How to do better on Win2003's NTP?

[Guest Kent]

Hello all, I am setting up the NTP server function in the Windows 2003 PDC

server. There are not much information about the value in W32Time registry,

so hope to get some help here.

 

 

 

The NTP server on Windows 2003 is for company wide usage purpose that will

synchronize cisco network devices, unix servers and windows 2000/NT. Also the

Windows 2003 will act as a NTP client to synchronize from the GRPS time

source.(The Windows 2003 is also a Primary Domain Controller).

 

 

 

/-----

Network Devices (Cisco...)

 

GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)

 

\----- Unix,

Win2000, NT Servers

 

 

 

From the technical documents on the microsoft website, there isn't much

about the detail to set up an NTP server. I have followed the steps of those

technical documents and modified the "W32Time" in registry. Finally, it could

synchronize the other machines. But I have not much confidence on it, since

there isn't much information about the meaning of values in the registry. And

any unknown change could be a risk to the PDC and the whole infrastructure.

 

 

 

At present, I installed another Win2k3 to simulate the PDC as a NTP

server(Not client for GPRS yet), and it works. This synchronizes with the

Cisco Switch 2950 and Unix about every 17 minutes.

 

Here are the registries I changed under "W32Time":

 

===========================================

 

\Parameters\Type -> NTP

 

\Config\AnnounceFlags -> 5

 

\TimeProviders\NtpServer\Enabled -> 1

 

\TimeProviders\NtpClient\SpecialPollInterval -> 900

 

\Config\MaxPosPhaseCorrection -> 172800

 

\Config\MaxNegPhaseCorrection -> 172800

 

\Config\LocalClockDispersion -> 0 (Previous 10)

 

 

 

Run the commands to restart the time service:

 

- net stop w32time

 

- net start w32time

 

===========================================

 

 

 

 

 

 

There are questions about the NTP in Win2003

 

(1) Does NTP in Win2003 have the security option to set a key for

authentication?

 

(2) How to set the value of registry and control the interval that clients

update their time?

 

 

 

I have made a call to Microsoft, but they treated it as a "How to", no

support on this. @.@

 

 

 

Thanks to all, any information is appreciated.

[Guest Meinolf Weber]

Re: How to do better on Win2003's NTP?

 

Hello Kent,

 

See here and inline:

http://support.microsoft.com/kb/816042

 

Expand all on the left pane and you got a lot of infos:

http://technet2.microsoft.com/windowsserver/en/library/ac86e77c-0be3-430a-ba0b-c2225506fc4f1033.mspx

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hello all, I am setting up the NTP server function in the Windows 2003

> PDC server. There are not much information about the value in W32Time

> registry, so hope to get some help here.

>

> The NTP server on Windows 2003 is for company wide usage purpose that

> will synchronize cisco network devices, unix servers and windows

> 2000/NT. Also the Windows 2003 will act as a NTP client to synchronize

> from the GRPS time source.(The Windows 2003 is also a Primary Domain

> Controller).

>

> /-----

> Network Devices (Cisco...)

>

> GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)

>

> \-----

> Unix, Win2000, NT Servers

>

> From the technical documents on the microsoft website, there isn't

> much about the detail to set up an NTP server. I have followed the

> steps of those technical documents and modified the "W32Time" in

> registry. Finally, it could synchronize the other machines. But I have

> not much confidence on it, since there isn't much information about

> the meaning of values in the registry. And any unknown change could be

> a risk to the PDC and the whole infrastructure.

>

> At present, I installed another Win2k3 to simulate the PDC as a NTP

> server(Not client for GPRS yet), and it works. This synchronizes with

> the Cisco Switch 2950 and Unix about every 17 minutes.

>

> Here are the registries I changed under "W32Time":

>

> ===========================================

>

> \Parameters\Type -> NTP

>

> \Config\AnnounceFlags -> 5

>

> \TimeProviders\NtpServer\Enabled -> 1

>

> \TimeProviders\NtpClient\SpecialPollInterval -> 900

>

> \Config\MaxPosPhaseCorrection -> 172800

>

> \Config\MaxNegPhaseCorrection -> 172800

>

> \Config\LocalClockDispersion -> 0 (Previous 10)

>

> Run the commands to restart the time service:

>

> - net stop w32time

>

> - net start w32time

>

> ===========================================

>

> There are questions about the NTP in Win2003

>

> (1) Does NTP in Win2003 have the security option to set a key for

> authentication?

