The Windows 2000 Server operating system includes a time synchronisation service called w32time or Windows Time. The service is installed by default and runs continuously in the service list. The time service is required by the Kerberos authentication protocol to ensure all computers running in a Windows 2000 environment utilise a common shared time. This article describes how to set up and configure an Authoritative Time Server in a Windows 2000 Server environment. It also discusses the hierarchical relationship at the heart of the service and provides some configuration hints and tips.
The Windows Time Synchronisation Hierarchy
The Windows 2000 time service utilises a hierarchical synchronisation structure:
- Desktop workstations and member servers nominate their domain controller as the source of time.
- Domain controllers nominate the PDC as their source of time synchronisation, but may also utilise a parent domain controller.
- PDCs follow the hierarchy of domains in the selection of their time synchronisation source.
In the hierarchy the PDC emulator in the forest root domain is the primary time reference for the organisation. The PDC in the forest root domain can have its internal reference clock controlled in a number of ways:
- By utilising its own internal hardware system clock.
- By synchronising to an Internet based NTP time server.
- By synchronising with a local intranet based NTP time server or hardware reference clock.
- By utilising a hardware reference clock.
Each of these methods of synchronisation described above raises a number of issues.
A PDC utilising its own internal unsynchronised hardware system clock will drift significantly over time, so transactions cannot be referenced to a traceable source of time.
A PDC synchronising to an Internet based NTP time server can obtain accurate time. However, this raises security issues since the NTP port in the firewall must be left open for synchronisation. Also, Internet based NTP servers cannot provide authentication, so the source of time cannot be guaranteed.
Many of the above issues can be solved by synchronising a PDC with a local intranet based NTP time server or hardware clock. A local NTP server or hardware clock has the advantage of providing a traceable time reference and also secure authentication.
The Windows 2000 Time Service Configuration
Configuration of the Windows 2000 Time Service is carried out by editing registry entries. It is highly recommended that the registry be backed up before conducting any modifications. This allows the registry to be restored in the event of erroneous modification.
Configuring the PDC master to utilise its internal system clock requires only that the W32Time registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags is set to "A". This makes the PDC announce itself as a reliable time source. However, the system clock can drift over time and is not referenced to an accurate time source. Additionally, Windows Time will periodically generate system event log warnings indicating that the PDC should be configured to synchronise to an external time source. This warning can be ignored.
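An added example, not from the original article: a Python check over `reg query` output taken from the forest-root PDC emulator, which decodes AnnounceFlags and flags a server that announces itself as reliable while no NTP peer is configured. The bit meanings follow Microsoft's W32Time documentation; the `Parameters` values `Type` and `NtpServer` and the sample export are assumptions that do not appear in the article.

```python
import re

# AnnounceFlags bit meanings as documented by Microsoft for W32Time.
ANNOUNCE_BITS = {
    0x1: "always time server",
    0x2: "automatic time server",
    0x4: "always reliable time server",
    0x8: "automatic reliable time server",
}

# Constructed sample: `reg query` output for the two W32Time keys.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    AnnounceFlags    REG_DWORD    0xa

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Type    REG_SZ    NT5DS
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Return {value_name: data} from `reg query` output; DWORDs become int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, kind, data = m.group(1), m.group(2), m.group(3).strip()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def audit_time_source(values):
    """Decode AnnounceFlags and flag a reliable announcer with no NTP peer."""
    flags = values.get("AnnounceFlags", 0)
    roles = [label for bit, label in ANNOUNCE_BITS.items() if flags & bit]
    reliable = bool(flags & 0xC)  # either "reliable" bit set
    sync_type = values.get("Type", "").upper()
    peers = values.get("NtpServer", "").split()
    external = sync_type in ("NTP", "ALLSYNC") and bool(peers)
    findings = []
    if reliable and not external:
        findings.append("announces as reliable but has no configured NTP peer; "
                        "clock is free-running and not traceable")
    return {"flags": flags, "roles": roles, "reliable": reliable,
            "external_source": external, "findings": findings}
```

Running `audit_time_source(parse_reg_query(SAMPLE_EXPORT))` reports one finding for the internal-clock configuration described above.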