Recently I was working with a client that had a unique view on how to configure their Windows forest for time services. If you aren’t aware, Microsoft has designed a comprehensive time distribution service called w32time in Windows 2000 and later. It is designed to keep all computers in the forest within five minutes of each other. This is to support Kerberos authentication, which requires minimal clock skew between servers.
W32time is NOT designed to be accurate to the nanosecond, and may not meet the accuracy requirements in some special environments. If your company has auditing requirements which rely on sub-second accuracy for your servers, third party solutions will be required. But for the vast majority of users, w32time is just fine.
So how does Microsoft recommend you configure w32time in a forest? Very simple. Configure your forest root PDC emulator to sync its time from a trusted source, such as a dedicated internal NTP appliance based on GPS signals. You could also sync with trusted internet based time sources if you can’t buy a dedicated appliance.
Windows will then use a defined method of syncing time, involving other PDC emulators and domain controllers. For a great article on all the gory details, see this link on TechNet.
But I’m not here to extol the virtues of w32time. I’m here to address a few discussion points which came up with my client. I developed a FAQ for some of their questions.
1. Does a forest need accurate time, synchronized time, or both?
Answer: For Kerberos to function only synchronized time is required, not accurate time. The whole forest could be hours off of NTP time, but Kerberos would function since time sync, not time accuracy, is required. Your business may have time accuracy requirements, but Windows itself does not.
2. Do services such as Exchange 2007, OCS 2007, MOSS 2007, SQL 2005/2008, or Operations Manager 2007 require more precise time than w32time can provide?
Answer: No, these services rely on Kerberos which w32time was designed to support. No elaborate time sync configuration is required.
3. What happens if a member server is unable to contact a DC for an extended period?
Answer: All of the services above will cease to function very shortly after they lose DC connectivity. These services rely on AD for authentication and group membership and will not function without it. Time is the last thing I would be concerned about if they lost DC connectivity. A server can likely operate weeks or months without a time sync and not drift more than five minutes. Services such as Exchange won’t last a minute without a local DC.
4. Can a computer be configured to use the Windows time service and fall back to manual sources if all DCs are unavailable?
Answer: Yes. However, as mentioned above, if DCs cannot be contacted then Kerberos will not function so the time difference between the server and the unreachable DCs is irrelevant because your important service will have died. The additional manual configuration is not worth the effort, IMHO.
5. Can the w32time time service be tweaked for more accurate time?
Answer: Yes, w32time has numerous registry keys that control various parameters. See this link for full details. Be careful when tweaking the settings, even if you think you know the consequences.
6. If my company requires strict time sync, less than 20 second skew across the forest, do I need a third party NTP client?
Answer: Yes. W32time is designed for a maximum of five minutes of skew, but often does much better. Typically 20 seconds or less of skew is maintained, but this is not guaranteed. To guarantee accuracy, a precise third-party NTP client is required on all servers.
7. How about workgroup computers?
Answer: Workgroup computers DO need to be manually configured for time sync. See the links above for manually configuring the w32time service.
8. Is the w32time service reliable?
Answer: Yes. I’ve never seen an instance where the w32time service failed when it has been properly configured and DCs are healthy. W32time is very reliable and just works; no over-engineering required. If DCs are in such an unhealthy state that time sync is broken, you have other major issues at hand that need attention. Again, servers can likely maintain a less than five minute skew for weeks or months without any time source.
9. Does Windows Server 2008 have any new w32time settings that I should be aware of?
Answer: Yes. Microsoft changed a couple of default settings for the w32time service which you can also use in your 2003 forest. MaxPosPhaseCorrection and MaxNegPhaseCorrection are now set to 172,800 seconds (48 hours). These values limit the possible wild swings in time should the external time source be compromised or a DC has its time manually reconfigured. These settings can be configured via GPO.
10. How do I reset a server which was configured for manual time sync to use the Windows domain time hierarchy?
Answer: w32tm /config /syncfromflags:domhier /reliable:no /update
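As an added example (my own PowerShell, not part of the original post), here is an audit script that ties together questions 6, 9 and 10: it checks that a domain member follows the domain hierarchy, that the 48-hour phase-correction caps are in place, and measures the current skew against a DC. It assumes the standard W32Time registry locations, that the w32tm /stripchart /dataonly output looks like "hh:mm:ss, +00.0000000s", and that the DC named in $env:LOGONSERVER is an acceptable reference.

```powershell
# Added example, not from the original post: audit a domain member's w32time
# settings against the recommendations above and measure its skew from a DC.
# Assumes the standard W32Time registry locations and the w32tm /stripchart
# /dataonly output format "hh:mm:ss, +00.0000000s".
$Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Test-W32TimeConfig {
    $findings = @()
    $c = Get-ItemProperty -Path $Config
    $p = Get-ItemProperty -Path $Params

    # A domain member should follow the domain hierarchy (NT5DS), not a manual list (Q10).
    if ($p.Type -ne 'NT5DS') {
        $findings += "Type is '$($p.Type)'; expected NT5DS. Fix: w32tm /config /syncfromflags:domhier /reliable:no /update"
    }
    # Server 2008 defaults (Q9): cap phase corrections at 48 h so a bad source
    # cannot swing the clock arbitrarily. Get-ItemProperty returns DWORDs as
    # Int32, so the 'unlimited' value 0xFFFFFFFF shows up as -1.
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $v = $c.$name
        if ($v -eq -1 -or $v -eq 4294967295) { $findings += "$name is unlimited (0xFFFFFFFF)" }
        elseif ($v -ne 172800)               { $findings += "$name is $v s, expected 172800" }
    }
    return $findings
}

function Get-SkewSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # w32tm prints one "time, offset" line per sample; keep the signed offsets.
    $lines = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = @(foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { throw "No samples from $Computer; is the DC reachable?" }
    return ($offsets | Measure-Object -Average).Average
}

# Assumption: the authenticating DC is a good enough reference for a skew check.
$dc     = $env:LOGONSERVER -replace '^\\\\', ''
$skew   = Get-SkewSeconds -Computer $dc
$report = Test-W32TimeConfig
# Q6: the post's strict-sync threshold of 20 seconds.
if ([math]::Abs($skew) -gt 20) { $report += ("Skew from {0} is {1:N3} s (over 20 s)" -f $dc, $skew) }
if ($report) { $report | ForEach-Object { Write-Warning $_ } }
else         { Write-Output ("w32time OK; skew {0:N3} s from {1}" -f $skew, $dc) }
```

Run it from an elevated prompt on the member server; a warning for Type other than NT5DS is exactly the case the one-liner in question 10 fixes.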
11. Should I sync various parts of my forest to different time sources?
Answer: No. All parts of the forest should use a single time source since you want to guarantee time sync. Syncing servers to different time sources is asking for trouble and can lead to complications. Unless you are using a third-party NTP client, use the simple Microsoft recommended best practices of just syncing your forest root PDC emulator and leave the rest up to w32time.
For example, syncing your servers to their local router’s NTP service would not be advised, even if all routers were configured to sync from a trusted source.