 

Within an Active Directory forest, the Windows Time service (W32time) relies

on standard domain security features to enforce the authentication of time

data. The security of Network Time Protocol (NTP) packets that are sent between

a domain member and a local domain controller that is acting as a time server

is based on shared key authentication. The Windows Time service uses the

local computer's Kerberos session key to create authenticated signatures

on NTP packets that are sent across the network. When a computer requests

the time from a domain controller in the domain hierarchy, the Windows Time

service requires that the time be authenticated. The domain controller then

returns the required information in the form of a 64-bit value that has been

authenticated with the session key from the Net Logon service. If the returned

NTP packet is not signed with the computer's session key or if it is not

signed correctly, the time is rejected. In this way, the Windows Time service

provides security for NTP data in an Active Directory forest.

 

 

> (2) How to set the value of registry and control the interval that

> clients update their time?

 

http://technet2.microsoft.com/windowsserver/en/library/fcc66e8b-58d9-41c9-83ee-56d07397e3e01033.mspx?mfr=true

> I have made a call to Microsoft, but they treated it as a "How to", no

> support on this. @.@

>

> Thanks to all, any information is appreciated.

>

[Guest Kent]

Re: How to do better on Win2003's NTP?

 

Hello, Meinolf

 

Thanks for your reply, the web link of registry is helpful to me.

 

And the question about the authentication key I asked about is for the Unix

server's switch/router's NTP. They got authencation key for security option,

but window2003 support this?

 

Best regards,

Kent Si

 

 

"Meinolf Weber" wrote:

> Hello Kent,

>

> See here and inline:

> http://support.microsoft.com/kb/816042

>

> Expand all on the left pane and you got a lot of infos:

> http://technet2.microsoft.com/windowsserver/en/library/ac86e77c-0be3-430a-ba0b-c2225506fc4f1033.mspx

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

> > Hello all, I am setting up the NTP server function in the Windows 2003

> > PDC server. There are not much information about the value in W32Time

> > registry, so hope to get some help here.

> >

> > The NTP server on Windows 2003 is for company wide usage purpose that

> > will synchronize cisco network devices, unix servers and windows

> > 2000/NT. Also the Windows 2003 will act as a NTP client to synchronize

> > from the GRPS time source.(The Windows 2003 is also a Primary Domain

> > Controller).

> >

> > /-----

> > Network Devices (Cisco...)

> >

> > GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)

> >

> > \-----

> > Unix, Win2000, NT Servers

> >

> > From the technical documents on the microsoft website, there isn't

> > much about the detail to set up an NTP server. I have followed the

> > steps of those technical documents and modified the "W32Time" in

> > registry. Finally, it could synchronize the other machines. But I have

> > not much confidence on it, since there isn't much information about

> > the meaning of values in the registry. And any unknown change could be

> > a risk to the PDC and the whole infrastructure.

> >

> > At present, I installed another Win2k3 to simulate the PDC as a NTP

> > server(Not client for GPRS yet), and it works. This synchronizes with

> > the Cisco Switch 2950 and Unix about every 17 minutes.

> >

> > Here are the registries I changed under "W32Time":

> >

> > ===========================================

> >

> > \Parameters\Type -> NTP

> >

> > \Config\AnnounceFlags -> 5

> >

> > \TimeProviders\NtpServer\Enabled -> 1

> >

> > \TimeProviders\NtpClient\SpecialPollInterval -> 900

> >

> > \Config\MaxPosPhaseCorrection -> 172800

> >

> > \Config\MaxNegPhaseCorrection -> 172800

> >

> > \Config\LocalClockDispersion -> 0 (Previous 10)

> >

> > Run the commands to restart the time service:

> >

> > - net stop w32time

> >

> > - net start w32time

> >

> > ===========================================

> >

> > There are questions about the NTP in Win2003

> >

> > (1) Does NTP in Win2003 have the security option to set a key for

> > authentication?

