Re: Windows 2003 NTP service



I've never done it myself, but I think you can.
Probably someone else will respond to this one.

--
Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================


"Feras Mustafa" <FerasMustafa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3EE5A714-3FC3-4E50-A9C5-65099D485B1A@xxxxxxxxxxxxxxxx
Thanks for your great answers to my questions Erik.
Last question is: can I use Windows 2003 as NTP for network devices
(switch, router, etc.)?? Can I use normal domain authentication to place NTP
requests between the network devices and the Windows NTP servers??

"Erik Cheizoo" wrote:

Feras,

start by reading these, as it will give you detailed understanding of
Windows time services:
http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true

The answers to your questions:

You do not have to configure anything. By default, all machines joined to the
forest/domain will follow the domain hierarchy for time services using SNTP.
The PDCe will always be the authoritative time source, so make sure it is
synchronized well with an external time source. Provided you have configured
your sites and subnets correctly, computers will select the best time
source, which is usually the DC in the local site. You can ignore the
time.windows.com entries; they will not be used when the computer is joined
to the domain. Be aware of the fact that this is default behavior; if
someone has already played around, the configuration might be different. Do not
set the NTP options in DHCP.

As a side note, time within a domain/forest is always measured in UTC. The
locally configured time zone will then translate the time to the human
expected time, so adjusted for time zone and DST. This means that time zones
must be configured on each and every computer out there. Setting it on the
DCs only will not affect the time zones on the workstations.

The Windows Time service uses the computer’s Kerberos session key to create
authenticated signatures on NTP packets that are sent across the network.
NTP packets are not transmitted inside the Net Logon secure channel.
Instead, when a computer requests the time from a domain controller in the
domain hierarchy, the Windows Time service requires that the time be
authenticated. The domain controller then returns the required information
in the form of a 64-bit value that has been authenticated with the session
key from the Net Logon service. If the returned NTP packet is not signed
with the computer’s session key or is signed incorrectly, the time is
rejected. All such authentication failures are logged in the Event Log. In
this way, the Windows Time service provides security for NTP data in a
Windows Server 2003 forest.

Port used for NTP and/or SNTP is UDP 123.

--
Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================


"Feras Mustafa" <FerasMustafa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6C409A9-D992-489B-B0EC-B92FCEB91BC0@xxxxxxxxxxxxxxxx
> Hi,
> I have some questions about Windows 2003 NTP service. Thanks in advance
> for any answer to any of them or all of them!
>
> 1- Does the NTP in Windows 2003 support authentication?? Secure NTP?? If
> not, is there any add-on or tool to make it support authentication?
>
> 2- I have a root domain and child domain in my forest, the root has 4 DCs
> (in different sites across firewall). The child domain has 24 DCs (in
> different sites across firewall), all in the same time zone.
> I want the clients in each remote site to get the time from their DC
> placed in that site (not come to the HQ PDC Em), and all the 28 DCs' time
> must be in sync. Is there anything I need to configure on the DHCP options
> for that site?? Or nothing needs to be done and clients will default to
> their local DC as SNTP??
> Also, I need to open only the NTP port between the DCs in the remote sites
> and HQ PDCs, what is the required port (TCP/UDP) I need to open on the
> firewall??
>
> 3- I have run the command (net time /querysntp --> and got
> "time.windows.com") on all the DCs. None of them have access to the
> Internet.
> To make use of internal clock on the Root PDC Emulator, do I need to run
> (net time /setsntp:root-pdc.root-domain) on all the root DCs and the child
> domain PDC Em DC?? and run (net time /setsntp:child-pdc.child-domain) on
> all DCs in the child domain to sync my forest??
>
> Thanks again for your help!!
>
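Erik's reply above says NTP/SNTP runs on UDP 123 and that a DC signs replies for domain members with the Kerberos session key. A network device that is not a domain member talks plain SNTP, so the practical check for the "can I point my switches at the DC" question is to query the DC the way such a device would and look at what comes back. The probe below is an added example, not code from the thread or from Microsoft; it builds an RFC 4330 client request, decodes the reply, computes clock offset and round-trip delay, applies the sanity checks an SNTP client should make before trusting a reply (server mode, leap indicator, stratum, originate timestamp echo), and reports whether anything follows the 48-byte header (an authenticator the unauthenticated device could not verify anyway). The server address, the sample timestamps and the constructed reply used for the offline check are assumptions.

```python
"""Minimal SNTP (RFC 4330) probe for a time server on UDP 123 (for example a
Windows Server 2003 DC). Added example; not part of the original thread."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PORT = 123                 # NTP/SNTP port, as stated in the thread
HEADER_LEN = 48                # bare NTP packet; any bytes beyond this are an authenticator/extension
# LI|VN|Mode, stratum, poll, precision, root delay, root dispersion, ref id, 4 x 64-bit timestamps
HEADER_FMT = "!BBbbIII8I"


def to_ntp(unix_seconds):
    """Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * 2**32)


def from_ntp(secs, frac):
    """64-bit NTP timestamp -> Unix float seconds (0.0 when the field is unset)."""
    return 0.0 if secs == 0 and frac == 0 else secs - NTP_EPOCH_OFFSET + frac / 2**32


def build_request(t1_unix):
    """48-byte client request: LI=0, VN=3, Mode=3; our send time goes in Transmit Timestamp."""
    tx_s, tx_f = to_ntp(t1_unix)
    return struct.pack(HEADER_FMT, (0 << 6) | (3 << 3) | 3, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, tx_s, tx_f)


def make_server_reply(request, t2_unix, t3_unix, stratum=2, ref_id=b"\x0a\x00\x00\x01", li=0):
    """Constructed sample reply (test data, assumed values): Mode=4, echoes the request's
    Transmit Timestamp as Originate, stamps Receive (t2) and Transmit (t3)."""
    fields = struct.unpack(HEADER_FMT, request[:HEADER_LEN])
    orig_s, orig_f = fields[13], fields[14]
    r_s, r_f = to_ntp(t2_unix)
    x_s, x_f = to_ntp(t3_unix)
    return struct.pack(HEADER_FMT, (li << 6) | (3 << 3) | 4, stratum, 10, -20, 0, 0,
                       struct.unpack("!I", ref_id)[0], 0, 0, orig_s, orig_f, r_s, r_f, x_s, x_f)


def parse_response(data, t1_unix, t4_unix):
    """Decode a reply, compute offset/delay (RFC 4330 section 5) and run the client sanity checks."""
    if len(data) < HEADER_LEN:
        raise ValueError("reply shorter than %d bytes" % HEADER_LEN)
    (first, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     _ref_s, _ref_f, orig_s, orig_f, recv_s, recv_f, tx_s, tx_f) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    t2, t3 = from_ntp(recv_s, recv_f), from_ntp(tx_s, tx_f)
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2  # how far our clock is from the server's
    delay = (t4_unix - t1_unix) - (t3 - t2)          # network round trip with server processing removed

    problems = []
    if mode != 4:
        problems.append("mode %d, expected 4 (server)" % mode)
    if li == 3:
        problems.append("leap indicator 3: server clock not synchronized")
    if stratum == 0:
        problems.append("stratum 0: kiss-o'-death/unsynchronized reply, do not use")
    if (orig_s, orig_f) != to_ntp(t1_unix):
        problems.append("originate timestamp does not echo our request (stale or spoofed reply)")
    if (tx_s, tx_f) == (0, 0):
        problems.append("transmit timestamp is zero")

    ref_bytes = struct.pack("!I", ref_id)
    # stratum 0/1: 4-character ASCII code (e.g. LOCL); stratum >= 2: IPv4 address of the upstream source
    reference = ref_bytes.decode("ascii", "replace").strip("\x00") if stratum <= 1 else socket.inet_ntoa(ref_bytes)
    return {
        "version": version, "mode": mode, "leap": li, "stratum": stratum,
        "reference_id": reference, "offset": offset, "delay": delay, "server_time": t3,
        "authenticator_len": len(data) - HEADER_LEN,  # >0 means a signed/extended reply
        "problems": problems,
    }


def query(server, timeout=2.0):
    """Live probe: one request to server:123, reply decoded against our own send/receive times."""
    t1 = time.time()
    request = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return parse_response(data, t1, time.time())


if __name__ == "__main__":
    import sys
    # assumed default target; pass the DC's address or name on the command line
    for key, value in query(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1").items():
        print("%-18s %s" % (key, value))
```

Run it from the network device's subnet (or any host that can reach the DC on UDP 123) to confirm the firewall rule and that the DC answers as a stratum 2 or higher server referencing its upstream source. A reply listing problems, in particular leap indicator 3 or stratum 0, means the DC itself is not synchronized yet and should not be handed to devices as a source, which ties back to Erik's point about getting the PDCe synchronized with an external source first.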

