Be a master of time in your Active Directory forest

All servers within an Active Directory automatically synchronize their time, but it is up to you to synchronize "network" time with "real" time.

A service within Windows 2000 called Windows Time keeps all windows workstations and servers in acceptable time synch. The degree of precision with which they synch may not be good enough to coordinate scientific experiments across the planet, but they are well within the tolerance required for such network operations as controller replication.

Windows Time works by establishing a hierarchy within your network. At the top of the hierarchy sits the first domain controller created within the first domain created within your network forest. Microsoft calls this the PDC (Primary Domain Controller) FSMO (Flexible Single Master Operation) of the forest root -- I'll just call it the Big Guy. Every subsequently added domain controller gets its time either directly from Big Guy, or from some other DC that got the time from Big Guy. Every workstation gets its time from some DC that got its time from Big Guy. Small errors creep in each time a lower level gets time-synched from a higher level, but for all practical purposes the entire network automatically more or less agrees to use Big Guy's time. As far as network operation goes this situation is sufficient, but it might cause application problems. If a server's clock is 10 minutes fast, no network function is going to break as long as every other server's clock is 10 minutes

Requires Free Membership to View

fast, but some applications might need to know what time it is out in the world of carbon-based life forms. What if a skew in time meant all union time-card punches got shifted 10 minutes from straight time to overtime?

Luckily, making the time clocks throughout your network agree with the real world really comes down to making sure Big Guy's time clock agrees with the real world. Here's how:


    Find a clock in the real world that will talk to Big Guy

      Most DNS servers at big ISP's are carefully synched to atomic time, and there's an Internet Standard for sending time information called Simple Network Time Protocol (SNTP). You need to find an SNTP time source.

      Go to http://www.bytefusion.com/ntpquery.html and download the free NTPQuery application. It lets you test possible SNTP sources and see which ones respond.

      Enter into NTPQuery the domain name or IP address of DNS servers of ISPs available from your network and see which ones return a time code. They are SNTP servers. Don't worry about interpreting what you get back, if you got something back you're set.

    Tell Windows 2K to synch to the clock

      Log onto Big Guy and issue the following command:

        net time /setsntp:SNTPServer

        (where SNTPServer can be a domain name or IP address)

      With that, Big Guy will go attempt to synch to the time server. It will continue to attempt the connection every 45 minutes until it succeeds three times in a row, then it drops back to one time synch every 8 hours.

To dig deeper:
How to Configure an Authoritative Time Server in Windows 2000 http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q216734
How Machines Determine the Time Source Server Using NET TIME http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q156460.

Kevin Sharp is a registered professional engineer, writer, and yoga teacher living in Tucson, Arizona, and gains his expertise from a variety of professional activities.

This was first published in March 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.