JSI Tip 8583. Configuring the Windows Time service against a large time offset.

Microsoft Knowledge Base Article 884776 contains the following introduction:

Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the Time Service tool is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time. To make sure that there is appropriate common time usage, the Time Service uses a hierarchical relationship that controls authority. Also, the Time Service does not permit loops. By default, Windows-based computers use the following hierarchy:
  • All client desktop computers nominate the authenticating domain controller as their inbound time partner.
  • All member servers follow the same process that client desktop computers follow.
  • All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their inbound time partner.
  • All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner.

In this hierarchy, the PDC operations master at the root of the forest becomes the authoritative time server for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you lower your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy to your domain.
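
To check the current time correction settings on a machine before lowering them, the following added example (not part of the tip or the Microsoft article) reads the W32Time registry configuration and flags limits that are unset, unlimited, or above a threshold you choose. The value names `MaxPosPhaseCorrection` and `MaxNegPhaseCorrection` are W32Time's own but do not appear in the text above; the function name `Test-W32TimeCorrectionLimit` and the `-MaxAllowedSeconds` threshold are hypothetical.

```powershell
# Added example: audit the W32Time phase-correction limits on the local machine.
function Test-W32TimeCorrectionLimit {
    [CmdletBinding()]
    param(
        # Largest correction (in seconds) your policy accepts. Caller-chosen;
        # this is an assumption, not a figure taken from the article.
        [Parameter(Mandatory)][uint32]$MaxAllowedSeconds,
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    )

    $config = Get-ItemProperty -Path "$ServiceKey\Config" -ErrorAction Stop
    $params = Get-ItemProperty -Path "$ServiceKey\Parameters" -ErrorAction Stop

    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $raw = $config.$name
        $seconds = $null
        if ($null -eq $raw) {
            $status = 'NotSet'
        }
        else {
            # A REG_DWORD of 0xFFFFFFFF can surface as -1 (signed) or 4294967295
            # (unsigned) depending on how it is read, so normalise to UInt32.
            $seconds = [uint32]([int64]$raw -band 4294967295)
            if ($seconds -eq [uint32]::MaxValue) {
                $status = 'Unlimited'      # any offset, however large, is accepted
            }
            elseif ($seconds -gt $MaxAllowedSeconds) {
                $status = 'AboveLimit'
            }
            else {
                $status = 'OK'
            }
        }

        [pscustomobject]@{
            Setting   = $name
            Seconds   = $seconds
            Status    = $status
            SyncType  = $params.Type        # NT5DS = domain hierarchy, NTP = manual peers
            NtpServer = $params.NtpServer   # only meaningful when SyncType is NTP
        }
    }
}

# Example call with a one-hour policy limit (constructed value):
# Test-W32TimeCorrectionLimit -MaxAllowedSeconds 3600 | Format-Table
```

A `SyncType` of `NTP` on the forest-root PDC operations master together with an `Unlimited` status is the combination the recommendation above is aimed at: an unauthenticated external source whose time is accepted regardless of offset.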
