کد:
http://blogs.inetium.com/blogs/jdevries/archive/2006/04/29/87.aspx
Time synchronization is an almost invisible, but critical, task on your network. Windows 2000 and 2003 Active Directories will always attempt to use Kerberos to authenticate users from one computer or service to another. Kerberos relies on accurate time to prevent credential spoofing. If the two machines are more than five minutes apart in time, the receiving computer won't accept the Kerberos ticket as authentic. Time synchronization also allows logs from different servers and network devices to be compared and trusted as an accurate sequence of events. (Often used in security analysis.)
Getting the Windows Time Service to work correctly was something I struggled with for a long time. Since I haven't always followed a strict change management process (ahem) my experiments probably took me further from the solution. One of my new coworkers asked me about difficulty he was having, and it prompted me to fix things once and for all.
These are the key things to keep in mind:

  • Group policy is only used when you have an unusual configuration, such as using a non-Windows time server internally. A Cisco router would be a candidate for this role.
  • The domain controller with the PDC Emulator role is the root of your internal time infrastructure.
  • An NTP client application can help you diagnose networking issues.

To determine which domain controller holds the PDC role, open Active Directory Users and Computers. Right-click on the domain object in the left-hand pane, and select Operations Master. Click on the PDC tab - the dialog box will tell you which server you're looking for.
Windows Group Policy has a number of Time service settings you can manage. These policies are located at Computer Policy | Administrative Settings | System | Windows Time Service. To confirm that Group Policy configurations aren't interfering with your efforts, use the Group Policy Management Console to find any GPOs that modify any of these settings. If you find any, modify them this way:

  • The Global Configuration Settings GPO should be Not Configured.
  • Under Time Providers,
    • Enable Windows NTP Client should be Enabled
    • Configure Windows NTP Client should be Not Configured.
    • Enable Windows NTP Server can be disabled as long as this GPO does not apply to the PDC. You can manage this with GPO blocking or not applying the GPO above the PDC's computer object.


Log into the server with the PDC emulator role. Download the NISTIME application from here. This file is the actual executable, no installer required. Run the application, go to File | Select Server, and check the checkbox labelled "Using NTP Format" alongside the first timeserver listed. Click OK. Next, click Query Server and select Now. If you get an immediate response, your firewall is allowing Network Time Protocol (NTP) traffic to pass back and forth. If the application gives a "No response" error, look into issues with your firewall(s).
Next, you will configure the PDC emulator to use an external time source. Start a command prompt and enter the following: net time /setsntp:time.windows.com,0x1 The 0x1 parameter is needed if you enter the NTP server's name as a fully-qualified domain name. You can leave the comma and the parameter off if you enter an IP address. Note that using IP addresses is not a best practice as providers may change IPs on their servers and update the DNS entry without widely announcing the change.
Next, open a command prompt and enter w32tm /config /update. This too should return a result quickly. Compare the time on the computer clock with the results of the NISTIME application. When our systems are working, the time difference is generally under 2/100ths of a second.
As a final check of the servers, enter the w32tm /monitor from the command prompt. This command should list:

  • all the domain controllers
  • identify the PDC emulator
  • list the time differences between the PDC emulator and the computer running the w32tm command
  • list the source of each server's time. Your PDC emulator should list an external time source, while the other domain controllers should list the PDC emulator as their source.

Assuming the server is now retrieving time correctly, the final step is to make sure clients are updating correctly. If you made any changes to your Group Policy, run GPUPDATE from the command prompt to refresh your client's settings. Once that has completed, check the application event log on the computer and look for an event from SeCli stating that the security policy has been applied successfully. You can stop and start the time service by entering net stop w32time && net start w32time at the command prompt.
If the client settings are configured correctly, you can look in the System event log and find an event from source W32time stating that the time service is now synchronizing with time source {any domain controller.} You can also enter w32tm /resync at the command prompt.
If there are large adustments to be made to the client's clock, they will not be made abruptly. The computer will slow its clock to 1/4th to 1/2 the normal speed until the time is synchronized. The event in the System Log will be the immediately available sign that the updates are working



موضوعات مشابه: