From Microsoft KB

How to Configure an Authoritative Time Server in Windows (Q216734)
--------------------------------------------------------------------------------
The information in this article applies to:

Microsoft Windows 2000 , Server
Microsoft Windows 2000 , Professional
Microsoft Windows 2000 , Advanced Server
Microsoft Windows 2000 , Datacenter Server
--------------------------------------------------------------------------------
For a Microsoft Windows XP version of this article, see Q314054.

SUMMARY

This article describes how to configure an authoritative time server in Windows.

MORE INFORMATION

Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 or later in an organization use a common time. The Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

Windows-based computers use the following hierarchy by default:

  • All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
  • All member servers follow the same process as client desktop computers.
  • All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
  • All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

Following this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization, and you should configure the PDC operations master to gather the time from an external source. This is logged in the System event log on the computer as event ID 62. Administrators can configure the Time service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command, where server_list is the server list:



The if you need to check what is the current config, use the following command :



There are several SNTP time servers that are satisfactory for this function, for example:

USA
  ntp2.usno.navy.mil at 192.5.41.209
  tock.usno.navy.mil at 192.5.41.41

Europe
  ntp.univ-lyon1.fr at 134.214.100.6

Other SNTP Servers

After you set the SNTP time server as authoritative, run the following command on a computer other than the domain controller to reset the local computer's time against the authoritative time server:



More information about the net time command is available at a command prompt if you type the following command:



SNTP defaults to using User Datagram Protocol (UDP) port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

NOTE : Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.


Basic Operation of the Windows Time Service (Q224799)

--------------------------------------------------------------------------------
The information in this article applies to:

Microsoft Windows 2000 , Server
Microsoft Windows 2000 , Professional
--------------------------------------------------------------------------------

SUMMARY

Windows 2000 uses a new time synchronization service to synchronize the date and time of computers running on a Windows 2000-based network. Synchronized time is critical in Window 2000 because the default authentication protocol (MIT Kerberos version 5) uses workstation time as part of the authentication ticket generation process.
The information in this article applies to Windows 2000 clients when they belong to a Windows 2000 Active Directory Domain. If the Windows 2000 clients belong to a workgroup, you must manually configure the time synchronization settings.

MORE INFORMATION

The Windows Time Synchronization service (W32Time) is a fully compliant implementation of the Simple Network Time Protocol (SNTP) as detailed in IETF RFC 1769.

Basic Operation

Client Boot
No client boot-specific information.
Polling Loop
The client contacts an authenticating domain controller.
Packets are exchanged to determine the latency of communication between the two computers.
W32Time determines what current time should be converged to locally, (the "target" time).
The client adjusts the local time.
If the target time is ahead of local time, local time is immediately set to the target time.
If the target time is behind local time, the local clock is slowed (slewed) until the two times are aligned, unless local time is more than 3 minutes out of synchronization, in which case the time is immediately set.
The time server client performs periodic checks.
The client connects to the authenticating domain controller once each "period."
The initial default period is 45 minutes.
If the time synchronization attempt is successful three consecutive times, then the interval check period is increased to 8 hours. If it is not successful three consecutive times, then it is reset to 45 minutes.

Time Convergence Hierarchy
All client desktops select an authenticating domain controller (the domain controller returned by DSGetDCName()) as their time source. If this domain controller becomes unavailable, the client re-issues its request for a domain controller.
All member servers follow the same process.
All domain controllers in a domain make 3 queries for a DC:
a reliable time service (preferred) in the parent domain,
a reliable time service (required) in the current domain,
the PDC of the current domain.
it will select one of these returned DCs as a time source.
The PDC FSMO at the root of the forest is authoritative, and can be manually set to synchronize with an outside time source (such as the United States Naval Observatory).