Last time, I discussed the importance of synchronizing the time on your network and devices, and I explained why accurate time is even more important for security logs (“Make sure security logs exhibit accurate time with NTP”). In that article, I reviewed the different types of timing sources and looked at methods you can use to coordinate the time on your network security devices.

However, it’s not enough to simply synchronize the time on your network devices—this effort should extend all the way to the desktop. Applying a single, consistent time source throughout your network can boost both network efficiency and security.

Synchronizing time on your Windows domain requires following the Active Directory domain hierarchy to find a reliable time source for your entire domain. In a Windows Server 2003 Active Directory forest, the server that holds the primary domain controller (PDC) emulator role acts as the default time source for your entire network.

Each workstation and server in this network will try to locate a time source for synchronization. Using an internal algorithm designed to reduce network traffic, systems will make up to six attempts to find a time source. Here’s a look at the order of these attempts:

  • Parent domain controller (on-site)
  • Local domain controller (on-site)
  • Local PDC emulator (on-site)
  • Parent domain controller (off-site)
  • Local domain controller (off-site)
  • Local PDC emulator (off-site)

To ensure that your servers are finding the proper time, you must configure your PDC emulator to receive the time from a valid and accurate time source. To configure this role, follow these steps:

  1. Log on to the domain controller.
  2. Enter the following at the command line:
W32tm /config /manualpeerlist:<timeserver> /syncfromflags:manual

<timeserver> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple time servers, enclose the list in quotation marks.

  3. Update the Windows Time Service configuration. At the command line, you can either enter W32tm /config /update, or you can restart the service by entering the following:
Net stop w32time
Net start w32time
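The steps above, carried out from PowerShell with the checks an administrator would want around them, as an added example that is not part of the original column. It assumes the ActiveDirectory module is installed, the session is elevated, and the peer list is a placeholder for your own internal time sources; the /reliable:yes switch and the w32tm /query and /stripchart checks are additions beyond the column's two commands.

```powershell
# Added example: configure the PDC emulator's upstream time source and verify it.
# Assumptions (not from the article): ActiveDirectory module available, elevated
# session on a domain controller, and the peer list below is a placeholder.
$ManualPeerList = "ntp1.example.internal ntp2.example.internal"   # placeholder hosts

# Only the PDC emulator should be pointed at an external/manual source; members
# should follow the domain hierarchy. Compare this host against the FSMO holder.
$pdc   = (Get-ADDomain).PDCEmulator
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ne $local) {
    Write-Warning "This host ($local) is not the PDC emulator ($pdc); configure the source there."
    return
}

# Probe each peer with a real NTP request (stripchart sends UDP/123 packets),
# so a blocked ACL shows up here rather than as a silent fallback to the CMOS clock.
foreach ($peer in ($ManualPeerList -split '\s+')) {
    $probe = w32tm /stripchart /computer:$peer /samples:1 /dataonly 2>&1
    if ($LASTEXITCODE -ne 0 -or ($probe -join ' ') -match 'error') {
        Write-Warning "No NTP reply from $peer; check that UDP port 123 is allowed to and from it."
    }
}

# Equivalent of the article's two commands, with /reliable:yes so domain members
# treat this DC as a trustworthy source and /update so no service restart is needed.
w32tm /config /manualpeerlist:"$ManualPeerList" /syncfromflags:manual /reliable:yes /update
w32tm /resync

# Verify the result: the reported source must be a configured peer, not the local clock.
$source = (w32tm /query /source) -join ''
if ($source -match 'Local CMOS Clock' -or $source -match 'Free-running') {
    Write-Warning "Still synchronizing from the local clock: $source"
} else {
    Write-Output "Time source: $source"
}
# Stratum, last sync time and phase offset are the fields worth recording for log accuracy.
w32tm /query /status | Where-Object { $_ -match '^(Stratum|Last Successful Sync Time|Source|Phase Offset)' }
```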

If a system isn’t a member of a domain, you must manually configure it to synchronize with a specified time source. Follow these steps:

  1. Go to Start | Control Panel, and double-click Date And Time.
  2. On the Internet Time tab, select a time server from the drop-down list, or enter the DNS name of your network’s internal time source.
  3. Click Update Now, click Apply, and click OK.

Note: It’s important to make sure that any access control lists on your network allow UDP port 123 to and from systems to the selected time source. For more information, see Microsoft’s Windows Time Service Tools and Settings.

Final thoughts

Properly synchronizing your network with a consistent and accurate time source will pay big dividends when it comes down to tracking anomalies and security problems within your network. Setting and distributing the accurate time for your network is an easy process—you just need to find the time to do it.


Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security