Like This Blog 1

Added by Mike Danseglio October 24, 2014

“Lost time is never found again.” – Benjamin Franklin

You probably already know that having accurate time set on all clients and servers is important. Very bad things happen when computer clocks disagree. Things like:

• Users cannot logon to a domain
• Applications overwrite new data with older versions
• Servers fail to synchronize data between each other, causing version conflicts
• Financial transactions become subject to dispute
• Regulatory requirements are not met

Luckily Windows has taken this into account. The Network Time Protocol (NTP) service has been built into Windows since Windows XP and Windows Server 2003, and most Unix and Linux implementations have supported NTP since they were first built.

Windows Client and Server Time Synchronization

Unfortunately most Windows implementations do not use NTP as it is not enabled in many situations, especially when older servers are upgraded. The thinking was that they don’t need to. All domain-joined computers synchronize their time with the domain controller by default. This synchronization uses a Microsoft-specific protocol instead of NTP for backwards compatibility.

Also, by default, domain controllers synchronize their time with the Primary Domain Controller. So in most cases, enabling NTP on the PDC and configuring it to synchronize with an authoritative time source is all that you need to do.

Enabling NTP in Windows

In most domain scenarios you only need to worry about synchronizing the PDC with an authoritative time source. That’s pretty easy and it is the same on Windows clients as well as non-joined computers. So you can use these steps on Windows 7, Windows Server 2008, Windows 8, etc.

1. Logon to the Primary Domain Controller as a local administrator.
2. Open the Services MMC snap-in for the local computer.
3. Scroll down to Windows Time. Configure it for a Startup Type of Automatic, and then right-click and select Start. (Note: skip this step if the service is already running)
4. Close the Services MMC snap-in.
5. Open a command prompt.
6. Type w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org and press Enter. This configures Windows to use the highly-available clusters provided by ntp.org as its authoritative time source.
7. Type w32tm /resync and press Enter.

Close the command prompt.

NTP does not always immediately change the clock. It is designed to slowly converge the local time to the authoritative source. This is done to avoid large rapid time changes that can cause applications and transactions to fail. So you may not see an instantly accurate clock, but NTP is now on the job and will ensure that the clock becomes, and remains, synchronized.

Once the PDC clock is accurate, all domain-joined computers will continue to synchronize their clocks. Over a bit of time – perhaps a day or two – your systems will have accurate time.

Stay safe!

Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor