Synchronize time throughout your entire Windows network

Tags: NETWORKING, Michael Mullins CCNA, MCP, time source, network, domain controller, Microsoft Windows, Security Solutions Newsletter

Takeaway: Properly synchronizing your network with a consistent and accurate time source is very important. However, it's not enough to simply synchronize the time on your network devices—this effort should extend all the way to the desktop. In this edition of Security Solutions, Mike Mullins discusses how to synchronize time throughout an entire Windows network.

Last time, I discussed the importance of synchronizing the time on your network and devices, and I explained why accurate time is even more important for security logs ("Make sure security logs exhibit accurate time with NTP"). In the article, I reviewed the different types of timing sources and looked at methods you can use to coordinate the time on your network security devices.

However, it's not enough to simply synchronize the time on your network devices—this effort should extend all the way to the desktop. Applying a single, consistent time source throughout your network can boost both network efficiency and security.

Synchronizing time on your Windows domain requires following the Active Directory domain hierarchy to find a reliable time source for your entire domain. In a Windows Server 2003 Active Directory forest, the server that holds the primary domain controller (PDC) emulator role acts as the default time source for your entire network.

Each workstation and server in this network will try to locate a time source for synchronization. Using an internal algorithm designed to reduce network traffic, systems will make up to six attempts to find a time source. Here's a look at the order of these attempts:

  • Parent domain controller (on-site)
  • Local domain controller (on-site)
  • Local PDC emulator (on-site)
  • Parent domain controller (off-site)
  • Local domain controller (off-site)
  • Local PDC emulator (off-site)

To ensure that your servers are finding the proper time, you must configure your PDC emulator to receive the time from a valid and accurate time source. To configure this role, follow these steps:

  1. Log on to the domain controller.
  2. Enter the following at the command line:

     W32tm /config /manualpeerlist:<timeserver> /syncfromflags:manual

     <timeserver> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple time servers, enclose the list in quotation marks.

  3. Update the Windows Time Service configuration. At the command line, you can either enter W32tm /config /update, or you can enter the following:

     Net stop w32time
     Net start w32time

If a system isn't a member of a domain, you must manually configure it to synchronize with a specified time source. Follow these steps:

  1. Go to Start | Control Panel, and double-click Date And Time.
  2. On the Internet Time tab, select a time server from the drop-down list, or enter the DNS name of your network's internal time source.
  3. Click Update Now, click Apply, and click OK.

Note: It's important to make sure that any access control lists on your network allow UDP port 123 to and from systems to the selected time source. For more information, see Microsoft's Windows Time Service Tools and Settings documentation.
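
The PDC emulator steps and the UDP port 123 note above, combined into one check-and-configure script. This is an added example, not part of the original article: the peer names are placeholders, and the read-back assumes the standard W32Time Parameters registry key.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on the domain controller that holds the PDC emulator role.
# The peer names below are placeholders; substitute your own time sources.
$Peers = @('time1.example.com', 'time2.example.com')

# 1. Confirm each source answers on UDP 123 before pointing the domain at it.
#    A blocked ACL or an unresolvable name shows up as "error" lines in the
#    stripchart output instead of time offsets.
$reachable = @()
foreach ($peer in $Peers) {
    $out = w32tm /stripchart /computer:$peer /samples:3 /dataonly
    $out                                   # keep the raw samples for review
    if ($out -match 'error') {
        Write-Warning "$peer did not answer; check ACLs for UDP port 123"
    } else {
        $reachable += $peer
    }
}
if ($reachable.Count -eq 0) {
    throw 'No time source reachable; configuration left unchanged.'
}

# 2. Apply the article's command using only the sources that answered.
#    The list is space-delimited and passed as a single quoted argument.
w32tm /config "/manualpeerlist:$($reachable -join ' ')" /syncfromflags:manual
w32tm /config /update

# 3. Read the setting back. With /syncfromflags:manual, Type should read NTP
#    and NtpServer should hold the peer list that was just applied.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
    Select-Object Type, NtpServer

# 4. Force a resynchronization, then list the time offset of every domain
#    controller in the domain so drift is visible at a glance.
w32tm /resync /rediscover
w32tm /monitor
```

Keep the output of the final step with your change records; a domain controller that reports a large offset there will also be stamping its security logs with the wrong time.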

Final thoughts

Properly synchronizing your network with a consistent and accurate time source will pay big dividends when it comes down to tracking anomalies and security problems within your network. Setting and distributing the accurate time for your network is an easy process—you just need to find the time to do it.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
