The Kerberos authentication protocol requires that all Windows 2000 computers in your enterprise use a common time. The Windows Time service, W32Time, insures appropriate common time usage.
Windows 2000 computers use the following default time partner hierarchy:
1. Clients and member servers use the authenticating domain controller, %LOGONSERVER%.
2. Domain controllers nominate the PDC FSMO.
3. The PDC FSMO at the root of the forest is authoritative for the enterprise.
It should be configured to use the SNTP (Simple Network Time Protocol)
to recognize an external time source using:
net time /setsntp:<server list>
To use the U.S. Naval Observatory:
ntp2.usno.navy.mil at 220.127.116.11
tock.usno.navy.mil at 18.104.22.168
Example: net time /setsntp:22.214.171.124
NOTE: SNTP use port 123. See tip 2337.
NOTE: If you can not use an external time source, use the PDC FSMO at the root of the forest.
NOTE: You may have to restart the PDC FSMO.