Window Entry
How to Set Up an Authoritative Time Server in a Windows 2003 Server Based Active Directory Network
The Windows Time service (W32Time) is designed to allow all Windows 2000 or later machines in an organisation to utilise a synchronised time. The service is used to ensure the security of the Windows Kerberos authentication protocol. This article describes the procedure to set up an Authoritative Time Server for a Windows 2003 Server based Active Directory Network. It also describes the hierarchical relationship of the time synchronisation authority. The article also presents some time synchronisation hints, tips and troubleshooting.
The 'Windows Time' Hierarchy.
The Windows Time Service uses a hierarchical synchronisation structure. By default, Windows computers utilise the following hierarchy:
- All time client workstations nominate their domain controller as their time synchronisation source.
- All member servers also nominate their domain controller as their time synchronisation source.
- All domain controllers in a domain nominate the primary domain controller (PDC) as their time synchronisation source.
- All Primary Domain controllers follow the hierarchy of domains in the selection of their time synchronisation source.
In the hierarchy the PDC emulator in the forest root domain is the primary time reference for the organisation. The PDC in the forest root domain can have its internal reference clock controlled in a number of ways:
- By utilising its own internal system clock. However, unsynchronised system clocks will drift significantly over time.
- By synchronising to an Internet based NTP time server. An accurate time can be obtained from an Internet NTP server, however, this raises security issues since accuracy cannot be guaranteed. Also, the NTP port in the firewall must be left open for synchronisation. Additionally, Internet based NTP servers cannot provide authentication, so the source of time cannot be guaranteed.
- By synchronising with a local intranet based NTP time server. A local NTP server has the advantage of providing a traceable time reference and also secure authentication.
- By utilising a hardware reference clock such as a GPS or time and frequency radio based time transmission. A GPS or radio based hardware reference clock provides a secure traceable time reference.
Windows Time Service Configuration.
Configuration of the Windows Time Service is carried out by editing registry entries. It is highly recommended that the registry be backed up before conducting any modifications. This allows the registry to be restored in the event of erroneous modification.
To configure the PDC master to utilise its internal system clock requires only that the W32Time registry entry 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags' is set to 'A'. This makes the PDC announce itself as a reliable time source. However, the system clock can drift over time and is not referenced to an accurate time source. Additionally, Windows Time will periodically generate system event log warnings indicating that the PDC should be configured to synchronise to an external time source. This warning can be ignored.
To configure the PDC to synchronise to an external time reference, the following registry entries must be modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
This registry entry specifies the types of peers that the Windows Time Service will synchronise to. Change the registry entry to 'NTP' to synchronise to an external NTP server.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
The 'Announce Flags' registry entry indicates that the PDC should announce itself as a reliable time source. Set this registry entry to the value '5'.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
The 'NtpServer' registry entry indicates that non-standard mode combinations are allowed in synchronisation between peers. This entry should be set to the value 1.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
The 'NtpServer' registry entry contains a space-delimited list of stratum 1 time servers from which the PDC can obtain time. If DNS names are used rather than IP addresses, you must append 0x1 to the end of each DNS name.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
The 'Special Poll Interval' registry entry indicates the period, in seconds, between each poll of an NTP server. Microsoft recommends a value of 900 seconds, which equates to one poll every 15 minutes.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
The 'MaxPosPhaseCorrection' field indicates the maximum positive time correction in seconds that the time service can make. If a time correction larger than the maximum is required the time service logs an Event in the Event Log. If this field is set to 0xFFFFFFFF a time correction is always made regardless of size. A suitable value may be 3600 seconds (1 hour).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
The 'MaxNegPhaseCorrection' field indicates the maximum negative time correction in seconds that the time service can make. If a time correction larger than the maximum is required the time service logs an Event in the Event Log. If this field is set to 0xFFFFFFFF a time correction is always made regardless of size. A suitable value may be 3600 seconds (1 hour).
After the registry entries have been correctly modified, the Windows Time service must be stopped and restarted. At a command prompt enter 'net stop w32time && net start w32time' to restart the service.
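As an added example (not part of the original article), this Python sketch audits the output of `reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time /s` against the values listed above and flags an unlimited phase correction, which lets the time source move the PDC clock by any amount. The sample output and host names are constructed.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"
# Values the article gives for a PDC that syncs to an external NTP source.
EXPECTED = {
    ("Parameters", "Type"): "NTP",
    ("Config", "AnnounceFlags"): 5,
    (r"TimeProviders\NtpClient", "SpecialPollInterval"): 900,
}
# Constructed `reg query <ROOT> /s` output; W32Time writes the flag as name,0x1.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    AnnounceFlags    REG_DWORD    0xa
    MaxNegPhaseCorrection    REG_DWORD    0xffffffff
    MaxPosPhaseCorrection    REG_DWORD    0xe10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    NtpServer    REG_SZ    ntp1.example.internal,0x1 ntp2.example.internal
    Type    REG_SZ    NTP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    SpecialPollInterval    REG_DWORD    0x384
"""

def parse_reg_query(text):
    """Return {(subkey, value_name): value} with REG_DWORD decoded to int."""
    values, subkey = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if line.startswith(ROOT):
            subkey = line.strip()[len(ROOT):].lstrip("\\")
        elif m and subkey is not None:
            name, kind, raw = m.groups()
            values[(subkey, name)] = int(raw, 16) if kind == "REG_DWORD" else raw.strip()
    return values

def audit(values):
    """List deviations from the article's settings for an externally synced PDC."""
    findings = [f"{name}: expected {want!r}, found {values.get((sub, name))!r}"
                for (sub, name), want in EXPECTED.items()
                if values.get((sub, name)) != want]
    for name in ("MaxPosPhaseCorrection", "MaxNegPhaseCorrection"):
        if values.get(("Config", name)) == 0xFFFFFFFF:
            findings.append(f"{name}: corrections of any size are accepted")
    for peer in values.get(("Parameters", "NtpServer"), "").split():
        is_ip = re.fullmatch(r"[0-9.]+", peer.split(",")[0])
        if not is_ip and not peer.endswith("0x1"):
            findings.append(f"NtpServer peer {peer}: DNS name without 0x1")
    return findings

print(*audit(parse_reg_query(SAMPLE)), sep="\n")
```

On the constructed sample this reports the AnnounceFlags mismatch, the unlimited negative phase correction and the peer that lacks the 0x1 flag.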
Hints and Tips.
The correct operation of the Windows Time service depends heavily on the correct functioning of network devices and infrastructure. Common problems such as TCP/IP connectivity, DNS resolution, inaccurate NTP time references and network delay can all cause problems with the synchronisation service. Additionally, when synchronising to an Internet NTP server, ensure that UDP port 123 is open on the firewall. UDP port 123 is the port reserved for NTP communication packets.
About the Author
Dave Evans is an experienced technical author in the field of computer time synchronisation. For a number of years Dave has provided an authoring service to the telecommunications industry.
Enjoy Your Privacy Through Window Tinting
Envision yourself residing in a windowless residence and you will surely get a sense of suffocation. This is because it’s natural for residences to have windows; the bigger the better. These are after all the only way by which you can have enough sunshine in your house. Even if you have your shutters down, there’s always a good amount of natural light permitted inside. Windows also provide your interior the mandatory means by which air flow is achieved. You only have to open them and the interior will have a better supply of fresh air.
You’ll never get yourself into an argument over the benefits that windows can give to house owners but you can’t neglect that they also have weaknesses. These are facts that you have to know how to approach to avoid serious problems later. Such liabilities are related to the fact that windows are actually the most vulnerable spots in your house when it comes to protecting your privacy and your properties. One essential step in reducing the potential of such weak points is by window tinting.
Rather than entertaining the idea of making smaller windows and decreasing their number as well, window tinting is a better option. If you opt to reduce the amount of windows or decrease their sizes, you certainly compromise the interior’s need for light and ventilation. Windows with sufficient tinting material can provide you with protection without compromising both ventilation and light. They make the view from the exterior blurred or dimmed, making the happenings inside the home less familiar.
Tinted windows are not break-proof enough to make any attempt of forcible entry into the confines of your house next to impossible. The tint could possibly reduce the natural light going within your house by more than 90 percent but you can’t expect this to deter burglaries and other break-ins. Even so, the tinted windows would be able to prevent easy spying for the purpose of burglary later. Therefore, the possibilities of effective break-ins are decreased. For burglaries to be successful knowledge of the interior is essential.
Window tinting significantly decreases the likelihood of injuries caused by shattering glass panels. Windows are very vulnerable to wayward balls from neighbourhood kids. Once hit by such objects they might shatter quickly, posing dangers to the people and things near them. A good tinting film adds a protective coating to brittle glass windows. The glass panes may break but they won’t shatter.
If you are the type who values privacy you will surely find it more advantageous if you use one-way films in window tinting. This film used in window tinting actually allows only those from the inside to take a view of what lies outside. On the other hand, for those outside, they probably won't have the ability to see the interior. Such types of film definitely make your privacy more secure because you can do stuff that you enjoy inside the house without having to worry that some people might be watching you.
Premier Tint’s everlasting mission to provide only the best services to all Sydneysiders had been tested with their 2 decades of committing themselves to give only the best to their clients leaving them always satisfied. To learn more about their services, visit their site at http://www.premiertint.com.au.
How do I delete the registry entry that refuses to be deleted?
I couldn't install my Netgear wireless PCI card on my Windows XP. It keeps saying the 'name' of my PCI card is already used. Indeed, when I open 'regedit', I realize there is already an entry in my Windows registry. When I try to delete it, it refuses to be deleted.
What should I do now? I bet the installer of my wireless card has the same problem and that's why it keeps telling me the name is still in use. Is there another way to delete the registry hive? It's not a permission issue. I have no problem deleting other entries.
Boot into safe mode and delete it from there.
Walt Disney World tightens the rules on FastPasses (boingboing)
On The Disney Blog, John Frost describes the upcoming rule-tightening for
FastPasses in Walt Disney World. FastPass is a ride reservation system: park
visitors visit a ride, feed their entry ticket to a kiosk, and it spits out a
coupon that can be redeemed later in the day for admission via a shorter
queue. Until [...]
1992 Toyota Pickup With Aftermarket Power Windows/Door Locks/ Keyless Entry/ Remote Start