Properly synchronizing your network with a consistent and accurate time source is very important. However, it's not enough to simply synchronize the time on your network devices—this effort should extend all the way to the desktop. In this edition of Security Solutions, Mike Mullins discusses how to synchronize time throughout an entire Windows network.
Last time, I discussed the importance of synchronizing the time on your network and devices, and I explained why accurate time is even more important for security logs ("Make sure security logs exhibit accurate time with NTP"). In the article, I reviewed the different types of timing sources and looked at methods you can use to coordinate the time on your network security devices.
However, it's not enough to simply synchronize the time on your network devices—this effort should extend all the way to the desktop. Applying a single, consistent time source throughout your network can boost both network efficiency and security.
Synchronizing time on your Windows domain requires following the Active Directory domain hierarchy to find a reliable time source for your entire domain. In a Windows Server 2003 Active Directory forest, the server that holds the primary domain controller (PDC) emulator role acts as the default time source for your entire network.
Each workstation and server in this network will try to locate a time source for synchronization. Using an internal algorithm designed to reduce network traffic, systems will make up to six attempts to find a time source. Here's a look at the order of these attempts:
- Parent domain controller (on-site)
- Local domain controller (on-site)
- Local PDC emulator (on-site)
- Parent domain controller (off-site)
- Local domain controller (off-site)
- Local PDC emulator (off-site)
To ensure that your servers are finding the proper time, you must configure your PDC emulator to receive the time from a valid and accurate time source. To configure this role, follow these steps:
- Log on to the domain controller.
- Enter the following at the command line:
W32tm /config /manualpeerlist:<timeserver> /syncfromflags:manual
<timeserver> is a space-delimited list of DNS and/or IP addresses. When specifying multiple time servers, enclose the list in quotation marks.
- Update the Windows Time Service configuration. At the command line, you can either enter W32tm /config /update, or you can enter the following:
Net stop w32time Net start w32time
If a system isn't a member of a domain, you must manually configure it to synchronize with a specified time source. Follow these steps:
- Go to Start | Control Panel, and double-click Date And Time.
- On the Internet Time tab, select a time server from the drop-down list, or enter the DNS name of your network's internal time source.
- Click Update Now, click Apply, and click OK.
Note: It's important to make sure that any access control lists on your network allow UDP port 123 to and from systems to the selected time source. For more information, see Microsoft's Windows Time Service Tools and Settings documentation.
Properly synchronizing your network with a consistent and accurate time source will pay big dividends when it comes down to tracking anomalies and security problems within your network. Setting and distributing the accurate time for your network is an easy process—you just need to find the time to do it.
Miss a column?
Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.