>

> Within an Active Directory forest, the Windows Time service (W32time) relies

> on standard domain security features to enforce the authentication of time

> data. The security of Network Time Protocol (NTP) packets that are sent between

> a domain member and a local domain controller that is acting as a time server

> is based on shared key authentication. The Windows Time service uses the

> local computer's Kerberos session key to create authenticated signatures

> on NTP packets that are sent across the network. When a computer requests

> the time from a domain controller in the domain hierarchy, the Windows Time

> service requires that the time be authenticated. The domain controller then

> returns the required information in the form of a 64-bit value that has been

> authenticated with the session key from the Net Logon service. If the returned

> NTP packet is not signed with the computer's session key or if it is not

> signed correctly, the time is rejected. In this way, the Windows Time service

> provides security for NTP data in an Active Directory forest.

>

>

>

> > (2) How to set the value of registry and control the interval that

> > clients update their time?

>

> http://technet2.microsoft.com/windowsserver/en/library/fcc66e8b-58d9-41c9-83ee-56d07397e3e01033.mspx?mfr=true

>

> > I have made a call to Microsoft, but they treated it as a "How to", no

> > support on this. @.@

> >

> > Thanks to all, any information is appreciated.

> >

>

>

>

[Guest Kent]

RE: How to do better on Win2003's NTP?

 

Found a good blog about W32time and NTP, and it should be from Microsoft.

 

http://blogs.msdn.com/w32time/default.aspx

 

 

"Kent" wrote:

> Hello all, I am setting up the NTP server function in the Windows 2003 PDC

> server. There are not much information about the value in W32Time registry,

> so hope to get some help here.

>

>

>

> The NTP server on Windows 2003 is for company wide usage purpose that will

> synchronize cisco network devices, unix servers and windows 2000/NT. Also the

> Windows 2003 will act as a NTP client to synchronize from the GRPS time

> source.(The Windows 2003 is also a Primary Domain Controller).

>

>

>

> /-----

> Network Devices (Cisco...)

>

> GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)

>

> \----- Unix,

> Win2000, NT Servers

>

>

>

> From the technical documents on the microsoft website, there isn't much

> about the detail to set up an NTP server. I have followed the steps of those

> technical documents and modified the "W32Time" in registry. Finally, it could

> synchronize the other machines. But I have not much confidence on it, since

> there isn't much information about the meaning of values in the registry. And

> any unknown change could be a risk to the PDC and the whole infrastructure.

>

>

>

> At present, I installed another Win2k3 to simulate the PDC as a NTP

> server(Not client for GPRS yet), and it works. This synchronizes with the

> Cisco Switch 2950 and Unix about every 17 minutes.

>

> Here are the registries I changed under "W32Time":

>

> ===========================================

>

> \Parameters\Type -> NTP

>

> \Config\AnnounceFlags -> 5

>

> \TimeProviders\NtpServer\Enabled -> 1

>

> \TimeProviders\NtpClient\SpecialPollInterval -> 900

>

> \Config\MaxPosPhaseCorrection -> 172800

>

> \Config\MaxNegPhaseCorrection -> 172800

>

> \Config\LocalClockDispersion -> 0 (Previous 10)

>

>

>

> Run the commands to restart the time service:

>

> - net stop w32time

>

> - net start w32time

>

> ===========================================

>

>

>

>

>

>

> There are questions about the NTP in Win2003

>

> (1) Does NTP in Win2003 have the security option to set a key for

> authentication?

>

> (2) How to set the value of registry and control the interval that clients

> update their time?

>

>

>

> I have made a call to Microsoft, but they treated it as a "How to", no

> support on this. @.@

>

>

>

> Thanks to all, any information is appreciated.

[Guest Meinolf Weber]

Re: How to do better on Win2003's NTP?

 

Hello Kent,

 

In the time service you have no option for adding authentication. See here

how the authentication works, scroll down to"NTP Security":

http://technet2.microsoft.com/windowsserver/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hello, Meinolf

>

> Thanks for your reply, the web link of registry is helpful to me.

>

> And the question about the authentication key I asked about is for the

> Unix server's switch/router's NTP. They got authencation key for

> security option, but window2003 support this?

