Configuring a time source for the forest
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The first domain controller that you deploy in a domain holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role for the domain. By default, the domain controller that holds the PDC emulator master role in the forest root domain is the reliable time source at the top of the time-source domain hierarchy for the forest. As soon as you install the first domain controller in the forest, set the PDC emulator in the forest root domain to synchronize from a valid Network Time Protocol (NTP) source or from a hardware clock installed on the network. If no time source is configured on the PDC emulator or any other domain controller in the forest root domain, the PDC emulator advertises as a reliable time source and uses its internal clock as the source for forest synchronization. In this case, no manual configuration is required.
After initial deployment of your network, you typically reconfigure the time service on the PDC emulator in the forest root domain in only two situations:
You move the PDC emulator role to a different computer. In this case, you must configure the Windows Time service for the new PDC emulator master role holder and reconfigure the original PDC emulator master role holder to synchronize from the domain and not from an external or internal time source.
You change the time source for the PDC emulator. For example, you change from synchronizing with an external source to synchronizing with an internal hardware device.
In some environments, one or more domain controllers are configured to act as standby PDC emulator role holders. If the current PDC emulator fails or is otherwise unavailable, the role can quickly be transferred to the standby. If you anticipate moving the PDC emulator role and want to avoid reconfiguring the new and old PDC emulator every time the role is moved, you can configure a domain controller in the forest root domain that is not the PDC emulator as the reliable time source for the forest. In this way, the root of the time service stays the same and remains properly configured.
Make sure that the domain controller that you configure to be the forest time source is highly available and, if it is not the PDC emulator, that it does not hold other operations master roles that might need to be transferred.
Use the following recommendations for configuring the time source for the forest root domain, in this order of preference:
Install a hardware clock, such as a radio or Global Positioning System (GPS) device, as the time source for the forest root domain and configure Windows Time service (W32time) on the PDC emulator or other domain controller to synchronize with this device. Many consumer and enterprise devices are available that use NTP. You can install the device on an internal network and configure the PDC emulator to use it as its time source.
Hardware clocks have the following advantages:
More secure. You do not have to connect to the Internet.
Highest accuracy, although the accuracy level of NTP servers is as high as that of Windows Time Service (that is, the effect of the higher accuracy is not appreciated).
Hardware clocks have the following disadvantage:
- Expense and maintenance. You must purchase and install a hardware clock, whereas you can connect to a public time server at no cost and without hardware installation.
Configure the Windows Time service on the PDC emulator or other domain controller to synchronize with an external time server. Computer clocks synchronize with external time servers by using the NTP protocol over an IPnetwork. You can manually configure the PDC emulator in the forest root domain to synchronize with the external time source.
External time servers have the following advantages:
Low cost or no cost. Cost is usually limited to bandwidth.
Good accuracy. Although hardware clocks have the highest accuracy, the accuracy of a hardware clock can actually exceed the accuracy of Windows Time Service, so the comparison of accuracy is not relevant.
External time servers have the following disadvantage:
- Security risk. NTP synchronization with an external time source is not authenticated and is therefore less secure than if time is sourced from inside the network.
Many GPS receivers and other time devices can function as NTP servers on a network. You can configure your Active Directory forest to synchronize time from these external hardware devices only if they are also acting as NTP servers on your network. To do so, configure the domain controller functioning as the PDC emulator in your forest root to synchronize with the NTP server provided by the GPS device. To do so, see Configure the Windows Time service on the PDC emulator in the Forest Root Domain (https://go.microsoft.com/fwlink/?LinkId=91969).
If you are using an external time source, you can use the following sites to select an NTP server:
USNO NTP Network Time Servers (https://go.microsoft.com/fwlink/?LinkId=112036)
Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (https://go.microsoft.com/fwlink/?LinkId=112035)
If you choose to implement an NTP time synchronization product other than the Windows Time service, you must disable the Windows Time service on the forest root domain reliable time source. All NTP servers need access to UDP port 123. If the Windows Time service is running on a Windows Server 2003–based computer, port 123 will remain occupied for the Windows Time service.
The following tools are required to perform the procedures for this task:
Services snap-in if you need to disable the Windows Time service
Perform the following procedures as needed to configure a time source for your forest:
If you move the role of the PDC emulator to a new domain controller, Change the Windows Time service configuration on the previous PDC emulator.
If you are implementing a time synchronization product other than the Windows Time service in your environment that uses the NTP protocol, Disable the Windows Time service to free UDP port 123 on the network.