Depending on Your Grandfather's Clock
In an Active Directory hierarchy, the primary domain controller (PDC) of the forest root domain is responsible for obtaining the correct time from an external Network Time Protocol (NTP) time server. I'll show how this works in just a bit. This time information is then propagated by the Win32Time service throughout Active Directory as workstations contact the domain controllers in their own domains for time synchronization. For time synchronization, each domain controller is allowed to contact either the PDC in its own domain or the domain controller in its parent domain.
For more information about this time-inheritance process, see "The Windows Time Service" (Microsoft Word format).
Time Protocols: NTP and SNTP
The Network Time Protocol (NTP) has a computer synchronize its system clock with a reference source such as a radio or satellite receiver. Because it can achieve clock synchronization accuracy to within a microsecond, NTP is considered fit for enterprises having time-sensitive needs, such as enterprises in the financial sector. As you might imagine, the hardware and infrastructure necessary to support NTP can be quite costly. Windows 2000 doesn't use NTP; instead, the Windows Time Synchronization Service uses the SNTP protocol.
The Simple Network Time Protocol (SNTP) derives from NTP. SNTP provides less accurate time synchronization than NTP, but with the proper setup, SNTP can provide millisecond time accuracy.
Time Synchronization and Operating System Security
Time synchronization plays a major role in the Kerberos V5 authentication protocol, which Windows 2000 uses to authenticate users in a network domain. A client in a Windows 2000 domain must have the correct time: within the Kerberos protocol, a timestamp is used to assure the authenticating server that the client being authenticated is not replaying an old authentication request.
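The following is an added example, not code from the original article: it computes a client's clock offset from an SNTP request/reply pair and checks it against a Kerberos clock-skew tolerance. The 300-second tolerance is the Windows default and is not stated in this article; the function names and the sample reply are constructed for illustration.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_MAX_SKEW = 300       # assumption: Windows default tolerance (5 min), not from the article


def to_ntp(unix_time):
    """Encode Unix seconds as a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction)."""
    ntp = unix_time + NTP_UNIX_DELTA
    return struct.pack("!II", int(ntp), int((ntp - int(ntp)) * 2**32))


def from_ntp(raw):
    """Decode a 64-bit NTP timestamp to Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    return bytes([0x1B]) + bytes(39) + to_ntp(t1)


def clock_offset(request, reply, t4):
    """Return (offset, delay) in seconds; t4 is the client clock when the reply arrived."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable SNTP server reply")
    if reply[24:32] != request[40:48]:
        # The originate timestamp must echo our transmit timestamp; otherwise
        # the reply is stale or was not produced for this request.
        raise ValueError("originate timestamp mismatch")
    t1 = from_ntp(request[40:48])
    t2 = from_ntp(reply[32:40])   # server receive time
    t3 = from_ntp(reply[40:48])   # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def exceeds_kerberos_skew(offset):
    """True when the client clock is too far off for timestamp checks to pass."""
    return abs(offset) > KERBEROS_MAX_SKEW


def constructed_reply(request, t2, t3):
    """Constructed sample server reply (Mode=4, stratum 2) so the example runs offline."""
    header = bytes([0x1C, 2]) + bytes(22)            # bytes 0..23 of the packet
    return header + request[40:48] + to_ntp(t2) + to_ntp(t3)


if __name__ == "__main__":
    T1 = 1_000_000_000.0                              # client clock, 412 s behind the server
    req = build_request(T1)
    rep = constructed_reply(req, T1 + 412.25, T1 + 412.75)
    offset, delay = clock_offset(req, rep, T1 + 1.0)
    print(offset, delay, exceeds_kerberos_skew(offset))
```

A client whose offset exceeds the tolerance fails authentication until its clock is corrected, which is why the time hierarchy described above matters for domain logons.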
The Net Time Tool
The net time tool, located in the \system32 folder of your Windows 2000 installation, is used to configure the Win32Time service. As mentioned earlier, the Win32Time service starts automatically at system startup (see Figure 1). You can manually start and stop the Win32Time service by issuing the following commands at the command prompt:
net start w32time
net stop w32time
Configuration changes to the Win32Time service take effect only after you stop and restart the service (by using the commands just described).
Figure 1 The Windows Time service, shown in the Services panel.
You can perform some pretty neat things using net time. To see the syntax using the online help system of the operating system, you can use this command:
net time /?
The operating system should return the syntax of the net time command, as shown in Figure 2.
Figure 2 The command syntax of the net time command, as reported by the help system of the operating system.
Let's see some of the net time commands in action. For example, the following command displays the time of the time server you have designated for your machine's domain:
net time
NOTE
If you're not part of a domain, you'll receive the message Could not locate a time-server.
If you want to see the time of a time server in some other domain (you must be able to access that domain, of course), use this command:
net time /rtsdomain:domainname
Using net time, you can also display the time on another computer:
net time \\computername_or_ip_address
To force the time synchronization of your computer with that of the domain controller in your domain, use this command:
net time /domain /set
Setting Your Grandfather's Clock
As mentioned earlier, the onus of time synchronization boils down (or rather up) to the accuracy of the primary domain controller of the forest root domain. This machine typically should synchronize its time with a trusted external time source. If a manually configured external time source is defined for your computer, you can determine its name with this command:
net time /querysntp
There are a number of SNTP time servers that you might consider using as your source for time synchronization. For example, the U.S. Naval Observatory provides SNTP time servers for free use:
tick.usno.navy.mil
tock.usno.navy.mil
To manually configure a time source, you can use this command:
net time /setsntp:ntp_server_name_or_ip_address
The command above can also be used by standalone workstations that cannot rely on a domain controller to keep their time in check.
Interestingly, standalone Windows XP machines that are not joined to a domain ship configured by default to synchronize with the Internet-based time server time.windows.com (see Figure 3), which in turn syncs its time with computers at the National Institute of Standards and Technology (which synchronizes with an atomic clock).
Figure 3 Standalone Windows XP workstations ship configured to sync time with time.windows.com.