How to Synchronize to an External Time Server 09/28/05

Copyright (c) 2005 Hedberg Data Systems, Inc. All rights reserved. This document is for informational
purposes only and should not be construed as a contract or commitment. Neither Hedberg Data Systems,
Inc. nor Steelcase Inc assumes any responsibility for any errors or omissions in this document or any
effects thereof. FaxSr is a copyright of Omtool. All rights reserved.
433BF6D9-4515-289F70
Table of Contents
Synchronizing to an External Time Server
  Overview
  Internet Time Servers
  Configure Your Firewall
  Synchronizing a computer to an External Time source
Synchronizing to an External Time Server
This document describes how to synchronize your network or an individual computer to an external time
server source.
Overview
When computers on your network need to interact securely with computers on other networks over the
Internet, the computer time can play an important role. Ensuring that computers are synchronized in time
is one of the mechanisms used to secure the transaction. Hedberg Web Services (HWS) uses this
security model and requires that the HWS server be synchronized with the partner computers it
communicates with. Fortunately, this is easy to do with the built-in features of Windows 2000 and higher.
Depending on your infrastructure, there are two ways to synchronize to an external time source. Pick the
option that matches your environment.
• If you are in a Windows 2000 or Windows 2003 Active Directory environment:
You need to synchronize your primary domain controller to the external time source. In Active
Directory domains, all of your servers and desktops automatically synchronize to the primary
domain controller. By synchronizing that server to an external source, all other computers on
your network will become synchronized (assuming that they are running Windows 2000 or
higher). The definition of “primary” domain controller in an Active Directory environment is the
first domain controller that you installed or promoted from Windows NT.
• If you are in a Windows NT domain or in a workgroup:
You need to synchronize individual computers to the external time source since there is no single
internal source that they synchronize to. For HWS, you would synchronize the Hedberg Web
Services server to the external source directly. It is important that you synchronize the HWS
server with an external time source only if you are not in an Active Directory environment.
Synchronizing the HWS server to an external time source in an Active Directory environment can
cause the HWS server to not be able to communicate with other servers on your own network.
Once this service is set up, it will synchronize once every 45 minutes until 3 good synchronizations occur,
then once every 8 hours for 3 check-ins per day.
Internet Time Servers
A variety of time servers on the Internet can be used for synchronization. A partial list can
be found at: http://www.boulder.nist.gov/timefreq/service/time-servers.html. You can select any of the
time sources on this list to synchronize to. This link points to The National Institute of Standards and
Technology (NIST) which operates within the US Dept of Commerce. NIST provides, among other things,
time synchronization for all non-military applications within the U.S. government.
Configure Your Firewall
Your firewall must be configured to allow the computer being synchronized to reach the time server on the
Internet. If your firewall is configured to allow all outbound traffic, then you don’t need to do anything. If
you restrict the traffic going out to the Internet, you must open the following UDP port:
Service Name      UDP Port
SNTP (or NTP)     123
You can also optionally limit which computers can use this firewall rule to the single computer that you
will be configuring to synchronize to an outside source.
Synchronizing a computer to an External Time source
1) If you are in an Active Directory environment,
identify your Active Directory Primary Domain
Controller.
If you are in a Windows NT domain or workgroup,
please go to step 2.
The primary domain controller is typically the first
domain controller created in your forest or domain.
If you are unsure, you can log on to any member
computer (non-domain controller), start a command
prompt and enter the following command:
NET TIME /DOMAIN
This will show you the domain controller that you
will need to modify.
2) Log in as domain administrator to the domain
controller you identified in step 1 or, if you are in a
workgroup or Windows NT domain, log in to the
Hedberg Web Services Server.
After logging in, start a Command Prompt.
3) Enter the command:
net time /setsntp:{Server Address}
where {Server Address} is the address of the
Internet Time Server that you wish to synchronize
with (choose any server from the NIST web site
described above).
In this document's example, the time server being
used is called time-a.nist.gov.
4) This configuration change is not effective until the
Windows Time Service restarts. Manually stop and
(re)start the w32time service by using the
commands:
net stop w32time (and press Enter – this will stop the service)
net start w32time (and press Enter – this will start the service)
5) It is then important to review the System Event
Viewer to make sure the change has taken place
and that synchronization is working.
After several minutes, you should see Information
events indicating that the computer has begun
synchronizing with the external time source.
You may not see effects of this configuration
change immediately. If the local computer clock is
determined to be set too far ahead (into the future),
but by less than three minutes, Windows will bring
the clock into gradual (rather than sudden)
adjustment.
If you continue to see synchronization errors, check
that you entered the correct name for a time server
in the earlier step. If this is correct, then your
firewall configuration has not been changed
correctly.
6) If you are in an Active Directory environment, you
should check the time on the HWS server.
You can stop and start the Windows Time service
and then check the Event Viewer to validate that it
is synchronizing with the domain controller.
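The following Python script is an added example, not part of the original Hedberg document: it sends one SNTP request over UDP port 123 to the time server chosen in step 3 and reports how far that server's clock is from the local clock, which helps tell a firewall problem (no reply) from a working path. The function names are illustrative, and time-a.nist.gov is the example server named in step 3.

```python
# Added example: helper names are illustrative; time-a.nist.gov is the page's example server.
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_seconds):  # Unix time -> 64-bit NTP timestamp (32.32 fixed point)
    whole = int(unix_seconds)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, int((unix_seconds - whole) * 2**32))

def from_ntp(raw):
    whole, frac = struct.unpack("!II", raw)
    return whole - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    # First byte 0x1B = LI 0, version 3, mode 3 (client); transmit timestamp is bytes 40-47.
    return bytes([0x1B]) + bytes(39) + to_ntp(t1)

def parse_reply(reply, t1, t4):
    """Validate a server reply; return (server minus local offset, round-trip delay) in seconds."""
    if len(reply) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server unsynchronized or refusing service")
    if reply[24:32] != to_ntp(t1):  # the server must echo our transmit timestamp
        raise ValueError("reply does not match this request")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def query(server, timeout=5.0):
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
    return parse_reply(reply, t1, time.time())

if __name__ == "__main__":
    try:
        offset, delay = query("time-a.nist.gov")
        print(f"server clock minus local clock: {offset:+.3f}s (round trip {delay:.3f}s)")
    except socket.timeout:
        print("no reply: check the outbound UDP 123 firewall rule and the server name")
```

A timeout points at the firewall rule or the server name from step 3; a reply with a large offset means the path works but the Windows Time service has not yet corrected the clock.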