
Having the correct time within networks is important. Correct time stamps are required to accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.

Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows network devices to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings.

A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks, synchronized to UTC, using satellite or radio. However, if network administrators do not wish to implement their own master clocks because of cost or other reasons, other clock sources are available on the Internet. NTP can get the correct time from an internal or external time source including the following:

  • Local master clock
  • Master clock on the Internet
  • GPS or atomic clock

A network device can be configured as either an NTP server or an NTP client.

  • On the client side, use the ntp server ip-address command in global configuration mode.
  • On the server side, use the ntp master [stratum] command in global configuration mode. The stratum value is a number from 1 to 15 and indicates the NTP stratum number that the system will claim. If the system is configured as an NTP master and no stratum number is specified, it will default to stratum 8. If the NTP master cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it using NTP.

To display the status of NTP associations, use the show ntp associations command in privileged EXEC mode. This command lists the address of each configured or discovered peer, whether the device is synchronized to it, and the peer's stratum number. The show ntp status user EXEC command displays the NTP synchronization status, the peer that the device is synchronized to, and the stratum at which the device itself is operating.

NTP server in a Windows Domain

In a Windows domain the time hierarchy is built in: domain member computers synchronize with a domain controller, every domain controller synchronizes with the PDC emulator of its domain, and the PDC emulator of the forest root domain is the authoritative time source for the whole forest.

To keep all hosts on correct time you therefore need to make sure that this root PDC emulator is itself accurate, which means configuring it to synchronize regularly with an external NTP server (or an internal master clock, as described above).

Manually configure the Windows Time service

To configure an internal time server to synchronize with an external time source, follow these steps:

  1. Change the server type to NTP. To do this, follow these steps:
    1. Select Start > Run, type regedit, and then select OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    3. In the pane on the right, right-click Type, and then select Modify.
    4. In Edit Value, type NTP in the Value data box, and then select OK.
  2. Set AnnounceFlags to 5. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
    2. In the pane on the right, right-click AnnounceFlags, and then select Modify.
    3. In Edit DWORD Value, type 5 in the Value data box, and then select OK.

       Notes

      • If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of to 0x5.
      • If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5.
  3. Enable NTPServer. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    2. In the pane on the right, right-click Enabled, and then select Modify.
    3. In Edit DWORD Value, type 1 in the Value data box, and then select OK.
  4. Specify the time sources. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. In the pane on the right, right-click NtpServer, and then select Modify.
    3. In Edit Value, type Peers in the Value data box, and then select OK.
       Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 (the SpecialInterval flag) to the end of each DNS name. If you do not append ,0x1 to each entry, the fixed poll interval set in SpecialPollInterval (see below) will not be used.

  5. Configure the time correction settings. To do this, follow these steps:
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
    2. In the pane on the right, right-click MaxPosPhaseCorrection, and then select Modify.
    3. In Edit DWORD Value, click to select Decimal in the Base box.
    4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then select OK.

       Note

      • TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source.
      • The default value of MaxPosPhaseCorrection is 48 hours in Windows Server 2008 R2 or later.
    5. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
    6. In the pane on the right, right-click MaxNegPhaseCorrection, and then select Modify.
    7. In Edit DWORD Value, click to select Decimal in the Base box.
    8. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then select OK.

       Note

      • TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source.
      • The default value of MaxNegPhaseCorrection is 48 hours in Windows Server 2008 R2 or later.
  6. Close Registry Editor.
  7. At the command prompt, type the following command to restart the Windows Time service, and then press Enter:
    net stop w32time && net start w32time
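The seven steps above edit individual registry values by hand. The following script is an added example, not part of the original page or of Microsoft's documentation, that performs the same configuration from an elevated PowerShell prompt on the PDC emulator and then verifies it with w32tm. The peer names, the 15 minute poll interval and the 48 hour phase-correction limit are assumptions used as defaults; replace them with your own values.

```powershell
# Added example (not from the original page): configure this host as an
# authoritative NTP server that synchronizes from external peers, writing the
# same W32Time registry values the manual steps above edit. Run elevated on
# the PDC emulator. Default peer names below are assumptions; substitute yours.
#Requires -RunAsAdministrator
param(
    [string[]] $Peers = @('0.pool.ntp.org', '1.pool.ntp.org'),  # assumed; replace with your sources
    [int]      $PollIntervalSeconds = 900,                      # 15 min; 3600 is fine for a physical server
    [int]      $MaxPhaseCorrectionSeconds = 172800,             # 48 h, the limit the page advises
    [switch]   $AnnounceEvenWhenNotSynced                       # use AnnounceFlags 0xA instead of 0x5
)

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Step 1 and 4: manual NTP client (Type=NTP) and the peer list.
# ',0x1' on every entry is the SpecialInterval flag; without it SpecialPollInterval is ignored.
$peerList = ($Peers | ForEach-Object { "$_,0x1" }) -join ' '
Set-ItemProperty -Path "$w32\Parameters" -Name Type      -Value 'NTP'     -Type String
Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer -Value $peerList -Type String

# Step 2: announce as a reliable time source (0x5), or 0xA if upstream sync may be interrupted
$flags = if ($AnnounceEvenWhenNotSynced) { 0xA } else { 0x5 }
Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value $flags -Type DWord

# Step 3: serve NTP to domain members and other DCs
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

# Step 5: clamp accepted sample offsets; larger samples are dropped with a "TOO BIG" event
Set-ItemProperty -Path "$w32\Config" -Name MaxPosPhaseCorrection -Value $MaxPhaseCorrectionSeconds -Type DWord
Set-ItemProperty -Path "$w32\Config" -Name MaxNegPhaseCorrection -Value $MaxPhaseCorrectionSeconds -Type DWord

# Fixed poll interval, honoured because of the 0x1 flag on each peer (no w32tm switch sets this)
Set-ItemProperty -Path "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value $PollIntervalSeconds -Type DWord

# Step 7: restart the service so the new values are read, then trigger and verify a sync
Restart-Service -Name w32time
w32tm /resync /nowait | Out-Null
w32tm /query /configuration   # confirm Type, NtpServer, AnnounceFlags and the limits
w32tm /query /status          # Source: should name one of the peers; Stratum: one above it
```

Check the Source and Stratum lines of w32tm /query /status after a minute or two: if the source is still "Local CMOS Clock" or "Free-running System Clock", the upstream peers are unreachable (UDP/123 outbound) and, with AnnounceFlags 0x5, clients will not trust this server until synchronization succeeds.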

SpecialPollInterval

Note the ,0x1 (SpecialInterval) flag after each server entry in the manual peer list, that is, in the NtpServer value set in step 4. It tells Windows Time to poll that peer at a fixed interval of SpecialPollInterval seconds instead of at its adaptive interval. A SpecialPollInterval of 3600 (1 hour) is fine for a physical server. If the server is virtualized, and therefore subject to more clock drift, you may want to reduce it, for example to 900 (15 minutes). There is no w32tm switch for this; you must edit this registry value:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

The meanings of the registry values are documented on TechNet (Server 2003/2008/2008R2).

MaxPosPhaseCorrection and MaxNegPhaseCorrection limit the offset that will be accepted from a time sample. When any instance of w32time polls another machine for the time, it determines the offset between the time source and itself. This value is known as the "sample offset". Before a sample is used by the time service, it is compared against the phase correction limits (MaxPos for a source ahead of the local clock, MaxNeg for one behind it). If the sample offset exceeds the limit, the sample is thrown out and a "TOO BIG" event is logged. The event contains all of the information about the time sample, including who sent it. The purpose is to isolate domain controllers in the network that get into a bad time state: the other DCs log an error about the sample being too big rather than blindly accepting it.

Knowing your limits

The next question is: What is an acceptable limit of phase correction? After much analysis and debate, we are advising a value of 48 hours. If a domain controller receives a sample that says it is more than 48 hours off, either in the future or in the past, the domain controller will throw it out. However, every customer should evaluate their own situation to be sure.

This is advised for both limits, both forward and backwards.

A packaged solution

Here is an example of a registry entry that you can merge on demand to apply a 48 hour limit (0x2a300 = 172800 seconds) to the phase correction in both directions:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxNegPhaseCorrection"=dword:0002a300
"MaxPosPhaseCorrection"=dword:0002a300

Domain member computers can then be told to synchronize with the DC. The legacy command takes the DC name explicitly:

net time \\<DC-name> /set /y

On current Windows versions use the Windows Time service directly instead, which resynchronizes from whatever source the machine is configured for (the domain hierarchy by default):

w32tm /resync
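The phase-correction check described under "Knowing your limits", and the client-side resync just above, are easier to reason about with the actual numbers in hand. The script below is an added example, not code from the original page or from Microsoft: it derives a sample offset from the four NTP timestamps, applies the MaxPos/MaxNeg limits the way the text describes (a sample beyond the limit is rejected as "TOO BIG"), and parses offsets out of w32tm /stripchart output so the same check can be run against a live DC. The stripchart lines are constructed, the line format is assumed from w32tm /stripchart /dataonly output, and DC01 is a placeholder name.

```powershell
# Added example (not from the original page). Reproduces the sample-offset
# check described above: an NTP sample is accepted only if its offset is within
# MaxPosPhaseCorrection / MaxNegPhaseCorrection; otherwise it is "TOO BIG".
# Stripchart data below is constructed; its line format is an assumption.

function Get-NtpSampleOffset {
    # RFC 5905 clock offset from the four NTP timestamps (all UTC):
    # T1 client send, T2 server receive, T3 server send, T4 client receive.
    # Positive result = the source is ahead of us (we are behind).
    param(
        [Parameter(Mandatory)][datetime] $T1,
        [Parameter(Mandatory)][datetime] $T2,
        [Parameter(Mandatory)][datetime] $T3,
        [Parameter(Mandatory)][datetime] $T4
    )
    ((($T2 - $T1) + ($T3 - $T4)).TotalSeconds) / 2
}

function Get-PhaseCorrectionLimits {
    # Limits in seconds from the key the .reg fragment above writes (0x2a300 = 172800 = 48 h).
    # Get-ItemProperty returns DWORDs as signed Int32, so 0xFFFFFFFF ("no limit") reads as -1;
    # mask it back to an unsigned value.
    $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    @{
        MaxPos = [uint32]([int64]$cfg.MaxPosPhaseCorrection -band 0xFFFFFFFF)
        MaxNeg = [uint32]([int64]$cfg.MaxNegPhaseCorrection -band 0xFFFFFFFF)
    }
}

function Test-TimeSample {
    # Apply the w32time rule: MaxPos bounds samples from a source ahead of us,
    # MaxNeg bounds samples from a source behind us; anything larger is "TOO BIG".
    param(
        [Parameter(Mandatory)][double] $OffsetSeconds,
        [Parameter(Mandatory)][uint32] $MaxPos,
        [Parameter(Mandatory)][uint32] $MaxNeg,
        [string] $Source = 'unknown'
    )
    $limit  = if ($OffsetSeconds -ge 0) { $MaxPos } else { $MaxNeg }
    $tooBig = [math]::Abs($OffsetSeconds) -gt $limit
    [pscustomobject]@{
        Source  = $Source
        Offset  = $OffsetSeconds
        Limit   = $limit
        Verdict = if ($tooBig) { 'REJECT (TOO BIG)' } else { 'accept' }
    }
}

function ConvertFrom-StripChart {
    # Pull offsets (seconds) out of 'w32tm /stripchart ... /dataonly' lines such as
    # '12:00:01, +00.0031250s' (format assumed); header and error lines are skipped.
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '([+-]\d+(\.\d+)?)s\s*$') { [double]$Matches[1] }
    }
}

# Offset from raw timestamps: server 1.52 s ahead at receive, 40 ms round trip -> 1.5 s offset
$t0 = [datetime]::UtcNow
Get-NtpSampleOffset -T1 $t0 -T2 $t0.AddSeconds(1.52) -T3 $t0.AddSeconds(1.52) -T4 $t0.AddMilliseconds(40)

# Constructed stripchart output: a normal sample, one ~3 days ahead of us, one ~50 h behind.
$sampleLines = @(
    'Tracking DC01.corp.example [10.0.0.10:123].',
    'Collecting 3 samples.',
    '12:00:00, +00.0031250s',
    '12:00:02, +259200.0000000s',
    '12:00:04, -180000.0000000s'
)
# The page's 48 h limit; on a real host use: $limits = Get-PhaseCorrectionLimits
$limits = @{ MaxPos = [uint32]172800; MaxNeg = [uint32]172800 }
ConvertFrom-StripChart $sampleLines |
    ForEach-Object { Test-TimeSample -OffsetSeconds $_ -Source 'DC01' @limits } |
    Format-Table -AutoSize

# Live equivalent on a domain member (needs UDP/123 to the DC; DC01 is a placeholder):
#   $live = w32tm /stripchart /computer:DC01 /samples:3 /dataonly
#   ConvertFrom-StripChart $live | ForEach-Object { Test-TimeSample -OffsetSeconds $_ -Source 'DC01' @limits }
# If every sample is accepted but the clock is still wrong, force a sync with: w32tm /resync
```

Only the first constructed sample is accepted; the +259200 s sample is rejected against MaxPos and the -180000 s sample against MaxNeg, which is exactly the situation in which a real DC would log the TOO BIG event instead of jumping its clock. Running the live variant against each DC is a quick way to find a domain controller whose clock has drifted past the limit before it starts being ignored by its peers.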