Overview of Windows Server 2016: the Windows Time service

2025-01-31 Update From: SLTechnology News&Howtos (shulou)

Shulou(Shulou.com)06/02 Report--

The Windows Time service (W32Time) synchronizes the date and time for all computers running in an Active Directory Domain Services (AD DS) domain. Time synchronization is critical to the normal operation of many Windows services and line-of-business (LOB) applications. The Windows Time service uses the Network Time Protocol (NTP) to synchronize computer clocks on the network. NTP ensures that accurate clock values, or time stamps, can be assigned to network validation and resource access requests.

The importance of time protocols

A time protocol is the set of rules two computers follow to exchange time information and then use that information to synchronize their clocks. In the Windows Time service time protocol, the client requests time information from a server and synchronizes its clock based on the information it receives.

The Windows Time service uses NTP to help synchronize time across a network. NTP is an Internet time protocol that includes the discipline algorithms necessary for synchronizing clocks. NTP is a more accurate time protocol than the Simple Network Time Protocol (SNTP) that is used in some versions of Windows. However, W32Time still supports SNTP to enable backward compatibility with computers running SNTP-based time services, such as Windows 2000.

Time accuracy in Windows 10 and Windows Server 2016 has been substantially improved while maintaining full backward NTP compatibility with older Windows versions. Under the right operating conditions, systems running Windows 10 or Windows Server 2016 and later can deliver 1 second, 50 milliseconds (ms), or 1 millisecond accuracy. (Time accuracy: achieving it requires accurate end-to-end time distribution from a highly accurate authoritative time source to the end device. Anything that introduces network asymmetry, such as high CPU load on physical network devices or on the target system, has a negative effect on accuracy.)

Windows Time service architecture:

The Windows Time service consists of the following components:

Service Control Manager

Windows Time Service Manager

Clock discipline

Time providers

The following figure shows the architecture of the Windows Time service.

The Service Control Manager is responsible for starting and stopping the Windows Time service. The Windows Time Service Manager is responsible for initiating the action of the NTP time providers included with the operating system. The Windows Time Service Manager controls all functions of the Windows Time service and coalesces all time samples. In addition to providing information about the current system state, such as the current time source or the last time the system clock was updated, the Windows Time Service Manager is also responsible for creating events in the event log.

The following steps are involved in the time synchronization process:

Input providers request and receive time samples from the configured NTP time sources.

These time samples are then passed to the Windows Time Service Manager, which collects all the samples and passes them to the clock discipline subcomponent.

The clock discipline subcomponent applies the NTP algorithms, which results in the selection of the best time sample.

The clock discipline subcomponent adjusts the system clock to the most accurate time by either adjusting the clock rate or directly changing the time.

If a computer has been designated as a time server, it can send the time on to any computer requesting time synchronization at any point in this process.
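To watch those steps on a live machine, the following PowerShell script is an added example (not code from the original article or from Microsoft). It reads the service state, takes a few samples from one peer with w32tm.exe (the input-provider step), and then makes the same slew-or-step decision the clock discipline subcomponent makes. It assumes that the status output of w32tm uses "Key: value" lines, that the /dataonly stripchart lines end in an offset such as "+00.0123456s", and that time.example.invalid is replaced with a reachable NTP peer; the one-second step threshold is a constructed illustration, not W32Time's actual setting.

```powershell
# Added example (not from the original article): observe the synchronization
# steps from an elevated PowerShell prompt using w32tm.exe.
# Assumptions: 'w32tm /query /status /verbose' prints "Key: value" lines,
# '/stripchart ... /dataonly' lines end in an offset such as "+00.0123456s",
# and time.example.invalid stands in for a reachable NTP peer.

function Get-W32TimeStatus {
    # Current source, stratum, last successful sync time, phase offset, and so on.
    $status = @{}
    foreach ($line in (w32tm /query /status /verbose)) {
        if ($line -match '^\s*([^:]+?):\s*(.+)$') { $status[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $status
}

function Get-NtpOffsetSamples {
    # The input-provider step: ask one peer for a few samples and return the
    # measured offsets in seconds (positive means the local clock is behind).
    param([string]$Peer, [int]$Samples = 5)
    $offsets = @()
    foreach ($line in (w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly)) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { $offsets += [double]$matches[1] }
    }
    return $offsets
}

function Get-CorrectionKind {
    # The clock-discipline step: a small offset is slewed by adjusting the clock
    # rate, a large one is stepped. The 1 s threshold is a constructed illustration,
    # not W32Time's real configuration value.
    param([double[]]$Offsets, [double]$StepThresholdSeconds = 1.0)
    if (-not $Offsets -or $Offsets.Count -eq 0) { return 'no-samples' }
    $sorted = @($Offsets | Sort-Object)
    $median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
    if ([math]::Abs($median) -ge $StepThresholdSeconds) { return 'step' } else { return 'slew' }
}

$status  = Get-W32TimeStatus
"Current source : $($status['Source'])"
"Last sync      : $($status['Last Successful Sync Time'])"

$samples = Get-NtpOffsetSamples -Peer 'time.example.invalid'
"Offsets (s)    : $($samples -join ', ')"
"Correction     : $(Get-CorrectionKind -Offsets $samples)"
```

Run it from an elevated prompt; the stripchart call fails with a resolution error if the placeholder peer name is left in place, so substitute a domain controller or other NTP server you actually use.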

Windows time Service time Protocol

A time protocol determines how closely two computers' clocks are synchronized. A time protocol is responsible for determining the best available time information and converging the clocks so that a consistent time is maintained on separate systems.

The Windows Time service uses NTP to synchronize time across a network. NTP is an Internet time protocol that includes the discipline algorithms necessary for synchronizing clocks. NTP is a more accurate time protocol than the Simple Network Time Protocol (SNTP) that is used in some versions of Windows. However, W32Time continues to support SNTP to enable backward compatibility with computers running SNTP-based time services, such as Windows 2000.

Network time protocol

NTP is the default time synchronization protocol used by the Windows Time service in the operating system. NTP is a fault-tolerant, highly scalable time protocol and the protocol most commonly used for synchronizing computer clocks with a designated reference clock.

NTP time synchronization takes place over a period of time and involves the transmission of NTP packets over the network. An NTP packet contains time stamps that include a time sample from both the client and the server participating in the time synchronization.

NTP relies on a reference clock to define the most accurate time to be used, and synchronizes all clocks on the network to that reference clock. NTP uses Coordinated Universal Time (UTC) as the universal standard for the current time. UTC is independent of time zones and enables NTP to be used anywhere in the world, regardless of time zone settings.

Support for the NTP algorithms

NTP includes two algorithms, a clock-filtering algorithm and a clock-selection algorithm, to help the Windows Time service determine the best time sample. The clock-filtering algorithm is designed to sift through the time samples received from a queried time source and determine the best time samples from that source. The clock-selection algorithm then determines the most accurate time server on the network. This information is then passed to the clock discipline algorithm, which uses the information gathered to correct the computer's local clock while compensating for errors caused by network latency and computer clock inaccuracy.

The NTP algorithms are most accurate under light-to-medium network and server loads. As with any algorithm that must take network transit time into account, the NTP algorithms may not perform well under conditions of extreme network congestion. The Windows Time service supports the NTP algorithms.
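The packet layout and the two algorithms described above, as an added PowerShell example that is not part of the original article and not Microsoft's or the NTP reference implementation's code. It builds constructed NTP version 3 server replies, decodes the 1900-epoch time stamps into UTC, computes the client's offset and round-trip delay from the four time stamps (T1 client send, T2 server receive, T3 server send, T4 client receive), and then applies a deliberately simplified stand-in for the filter and selection steps: keep the lowest-delay sample per source, then prefer the lowest stratum. The peer names dc01 and gps01 and all time stamp values are constructed.

```powershell
# Added example (not from the original article): decode a constructed NTP v3
# server reply and run simplified stand-ins for the clock-filter and
# clock-selection steps. NTP time stamps count seconds since 1900-01-01 UTC.

$NtpEpoch = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

function ConvertTo-NtpTimestampBytes {
    # 64-bit NTP time stamp: 32-bit whole seconds + 32-bit fraction, big-endian.
    param([double]$Seconds)
    $whole = [uint32][math]::Floor($Seconds)
    $frac  = [uint32][math]::Floor(($Seconds - $whole) * 4294967296)
    $out = @()
    foreach ($v in @($whole, $frac)) {
        [byte[]]$b = [BitConverter]::GetBytes($v)
        if ([BitConverter]::IsLittleEndian) { [array]::Reverse($b) }
        $out += $b
    }
    return [byte[]]$out
}

function ConvertFrom-NtpTimestamp {
    # Read the 8-byte time stamp at $Offset and return seconds since the NTP epoch.
    param([byte[]]$Bytes, [int]$Offset)
    $parts = foreach ($o in @($Offset, $Offset + 4)) {
        [byte[]]$b = $Bytes[$o..($o + 3)]
        if ([BitConverter]::IsLittleEndian) { [array]::Reverse($b) }
        [BitConverter]::ToUInt32($b, 0)
    }
    return [double]$parts[0] + [double]$parts[1] / 4294967296
}

function New-NtpReply {
    # Constructed 48-byte NTP v3 server reply (LI=0, VN=3, Mode=4). Root delay,
    # root dispersion and reference id are left zero for brevity.
    param([int]$Stratum, [double]$T1, [double]$T2, [double]$T3)
    $pkt = New-Object byte[] 48
    $pkt[0] = (0 -shl 6) -bor (3 -shl 3) -bor 4     # LI | VN | Mode
    $pkt[1] = $Stratum
    [array]::Copy([byte[]](ConvertTo-NtpTimestampBytes $T1), 0, $pkt, 24, 8)  # originate (client T1)
    [array]::Copy([byte[]](ConvertTo-NtpTimestampBytes $T2), 0, $pkt, 32, 8)  # receive   (server T2)
    [array]::Copy([byte[]](ConvertTo-NtpTimestampBytes $T3), 0, $pkt, 40, 8)  # transmit  (server T3)
    return $pkt
}

function Get-NtpSample {
    # Decode one reply; $T4 is the client's own receive time, which is not in the packet.
    param([byte[]]$Reply, [double]$T4, [string]$Source)
    $mode = $Reply[0] -band 0x07
    if ($mode -ne 4) { throw "not a server reply (mode $mode)" }
    $T1 = ConvertFrom-NtpTimestamp $Reply 24
    $T2 = ConvertFrom-NtpTimestamp $Reply 32
    $T3 = ConvertFrom-NtpTimestamp $Reply 40
    [pscustomobject]@{
        Source        = $Source
        Stratum       = [int]$Reply[1]
        Offset        = (($T2 - $T1) + ($T3 - $T4)) / 2   # how far the local clock is off
        Delay         = ($T4 - $T1) - ($T3 - $T2)         # round trip minus the server's hold time
        ServerTimeUtc = $NtpEpoch.AddSeconds($T3)         # UTC, independent of the local time zone
    }
}

function Select-BestSample {
    # Clock filter: per source keep the lowest-delay sample. Clock selection:
    # prefer the lowest stratum, then the lowest delay. (Simplified stand-in.)
    param([object[]]$Samples)
    $filtered = $Samples | Group-Object Source | ForEach-Object {
        $_.Group | Sort-Object Delay | Select-Object -First 1
    }
    return $filtered | Sort-Object Stratum, Delay | Select-Object -First 1
}

# Constructed exchanges: the client sent at T1 and received each reply at T4.
$base = 3900000000.0
$samples = @(
    (Get-NtpSample -Source 'dc01'  -T4 ($base + 0.020) -Reply (New-NtpReply -Stratum 3 -T1 $base -T2 ($base + 0.105) -T3 ($base + 0.110))),
    (Get-NtpSample -Source 'dc01'  -T4 ($base + 0.250) -Reply (New-NtpReply -Stratum 3 -T1 $base -T2 ($base + 0.300) -T3 ($base + 0.305))),
    (Get-NtpSample -Source 'gps01' -T4 ($base + 0.040) -Reply (New-NtpReply -Stratum 1 -T1 $base -T2 ($base + 0.115) -T3 ($base + 0.120)))
)
$samples | Format-Table Source, Stratum, @{n='Offset(s)';e={'{0:N4}' -f $_.Offset}}, @{n='Delay(s)';e={'{0:N4}' -f $_.Delay}}, ServerTimeUtc
$best = Select-BestSample $samples
"Best sample: $($best.Source), stratum $($best.Stratum), offset {0:N4} s" -f $best.Offset
```

With the constructed values, the two dc01 samples both carry an offset near 0.1 s but the second one was taken over a much slower path (0.245 s delay against 0.015 s), so the filter discards it; selection then prefers the stratum 1 gps01 source over the stratum 3 domain controller.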

NTP time provider

The Windows Time service can support a variety of hardware devices and time protocols to form a complete time synchronization package. To enable this support, the service uses pluggable time providers. A time provider is responsible for either obtaining accurate time stamps (from the network or from hardware) or providing those time stamps to other computers over the network.

The NTP provider is the standard time provider included with the operating system. The NTP provider follows the standards specified by NTP version 3 for clients and servers, and can interoperate with SNTP clients and servers for backward compatibility with Windows 2000 and other SNTP clients. The NTP provider in the Windows Time service consists of the following two parts:

NtpServer output provider. This is a time server that responds to client time requests on the network.

NtpClient input provider. This is a time client that obtains time information from another source, either a hardware device or an NTP server, and can return time samples that are useful for synchronizing the local clock.

Although the actual operations of these two providers are closely related, they appear independent to the time service. When a Windows computer (Windows 2000 Server or later) connects to a network, it is configured as an NTP client. In addition, computers running the Windows Time service only attempt to synchronize time with a domain controller or a manually specified time source by default. These are the preferred time providers because they are automatically available, secure sources of time.

NTP security

In an AD DS forest, the Windows Time service relies on standard domain security features to enforce time data authentication. The security of NTP packets sent between a domain member computer and a local domain controller acting as a time server is based on shared-key authentication. The Windows Time service uses the computer's Kerberos session key to create an authenticated signature on NTP packets sent across the network. NTP packets are not transmitted inside the Net Logon secure channel. Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer's session key, or the signature is incorrect, the time is rejected. All such authentication failures are logged in the event log. In this way, the Windows Time service provides security for NTP data within an AD DS forest.

Typically, Windows Time clients automatically obtain accurate time for synchronization from domain controllers in the same domain. In a forest, domain controllers of a child domain synchronize time with domain controllers in their parent domain. When a time server returns an authenticated NTP packet to a client requesting the time, the packet is signed by means of a Kerberos session key defined by the interdomain trust account. The interdomain trust account is created when a new AD DS domain joins the forest, and the Net Logon service manages the session key. In this way, domain controllers configured as reliable in the forest root domain become the authenticated time source for all domain controllers in both parent and child domains, and indirectly for all computers in the domain tree.

The Windows Time service can be configured to work between forests, but it is important to note that this configuration is not secure. For example, an NTP server might be available in a different forest. However, because that computer is in a different forest, there is no Kerberos session key with which to sign and authenticate NTP packets. To obtain accurate time synchronization from a computer in a different forest, the client needs network access to that computer, and the time service must be configured to use a specific time source located in the other forest. If a client is manually configured to access time from an NTP server outside its own domain hierarchy, the NTP packets sent between the client and the time server are not authenticated and are therefore not secure. Even when a forest trust is implemented, the Windows Time service cannot be secured across forests. Although the Net Logon secure channel is the authentication mechanism for the Windows Time service, it does not support cross-forest authentication.
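The defender's check that follows from these three paragraphs, as an added PowerShell example (not part of the original article or any Microsoft tool): report whether a domain member is taking time from the Kerberos-authenticated domain hierarchy or from an unauthenticated manual peer, and pull recent Time service warnings and errors from the System log, which is where rejected time data and unreachable peers are recorded. The registry path and the Type and NtpServer value names are the documented W32Time settings; the event provider name "Microsoft-Windows-Time-Service" is assumed.

```powershell
# Added example (not from the original article): audit where this computer gets
# its time and surface recent Time service errors/warnings from the System log.
# Assumes the W32Time settings live under the documented Parameters key and that
# the event provider is named "Microsoft-Windows-Time-Service".

function Get-W32TimeSourceAudit {
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $type   = $params.Type    # NT5DS = domain hierarchy, NTP = manual peers, AllSync, NoSync
    $peers  = @()
    if ($params.NtpServer) {
        # NtpServer holds space-separated "host,flags" entries; keep only the host part.
        $peers = ($params.NtpServer -split '\s+') | ForEach-Object { ($_ -split ',')[0] }
    }
    $source   = (w32tm /query /source) -join ''
    $inDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

    $findings = @()
    if ($inDomain -and $type -ne 'NT5DS') {
        $findings += "Type is '$type': domain member is not using the Kerberos-authenticated domain hierarchy"
    }
    if ($type -in 'NTP', 'AllSync') {
        foreach ($p in $peers) {
            $findings += "Manual peer '$p' is a possible time source; NTP packets from it are not authenticated"
        }
    }
    [pscustomobject]@{
        Type          = $type
        CurrentSource = $source
        ManualPeers   = $peers
        PartOfDomain  = $inDomain
        Findings      = $findings
    }
}

function Get-RecentTimeServiceEvents {
    # Level 2 = Error, 3 = Warning. Rejected or unsigned time data, unreachable
    # peers and similar conditions are logged by the Time service here.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        Level        = 2, 3
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-W32TimeSourceAudit | Format-List
Get-RecentTimeServiceEvents | Format-Table -Wrap
```

On a correctly configured domain member the audit reports Type NT5DS, a domain controller as the current source and no findings; a manual peer on a member that is not the forest-root PDC emulator is the cross-forest or external-NTP situation the text warns about, and should be reviewed.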

Hardware devices supported by the Windows Time service

Hardware-based clocks such as GPS or radio clocks are often used as highly accurate reference clock devices. By default, the NTP time provider of the Windows Time service does not support the direct connection of a hardware device to the computer, but it is possible to create a software-based independent time provider that supports this type of connection. This type of provider, in conjunction with the Windows Time service, can provide a reliable and stable time reference.

Hardware devices, such as a cesium clock or a Global Positioning System (GPS) receiver, provide the accurate current time by following a standard that gives a precise definition of time. Cesium clocks are extremely stable and unaffected by factors such as temperature, pressure, or humidity, but they are also very expensive. A GPS receiver is much cheaper to operate and is also an accurate reference clock. GPS receivers obtain their time from satellites that in turn obtain their time from a cesium clock. Without an independent time provider, a Windows time server can obtain its time by connecting to an external NTP server that is connected to a hardware device, by means of a telephone or Internet connection. NTP servers connected to a reference clock, such as those provided by the US Naval Observatory, are very reliable.

Many GPS receivers and other time devices can act as servers on an NTP network. You can configure the AD DS forest to synchronize time from such an external hardware device that also acts as a server on the NTP network. To do this, configure the domain controller that holds the primary domain controller (PDC) emulator role at the root of your forest to synchronize with the NTP server provided by the GPS device.

Simple network time protocol

The Simple Network Time Protocol (SNTP) is a simplified time protocol intended for servers and clients that do not require the degree of accuracy that NTP provides. SNTP, a more basic version of NTP, is the primary time protocol used in Windows 2000. Because the network packet format is the same for SNTP and NTP, the two protocols interoperate. The main difference between them is that SNTP lacks the error management and complex filtering systems that NTP provides.

Time protocol interoperability

Because Windows 2000 can use the SNTP protocol to interoperate with the NTP protocol used by Windows XP and Windows Server 2003, the Windows Time service can run in a mixed environment of computers running Windows 2000, Windows XP, and Windows Server 2003.

The time service on Windows NT Server 4.0, called TimeServ, synchronizes time across a Windows NT 4.0 network. TimeServ is available as an add-on feature in the Microsoft Windows NT 4.0 Resource Kit and does not provide the degree of reliability that Windows Server 2003 requires for time synchronization.

Computers running the Windows Time service can synchronize time with Windows NT 4.0 computers because they are compatible; however, computers running Windows 2000 or Windows Server 2003 do not automatically detect Windows NT 4.0 time servers. For example, if your domain is configured to use domain hierarchy-based synchronization and you want a computer in a domain with Windows NT 4.0 domain controllers to synchronize with the domain hierarchy, you must manually configure that computer to synchronize with a Windows NT 4.0 domain controller.

Windows NT 4.0 uses a synchronization mechanism that is less accurate than the one used by the Windows Time service. Therefore, to ensure accurate time synchronization on your network, it is recommended that you upgrade any Windows NT 4.0 domain controllers to Windows 2000 or Windows Server 2003.

Windows time service processes and interactions

The Windows Time service is designed to synchronize the clocks of computers on a network. The network time synchronization process, also called time convergence, occurs throughout a network as each computer obtains time from a more accurate time server. Time convergence involves a process in which an authoritative server provides the current time to client computers in the form of NTP packets. The information in the packet indicates whether the computer's current clock time must be adjusted so that it is synchronized with the more accurate server.

As part of the time convergence process, domain members attempt to synchronize time with any domain controller in the same domain. If the computer is a domain controller, it attempts to synchronize with a more authoritative domain controller.

Computers running Windows XP Home Edition, or computers that are not joined to a domain, do not attempt to synchronize with the domain hierarchy, but are configured by default to obtain time from time.windows.com.

To establish a computer running Windows Server 2003 as authoritative, the computer must be configured to be a reliable time source. By default, the first domain controller installed in a Windows Server 2003 domain is automatically configured to be a reliable time source. Because it is the authoritative computer for the domain, it must be configured to synchronize with an external time source rather than with the domain hierarchy. Also by default, all other Windows Server 2003 domain members are configured to synchronize with the domain hierarchy.

After establishing a Windows Server 2003 network, you can configure the Windows Time service to synchronize by using one of the following options:

Domain hierarchy-based synchronization

Manually specified synchronization

All available synchronization mechanisms

No synchronization

Each type of synchronization is described in the following sections.

Domain hierarchy-based synchronization

Domain hierarchy-based synchronization uses the AD DS domain hierarchy to find a reliable source with which to synchronize time. Based on the domain hierarchy, the Windows Time service determines the accuracy of each server. In a Windows Server 2003 forest, the computer that holds the primary domain controller (PDC) emulator operations master role, located in the forest root domain, holds the position of best time source unless another reliable time source has been configured. The following figure illustrates the path of time synchronization between computers in the domain hierarchy.

Time synchronization in an AD DS hierarchy

Reliable time source configuration

A computer that is configured to be a reliable time source is identified as the root of the time service. The root of the time service is the authoritative server for the domain and is usually configured to retrieve time from an external NTP server or hardware device. A time server can be configured as a reliable time source to optimize how time is transferred throughout the domain hierarchy. If a domain controller is configured to be a reliable time source, the Net Logon service announces that domain controller as a reliable time source when it logs on to the network. When other domain controllers look for a time source to synchronize with, they choose a reliable source first if one is available.

Time source selection

The time source selection process can create two problems on a network:

Additional synchronization cycles.

Increased volume of network traffic.

Synchronization cycles occur when a group of domain controllers on a network synchronize time among themselves without any of them resynchronizing with another reliable time source. The time source selection algorithm of the Windows Time service is designed to protect against these types of problems.

A computer uses one of the following methods to identify a time source to synchronize with:

If the computer is not a member of a domain, it must be configured to synchronize with a specified time source.

If the computer is a member server or workstation in a domain, by default it follows the AD DS hierarchy and synchronizes its time with a domain controller in its local domain that is currently running the Windows Time service.

If the computer is a domain controller, it makes up to six queries to locate another domain controller to synchronize with. Each query is designed to identify a time source with certain attributes, such as a type of domain controller, a particular location, and whether or not it is a reliable time source. The time source must also adhere to the following restrictions:

A reliable time source can only synchronize with a domain controller in the parent domain.

A PDC emulator can synchronize with a reliable time source in its own domain or with any domain controller in the parent domain.

Manually specified synchronization

Manually specified synchronization enables you to designate a single peer or a list of peers from which a computer obtains time. If the computer is not a member of a domain, it must be manually configured to synchronize with a specified time source. Computers that are members of a domain are configured by default to synchronize from the domain hierarchy; manually specified synchronization is most useful for the forest root of the domain or for computers that are not joined to a domain. Manually specifying an external NTP server for the authoritative computer of your domain to synchronize with provides reliable time. However, configuring the authoritative computer of your domain to synchronize with a hardware clock is actually the better solution for providing the most accurate and secure time for your domain.

Manually specified time sources are not authenticated unless a specific time provider is written for them, and they are therefore vulnerable to attackers. Also, if a computer synchronizes with a manually specified source rather than with its authenticating domain controller, the two computers might be out of synchronization, causing Kerberos authentication to fail. This can in turn cause other operations that require network authentication, such as printing or file sharing, to fail. If only the forest root is configured to synchronize with an external source, all other computers in the forest remain synchronized with each other, which makes replay attacks difficult.

All available synchronization mechanisms

The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This method enables synchronization with the domain hierarchy and may also provide an alternate time source if the domain hierarchy becomes unavailable, depending on the configuration. If the time client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source specified by the NtpServer setting. This method of synchronization is the most likely to provide accurate time to clients.

No synchronization

In some cases, you may want to stop the synchronization of time on a computer. For example, if a computer attempts to synchronize with a time source on the Internet or at another site over a dial-up WAN connection, it may incur high telephone charges. Disabling synchronization on that computer prevents it from attempting to reach the time source over the dial-up connection.

You can also disable synchronization to prevent errors in the event log. Each time a computer attempts to synchronize with an unavailable time source, an error is generated in its event log. If you do not plan to reconfigure the client to synchronize from another source, you can disable synchronization on that client to prevent its event log from filling with errors about the unavailable time server.

It is also possible to disable synchronization on the computer at the root of the synchronization network. This means that the root computer trusts its local clock. If the root of the synchronization hierarchy is not set to no synchronization and cannot synchronize with another source, clients do not accept packets from that computer, because its time cannot be trusted.

Clients trust a server that is identified as a reliable time source, even if it is not synchronized with any other time source.
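One way to apply each of the four synchronization types described in the sections above, as an added PowerShell example that is not code from the original article or from Microsoft. It wraps the w32tm.exe /config switches (/syncfromflags with DOMHIER, MANUAL, ALL or NO, /manualpeerlist, /reliable and /update), forces a resync, and reads back the resulting Type value from the documented W32Time Parameters registry key. The peer name ntp.example.invalid is a placeholder, and the script must be run as an administrator.

```powershell
# Added example (not from the original article): apply one of the four
# synchronization types with w32tm.exe (run as an administrator) and show the
# resulting Type value and current source. ntp.example.invalid is a placeholder.
# Expected Type after each mode: DOMHIER -> NT5DS, MANUAL -> NTP, ALL -> AllSync, NO -> NoSync.

function Set-W32TimeSyncType {
    param(
        [ValidateSet('DomainHierarchy', 'Manual', 'All', 'None')] [string]$Mode,
        [string[]]$Peers = @(),        # used by Manual and All
        [switch]$ReliableTimeSource    # advertise this domain controller as a reliable time source
    )
    $flagNames = @{ DomainHierarchy = 'DOMHIER'; Manual = 'MANUAL'; All = 'ALL'; None = 'NO' }
    $cmdArgs = @('/config', "/syncfromflags:$($flagNames[$Mode])", '/update')
    if ($Peers.Count -gt 0) {
        # Space-separated peer list; PowerShell quotes the whole argument for w32tm.
        $cmdArgs += "/manualpeerlist:$($Peers -join ' ')"
    }
    if ($ReliableTimeSource) { $cmdArgs += '/reliable:yes' }
    & w32tm.exe @cmdArgs
    if ($Mode -ne 'None') { & w32tm.exe /resync }
    [pscustomobject]@{
        Mode   = $Mode
        Type   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
        Source = (& w32tm.exe /query /source) -join ''
    }
}

# Pick the line that matches the computer's role; these are alternatives, not steps.
Set-W32TimeSyncType -Mode DomainHierarchy                                            # domain member (the default)
# Set-W32TimeSyncType -Mode Manual -Peers 'ntp.example.invalid' -ReliableTimeSource  # forest-root PDC emulator
# Set-W32TimeSyncType -Mode All -Peers 'ntp.example.invalid'                         # hierarchy first, manual peer as fallback
# Set-W32TimeSyncType -Mode None                                                     # stop synchronizing
```

Only the forest-root PDC emulator should normally get the Manual line with an external peer; on any other domain member the DomainHierarchy line keeps the computer on the authenticated path described under "NTP security".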

Disable the Windows time service

The Windows Time service (W32Time) can be completely disabled. If you choose to implement a third-party time synchronization product that uses NTP, you must disable the Windows Time service first. This is because all NTP servers need access to User Datagram Protocol (UDP) port 123, and as long as the Windows Time service is running on the Windows Server 2003 operating system, port 123 remains reserved by the Windows Time service.

Network ports used by the Windows Time service

The Windows Time service uses the network to identify reliable time sources, obtain time information, and provide time information to other computers. It does so as defined by the NTP and SNTP RFCs.
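The procedure this paragraph describes, as an added PowerShell example (not code from the original article or from Microsoft): stop and disable W32Time before a third-party NTP daemon is installed, and confirm before and after that UDP port 123 is no longer held by the service. It assumes an elevated prompt and the Get-NetUDPEndpoint cmdlet from the NetTCPIP module that ships with Windows 8 / Windows Server 2012 and later.

```powershell
# Added example (not from the original article): disable W32Time ahead of a
# third-party NTP service and confirm that UDP/123 is released. Run as an
# administrator; Get-NetUDPEndpoint requires the NetTCPIP module.

function Disable-W32TimeService {
    Stop-Service -Name W32Time -Force
    Set-Service  -Name W32Time -StartupType Disabled
    Get-Service  -Name W32Time | Select-Object Name, Status, StartType
}

function Get-Udp123Owner {
    # Who is bound to UDP/123 right now? No output means the port is free.
    Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            ProcessId    = $_.OwningProcess
        }
    }
}

'Before:'; Get-Udp123Owner | Format-Table
Disable-W32TimeService
'After:';  Get-Udp123Owner | Format-Table
```

While W32Time is running the "Before" listing shows the port owned by an svchost.exe process (the service is hosted there); after the service is stopped and disabled the listing should be empty, which is the state the third-party NTP service needs before it can bind.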

Service name   UDP   TCP
NTP            123   Not applicable
SNTP           123   Not applicable