>

> Best regards, Kent Si

>

> "Meinolf Weber" wrote:

>

>> Hello Kent,

>>

>> See here and inline:

>> http://support.microsoft.com/kb/816042

>> Expand all on the left pane and you got a lot of infos:

>> http://technet2.microsoft.com/windowsserver/en/library/ac86e77c-0be3-

>> 430a-ba0b-c2225506fc4f1033.mspx

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>> ** Please do NOT email, only reply to Newsgroups

>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>> Hello all, I am setting up the NTP server function in the Windows

>>> 2003 PDC server. There are not much information about the value in

>>> W32Time registry, so hope to get some help here.

>>>

>>> The NTP server on Windows 2003 is for company wide usage purpose

>>> that will synchronize cisco network devices, unix servers and

>>> windows 2000/NT. Also the Windows 2003 will act as a NTP client to

>>> synchronize from the GRPS time source.(The Windows 2003 is also a

>>> Primary Domain Controller).

>>>

>>> /-----

>>> Network Devices (Cisco...)

>>> GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)

>>>

>>> \-----

>>> Unix, Win2000, NT Servers

>>> From the technical documents on the microsoft website, there isn't

>>> much about the detail to set up an NTP server. I have followed the

>>> steps of those technical documents and modified the "W32Time" in

>>> registry. Finally, it could synchronize the other machines. But I

>>> have not much confidence on it, since there isn't much information

>>> about the meaning of values in the registry. And any unknown change

>>> could be a risk to the PDC and the whole infrastructure.

>>>

>>> At present, I installed another Win2k3 to simulate the PDC as a NTP

>>> server(Not client for GPRS yet), and it works. This synchronizes

>>> with the Cisco Switch 2950 and Unix about every 17 minutes.

>>>

>>> Here are the registries I changed under "W32Time":

>>>

>>> ===========================================

>>>

>>> \Parameters\Type -> NTP

>>>

>>> \Config\AnnounceFlags -> 5

>>>

>>> \TimeProviders\NtpServer\Enabled -> 1

>>>

>>> \TimeProviders\NtpClient\SpecialPollInterval -> 900

>>>

>>> \Config\MaxPosPhaseCorrection -> 172800

>>>

>>> \Config\MaxNegPhaseCorrection -> 172800

>>>

>>> \Config\LocalClockDispersion -> 0 (Previous 10)

>>>

>>> Run the commands to restart the time service:

>>>

>>> - net stop w32time

>>>

>>> - net start w32time

>>>

>>> ===========================================

>>>

>>> There are questions about the NTP in Win2003

>>>

>>> (1) Does NTP in Win2003 have the security option to set a key for

>>> authentication?

>>>

>> Within an Active Directory forest, the Windows Time service (W32time)

>> relies on standard domain security features to enforce the

>> authentication of time data. The security of Network Time Protocol

>> (NTP) packets that are sent between a domain member and a local

>> domain controller that is acting as a time server is based on shared

>> key authentication. The Windows Time service uses the local

>> computer's Kerberos session key to create authenticated signatures on

>> NTP packets that are sent across the network. When a computer

>> requests the time from a domain controller in the domain hierarchy,

>> the Windows Time service requires that the time be authenticated. The

>> domain controller then returns the required information in the form

>> of a 64-bit value that has been authenticated with the session key

>> from the Net Logon service. If the returned NTP packet is not signed

>> with the computer's session key or if it is not signed correctly, the

>> time is rejected. In this way, the Windows Time service provides

>> security for NTP data in an Active Directory forest.

>>

>>> (2) How to set the value of registry and control the interval that

>>> clients update their time?

>>>

>> http://technet2.microsoft.com/windowsserver/en/library/fcc66e8b-58d9-

>> 41c9-83ee-56d07397e3e01033.mspx?mfr=true

>>

>>> I have made a call to Microsoft, but they treated it as a "How to",

>>> no support on this. @.@

>>>

>>> Thanks to all, any information is appreciated.

>>>

[Guest Kent]

Re: How to do better on Win2003's NTP?

 

Thank you very much for you help.

 

 

"Meinolf Weber" wrote:

> Hello Kent,

>

> In the time service you have no option for adding authentication. See here

> how the authentication works, scroll down to"NTP Security":

> http://technet2.microsoft.com/windowsserver/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

> > Hello, Meinolf

> >

> > Thanks for your reply, the web link of registry is helpful to me.

