How to do better on Win2003's NTP?



Posted

Hello all, I am setting up the NTP server function in the Windows 2003 PDC server. There is not much information about the values in the W32Time registry, so I hope to get some help here.

The NTP server on Windows 2003 is for company-wide usage; it will synchronize Cisco network devices, Unix servers and Windows 2000/NT. Also, the Windows 2003 will act as an NTP client to synchronize from the GPRS time source. (The Windows 2003 is also a Primary Domain Controller.)

                                  /----- Network Devices (Cisco...)
GPRS Time Source -- Win2003 PDC -------- Domain Clients (XP)
                                  \----- Unix, Win2000, NT Servers

From the technical documents on the Microsoft website, there isn't much detail about setting up an NTP server. I have followed the steps of those technical documents and modified "W32Time" in the registry. Finally, it could synchronize the other machines. But I do not have much confidence in it, since there isn't much information about the meaning of the values in the registry. And any unknown change could be a risk to the PDC and the whole infrastructure.

At present, I installed another Win2k3 to simulate the PDC as an NTP server (not a client for GPRS yet), and it works. This synchronizes with the Cisco Switch 2950 and Unix about every 17 minutes.

Here are the registries I changed under "W32Time":

===========================================

\Parameters\Type -> NTP
\Config\AnnounceFlags -> 5
\TimeProviders\NtpServer\Enabled -> 1
\TimeProviders\NtpClient\SpecialPollInterval -> 900
\Config\MaxPosPhaseCorrection -> 172800
\Config\MaxNegPhaseCorrection -> 172800
\Config\LocalClockDispersion -> 0 (Previous 10)

Run the commands to restart the time service:

- net stop w32time
- net start w32time

===========================================

There are questions about the NTP in Win2003:

(1) Does NTP in Win2003 have the security option to set a key for authentication?

(2) How to set the value of registry and control the interval that clients update their time?

I have made a call to Microsoft, but they treated it as a "How to", no support on this. @.@

Thanks to all, any information is appreciated.

Guest Meinolf Weber
Posted

Re: How to do better on Win2003's NTP?

 

Hello Kent,

 

See here and inline:

http://support.microsoft.com/kb/816042

 

Expand all on the left pane and you got a lot of infos:

http://technet2.microsoft.com/windowsserver/en/library/ac86e77c-0be3-430a-ba0b-c2225506fc4f1033.mspx

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> (1) Does NTP in Win2003 have the security option to set a key for

> authentication?

 

Within an Active Directory forest, the Windows Time service (W32time) relies on standard domain security features to enforce the authentication of time data. The security of Network Time Protocol (NTP) packets that are sent between a domain member and a local domain controller that is acting as a time server is based on shared key authentication. The Windows Time service uses the local computer's Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. When a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer's session key or if it is not signed correctly, the time is rejected. In this way, the Windows Time service provides security for NTP data in an Active Directory forest.

 

 

> (2) How to set the value of registry and control the interval that

> clients update their time?

 

http://technet2.microsoft.com/windowsserver/en/library/fcc66e8b-58d9-41c9-83ee-56d07397e3e01033.mspx?mfr=true


Posted

Re: How to do better on Win2003's NTP?

 

Hello, Meinolf

 

Thanks for your reply, the web link of registry is helpful to me.

 

And the question about the authentication key I asked about is for the Unix server's switch/router's NTP. They have an authentication key as a security option, but does Windows 2003 support this?

 

Best regards,

Kent Si

 

 


Posted

RE: How to do better on Win2003's NTP?

 

Found a good blog about W32time and NTP, and it should be from Microsoft.

 

http://blogs.msdn.com/w32time/default.aspx

 

 


Guest Meinolf Weber
Posted

Re: How to do better on Win2003's NTP?

 

Hello Kent,

 

In the time service you have no option for adding authentication. See here how the authentication works, scroll down to "NTP Security":

http://technet2.microsoft.com/windowsserver/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
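
The "authentication key" on the Unix and Cisco side is NTP symmetric-key authentication: a 32-bit key ID and a keyed MD5 digest appended to the 48-byte packet. As an added example (not from this thread or from Microsoft), the Python code below shows how a client that requires such a key treats a reply carrying no MAC, which is what a server with no symmetric-key option sends. The packet, key IDs and key values are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48       # fixed NTP header
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest
MODE_SERVER = 4


def build_server_reply(stratum=2, transmit_secs=3_900_000_000):
    """Constructed 48-byte NTPv3 server reply (sample data, not a capture)."""
    li_vn_mode = (0 << 6) | (3 << 3) | MODE_SERVER   # LI=0, VN=3, Mode=4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 10, -20)
    header += bytes(36)   # root delay/dispersion, ref ID, ref/origin/receive timestamps
    header += struct.pack("!II", transmit_secs, 0)   # transmit timestamp
    return header


def sign(packet, key_id, key):
    """Append the legacy symmetric-key MAC: key ID + MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def check_reply(data, trusted_keys, require_auth=True):
    """Return (accepted, reason) the way a key-requiring client would decide.

    Extension fields are not handled; only header or header + 20-byte MAC.
    """
    if len(data) < HEADER_LEN:
        return False, "truncated header"
    if data[0] & 0x07 != MODE_SERVER:
        return False, "not a server-mode reply"
    header, trailer = data[:HEADER_LEN], data[HEADER_LEN:]
    if not trailer:
        if require_auth:
            return False, "no MAC present"
        return True, "accepted without authentication"
    if len(trailer) != MAC_LEN:
        return False, "unsupported trailer length"
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key ID not trusted"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return False, "MAC mismatch"
    return True, "authenticated with key %d" % key_id


if __name__ == "__main__":
    keys = {1: b"constructed-key-1"}          # constructed key table
    plain = build_server_reply()              # reply without any MAC
    signed = sign(plain, 1, keys[1])          # reply from a key-sharing server
    for label, pkt, req in [
        ("plain, auth required", plain, True),
        ("plain, auth optional", plain, False),
        ("signed, auth required", signed, True),
    ]:
        print(label, "->", check_reply(pkt, keys, require_auth=req))
```

A client can therefore take time from such a server only if authentication is not enforced for that peer, so those replies are not protected against spoofing on the path.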


Posted

Re: How to do better on Win2003's NTP?

 

Thank you very much for your help.

 

 

