Morgan's Blog
Configuring a Windows Domain Controller to synchronize its clock with an external time source

Kerberos authentication requires correct time on all clients participating in authentication. If the clocks on two machines trying to authenticate to each other are too far apart, Kerberos authentication will fail. Since Kerberos is used extensively in Windows, a mechanism to ensure correct clocks throughout the forest was also implemented: the Windows Time Service (w32time), a service which runs on all Windows machines since Windows 2000. The protocol used for synchronizing clocks is the Network Time Protocol (NTP). Every member computer, be it server or workstation, synchronizes its clock with the Domain Controller holding the PDC emulator FSMO role for its domain. The PDC emulator for a domain, in turn, synchronizes with the PDC emulator DC in the forest root domain. The PDC emulator in the root domain is therefore authoritative for time throughout the forest, since all machines inherit its clock. For this reason the PDC emulator DC in the forest root domain should be configured to obtain exact time from a dependable time server on the Internet. Microsoft has published information about doing this in KB816042. I have created a VBScript which implements the registry changes specified in that article:

    ' Configures the PDC Emulator in the root of a forest to be an authoritative time server
    ' and sync time from several NTP time servers on the Internet
    ' Info gathered from KB816042 How to configure an authoritative time server in
    ' Windows Server 2003 (http://support.microsoft.com/kb/816042)
    '
    ' On a PDC Emulator the settings changed from the default settings are:
    ' Type (From NT5DS to NTP)
    ' AnnounceFlags (From 10 to 5)
    ' NTPServer (From time.windows.com,0x1 to contents of strTimeServers)
    ' SpecialPollInterval (From 3600 to 900)
    ' MaxPosPhaseCorrection (From 4294967295 to 1800)
    ' MaxNegPhaseCorrection (From 4294967295 to 1800)
    '
    ' A useful command line command is:
    ' w32tm /config /manualpeerlist:"time-a.nist.gov time-b.nist.gov time.nist.gov time-nw.nist.gov" /syncfromflags:manual /reliable:yes /update
    ' This command sets AnnounceFlags to 5, NTPServer to the server list and Type to NTP
    ' Command found here:
    ' http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
    '
    ' A list of the NIST time servers can be found here:
    ' http://tf.nist.gov/service/time-servers.html
    '
    ' Microsoft's list of (S)NTP servers is here:
    ' http://support.microsoft.com/kb/262680/en-us

    const HKEY_CURRENT_USER = &H80000001
    const HKEY_LOCAL_MACHINE = &H80000002
    strKeyPath = "SYSTEM\CurrentControlSet\Services\W32Time"

    strTimeServers = "time-a.nist.gov,0x1 time-b.nist.gov,0x1 time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 utcnist.colorado.edu,0x1 time.nist.gov,0x1 time-nw.nist.gov,0x1 nist1.dc.certifiedtime.com,0x1 nist1.datum.com,0x1 nist1.nyc.certifiedtime.com,0x1 nist1.sjc.certifiedtime.com,0x1"
    strComputer = "."
    ' WMI registry provider on the local machine
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

    'Change the server type to NTP (KB Step 1)
    objReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath & "\Parameters","Type","NTP"
    'Set AnnounceFlags to 5 (KB Step 2)
    objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\Config","AnnounceFlags",5
    'Enable NTPServer (KB Step 3)
    objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\TimeProviders\NtpServer","Enabled",1
    'Specify the time sources (KB Step 4)
    objReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath & "\Parameters","NtpServer",strTimeServers
    'Select the poll interval (KB Step 5)
    objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\TimeProviders\NtpClient","SpecialPollInterval",900
    'Configure the time correction settings (KB Step 6)
    objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\Config","MaxPosPhaseCorrection",1800
    objReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath & "\Config","MaxNegPhaseCorrection",1800

    ' Restart the Windows Time Service so the new settings take effect
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service Where Name ='W32Time'")
    For Each objService in colListOfServices
        retVal = objService.StopService()
        If retVal = 0 Then
            'WScript.Echo "Service stopped"
        Else
            WScript.Echo "Service stop failed (" & retVal & ")"
        End If
        WScript.Sleep 5000
        retVal = objService.StartService()
        If retVal = 0 Then
            'WScript.Echo "Service started"
        Else
            WScript.Echo "Service start failed (" & retVal & ")"
        End If
    Next

    WScript.Echo "Done!"

Below is a comparison of the Windows Time Service configuration (w32tm /query /configuration) before and after running the script:

Before

    PS C:\Users\administrator> w32tm /query /configuration
    [Configuration]

    EventLogFlags: 2 (Local)
    AnnounceFlags: 10 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 172800 (Local)
    MaxPosPhaseCorrection: 172800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)

    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)


    [TimeProviders]

    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    CrossSiteSyncFlags: 2 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Local)
    ResolvePeerBackoffMaxTimes: 7 (Local)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 1 (Local)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Local)

    Type: NT5DS (Local)

    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)

    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)

After

    PS C:\Users\administrator> w32tm /query /configuration
    [Configuration]

    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 1800 (Local)
    MaxPosPhaseCorrection: 1800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)

    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)


    [TimeProviders]

    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)

    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Local)
    ResolvePeerBackoffMaxTimes: 7 (Local)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 1 (Local)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 900 (Local)
    Type: NTP (Local)
    NtpServer: time-a.nist.gov,0x1 time-b.nist.gov,0x1 time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 utcnist.colorado.edu,0x1 time.nist.gov,0x1 time-nw.nist.gov,0x1 nist1.dc.certifiedtime.com,0x1 nist1.datum.com,0x1 nist1.nyc.certifiedtime.com,0x1 nist1.sjc.certifiedtime.com,0x1 (Local)


    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)

    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)

The most notable change is the Type value for the NTP client, which changes from NT5DS to NTP. The Type value is documented here.

Using w32tm.exe

The Windows Time Service can also be configured using a complementary command line utility, w32tm.exe. The following sets AnnounceFlags to 5, NTPServer to the server list and Type to NTP:

w32tm.exe /config /manualpeerlist:"time-a.nist.gov time-b.nist.gov time.nist.gov time-nw.nist.gov" /syncfromflags:manual /reliable:yes /update

Note that the settings for poll interval (SpecialPollInterval) and time correction (MaxPosPhaseCorrection/MaxNegPhaseCorrection) must be set in the registry.
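As an added example (not the post's own script), the same KB816042 changes applied with PowerShell, covering both the values w32tm /config sets and the two that have to go straight into the registry, followed by the service restart and a resync. It assumes an elevated prompt on the forest-root PDC emulator and uses the four-server peer list from the w32tm command above, with the ,0x1 flag so SpecialPollInterval is honoured for each peer.

```powershell
# Added example, not from the blog: applies the KB816042 settings the VBScript
# above writes, using the registry provider, then restarts w32time and resyncs.
# Run elevated on the forest-root PDC emulator.

$base  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# Peer list from the post; ",0x1" tells w32time to poll at SpecialPollInterval
$peers = 'time-a.nist.gov,0x1 time-b.nist.gov,0x1 time.nist.gov,0x1 time-nw.nist.gov,0x1'

# Step 1: Type NT5DS -> NTP (stop looking for a parent in the domain hierarchy)
Set-ItemProperty -Path "$base\Parameters" -Name 'Type' -Value 'NTP' -Type String
# Step 2: AnnounceFlags 10 -> 5 (advertise this DC as a reliable time source)
Set-ItemProperty -Path "$base\Config" -Name 'AnnounceFlags' -Value 5 -Type DWord
# Step 3: keep the NtpServer provider enabled so domain members can sync from here
Set-ItemProperty -Path "$base\TimeProviders\NtpServer" -Name 'Enabled' -Value 1 -Type DWord
# Step 4: the external peers
Set-ItemProperty -Path "$base\Parameters" -Name 'NtpServer' -Value $peers -Type String
# Step 5: poll the peers every 900 seconds (registry only, no w32tm /config switch)
Set-ItemProperty -Path "$base\TimeProviders\NtpClient" -Name 'SpecialPollInterval' -Value 900 -Type DWord
# Step 6: largest correction (seconds) w32time will apply in either direction;
# a bigger offset is rejected and logged instead of being applied (registry only)
Set-ItemProperty -Path "$base\Config" -Name 'MaxPosPhaseCorrection' -Value 1800 -Type DWord
Set-ItemProperty -Path "$base\Config" -Name 'MaxNegPhaseCorrection' -Value 1800 -Type DWord

# Restart so the service re-reads its configuration, then force a sync and show the result
Restart-Service -Name w32time
w32tm /resync /nowait
w32tm /query /status
```

Keeping MaxPosPhaseCorrection and MaxNegPhaseCorrection at 1800 instead of the effectively unlimited default means a wildly wrong answer from a peer cannot step the PDC emulator's clock by hours; the rejected correction shows up in the System log instead, which is the behaviour you want on the machine the whole forest inherits its time from.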

Although the script uses the NIST time servers, I would recommend looking at the NTP Pool Project as well.

Also, to clear up a common misunderstanding, Windows does not need any third party software to synchronize its clock with an external time source, as long as the protocol used is NTP. This, of course, does not apply if you are using a special piece of hardware, such as a hardware clock, to keep correct time on your forest root PDC emulator DC. Furthermore, it is absolutely not necessary to include net time /sync or the like in logon scripts for clients to ensure they have the correct time, the Windows Time Service handles this.

If the DC holding the PDC Emulator FSMO role in the forest root domain is not set to sync its time from a reliable or external time source, the Windows Time service will log a warning in the System log with event ID 12:

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
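The following audit script is an added example, not part of the post. It parses the w32tm /query /configuration listing into per-section values, reports every setting that differs from what the script above configures on a forest-root PDC emulator, and ends with the Get-WinEvent query for the event ID 12 warning quoted above (the provider name Microsoft-Windows-Time-Service is an assumption that holds for Vista/Server 2008 and later). The embedded sample is constructed from the "Before" listing so the parser can be exercised without a DC.

```powershell
# Added audit example, not from the blog: check a forest-root PDC emulator's
# time configuration against the values the post applies.

function ConvertFrom-W32tmConfiguration {
    # Turn "w32tm /query /configuration" lines into a hashtable keyed
    # "Section.Name" (e.g. "NtpClient.Type"), since names such as Enabled
    # and EventLogFlags repeat across sections.
    param([string[]]$Lines)
    $result  = @{}
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(\w+)\]$')                 { $section = $Matches[1]; continue }  # [Configuration]
        if ($t -match '^(\w+) \((Local|Policy)\)$')  { $section = $Matches[1]; continue }  # NtpClient (Local)
        if ($t -match '^(\w+):\s*(.*?)\s*\((Local|Policy)\)$') {
            $result["$section.$($Matches[1])"] = $Matches[2]
        }
    }
    return $result
}

function Test-PdcTimeConfiguration {
    # Returns one finding string per setting that deviates from the post's values.
    param([hashtable]$Config)
    $expected = @{
        'NtpClient.Type'                      = 'NTP'   # NT5DS leaves the root PDC with nothing to sync from
        'Configuration.AnnounceFlags'         = '5'     # reliable time source
        'NtpClient.SpecialPollInterval'       = '900'
        'Configuration.MaxPosPhaseCorrection' = '1800'
        'Configuration.MaxNegPhaseCorrection' = '1800'
    }
    $findings = @()
    foreach ($k in $expected.Keys) {
        if ($Config[$k] -ne $expected[$k]) {
            $findings += "$k is '$($Config[$k])', expected '$($expected[$k])'"
        }
    }
    if (-not $Config['NtpClient.NtpServer']) {
        $findings += 'NtpClient.NtpServer is empty: no external peers configured'
    }
    return $findings
}

# Constructed sample: a subset of the post's "Before" listing
$sample = @'
[Configuration]

AnnounceFlags: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)

[TimeProviders]

NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)
'@ -split "`r?`n"

Test-PdcTimeConfiguration (ConvertFrom-W32tmConfiguration $sample) |
    ForEach-Object { "FINDING: $_" }

# On the real DC, feed the live output instead of the sample, and look for the
# event ID 12 warning the post describes (provider name assumed, see lead-in):
# Test-PdcTimeConfiguration (ConvertFrom-W32tmConfiguration (w32tm /query /configuration))
# Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Time-Service'; Id=12} -MaxEvents 5
```

Run against the sample, every expected value is reported as a finding, including the missing peer list; after the script or the w32tm command from the post has been applied, the same check against the live listing should come back empty, and the event ID 12 query should stop producing new entries.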

Resetting configuration

In some cases you need to reset the configuration of the Windows Time Service. The easiest way I have found is to unregister and then register the service. Do this:

  1. Stop the Windows Time Service
    net stop w32time
  2. Unregister the service:
    w32tm /unregister
  3. Register the service:
    w32tm /register
  4. Start the Windows Time Service
    net start w32time

These steps will reset the service back to the defaults, usually to sync from the Domain Hierarchy for a domain joined machine.

Not something you generally want to see…

[Image: ping output showing "General failure"]

“General failure”, that’s helpful. My on-board Atheros L1 Gigabit NIC sucks. There is really no other way to put it. Every Atheros chip, be it wireless or cable, I have had the misfortune to come across has been worthless. You would think that Ethernet and Wi-Fi should be pretty well understood concepts by now. Not so for the driver developers of Atheros. In this case the driver has “lost” (for want of a better word) the NIC's MAC address. So ipconfig.exe displays the hardware address 00-00-00-00-00-00. Needless to say, using that address on the Ethernet is not going to work. The first time this happened I had to open up the computer case and read the MAC address from the motherboard. After that I could use the driver properties to enter it manually. After that the connection was restored.

[Image: atheros]

However, Atheros still had some surprises! Whenever I chanced an upgrade of the driver, I would lose network connectivity again! Even if the MAC address was correctly entered into the device properties. To fix this I had to remove it, close the device properties dialogue, open it again and re-enter it. User-friendly, don’t you think?

So stay away from anything using an Atheros chip.