> >

> > And the question about the authentication key I asked about is for the

> > Unix server's switch/router's NTP. They got authencation key for

> > security option, but window2003 support this?

> >

> > Best regards, Kent Si

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Kent,

> >>

> >> See here and inline:

> >> http://support.microsoft.com/kb/816042

> >> Expand all on the left pane and you got a lot of infos:

> >> http://technet2.microsoft.com/windowsserver/en/library/ac86e77c-0be3-

> >> 430a-ba0b-c2225506fc4f1033.mspx

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >> ** Please do NOT email, only reply to Newsgroups

> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> >>> Hello all, I am setting up the NTP server function in the Windows

> >>> 2003 PDC server. There are not much information about the value in

> >>> W32Time registry, so hope to get some help here.

> >>>

> >>> The NTP server on Windows 2003 is for company wide usage purpose

> >>> that will synchronize cisco network devices, unix servers and

> >>> windows 2000/NT. Also the Windows 2003 will act as a NTP client to

> >>> synchronize from the GRPS time source.(The Windows 2003 is also a

> >>> Primary Domain Controller).

> >>>

> >>> /-----

> >>> Network Devices (Cisco...)

> >>> GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)

> >>>

> >>> \-----

> >>> Unix, Win2000, NT Servers

> >>> From the technical documents on the microsoft website, there isn't

> >>> much about the detail to set up an NTP server. I have followed the

> >>> steps of those technical documents and modified the "W32Time" in

> >>> registry. Finally, it could synchronize the other machines. But I

> >>> have not much confidence on it, since there isn't much information

> >>> about the meaning of values in the registry. And any unknown change

> >>> could be a risk to the PDC and the whole infrastructure.

> >>>

> >>> At present, I installed another Win2k3 to simulate the PDC as a NTP

> >>> server(Not client for GPRS yet), and it works. This synchronizes

> >>> with the Cisco Switch 2950 and Unix about every 17 minutes.

> >>>

> >>> Here are the registries I changed under "W32Time":

> >>>

> >>> ===========================================

> >>>

> >>> \Parameters\Type -> NTP

> >>>

> >>> \Config\AnnounceFlags -> 5

> >>>

> >>> \TimeProviders\NtpServer\Enabled -> 1

> >>>

> >>> \TimeProviders\NtpClient\SpecialPollInterval -> 900

> >>>

> >>> \Config\MaxPosPhaseCorrection -> 172800

> >>>

> >>> \Config\MaxNegPhaseCorrection -> 172800

> >>>

> >>> \Config\LocalClockDispersion -> 0 (Previous 10)

> >>>

> >>> Run the commands to restart the time service:

> >>>

> >>> - net stop w32time

> >>>

> >>> - net start w32time

> >>>

> >>> ===========================================

> >>>

> >>> There are questions about the NTP in Win2003

> >>>

> >>> (1) Does NTP in Win2003 have the security option to set a key for

> >>> authentication?

> >>>

> >> Within an Active Directory forest, the Windows Time service (W32time)

> >> relies on standard domain security features to enforce the

> >> authentication of time data. The security of Network Time Protocol

> >> (NTP) packets that are sent between a domain member and a local

> >> domain controller that is acting as a time server is based on shared

> >> key authentication. The Windows Time service uses the local

> >> computer's Kerberos session key to create authenticated signatures on

> >> NTP packets that are sent across the network. When a computer

> >> requests the time from a domain controller in the domain hierarchy,

> >> the Windows Time service requires that the time be authenticated. The

> >> domain controller then returns the required information in the form

> >> of a 64-bit value that has been authenticated with the session key

> >> from the Net Logon service. If the returned NTP packet is not signed

> >> with the computer's session key or if it is not signed correctly, the

> >> time is rejected. In this way, the Windows Time service provides

> >> security for NTP data in an Active Directory forest.

> >>

> >>> (2) How to set the value of registry and control the interval that

> >>> clients update their time?

> >>>

> >> http://technet2.microsoft.com/windowsserver/en/library/fcc66e8b-58d9-

> >> 41c9-83ee-56d07397e3e01033.mspx?mfr=true

> >>

> >>> I have made a call to Microsoft, but they treated it as a "How to",

> >>> no support on this. @.@

> >>>

> >>> Thanks to all, any information is appreciated.

> >>>

>

>

>