How to configure an authoritative time server in Windows XP (314054)

INTRODUCTION

This step-by-step article describes how to configure the Windows Time service in Windows XP to use an internal hardware clock and an external time source.

We highly recommend that you configure the authoritative Time Server to gather the time from a hardware source. When you configure the authoritative Time Server to sync with an Internet time source, there is no authentication. We also recommend that you lower your time correction settings for your servers and for your stand-alone clients. These recommendations provide more accuracy and security to your domain.

This article contains troubleshooting tips for the most common problems and discusses reliable time source configuration, manually-specified synchronization, all available synchronization, and the MaxNegPhaseCorrection and MaxPosPhaseCorrection registry entries.

back to the top

Configuring Windows Time service to use an internal hardware clock

To configure the Windows Time service to use an internal hardware clock, you can change the announce flag on the authoritative time server. Changing the announce flag forces the computer to announce itself as a reliable time source and to use the built-in complementary metal oxide semiconductor (CMOS) clock. To configure the Windows Time service to use an internal hardware clock, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry entry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\

3. In the right pane, right-click AnnounceFlags, and then click Modify.
4. In the Edit DWORD Value dialog box, under Value data, type 5, and then click OK.
5. Enable NTPServer.
   1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\

   2. In the right pane, right-click Enabled, and then click Modify.
   3. In the Edit DWORD Value dialog box, type 1 under Value data, and then click OK.
6. Exit Registry Editor.
7. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

   net stop w32time && net start w32time

8. To reset the local computers' time against the time server, run the following command on all the computers except the time server:

   w32tm /resync /rediscover

Note You must not configure the time server to synchronize with itself. If you configure the time server to synchronize with itself, the following events are logged in the Application log:The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x0|192.168.1.1:123->192.168.1.1:123).No response has been received from Manual peer 192.168.1.1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer from which to synchronize.The time provider NtpClient is configured to acquire time from one or more time sources. However, none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.When the time server runs by using an internal time source, the following event is logged in the Application log:Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. We recommend that you either configure a reliable time service in the root domain, or that you manually configure the PDC to synchronize with an external time source. Otherwise, this computer will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.This text notifies you that the time server is configured not to use an external time source and that the time server can be ignored.

For more information about the w32tm command, type the following command at a command prompt:
back to the top

Configuring the Windows Time service to use an external time source

To configure the Windows Time service to synchronize with an external time source, follow these steps:

1. Change the server type to NTP. To do this, follow these steps:
   1. Click Start, click Run, type regedit, and then click OK.
   2. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\

   3. In the right pane, right-click Type, and then click Modify.
   4. In the Edit Value dialog box, under Value data, type NTP, and then click OK.
2. Set AnnounceFlags to 5. To do this, follow these steps:
   1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\

   2. In the right pane, right-click AnnounceFlags, and then click Modify.
   3. In the Edit DWORD Value dialog box, under Value data, type 5, and then click OK.
3. Select the poll interval. To do this, follow these steps:
   1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\

   2. In the right pane, right-click SpecialPollInterval, and then click Modify.
   3. In the Edit DWORD Value dialog box, under Value data, type TimeInSeconds, and then click OK.
      
      Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the time server to poll every 15 minutes.
4. Enable NTPServer. To do this, follow these steps:
   1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\

   2. In the right pane, right-click Enabled, and then click Modify.
   3. In the Edit DWORD Value dialog box, under Value data, type 1, and then click OK.
5. Specify the time sources. To do this, follow these steps:
   1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

   2. In the right pane, right-click NtpServer, and then click Modify.
   3. In Edit Value, in the Value data box, type Peers, and then click OK.
6. Configure the time correction settings. To do this, follow these steps:
   1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\

   2. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
   3. In the Edit DWORD Value dialog box, under Base, click Decimal.
   4. In the Edit DWORD Value dialog box, under Value data, type TimeInSeconds, and then click OK.
      
      Note TimeInSeconds is a placeholder for a reasonable value such as one hour (3600) or 30 minutes (1800). The value that you choose will depend on the poll interval, the network condition, and the external time source.
   5. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\

   6. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
   7. In the Edit DWORD Value dialog box, under Base, click Decimal.
   8. In the Edit DWORD Value dialog box, under Value data, type TimeInSeconds, and then click OK.
      
      Note TimeInSeconds is a placeholder for a reasonable value such as one hour (3600) or 30 minutes (1800). The value that you choose will depend on the poll interval, the network condition, and the external time source.
7. Exit Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

   net stop w32time && net start w32time

9. Run the following command on computers other than the domain controller to reset each computer's time against the time server:

   w32tm /resync /rediscover

For more information about the w32tm command, type the following command at a command prompt:

Note SNTP uses User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

MORE INFORMATION

Reliable time source configuration

A computer that is configured to be a reliable time source is identified as the root of the time service. The root of the time service is the authoritative server for the domain. Typically, the authoritative server is configured to retrieve time from an external NTP server or from a hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available.

back to the top

Manually-specified synchronization

With manually-specified synchronization, you can designate a single peer or a list of peers that a computer obtains time from. If the computer is not a member of a domain, that computer must be manually configured to synchronize with a specified time source. By default, a computer that is a member of a domain is configured to synchronize from the domain hierarchy. Manually-specified synchronization is most useful for the forest root of the domain or for computers that are not joined to a domain. Manually specifying an external NTP server to synchronize with the authoritative computer for your domain provides reliable time. However, configuring the authoritative computer for your domain to synchronize with a hardware clock is actually a better solution for providing high accuracy and security to your domain.

Without a hardware time source, W32time is configured as an NTP type. You must reconfigure the MaxPosPhaseCorrection and the MaxNegPhaseCorrection registry entries. The recommended value should be 15 minutes or even less, depending on the time source, the network condition, and the security requirement. This is also true for any reliable time source that is configured as the forest root time source in the time sync subnet. More information about these registry entries may be found in the "Windows Time service registry entries" section later in this article.

Note Manually-specified time sources are not authenticated unless a specific time provider is written for them, and they are therefore vulnerable to attacks. Also, if a computer synchronizes with a manually-specified source instead of its authenticating domain controller, the two computers might be out of synchronization, and Kerberos authentication would therefore fail. Other actions that require network authentication, such as printing or file sharing, could also fail. If only the forest root is configured to synchronize with an external source, all other computers within the forest remain synchronized with each other, making replay attacks difficult.

back to the top

All available synchronization mechanisms

The "all available synchronization mechanisms" option is the most valuable synchronization method for users who are on a network. This method enables synchronization with the domain hierarchy and may also provide an alternative time source if the domain hierarchy becomes unavailable, depending on the configuration. If the client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source that is specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.

back to the top

Windows Time service registry entries

The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\

Registry Entry	MaxPosPhaseCorrection
Path	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes	This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event. Special case: 0xFFFFFFFF means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry Entry	MaxNegPhaseCorrection
Path	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes	This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: -1 means always make time correction, The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry Entry	MaxPollInterval
Path	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes	This entry specifies the largest interval, in log seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.

Registry Entry	SpecialPollInterval
Path	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Notes	This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determine by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

Registry Entry	MaxAllowedPhaseOffset
Path	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes	This entry specifies the maximum offset, in seconds, for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.

back to the top