University of Chicago Active Directory

Synchronize an Internal Time Source with an External Time Source

Network Time Protocol (NTP) Configuration

The Windows Server 2003 W32Time service provides time synchronization for Windows Server 2003 and Microsoft Windows XP-based computers running in an Active Directory domain. It synchronizes the client clocks of Windows Server 2003-based computers with the domain controllers in a domain. Synchronized clocks are necessary for both the Kerberos v5 authentication protocol and NTLMv2 to work properly.

A number of Windows Server family components rely on accurate, synchronized time to function correctly. If the clocks are not synchronized on the clients, the Kerberos v5 authentication protocol might falsely interpret login requests as intrusion attempts and deny access to users. Another important benefit of time synchronization is event correlation across all of the clients in your enterprise. Synchronized clocks ensure that events logged on different clients can be placed in a consistent sequence, so that successes and failures can be analyzed correctly across the enterprise.

Kerberos is a network authentication protocol developed by Massachusetts Institute of Technology (MIT). The protocol authenticates the identity of users attempting to log on to a network and encrypts their communications through secret key cryptography.

The W32Time service synchronizes clocks using the Network Time Protocol (NTP). In a Windows Server 2003 forest, time synchronization operates in the following manner:

  • The Primary Domain Controller (PDC) emulator operations master in the forest root domain is the authoritative time source for the organization.
  • All PDC emulator operations masters in other domains in the forest follow the hierarchy of domains when selecting a PDC emulator to synchronize their time with.
  • All domain controllers in a domain synchronize their time with the PDC emulator operations master in their domain as their inbound time partner.
  • All member servers and client desktop computers use the authenticating domain controller as their inbound time partner.

To synchronize an internal time source with an external time source

The campus time servers are: ntp-0.uchicago.edu, ntp-1.uchicago.edu, ntp-2.uchicago.edu.

  1. Open a Command Prompt.
  2. Type "w32tm /config /syncfromflags:manual /manualpeerlist:PeerList", where "PeerList" is a comma-separated list of DNS names or Internet Protocol (IP) addresses for the desired time sources.
  3. To update, type "w32tm /config /update".
  4. Check the Event Log. If the computer cannot reach the servers, the procedure fails and an entry is written to the Event Log.
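
The four steps above as a single PowerShell script, added here as an example and not part of the original page. The PeerList parameter, the reachability pre-check with "w32tm /stripchart", the "w32tm /resync" call and the event source pattern are assumptions of this example; run it from an elevated prompt on the server being configured.

```powershell
# Added example, not from the original page.
param(
    # Peer list exactly as step 2 describes it (hypothetical parameter name).
    [Parameter(Mandatory = $true)][string]$PeerList
)

$start = Get-Date

# Pre-check (assumption, not a step on the page): request one NTP sample from
# each peer so an unreachable name is caught before the configuration changes.
# The split accepts commas or spaces between names.
foreach ($peer in ($PeerList -split '[,\s]+' | Where-Object { $_ })) {
    $sample = & w32tm /stripchart "/computer:$peer" /samples:1 /dataonly 2>&1
    if ($LASTEXITCODE -ne 0 -or ($sample -match 'error')) {
        Write-Warning "No NTP answer from $peer"
    } else {
        Write-Host "$peer answered: $($sample | Select-Object -Last 1)"
    }
}

# Step 2: point W32Time at the manual peer list.
& w32tm /config /syncfromflags:manual "/manualpeerlist:$PeerList"
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }

# Step 3: tell the service to pick up the new configuration.
& w32tm /config /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config /update failed (exit code $LASTEXITCODE)" }

# Not a step on the page: force an immediate sync attempt so that a failure
# is written to the Event Log now rather than at the next poll interval.
& w32tm /resync
Start-Sleep -Seconds 15

# Step 4: look for time-service warnings or errors logged since the change.
# The source name differs between Windows versions, so match both forms
# (assumed pattern).
$events = Get-EventLog -LogName System -EntryType Error, Warning -After $start `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Source -match 'W32Time|Time-Service' }

if ($events) {
    $events | Format-List TimeGenerated, EntryType, Source, EventID, Message
    exit 1
}
Write-Host 'No time-service warnings or errors logged since the change.'
```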

To view the full configuration for setting up an external time source, see How to configure an authoritative time server in Windows Server 2003 on Microsoft's website.


Last updated: 6/6/07