Monitor NTP time server using ActiveXperts

Figure 1: ActiveXperts Network Monitor NTP Check


ActiveXperts solution to monitor NTP servers

Commercial organizations today rely on networks of computers, all of which have clocks that are the source of time for the files or operations they handle. Most of these organizations use a time server to ensure accurate time settings. NTP is the protocol used to synchronize time between workstations, servers, and external time sources. ActiveXperts Network Monitor also uses NTP to check the availability of internal and external time sources.

An NTP check takes the following parameters:

  • Time Server - Hostname or IP address of the time server;

Configuring and administering the Windows Time service

Windows 2000 includes the Windows Time service (W32Time), which you can use to make sure that all Windows XP and Win2K computers on your network run on the same time. W32Time synchronizes a computer you designate as an authoritative time server with an outside time source, then synchronizes all computers on your network to that time server. Let's examine W32Time and discuss how to configure and administer the service on your network.

If you choose not to use W32Time on your network, you might not notice any obvious consequences. However, several features and processes depend on accurate and synchronized timestamps. Kerberos, for example, requires timestamps as part of the authentication ticket generation process. By default, Kerberos authentication fails if the clock time of the client computer and the authenticating domain controller (DC) are more than 5 minutes apart. This interval is called the Maximum Tolerance for Synchronization of Computer Clocks. You can use Group Policy to change this value, but doing so can weaken security on your network.

Replication processes on the network also depend on accurate timestamps as they determine whether to replicate data. In fact, if the time difference between two DCs is greater than the Kerberos Maximum Tolerance for Synchronization of Computer Clocks, authentication between DCs fails, and that failure causes DC data replications to fail. Just as important, computers with different times can wreak havoc on data file writes. And inaccurate timestamps can compromise functions such as synchronizing offline files, entering database data, and working with collaborative documents.

Setting Up an Authoritative Time Server

The authoritative time server is a DC that checks its time against an outside clock deemed to be extremely accurate. If you have multiple DCs in a domain, the authoritative time server is the DC that serves as the Flexible Single-Master Operation (FSMO) PDC emulator. By default, the FSMO PDC emulator is the first DC that you install in a domain. If you have multiple domains (i.e., a forest), the FSMO PDC emulator of the first domain you created in the forest is the authoritative time server for the forest.

You must supply the URL or IP address of the authoritative external clock by entering the following command on the DC that serves as the authoritative time server:

net time /setsntp:(server_address or server_list)

The target external server must be a Simple Network Time Protocol (SNTP) time server, and UDP port 123 must be open to the Internet. If you provide a list of target external servers (i.e., so that if one external server isn't available, the system can try to contact another server), follow each address with a space and enclose the entire list in quotation marks, as in the following example:

net time /setsntp:"192.5.41.209 192.5.41.41"

When you run the net time /setsntp command, the system writes the results to the registry. Thereafter, your authoritative time server synchronizes its clock to the external source automatically. The system writes the registry entries to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters subkey.

If you use a list of multiple external Network Time Protocol (NTP) servers, use IP addresses instead of URLs. If you specify NTP servers by DNS name, a bug in Win2K causes the OS to attempt to connect to the first name on the list only, instead of trying each name. But if you use IP addresses, the OS attempts to connect to each IP address until it successfully connects with a server and synchronizes the time. (Win2K Service Pack 3 [SP3] corrects this problem.)

Using NTP with a Proxy Server

If W32Time runs behind a Microsoft Proxy Server system, the service might not be able to connect to the external NTP server. W32Time runs under the local system account on the internal server, but the proxy server generally uses the Access Control feature. You can resolve this problem in several ways:

  • Disable the Access Control feature for the Winsock proxy. To do so, open Microsoft IIS Manager from the Administrative Tools menu, open the Properties dialog box for the Winsock Proxy service, click the Permissions tab, then clear the Enable Access Control check box.
  • Set the time server to access the proxy server instead of the external server for its NTP server, then configure the proxy to point to the external server.
  • Use the Task Scheduler to schedule a batch file to run every day on the authoritative time server; include the following commands:

        net stop w32time
        w32tm -once
        net start w32time

The Hierarchical Search for an Accurate Time Source

XP and Win2K Professional workstations, Win2K member servers, and all DCs that aren't authoritative time servers automatically synchronize their clocks to an accurate DC on the network. W32Time uses a hierarchical method to synchronize the time throughout your network. This hierarchical synchronization effort assumes that you've established an authoritative time server. If the search for an accurate time source fails because you haven't established an authoritative time server, you'll find an abundance of error messages in the Event Viewers of your network computers (see the section "Common W32Time Errors" below for a description of these errors). The time service hierarchy has three levels:

  • Level 1: The authoritative time server
  • Level 2: Other DCs on the domain (if they exist) and other DCs across multiple domains in a forest (if they exist)
  • Level 3: Win2K member servers and XP and Win2K workstations

On Level 1, the authoritative time server searches the Internet for an accurate time source, attempting to access the external time servers you designated. You can have only one Level 1 computer, and only that computer can query an external time source. To verify that you configured this computer for the right external time source, type

net time /querysntp

at a command line. The system should return the Internet address of the external server you configured (or multiple Internet addresses if you entered a list of external time servers).

On Level 2, all DCs on your network search the parent domain (if you have a forest), then search the current domain to find the authoritative time server. When the DCs find the authoritative time server, they synchronize their clocks with it. The authoritative time server is the NTP server for the DCs.

On Level 3, computers synchronize their clocks with their authenticating DCs. The authenticating DC clock is deemed accurate because it's synchronized with the authoritative time server. The authenticating DC is the NTP server for Level 3 clients. Only XP and Win2K computers can perform this automatic synchronization.

The Time Synchronization Process

As computers join a domain during the logon process, the time service checks the time on an appropriate computer to determine the "target time." For Level 2 computers, the target time is the time on the authoritative time server. For all other computers, the target time is the time on the authenticating DC (a Level 2 computer). To adjust its local time to the target time, the local (client) computer takes the following steps:

  • If the target time is later than the local time, W32Time automatically sets the local time to the target time.
  • If the target time is 3 minutes or fewer earlier than the local time, W32Time slews (the time service jargon for "slows") the local clock until the times match. If the local time is more than 3 minutes ahead of the target time, W32Time automatically resets the local time.

Alternatively, you can synchronize clocks manually for any XP or Win2K computer on the network (except the authoritative time server) by typing

net time /set

at a command line.

Time synchronization isn't only a startup process. XP and Win2K computers synchronize clocks periodically. By default, client computers connect to their time source computers once each "period," as follows:

  • The initial period is 45 minutes.
  • If the time synchronization process is successful three consecutive times, the period becomes 8 hours.
  • If time synchronization isn't successful for three consecutive attempts, the period becomes 45 minutes and the process of defining the period starts over.

Using the net time /set command to synchronize clocks manually has no effect on the successful synchronization count.
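The three adjustment rules and the polling-period back-off described above can be modelled as a small state machine, which also makes it easy to ask the question a domain administrator cares about: how far a drifting clock can wander between polls before it trips the Kerberos 5-minute tolerance mentioned earlier. The following Python is an added example, not W32Time code or anything from the article; the function and class names, the assumption that an 8-hour period survives one or two failures and is only reset by the third consecutive failure, and the drift model (a successful attempt fully corrects the clock before the next period) are mine.

```python
from enum import Enum

SLEW_THRESHOLD_SECONDS = 3 * 60        # local clock ahead by this much or less: slew instead of reset
INITIAL_PERIOD_MINUTES = 45
STEADY_PERIOD_MINUTES = 8 * 60
SUCCESSES_TO_LENGTHEN = 3
FAILURES_TO_RESET = 3
KERBEROS_TOLERANCE_SECONDS = 5 * 60    # default Maximum Tolerance for Synchronization of Computer Clocks


class Adjustment(Enum):
    SET = "set"      # jump the local clock to the target time
    SLEW = "slew"    # slow the local clock until the two match
    NONE = "none"    # clocks already agree


def choose_adjustment(local_time, target_time):
    """Apply the article's rules to a local and a target Unix timestamp (seconds)."""
    ahead_by = local_time - target_time
    if ahead_by < 0:                        # target later than local: set immediately
        return Adjustment.SET
    if ahead_by == 0:
        return Adjustment.NONE
    if ahead_by <= SLEW_THRESHOLD_SECONDS:  # ahead by 3 minutes or fewer: slew
        return Adjustment.SLEW
    return Adjustment.SET                   # ahead by more than 3 minutes: reset


class SyncSchedule:
    """Tracks consecutive outcomes and the resulting polling period (minutes)."""

    def __init__(self):
        self.period = INITIAL_PERIOD_MINUTES
        self.successes = 0
        self.failures = 0

    def record(self, success):
        """Record one automatic synchronization attempt; return the period before the next one."""
        if success:
            self.successes += 1
            self.failures = 0
            if self.successes >= SUCCESSES_TO_LENGTHEN:
                self.period = STEADY_PERIOD_MINUTES
        else:
            self.failures += 1
            self.successes = 0
            # Assumption: the 8-hour period survives one or two failures; only the third resets it.
            if self.failures >= FAILURES_TO_RESET:
                self.period = INITIAL_PERIOD_MINUTES
                self.failures = 0
        return self.period

    def manual_set(self):
        """'net time /set' leaves the success count untouched, so the period is unchanged."""
        return self.period


def periods_for(outcomes):
    """Periods chosen after each outcome in the list (True = successful sync)."""
    sched = SyncSchedule()
    return [sched.record(ok) for ok in outcomes]


def worst_error(drift_seconds_per_hour, outcomes):
    """Largest clock error reached just before a sync attempt, for a clock drifting at a steady rate.

    Assumes (my simplification) that a successful attempt fully corrects the clock before the next wait.
    """
    sched = SyncSchedule()
    error = 0.0
    worst = 0.0
    for ok in outcomes:
        error += drift_seconds_per_hour * sched.period / 60.0   # drift accumulated while waiting
        worst = max(worst, abs(error))
        if ok:
            error = 0.0
        sched.record(ok)
    return worst


def breaks_kerberos(drift_seconds_per_hour, outcomes):
    """True if the drift would exceed the default Kerberos clock tolerance between polls."""
    return worst_error(drift_seconds_per_hour, outcomes) > KERBEROS_TOLERANCE_SECONDS


if __name__ == "__main__":
    print(periods_for([True, True, True, False, False, False, True]))
    print(worst_error(2.0, [True] * 4), breaks_kerberos(40.0, [True] * 4))
```

The last two functions show why the 8-hour steady-state period matters: a clock that drifts 2 seconds per hour is at most 16 seconds off before a poll, but one that drifts 40 seconds per hour reaches 320 seconds, beyond the 5-minute Kerberos tolerance, so such a machine would intermittently fail authentication even though W32Time is working as designed.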

Synchronizing NT 4.0 and Win9x Clients

If you have Windows NT 4.0 or Windows 9x clients on your network, you must synchronize their clocks manually. Type

net time \\ComputerName /set /yes

at a command line, where ComputerName is the name of a computer within the domain that you believe has an accurate clock. Because the W32Time service doesn't run on NT 4.0 and Win9x computers, no automated periodic synchronization occurs. You can put the command in a batch file and place a shortcut to the batch file in the Startup folder to synchronize time every time the computer starts up; or, you can place a shortcut to the command on the desktop and let users synchronize time at will.

Common W32Time Errors

W32Time error messages appear in the Event Viewer's System log with the source W32Time (click the Source column heading to sort the log by source). Many of the events that the time service records are Informational, but if you see a Warning event, you should try to fix the problem.

If you don't configure an authoritative time server, the first DC in your domain (or in the first domain, if you have a forest) will record the following event in its System log: This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command, 'net time /setsntp:'.

If the authoritative time server isn't available and you experience DC replication problems, you might not realize that the problem lies with the time service. W32Time doesn't generate error messages in the System log when hosts become unavailable, which is an oversight that I hope Microsoft will correct in future versions of Windows. However, if you see the error message The RPC server is unavailable, a time synchronization failure is the likely source.

If an XP or Win2K client can't find a DC for authentication (most likely on small networks that have only one DC), the client can log on anyway because the system caches authentication credentials by default. However, the time synchronization process fails, which causes W32Time to log event ID 11 (The NTP Server didn't respond) in the System log.

Event ID 11 is a common Warning on the authoritative time server. If you see this warning often, reenter the net time /setsntp: command and change the Internet time server or add IP addresses for multiple NTP servers.

If your network is busy or if a computer is having a problem with a NIC or a cable, you might see a Warning event ID 64 in the System log. W32Time is the source of this event, but the problem isn't a W32Time problem. Nevertheless, this event might be the only clue you receive about a failing connection.
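A defender who exports the System log from several machines will want the symptoms described in this section (the unconfigured-PDC message, event ID 11, event ID 64, and the "RPC server is unavailable" message that often hides a time-sync failure) triaged automatically rather than by sorting the Source column by hand. The Python below is an added example, not ActiveXperts or Microsoft tooling. The CSV export format, the sample log lines, the event IDs other than 11 and 64, the source name on the replication row, and the "frequent" threshold (three ID 11 warnings on one host within 24 hours) are constructed assumptions; the remediation text for each finding follows the article's own advice.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Meaning of the two W32Time event IDs the article discusses.
W32TIME_EVENTS = {
    11: "NTP server didn't respond (time source unreachable)",
    64: "connectivity problem (busy network, NIC or cable), surfaced through W32Time",
}
RPC_UNAVAILABLE = "The RPC server is unavailable"
PDC_UNCONFIGURED = "This Machine is a PDC of the domain at the root of the forest"
# Assumed alert threshold: this many ID 11 warnings on one host inside the window.
FREQUENT_COUNT = 3
FREQUENT_WINDOW = timedelta(hours=24)

# Constructed System-log export (time,host,source,level,event_id,message). IDs 11 and 64 are the
# ones the article names; the other IDs, the replication source name and most wording are placeholders.
SAMPLE_LOG = """time,host,source,level,event_id,message
2003-03-01 07:00:00,DC1,W32Time,Warning,9001,This Machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command
2003-03-01 08:00:00,DC1,W32Time,Warning,11,The NTP Server didn't respond
2003-03-01 09:00:00,DC1,W32Time,Information,9002,Time synchronized (placeholder event)
2003-03-01 10:15:00,WS42,W32Time,Warning,64,The time service could not reach its time source (placeholder wording)
2003-03-01 10:20:00,DC2,NTDS Replication,Error,9003,The RPC server is unavailable
2003-03-01 16:00:00,DC1,W32Time,Warning,11,The NTP Server didn't respond
2003-03-02 00:00:00,DC1,W32Time,Warning,11,The NTP Server didn't respond
"""


def parse_system_log(text):
    """Parse the CSV export into dicts with typed time and event_id fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def triage(rows):
    """Return {host: [finding, ...]}, one finding per symptom the article tells you to act on."""
    findings = defaultdict(list)
    id11_times = defaultdict(list)
    for r in rows:
        if r["source"] == "W32Time":
            if PDC_UNCONFIGURED in r["message"]:
                findings[r["host"]].append("no authoritative time server: run net time /setsntp: on this PDC emulator")
            if r["level"] == "Warning" and r["event_id"] in W32TIME_EVENTS:
                findings[r["host"]].append("event %d: %s" % (r["event_id"], W32TIME_EVENTS[r["event_id"]]))
            if r["event_id"] == 11:
                id11_times[r["host"]].append(r["time"])
        elif RPC_UNAVAILABLE in r["message"]:
            # Not a W32Time event, but the article says a time-sync failure is the likely cause.
            findings[r["host"]].append("RPC server unavailable: check time synchronization before replication")
    for host, times in id11_times.items():
        times.sort()
        # Sliding window: FREQUENT_COUNT warnings whose first and last lie within FREQUENT_WINDOW.
        for i in range(len(times) - FREQUENT_COUNT + 1):
            if times[i + FREQUENT_COUNT - 1] - times[i] <= FREQUENT_WINDOW:
                findings[host].append("event 11 repeats: change the external time server or add IP addresses of several NTP servers")
                break
    return dict(findings)


def demo():
    """Triage the constructed sample log."""
    return triage(parse_system_log(SAMPLE_LOG))


if __name__ == "__main__":
    for host, items in demo().items():
        print(host)
        for item in items:
            print("  -", item)
```

Running it on the sample shows DC1 flagged both for the missing /setsntp configuration and for repeating event 11, WS42 for the event 64 connectivity warning, and DC2 for an RPC failure that should be investigated as a time problem first.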


Locating Time Servers

When you synchronize your authoritative time server with an external Network Time Protocol (NTP) time server, Windows translates the time to your time zone and makes adjustments for Daylight Saving Time. In addition, the OS fine-tunes the time to account for any delay that occurred while it received the information over the Internet.

Time servers, which are available around the world, are maintained in a hierarchy. Primary (stratum 1) servers are the most accurate, but secondary (stratum 2) servers are generally either synchronized perfectly with stratum 1 servers or are only slightly off the clock ticks of the stratum 1 servers. The difference, a matter of a few nanoseconds, certainly won't create a problem for the network features that use Windows time services. Because stratum 1 time servers are very busy and can time out, you should select stratum 2 servers as your external NTP servers.
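The check that a monitor such as the ActiveXperts NTP check performs against its Time Server parameter, the round-trip delay compensation mentioned under "Locating Time Servers", and the stratum hierarchy just described all come together in a minimal SNTP client: send a mode 3 request over UDP/123, read back the three server timestamps, compute offset and delay, then judge the reply. The following Python is an added example and not ActiveXperts or Microsoft code. The 48-byte packet layout and the offset/delay formulas follow RFC 4330; the Kerberos 5-minute tolerance from the article is reused as the offset alarm limit; the maximum-stratum default, the function names, and the constructed test scenario (server 2.0 s ahead, 0.1 s one-way delay, 0.05 s server processing) are my assumptions.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# Kerberos' default clock tolerance (5 minutes), used here as the alarm threshold.
MAX_OFFSET_SECONDS = 300.0
# Wire layout of a 48-byte SNTP packet (RFC 4330): flags, stratum, poll, precision,
# root delay, root dispersion, reference id, then four 64-bit timestamps.
PACKET_FORMAT = "!BBBbIIIQQQQ"


def to_ntp_timestamp(unix_seconds):
    """Convert a Unix time to the 64-bit NTP fixed-point (32.32) format."""
    whole = int(unix_seconds)
    fraction = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | fraction


def from_ntp_timestamp(ntp_ts):
    """Convert a 64-bit NTP timestamp back to Unix seconds (float)."""
    return ((ntp_ts >> 32) - NTP_EPOCH_OFFSET) + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def build_sntp_request(t1_unix):
    """Client request: LI=0, VN=4, Mode=3; our send time goes in the Transmit Timestamp field."""
    return struct.pack(PACKET_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_timestamp(t1_unix))


def parse_sntp_response(packet, t4_unix):
    """Decode a server reply and compute clock offset and round-trip delay (RFC 4330 section 5)."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    fields = struct.unpack(PACKET_FORMAT, packet[:48])
    flags = fields[0]
    t1 = from_ntp_timestamp(fields[8])   # Originate: our request's transmit time, echoed back
    t2 = from_ntp_timestamp(fields[9])   # Receive: when the server got the request
    t3 = from_ntp_timestamp(fields[10])  # Transmit: when the server sent the reply
    t4 = t4_unix                         # when we received the reply, on our own clock
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": fields[1],
        "offset": ((t2 - t1) + (t3 - t4)) / 2,   # how far our clock is behind the server
        "delay": (t4 - t1) - (t3 - t2),          # network round trip, server processing excluded
    }


def check_time_server(reply, max_stratum=2):
    """Return (ok, reason) the way a monitoring check would report it."""
    if reply["mode"] != 4:
        return False, "not a server reply (mode %d)" % reply["mode"]
    if reply["stratum"] == 0:
        return False, "kiss-o'-death / unspecified stratum"
    if reply["leap"] == 3:
        return False, "server clock unsynchronized (LI=3)"
    if reply["stratum"] > max_stratum:
        return False, "stratum %d exceeds %d" % (reply["stratum"], max_stratum)
    if abs(reply["offset"]) > MAX_OFFSET_SECONDS:
        return False, "offset %.3fs exceeds Kerberos tolerance" % reply["offset"]
    return True, "stratum %d, offset %.3fs, delay %.3fs" % (reply["stratum"], reply["offset"], reply["delay"])


def build_sntp_response(t1_unix, t2_unix, t3_unix, stratum=2, leap=0):
    """Constructed server reply (mode 4) for offline testing; a real server also fills root delay etc."""
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack(PACKET_FORMAT, flags, stratum, 0, -20, 0, 0, 0,
                       to_ntp_timestamp(t2_unix), to_ntp_timestamp(t1_unix),
                       to_ntp_timestamp(t2_unix), to_ntp_timestamp(t3_unix))


def query_time_server(host, port=123, timeout=5.0):
    """Send one SNTP query over UDP/123 (the port the article says must be open) and evaluate the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_sntp_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return check_time_server(parse_sntp_response(data, t4))


def demo():
    """Constructed scenario: server 2.0 s ahead of us, 0.1 s one-way delay, 0.05 s server processing."""
    t1, t2, t3, t4 = 1000.0, 1002.1, 1002.15, 1000.25
    reply = parse_sntp_response(build_sntp_response(t1, t2, t3), t4)
    return reply, check_time_server(reply)


if __name__ == "__main__":
    print(demo())
```

The offline scenario recovers an offset of 2.0 s and a delay of 0.2 s: the symmetric-path assumption in the offset formula is exactly the "fine-tuning for Internet delay" the article describes, and it is also why a monitoring check should report delay alongside offset, since a large or asymmetric delay makes the offset estimate less trustworthy. `query_time_server("ntp2.usno.navy.mil")` runs the same logic against a live server.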

In the United States, the US Naval Observatory (USNO) maintains two popular external time servers: ntp2.usno.navy.mil (192.5.41.209) and tock.usno.navy.mil (192.5.41.41). In Canada, popular servers include clyde.concordia.ca (132.205.1.1), manitou.cs.concordia.ca (132.205.4.3), and xntp.ece.concordia.ca (132.205.2.1).


Time Server products

The NTP Time Servers supplied by Galleon provide accurate time as well as network security because they receive the time from either the GPS satellites or the Radio Atomic Clock in Colorado. This time is available without compromising your computer network's security: the servers receive the time off-air by radio signal or from satellites, so you can maintain your firewall and network security.
Visit their web site at www.galleon.eu.com.