeding with this work.

All of the following value changes are stored in the following Registry root path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

First, we must change the server type to NTP by modifying the Type value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type. Change the value data to NTP. This setting reflects use of the Network Time Protocol, an industry standard protocol for time synchronization and management.

Second, we need to set the proper NTP announce flag. Change the AnnounceFlags value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags to 5.

 

Third, we will enable NTPServer. To do this we must change the value data of the Enabled value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\
TimeProviders\NtpServer
to 1.

Fourth, we need to specify our external time sources. To do this, we modify the NtpServer value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

This is where things get a little hairy. Windows expects a space-delimited list of DNS host names with the hexadecimal value 0×1 appended to each one (don’t even ask).

You can obtain a list of candidate atomic clock servers by visiting the NTP Pool Project Web site. The following screen shot shows my own value data:

Windows time server - Configuring external time sources

Configuring external time sources

Fifth, we’ll set the NTP polling interval by modifying the SpecialPollInterval value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\
NtpClient\SpecialPollInterval
. The recommended value here (reference from Microsoft) is 900 Decimal.

Sixth and finally, we need to configure time correction settings. Start by modifying the MaxPosPhaseCorrection value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\
Config\MaxPosPhaseCorrection;
set the value data to a “reasonable” decimal value such as 1800 or 3600 seconds.

You’ll also want to set the corresponding MaxPosPhaseCorrection value to the same value you used for positive time phase correction.

Quit the Registry Editor, open an administrative command prompt, and submit the following command in order to bounce the Windows Time service:

net stop w32time && net start w32time

Pointing domain devices to a time server

As I mentioned earlier, as long as your domain member servers and workstations are legitimate domain members and have the Windows Time service running, they will automatically synchronize their clocks with a domain controller.

You can always verify from where a particular Windows box is synchronizing its time by using the “Swiss Army Knife” w32tm command-line tool.

As you can see in the below screen shot, the statement w32tm /monitor gives you the core information at a glance:

Windows time server - Monitoring NTP in Windows 7

Monitoring NTP in Windows 7

The screenshot also references UDP port 123; this is the well-known port that belongs to the Network Time Protocol. Please be sure to allow traffic on UDP 123 in your domain so that you do not inadvertently block NTP communications between your servers and client devices.

Finally, you should now (if you don’t already) that we can fully customize the NTP client behavior by using Group Policy. From the Group Policy Editor, navigate to \Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers.

As you can see in the following screenshot, you can edit the Configure Windows NTP Client policy to tweak (and enforce) any and all NTP client settings.

Windows time server - NTP client customization via Group Policy

NTP client customization via Group Policy

Conclusion

Whew! We certainly covered a lot of ground in this tutorial. I wish that Microsoft made it easier to manage the Windows Time service, don’t you? Please feel free to leave your questions and observations in the comments portion of this post.

-1+1 - Rate this post
Loading ... Loading ...
Your question wasn't answered? Ask in the new 4sysops forum!

8 Comments- Leave a Reply

  1. El Wayno says:

    Great article. I was right about to config External NTP for my domain so can’t be better timing. But would have a question concerning the NTP external source. Why selecting a different one than the default (time.windows.com). Is it not reliable enough ?

  2. Michael says:

    Another option is to go to http://support.microsoft.com/kb/816042, scroll down a little and click on Fix It to configure external time.

  3. Allen says:

    Pretty sure this isn’t right. I’ve been doing this for enterprise customers for years. Pretty simple stuff.

    From the box holding the PDC emulator role:
    clear event logs
    net time /setsntp:timeserver
    net stop w32time
    net start w32time
    w32tm /resync

    Check your logs. Done.

  4. marc says:

    I always install NetTime (as a service) Freeware and easy to isntall

  5. Tim Warner says:

    Hi Allen,

    Can you please be more specific as to what “isn’t right” about my article? We at 4Sysops are committed to publishing 100 percent accurate information. Thanks, Tim

  6. Pete says:

    Hello,

    I thought I’d mention a “bug” of sorts I’ve found while trying to set multiple NTPservers in 2008 R2. Setting NtpServer value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters with multiple ntp servers as you noted in this article works…at least until you right click on the clock in your tray > Internet Time > Change Settings and select a server from the server drop down list. This seems to pull data from another part of the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers I believe) and resets your NTPServer key w/ only 1 server instead of the multiple you’ve previously configured. I’ve seen instances where simply opening the change settings dialog will reset this key back to time.microsoft.com or one of the nist NTP servers. Either it’s buggy or I’m doinit wrong.

  7. Max says:

    Great article. My Hyper-v was out of sync and it was driving me bonkers. Hopefully this did the trick.

  8. RickkeeC says:

    Do you mean to also set “MaxNegPhaseCorrection” to the same value as “MaxPosPhaseCorrection” ?

    Quote:”Sixth and finally, we need to configure time correction settings. Start by modifying the MaxPosPhaseCorrection value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\
    Config\MaxPosPhaseCorrection; set the value data to a “reasonable” decimal value such as 1800 or 3600 seconds.

    You’ll also want to set the corresponding MaxPosPhaseCorrection value to the same value you used for positive time phase correction.

===Leave a Comment===

Login

Lost your password?