Recipe 3.13 Configuring a Domain Controller to Use an External Time Source
3.13.1 Problem
You want to set the reliable time source for a domain controller.
3.13.2 Solution
3.13.2.1 Using a command-line interface
Run the following commands from the command line on a domain controller:
> net time /setsntp:<TimeServerNameOrIP>
> net stop w32time
> net start w32time
3.13.2.2 Using VBScript
' This code configures a reliable time source on a domain controller
' ------ SCRIPT CONFIGURATION ------
strPDC = "<DomainControllerName>" ' e.g. dc01.rallencorp.com
strTimeServer = "<TimeServerNameOrIP>" ' e.g. ntp01.rallencorp.com
' ------ END CONFIGURATION ---------
strTimeServerReg = "SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
const HKLM = &H80000002
set objReg = GetObject("winmgmts:\\" & strPDC & "\root\default:StdRegProv")
objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
WScript.Echo "Current Value: " & strCurrentServer
objReg.SetStringValue HKLM, strTimeServerReg, "ntpserver", strTimeServer
objReg.SetStringValue HKLM, strTimeServerReg, "type", "NTP"
strCurrentServer = ""
objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
WScript.Echo "New Value: " & strCurrentServer
' Restart Time Service
set objService = GetObject("winmgmts://" & strPDC & _
"/root/cimv2:Win32_Service='W32Time'")
WScript.Echo "Stopping " & objService.Name
objService.StopService( )
Wscript.Sleep 2000 ' Sleep for 2 seconds to give service time to stop
WScript.Echo "Starting " & objService.Name
objService.StartService( )
3.13.3 Discussion
You need to set a reliable time source on the PDC Emulator FSMO for
only the forest root domain. All other domain controllers sync their
time either from that server or from a PDC (or designated time
server) within their own domain. The list of external time servers is
stored in the registry under the W32Time Service registry key in the
following location:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ntpserver.
If you want a domain controller, such as the PDC, to use an external
time source, you have to set the ntpserver registry value along with
the type value. The default value for type on a domain controller is
Nt5DS, which means that the domain controller will use the Active
Directory domain hierarchy to find a time source. You can override
this behavior and have a domain controller contact a non-DC time
source by setting type to NTP. In the CLI example, the /setsntp
switch automatically sets the type value to NTP. In the VBScript
solution, I had to set it in the code.
After setting the time server, the W32Time service should be
restarted for the change to take effect. You can check that the
server was set properly by running the following command:
> net time /querysntp
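The ntpserver and type values can also be checked together, since a server list has no effect unless type is NTP. The following PowerShell is an added example, not code from the original recipe; the function name Test-W32TimeSource and its parameters are hypothetical, and the sample inputs are constructed.

```powershell
# Added example; Test-W32TimeSource and its parameters are hypothetical names.
function Test-W32TimeSource {
    param(
        [string]$Type,       # data of the "type" registry value
        [string]$NtpServer   # data of the "ntpserver" registry value
    )
    # ntpserver may hold several space-separated hosts; drop empty tokens.
    $servers = @($NtpServer -split '\s+' | Where-Object { $_ })
    switch ($Type) {         # string matching in switch is case-insensitive
        'NTP' {
            if ($servers.Count -eq 0) {
                $status = 'Misconfigured'
                $detail = 'type is NTP but ntpserver is empty'
            } else {
                $status = 'External'
                $detail = 'external source: ' + ($servers -join ', ')
            }
        }
        'Nt5DS' {
            $status = 'DomainHierarchy'
            $detail = 'time source is found through the domain hierarchy'
            if ($servers.Count -gt 0) {
                $detail += '; ntpserver is set but not used while type is Nt5DS'
            }
        }
        default {
            $status = 'Unknown'
            $detail = "type '$Type' is neither NTP nor Nt5DS"
        }
    }
    [pscustomobject]@{ Type = $Type; Status = $status; Detail = $detail }
}

# Constructed sample data (not read from a real server).
Test-W32TimeSource -Type 'NTP'   -NtpServer 'ntp01.rallencorp.com'
Test-W32TimeSource -Type 'Nt5DS' -NtpServer 'ntp01.rallencorp.com'
Test-W32TimeSource -Type 'NTP'   -NtpServer ''

# On a domain controller, check the live values under the key named above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    Test-W32TimeSource -Type $p.Type -NtpServer $p.NtpServer
}
```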
Since the PDC Emulator is the time source for the other domain
controllers, you should also make sure that it is advertising the
time service, which you can do with the following command:
> nltest /server:<DomainControllerName> /dsgetdc:<DomainDNSName> /TIMESERV
3.13.4 See Also
MS KB 216734 (How to Configure an Authoritative Time Server in
Windows 2000), MS KB 223184 (Registry Entries for the W32Time
Service), MS KB 224799 (Basic Operation of the Windows Time Service),
MSDN: StdRegProv, and MSDN: Win32_Service