Re: Time service



Thank you for your answers.

When I said that it's not recommended to keep the PDCe as the reliable time
source, it was because of what I read in the "How Windows Time
Service Works" document on TechNet:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/71e76587-28f4-4272-a3d7-7f44ca50c018.mspx

"To establish a computer running Windows Server 2003 as authoritative,
the computer must be configured to be a reliable time source. By
default, the first domain controller that is installed on a Windows
Server 2003 domain is automatically configured to be a reliable time
source. Because it is the authoritative computer for the domain, it
must be configured to synchronize with an external time source rather
than with the domain hierarchy. Also by default, all other Windows
Server 2003 domain members are configured to synchronize with the
domain hierarchy."


So, if I understand you correctly, in an already installed AD forest, I can
open UDP port 123 in my firewall and execute on the forest PDCe:

w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"www.timesrv1.com 222.222.222.222"

where www.timesrv1.com is a time server on the Internet and
222.222.222.222 is its IP address.

Is this all I have to do?

Could you tell me if any registry modification is needed?
Do I need to run any other command on the forest PDCe or on other forest
DCs in order to synchronize?

Do you know if this kind of service (access to the time server) is
free, or must I register and pay?

Thank you very much,


Ulf wrote:

> omg says...
> > 1. Does anyone know where I could find a guide about best practices in
> > configuring the time service in a large Windows 2003 AD forest?
>
> Usually configure an external time source on one or multiple DCs in the forest
> root, and use the default behavior on all other machines.
>
> > I have seen that it is not recommended to keep the root PDC as a time source for the
> > forest.
>
> Never heard about this, do you have a reference?
>
> > What could I do? Is opening UDP port 123 in the firewall and
> > connecting to an Internet NTP server a secure solution?
>
> Probably the most secure solution is using a hardware clock connected to any
> machine in the network (it might be the PDC emulator or any other; then have the
> PDCe pull the time from that machine). However, usually NTP is sufficient,
> and be aware that there are routers/switches or other devices you may have in
> your DMZ which are also able to function as NTP client/server. I've also heard
> of telephone systems which need to have a time source and provide NTP server
> services.
>
> > How to do this?
>
> Configure NTP on the PDCe:
> w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"dns1 dns2 ip3"
>
> (I always recommend putting in FQDNs (=dns) and IP addresses to make sure that
> time sync works when you have DNS issues)
>
> Configure a hardware clock or trust the BIOS clock:
> Registry:
> HKLM\System\CurrentControlSet\Services\w32time\Parameters
> type = NoSync
> ReliableTimeSource = 1 (reg_dword)
>
> Then configure the driver or software for your hardware clock, and don't forget
> to restart w32time:
> net stop w32time && net start w32time
>
> > Or are there external hardware clock devices to install?
>
> Sure there are; in most cases NTP would be sufficient.
>
> > Are these devices more recommended than Internet NTP servers?
>
> A hardware device is a bit more secure; however, you would be able to spoof
> both. So it's up to you. And I would make it dependent on the reliability of
> your connection to the Internet as well.
>
> > What stratum server level is secure enough? Should it be a pooled server or not?
>
> The stratum level is not about security; it's about "how many hops it is away
> from a reliable time server".
>
> > 2. Can the NTP time source be configured when the AD forest is
> > already deployed (root + child domains)?
>
> Yes, that's possible. However, I've experienced that machines configured to
> sync with external time sources or to trust their own clock sometimes have issues
> when being switched back to the default domain behavior. Usually you can switch
> them back using
>
> w32tm /config /update /syncfromflags:DOMHIER
>
> If you experience issues with it not falling back to the domain behavior, you
> can use the following commands to "reset" the time service:
>
> net stop w32time
> w32tm /unregister
> w32tm /register
> net start w32time
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner

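As an added example that is not part of the thread: a PowerShell check for the setup discussed above, run on a DC. It reports whether this host is the PDC emulator, whether the W32Time `Type` matches its role (NTP with manual peers on the PDCe, NT5DS elsewhere), and sends a plain SNTP client request over UDP 123 to each configured peer to confirm the firewall path and measure the offset. It assumes PowerShell is available on the DC and that the `AnnounceFlags` value lives under the W32Time `Config` key.

```powershell
# Added example, not from the thread: audit W32Time settings on this DC and
# probe each configured peer over UDP 123 with a plain SNTP client request.
# Assumes PowerShell 2.0 or later on the DC and a domain-joined session.

function Get-NtpTimestamp([byte[]]$pkt, [int]$pos) {
    # NTP timestamps are big-endian: 32-bit seconds since 1900-01-01 + 32-bit fraction
    $secs = [BitConverter]::ToUInt32($pkt[($pos+3)..$pos], 0)
    $frac = [BitConverter]::ToUInt32($pkt[($pos+7)..($pos+4)], 0)
    $epoch = New-Object DateTime 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return $epoch.AddSeconds($secs + $frac / 4294967296.0)
}

function Get-NtpOffsetMs([string]$server) {
    # Classic SNTP offset: ((t2 - t1) + (t3 - t4)) / 2, in milliseconds
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 3000
    try {
        $udp.Connect($server, 123)
        $req = New-Object byte[] 48
        $req[0] = 0x1B                      # LI=0, VN=3, Mode=3 (client)
        $t1 = [DateTime]::UtcNow
        [void]$udp.Send($req, 48)
        $ep = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$ep)
        $t4 = [DateTime]::UtcNow
        $t2 = Get-NtpTimestamp $resp 32     # receive timestamp
        $t3 = Get-NtpTimestamp $resp 40     # transmit timestamp
        return (($t2 - $t1).TotalMilliseconds + ($t3 - $t4).TotalMilliseconds) / 2
    } finally { $udp.Close() }
}

# Which DC holds the PDC emulator role, and is it this machine?
$pdce = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdce = ($pdce -split '\.')[0] -ieq $env:COMPUTERNAME

$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$c = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$expected = if ($isPdce) { 'NTP' } else { 'NT5DS' }   # PDCe: manual peers; others: domain hierarchy
"PDCe: $pdce  (this host: $isPdce)"
"Type={0}  expected={1}  AnnounceFlags=0x{2:X}" -f $p.Type, $expected, $c.AnnounceFlags
"NtpServer: " + $p.NtpServer
if ($p.Type -ne $expected) { Write-Warning "Type '$($p.Type)' does not match the role of this DC" }

# Probe each manual peer; the ',0x9'-style suffix is a W32Time flag, not part of the host name
foreach ($peer in ($p.NtpServer -split '\s+' | Where-Object { $_ })) {
    $peerHost = ($peer -split ',')[0]
    try   { "{0,-30} offset {1,8:N1} ms" -f $peerHost, (Get-NtpOffsetMs $peerHost) }
    catch { Write-Warning "$peerHost : no reply on UDP 123 ($($_.Exception.Message))" }
}
```

A peer that times out here usually means UDP 123 is still blocked outbound, while a large offset against a reachable peer points at the local clock or the peer itself rather than the firewall.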