How to configure an authoritative time server in Windows Server 2003
Article ID: 816042 Last Update Date: December 20, 2004 Version: 3.0
Important: This article contains information about modifying the registry. Before you modify the registry, you must back it up and be sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Microsoft Windows Registry Description
In this task
• Introduction
• Configure the Windows Time service to use an internal hardware clock
• Configure the Windows Time service to use an external time source
• Troubleshooting
More information
• Reliable time source configuration
• Manually specified synchronization
• All available synchronization mechanisms
• Windows Time service registry entries
• References
Introduction
Windows includes W32Time, the Time service tool that the Kerberos authentication protocol requires. The purpose of the Windows Time service is to make sure that all computers in your organization that run Microsoft Windows 2000 or later use a common time.
To make sure that common time is used appropriately, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops. By default, Windows-based computers use the following hierarchy:
• All client desktop computers nominate an authenticating domain controller as their inbound time partner.
• All member servers follow the same process as client desktop computers.
• All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their inbound time partner.
• All PDC operations masters follow the hierarchy of domains when they select their inbound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes the authoritative time server for the organization. We strongly recommend that you configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to synchronize with an Internet time source, there is no authentication. We also recommend that you reduce the time correction settings for your servers and stand-alone clients. These recommendations provide more accurate time and greater security for your domain.
Configure Windows Time Services to use internal hardware clocks
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To configure the PDC master not to use an external time source, change the announce flag on the PDC master. The PDC master is the server that holds the PDC master role in the forest root domain. This configuration forces the PDC master to announce itself as a reliable time source, so that it uses its built-in complementary metal oxide semiconductor (CMOS) clock. To configure the PDC master to use its internal hardware clock, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
3. In the right pane, right-click AnnounceFlags, and then click Modify.
4. In the Edit DWORD Value dialog box, type A in the Value data box, and then click OK.
5. Quit Registry Editor.
6. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
Net Stop W32Time && Net Start W32Time
Note: Never configure the PDC master to synchronize with itself. If the PDC master is configured to synchronize with itself, the following events are logged in the application log:
Time Provider NtpClient: The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x0|192.168.1.1:123->192.168.1.1:123). No response has been received from manual peer 192.168.1.1 after 8 attempts to contact it. This peer will be discarded as a time source, and NtpClient will attempt to discover a new peer to synchronize with.
The time provider NtpClient is configured to acquire time from one or more time sources, but none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.
If the PDC master runs without using an external time source, the following event is logged in the application log:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. We recommend that you either configure a reliable time service in the root domain or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable NtpClient.
This text is only a reminder to use an external time source; you can ignore it.
Configure the Windows Time service to use an external time source
To configure the internal time server to synchronize with an external time source, follow these steps:
1. Change the server type to NTP. To do this, follow these steps:
a. Click Start, click Run, type regedit, and then click OK.
b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
c. In the right pane, right-click Type, and then click Modify.
d. In the Edit Value dialog box, type NTP in the Value data box, and then click OK.
2. Set AnnounceFlags to 5. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
b. In the right pane, right-click AnnounceFlags, and then click Modify.
c. In the Edit DWORD Value dialog box, type 5 in the Value data box, and then click OK.
3. Enable NTPServer. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled
b. In the right pane, right-click Enabled, and then click Modify.
c. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
b. In the right pane, right-click NtpServer, and then click Modify.
c. In the Edit Value dialog box, type Peers in the Value data box, and then click OK.
Note: Peers is a placeholder for a space-delimited list of the peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes that you make in step 5 will not take effect.
5. Select the poll interval. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
b. In the right pane, right-click SpecialPollInterval, and then click Modify.
c. In the Edit DWORD Value dialog box, type TimeInSeconds in the Value data box, and then click OK.
Note: TimeInSeconds is a placeholder for the number of seconds that you want between each poll. The recommended value is 900 (decimal). This value configures the time server to poll once every 15 minutes.
6. Configure the time correction settings. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
c. In the Edit DWORD Value dialog box, click Decimal in the Base box.
d. Type TimeInSeconds in the Value data box, and then click OK.
Note: TimeInSeconds is a placeholder for an appropriate value, such as 1 hour (3600) or 30 minutes (1800). The value that you select depends on the poll interval, the network conditions, and the external time source.
e. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
f. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
g. In the Edit DWORD Value dialog box, click Decimal in the Base box.
h. Type TimeInSeconds in the Value data box, and then click OK.
Note: TimeInSeconds is a placeholder for an appropriate value, such as 1 hour (3600) or 30 minutes (1800). The value that you select depends on the poll interval, the network conditions, and the external time source.
7. Quit Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
Net Stop W32Time && Net Start W32Time
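The eight steps above are easy to get subtly wrong by hand: a peer name without the ,0x1 suffix silently disables SpecialPollInterval, a duplicate DNS name is invalid, and the phase-correction values must be entered with the correct base. The following script, an added example and not Microsoft's code, enforces those notes in code and writes the same Type, AnnounceFlags, NtpServer, Enabled, SpecialPollInterval, MaxPosPhaseCorrection and MaxNegPhaseCorrection values as a .reg file that regedit can import in one step. The peer names it uses by default are constructed placeholders; the file name w32time-external.reg is an assumption.

```python
"""Build a .reg file for the external-time-source procedure in this article.

Added example, not Microsoft code.  It emits only the values the article
names; the import command and service restart are left to the operator.
"""

REG_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"

# AnnounceFlags value the article uses in step 2 for an external-source server
ANNOUNCE_FLAGS_EXTERNAL = 5


def build_peer_list(peers):
    """Return the NtpServer string: space-delimited, every DNS name unique,
    every name suffixed with ,0x1 so SpecialPollInterval (step 5) applies."""
    seen = set()
    entries = []
    for peer in peers:
        name = peer.strip()
        if not name:
            raise ValueError("empty peer name")
        if name.lower() in seen:
            raise ValueError(f"duplicate peer: {name}")
        seen.add(name.lower())
        entries.append(f"{name},0x1")
    if not entries:
        raise ValueError("at least one peer is required")
    return " ".join(entries)


def dword(value):
    """Format an integer as .reg DWORD syntax (8 hex digits).
    Step 6 has you switch the Base box to Decimal in regedit; a .reg file
    takes DWORDs in hex, so the conversion happens here instead."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a DWORD: {value}")
    return f"dword:{value:08x}"


def external_source_reg(peers, poll_seconds=900, max_phase_seconds=3600):
    """Return the text of a .reg file covering steps 1 to 6 of the article.
    Defaults: poll every 15 minutes, allow at most 1 hour of correction."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{REG_ROOT}\\Parameters]",
        '"Type"="NTP"',
        f'"NtpServer"="{build_peer_list(peers)}"',
        "",
        f"[{REG_ROOT}\\Config]",
        f'"AnnounceFlags"={dword(ANNOUNCE_FLAGS_EXTERNAL)}',
        f'"MaxPosPhaseCorrection"={dword(max_phase_seconds)}',
        f'"MaxNegPhaseCorrection"={dword(max_phase_seconds)}',
        "",
        f"[{REG_ROOT}\\TimeProviders\\NtpServer]",
        f'"Enabled"={dword(1)}',
        "",
        f"[{REG_ROOT}\\TimeProviders\\NtpClient]",
        f'"SpecialPollInterval"={dword(poll_seconds)}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    import sys

    # Constructed placeholder peers; pass your real NTP servers as arguments.
    peers = sys.argv[1:] or ["ntp1.example.net", "ntp2.example.net"]
    # Version 5.00 .reg files are expected to be Unicode (UTF-16 with BOM).
    with open("w32time-external.reg", "w", encoding="utf-16") as f:
        f.write(external_source_reg(peers))
    print("Import with:  regedit /s w32time-external.reg")
    print("Then restart: Net Stop W32Time && Net Start W32Time")
```

After importing the file (step 7 is unnecessary because regedit is never opened interactively), restart the service as in step 8 so that the new Type and NtpServer values take effect.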
Troubleshooting
For the Windows Time service to work correctly, the network infrastructure must work correctly. The most common issues that affect the Windows Time service include the following:
• There is a problem with TCP/IP connectivity, such as a dead gateway.
• The name resolution service is not working correctly.
• The network has high latency, especially when synchronization occurs over a high-latency wide area network (WAN) link.
• The Windows Time service is trying to synchronize with an inaccurate time source.
We recommend that you use the Netdiag.exe utility to troubleshoot network-related issues. Netdiag.exe is part of the Windows Server 2003 Support Tools package. See the Support Tools Help for a complete list of the command-line parameters that you can use with Netdiag.exe. If the problem is still not resolved, you can turn on the Windows Time service debug log. Because the debug log can contain very detailed information, we recommend that you contact Microsoft Product Support Services when you turn on the Windows Time service debug log. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Http://support.microsoft.com/default.aspx?scid=fh; [LN];cntactms
Note: In special cases, the fee that normally applies to a support call may be waived if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support charges apply to other support questions and to issues that the specific update does not resolve.
More information
Reliable time source configuration
A computer that is configured to be a reliable time source is identified as the root of the Windows Time service. The root of the Windows Time service is the authoritative server for the domain, and it is typically configured to retrieve time from an external NTP server or a hardware device. You can configure a time server as a reliable time source to optimize how time is transferred through the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable time source first, if one is available.
Manually specified synchronization
With manually specified synchronization, you can designate a single peer or a list of peers from which a computer obtains time. If the computer is not a member of a domain, you must manually configure it to synchronize with a specified time source. By default, a computer that is a member of a domain is configured to synchronize from the domain hierarchy. Manually specified synchronization is most useful for the forest root of the domain or for computers that are not joined to a domain. Manually specifying an external NTP server for the authoritative computer of your domain to synchronize with provides reliable time. However, to provide the most accurate and secure time to your domain, we recommend that you configure the authoritative computer of the domain to synchronize with a hardware clock.
If there is no hardware time source, W32Time is configured as the NTP type, and you must reconfigure the two registry entries MaxPosPhaseCorrection and MaxNegPhaseCorrection. Depending on the time source, the network conditions, and your security requirements, we recommend that you set these values to 15 minutes or less. This requirement also applies to any reliable time source that is configured as a time source for the forest root's time synchronization subnet. For more information about these two registry entries, see the "Windows Time service registry entries" section of this article.
Note: Unless a specific time provider is written for them, manually specified time sources are not authenticated, and these time sources are therefore vulnerable to attackers. In addition, if a computer synchronizes with a manually specified time source instead of with its authenticating domain controller, the two computers may be out of sync. This situation causes Kerberos authentication to fail, which in turn causes other operations that require network authentication (such as printing or file sharing) to fail. As long as only the forest root is configured to synchronize with an external source, all other computers in the forest remain synchronized with each other. This configuration makes replay attacks difficult.
All available synchronization mechanisms
The "All available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This method enables synchronization with the domain hierarchy and, depending on the configuration, can also provide an alternative time source if the domain hierarchy becomes unavailable. If the client cannot synchronize with the domain hierarchy, the time source automatically fails over to the time source that is specified by the NtpServer setting. This synchronization method is the most likely to provide accurate time to clients.
Windows Time service registry entries
The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time:
Registry entry: MaxPosPhaseCorrection
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Note: This entry specifies the largest positive time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead. (0xFFFFFFFF is a special case that means always make the time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000, which is 15 hours.
Registry entry: MaxNegPhaseCorrection
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Note: This entry specifies the largest negative time correction, in seconds, that the service makes. If the service determines that a change larger than this is required, it logs an event instead. (-1 is a special case that means always make the time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000, which is 15 hours.
Registry entry: MaxPollInterval
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Note: This entry specifies the largest interval, in log2 seconds, that is allowed for the system polling interval. Although the system must poll according to the scheduled interval, a provider can refuse to produce samples when it is asked to. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.
Registry entry: SpecialPollInterval
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Note: This entry specifies the special poll interval, in seconds, for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of the poll interval that the operating system determines. The default value for domain members is 3,600. The default value for stand-alone clients and servers is 604,800.
Registry entry: MaxAllowedPhaseOffset
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Note: This entry specifies the maximum offset, in seconds, for which W32Time tries to adjust the computer clock by using the clock rate. When the offset is larger than this value, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.
References
For more information about the Windows Time service, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816043 How to turn on debug logging in the Windows Time service
884776 Configuring the Windows Time service against a large time offset
321708 How to use the Network Diagnostics Tool in Windows 2000
How to configure an authoritative time server in Windows XP
216734 How to configure an authoritative time server in Windows 2000
For more information about the Windows Time service in Windows Server 2003, visit the following Microsoft Web site:
Http://www.microsoft.com/resources/documentation/techref/en-us/default.asp?url=/resources/Documentation/WindowsServ/2003/All/techref/EN-US/W2K3TR_TIMES_INTRO.asp