Time synchronization is an integral function in the Kerberos V5 authentication protocol. Windows 2000/XP/2003 uses Kerberos V5 as the protocol for authenticating users in an Active Directory domain.
Time synchronization is crucial to the Windows authentication protocol. In an Active Directory domain, the client PC must have the correct time. Kerboros uses a timestamp ensure the authenticating server that the client being authenticated is not replaying an old authentication request. There is some play allowed, but if your clients get more than a few minutes out of sync they may not be able to login.
Windows clients automatically look to the PDC Master FSMO role holder to sync time, member servers and other DC's will also query the PDC Master.
Graphic courtesy of Microsoft Corporation © April 2001 So how do you set the PDC Master to sync with an external source to ensure the domain time is correct? This is how! From a command prompt:
C:\>net time /querysntp
This computer is not currently configured to use a specific SNTP server.
The command completed successfully.
/querysntp is the switch to display the current time server. On your domain clients, you will see this output even though they will sync with the PDC Master. Now lets set a NTP server, we will use NASA's public NTP server located at ntp.nasa.gov but you can get a fill list of public NTP servers at the end of this article.
C:\>net time /setsntp:ntp.nasa.gov
The command completed successfully.
Now we can use /quesrysntp again to verify that it worked.
C:\>net time /querysntp
The current SNTP value is: ntp.nasa.gov
The command completed successfully.
The final step is to restart the w32time service. If you are still at a command prompt you can use the net stop command, or you can restart the service from teh Services applet under Administrative Tools or from Services.msc.
C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.
C:\>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.
That is all you need to do in order to select an outside source to synchronize time with on the PDC Master at the forest root. If you are using a firewall, and don't we all, you will also need to open UDP Port 123 to allow the NTP traffic to pass.
For more information see:
