Windows includes the W32Time time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 in an organization use a common time.

Windows-based computers use the following hierarchy by default:

• All client PCs and member servers nominate the authenticating DC as their in-bound time Server.

• DCs may nominate the PDC operations master as their in-bound time partner but may use a parent DC based on stratum numbering.

• All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner.

PDC operations master at the root of the forest becomes authoritative for the organization. This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command:

Net time /setsntp: server_list

To reset the local computer's time against the authoritative time server for the domain:

Net time /domain_name /set

Net stop w32time

W32tm -once

Net start w32time

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.