MCITP 70-640: Setting an External Time Source


Uploaded by itfreetraining on 29.12.2011

Transcript:
It's time for the next free video from IT Free Training for the Active Directory free training course. In this video I will look at keeping time in your domain up to date and accurate. All computers have a BIOS in them with a battery backup. The battery ensures the computer's internal clock keeps time even when the computer is shut down and not plugged in. Due to a number of reasons the time on a computer may drift from the correct time. Kerberos and other authentication systems will not work if the time on the local computer is too different from the time on the other computer. If you attempt to log in to a domain and the time on your local computer is too different from the time on the domain controller, you will not be able to log in. For this reason it is important to keep the time on all the computers on your network up to date.
To keep time accurate in the domain, Microsoft uses a hierarchical method of time syncing. The root of the hierarchy is the domain controller with the PDC emulator operational master role. Under this you have your domain controllers. All the domain controllers in your domain will sync their time from the PDC emulator. The clients on the network, and this includes member servers, will sync their time from the closest domain controller. If the domain controller holding the PDC emulator role is down for an extended time period, this can cause your client computer times to drift.

Since the PDC emulator plays such an important role in time synchronization, it is important to try and keep the time on this domain controller as up to date as possible. If your company has the money they may consider installing a hardware clock in the PDC emulator. These clocks are more accurate than the clock found in the computer. In most cases a company will choose to sync the PDC emulator's internal clock from an external time source. This is generally the preferred method because it will keep your clocks accurate and costs nothing in additional hardware.
If your network does not have internet access, for example it is a secure network, you may have no choice but to install a hardware clock in your PDC emulator to ensure the time stays accurate.

If you have a multi-domain environment you will have one PDC emulator per domain. In this case it is recommended that the child domains' PDC emulators be configured to sync their time from any domain controller in the root domain. The choice of domain controller can also be the PDC emulator in the root domain if you so choose.

If you decide to configure an external time source you need to understand a little terminology on how external time sources work. External time sources use a hierarchy, with each level of the hierarchy called a stratum. At the top of the hierarchy, or stratum 0, are very reliable clocks. These are hardware atomic clocks, GPS clocks and radio clocks. Stratum 0 clocks are connected directly to stratum 1. Stratum 1 servers are computers that generally act as the time source for the next level, stratum 2.
In some cases stratum 1 clocks and stratum 2 clocks will have restricted access while others are open to the public. This brings up the point: would you use stratum 1 or stratum 2 to sync your clocks if given the choice? There are more stratum 2 clocks than stratum 1 clocks available to the public. It is best when choosing a time source to choose one that is near you. Syncing your server with a time server on the other side of the world is silly if there is a closer one to you, even if the other time source is considered more accurate. You may even have a time clock closer to you that is stratum 3 in the time hierarchy. The important thing to remember is to ensure that you are keeping your time accurate from a trusted, accurate location.
Microsoft does not keep a list of the external time sources, however you can refer to KB document 262680. This document contains links to lists of external time sources you can use. Once you have worked out which time server you want to use, you can change Windows to use that time server. I will now change to my Windows Server 2008 PDC emulator to show you how to do that.

From my Windows 2008 server, I will first open Internet Explorer and open KB262680. Microsoft does not keep a list of external time servers but this page does have links to another web site that does.
About half way down the article you can see the link for stratum one time servers and below that the link for stratum two time servers. In my case I will select the link for stratum two web sites. This list has a time server that is very close to where I am. Due to the ever increasing load on stratum 1 time servers, they ask that you use stratum 2 servers where possible, as there are more of them and there is generally less load on them.
When I select the link I get an error with the site's certificate. It was not issued by a trusted authority, which essentially means the page cannot be verified as being from that site. It is up to you if you understand the risks and want to continue.
On the web site it is a matter of selecting a time server that is close to you. In my case my ISP has a time server so I will select this one. Make sure that you check the access is open access. If it is listed as restricted access you will not be able to use it.

Now that I have the time server that I want to use, I need to configure Windows Server 2008 to use it. To do this, open a command prompt. From the command prompt run the command w32tm. This is used to configure the Windows Time service.

The first parameter you want to add is slash config, to indicate you want to make configuration changes. After this you need to add the time server here. This is done with the parameter slash manualpeerlist colon and then the time server. I will only add one time server here, but for redundancy you could always add multiple time servers if you wanted to.

The next parameter is slash syncfromflags colon manual. This tells the time server to use the manual entry that has been put in. By default Windows will attempt to sync from the domain. You need at least one computer to sync its time from an external time source. You could configure all your computers to sync off an external time source by using this command, but this is considered to be bad time server etiquette. In most organizations having one or two servers syncing off an external time source is enough to keep your organization's time in sync. The second server is usually a domain controller that is the standby PDC emulator in case the first one needs to go offline for an extended period.

The next parameter, slash reliable colon yes, tells Windows to consider this external time server as a reliable time server, that is, that this time server's time is accurate. The last parameter, slash update, tells the Windows Time service to attempt to update its time from this server straight away. Once you launch the command, Windows will start syncing off this external time server and update its time from the server immediately. If you want to ensure the process worked correctly, open the event viewer and check for any time related errors.
That's it for configuring an external time server. In the next video I will look at domain functional levels. The domain functional level determines what features are available in your domain. The higher the domain functional level, the more features. The downside is that older operating systems like Windows 2000 and 2003 will not be able to be used as domain controllers, depending on how high you set the domain functional level.

This is only one of the free videos for the 70-640 course provided by IT Free Training. For the rest of the course please see our web page or YouTube channel. Thanks for watching.
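The w32tm procedure the video walks through, written out as an added PowerShell script with the verification steps scripted instead of done by hand in Event Viewer. This is not code from the video or from IT Free Training; the server names time1.example.invalid and time2.example.invalid are placeholders for the open-access servers you chose, and the ",0x8" peer flag (NTP client mode) is an addition beyond what the video types.

```powershell
# Added example, not from the video: configure the PDC emulator to sync from an
# external NTP source, then confirm it worked. Run from an elevated prompt on the
# domain controller holding the PDC emulator role.
# Placeholders: replace both example.invalid names with your chosen servers.
$Peers = 'time1.example.invalid,0x8 time2.example.invalid,0x8'   # ,0x8 = NTP client mode

# 1. Measure the offset before trusting the peer: Kerberos tolerates a 5 minute
#    skew by default, so a source that is already minutes off is not "reliable".
w32tm /stripchart /computer:time1.example.invalid /samples:5 /dataonly

# 2. The command from the video: manual peer list, sync from that list,
#    advertise as reliable, and update the service immediately.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update

# 3. Force a sync now and show the source the service actually picked.
w32tm /resync
w32tm /query /source
w32tm /query /status

# 4. Same check as "open Event Viewer and look for time errors", scripted.
#    The Windows Time service logs to the System log. 35 = now synchronising
#    with the source, 37 = receiving valid time data, 47 = no valid response
#    from the manually configured peer (the error you want to catch).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    StartTime    = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue |
    Where-Object { @(35, 37, 47) -contains $_.Id } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If step 4 shows event 47 and no 37, the peer is unreachable or restricted, which matches the video's warning to check that the server you picked is listed as open access.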