Re: Windows 2003 NTP service
- From: "Erik Cheizoo" <echeizoo.XenD.nl@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 6 Feb 2007 12:51:28 +0100
Feras,
Start by reading these, as they will give you a detailed understanding of the Windows time services:
http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true
The answers to your questions:
You do not have to configure anything. By default, all machines joined to the forest/domain will follow the domain hierarchy for time services using SNTP. The PDCe will always be the authoritative time source, so make sure it is synchronized well with an external time source. Provided you have configured your sites and subnets correctly, computers will select the best time source, which is usually the DC in the local site. You can ignore the time.windows.com entries; they will not be used when the computer is joined to the domain. Be aware of the fact that this is default behavior; if someone has already played around, the configuration might be different. Do not set the NTP options in DHCP.
As a side note, time within a domain/forest is always measured in UTC. The locally configured time zone will then translate the time to the human-expected time, so adjusted for time zone and DST. This means that time zones must be configured on each and every computer out there. Setting it on the DCs only will not affect the time zones on the workstations.
The Windows Time service uses the computer’s Kerberos session key to create authenticated signatures on NTP packets that are sent across the network. NTP packets are not transmitted inside the Net Logon secure channel. Instead, when a computer requests the time from a domain controller in the domain hierarchy, the Windows Time service requires that the time be authenticated. The domain controller then returns the required information in the form of a 64-bit value that has been authenticated with the session key from the Net Logon service. If the returned NTP packet is not signed with the computer’s session key or is signed incorrectly, the time is rejected. All such authentication failures are logged in the Event Log. In this way, the Windows Time service provides security for NTP data in a Windows Server 2003 forest.
Port used for NTP and/or SNTP is UDP 123.
--
Kind regards,
Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================
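The behaviour Erik describes (members and non-PDCe DCs following the domain hierarchy, the forest-root PDCe being the one box that needs an external source, time.windows.com entries being ignored once joined, signing failures landing in the Event Log, UDP 123 to the PDCe) can be checked from any domain member. The script below is an added example and is not part of this thread or of Microsoft's documentation. It assumes an elevated PowerShell on a domain-joined host; the W32Time registry values (`Type`, `NtpServer`), the `W32Time` event source in the System log and the `w32tm` switches used are the standard ones.

```powershell
# Added example (not from the thread): audit how this domain member gets its time.
# Assumptions: elevated PowerShell, domain-joined host, standard W32Time locations.
$Remediate = $false   # set to $true to reset a wrongly configured member to the domain hierarchy

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params    = Get-ItemProperty -Path $paramsKey

# Type = NT5DS means "follow the domain hierarchy" (the default for members and
# non-root-PDCe DCs); Type = NTP means a manually configured server list is in use.
$syncType  = $params.Type
$ntpServer = $params.NtpServer

# Work out where this host sits in the hierarchy.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdce     = $domain.PdcRoleOwner.Name                 # PDCe of this domain
$rootPdce = $domain.Forest.RootDomain.PdcRoleOwner.Name   # PDCe of the forest root
$me       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isRootPdce = ($me -ieq $rootPdce)

Write-Host "Host:              $me"
Write-Host "Domain PDCe:       $pdce"
Write-Host "Forest-root PDCe:  $rootPdce"
Write-Host "W32Time Type:      $syncType"
Write-Host "W32Time NtpServer: $ntpServer"

$findings = @()
if (-not $isRootPdce -and $syncType -ne 'NT5DS') {
    $findings += "Type=$syncType instead of NT5DS: this host is not following the domain hierarchy (manual configuration)."
}
if (-not $isRootPdce -and $ntpServer -match 'time\.windows\.com') {
    $findings += "NtpServer still lists time.windows.com: ignored while Type=NT5DS, but in use if Type=NTP."
}
if ($isRootPdce -and $syncType -eq 'NT5DS') {
    $findings += "This is the forest-root PDCe but Type=NT5DS: it has nothing above it and needs an external source."
}

# Rejected or unsigned NTP replies and lost sources are logged by the W32Time source
# in the System log; list the last week's errors and warnings.
$since  = (Get-Date).AddDays(-7)
$events = Get-EventLog -LogName System -Source W32Time -After $since `
                       -EntryType Error, Warning -ErrorAction SilentlyContinue
if ($events) {
    $findings += "$($events.Count) W32Time error/warning event(s) since $since; last: $($events[0].Message)"
}

# Measure the clock offset against this domain's PDCe. This is plain NTP over UDP 123,
# so it also exercises the firewall rule between a remote site and the HQ DCs.
Write-Host "`nOffset against $pdce (w32tm /stripchart):"
& w32tm /stripchart /computer:$pdce /samples:3 /dataonly

if ($findings.Count -eq 0) {
    Write-Host "`nNo findings: time configuration matches the expected domain-hierarchy defaults."
} else {
    Write-Host "`nFindings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

# Remediation for a member or non-root-PDCe DC that someone pointed at a manual source:
# put it back on the domain hierarchy and force a sync.
if ($Remediate -and -not $isRootPdce -and $syncType -ne 'NT5DS') {
    & w32tm /config /syncfromflags:domhier /update
    & w32tm /resync
}
```

Run it on a workstation and on a DC in each site: the expected result on everything except the forest-root PDCe is `Type = NT5DS`, no recent W32Time errors and a small offset against the local domain's PDCe. Leave `$Remediate` at `$false` on the forest-root PDCe; that host is the one place where a manual external source is the right configuration.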
"Feras Mustafa" <FerasMustafa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A6C409A9-D992-489B-B0EC-B92FCEB91BC0@xxxxxxxxxxxxxxxx
Hi,
I have some questions about the Windows 2003 NTP service. Thanks in advance for any answer to any of them or all of them!
1- Does the NTP in Windows 2003 support authentication?? Secure NTP?? If not, is there any add-on or tool to make it support authentication?
2- I have a root domain and a child domain in my forest. The root has 4 DCs (in different sites across a firewall); the child domain has 24 DCs (in different sites across a firewall), all in the same time zone.
I want the clients in each remote site to get the time from their DC placed in that site (not come to the HQ PDC Em), and all the 28 DCs' time must be in sync. Is there anything I need to configure on the DHCP options for that site?? Or does nothing need to be done and clients will default to their local DC as SNTP??
Also, I need to open only the NTP port between the DCs in the remote sites and the HQ PDCs. What is the required port (TCP/UDP) I need to open on the firewall??
3- I have run the command (net time /querysntp --> and got "time.windows.com") on all the DCs. None of them have access to the Internet. To make use of the internal clock on the Root PDC Emulator, do I need to run (net time /setsntp:root-pdc.root-domain) on all the root DCs and the child domain PDC Em DC?? And run (net time /setsntp:child-pdc.child-domain) on all DCs in the child domain to sync my forest??
Thanks again for your help!!