Re: How to do better on Win2003's NTP?



Hello Kent,

In the time service you have no option for adding authentication. See here how the authentication works, scroll down to "NTP Security":
http://technet2.microsoft.com/windowsserver/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello, Meinolf

Thanks for your reply, the web link of registry is helpful to me.

And the question about the authentication key I asked about is for the
Unix server's and switch/router's NTP. They have an authentication key as a
security option, but does Windows 2003 support this?

Best regards, Kent Si

"Meinolf Weber" wrote:

Hello Kent,

See here and inline:
http://support.microsoft.com/kb/816042
Expand all on the left pane and you got a lot of infos:
http://technet2.microsoft.com/windowsserver/en/library/ac86e77c-0be3-430a-ba0b-c2225506fc4f1033.mspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello all, I am setting up the NTP server function in the Windows
2003 PDC server. There is not much information about the values in
the W32Time registry, so I hope to get some help here.

The NTP server on Windows 2003 is for company-wide usage and will
synchronize Cisco network devices, Unix servers and Windows 2000/NT.
Also, the Windows 2003 server will act as an NTP client to
synchronize from the GPRS time source. (The Windows 2003 server is also
a Primary Domain Controller.)

                           /----- Network Devices (Cisco...)
GPRS Time Source -- Win2003 PDC ----- Domain Clients (XP)
                           \----- Unix, Win2000, NT Servers

From the technical documents on the Microsoft website, there isn't
much detail about setting up an NTP server. I have followed the
steps in those technical documents and modified "W32Time" in the
registry. Finally, it could synchronize the other machines. But I do
not have much confidence in it, since there isn't much information
about the meaning of the values in the registry, and any unknown change
could be a risk to the PDC and the whole infrastructure.

At present, I have installed another Win2k3 to simulate the PDC as an NTP
server (not a client for GPRS yet), and it works. It synchronizes
with the Cisco Switch 2950 and Unix about every 17 minutes.

Here are the registry values I changed under "W32Time":

===========================================

\Parameters\Type -> NTP

\Config\AnnounceFlags -> 5

\TimeProviders\NtpServer\Enabled -> 1

\TimeProviders\NtpClient\SpecialPollInterval -> 900

\Config\MaxPosPhaseCorrection -> 172800

\Config\MaxNegPhaseCorrection -> 172800

\Config\LocalClockDispersion -> 0 (Previous 10)

Run the commands to restart the time service:

- net stop w32time

- net start w32time

===========================================

I have some questions about NTP in Win2003:

(1) Does NTP in Win2003 have the security option to set a key for
authentication?

Within an Active Directory forest, the Windows Time service (W32time)
relies on standard domain security features to enforce the
authentication of time data. The security of Network Time Protocol
(NTP) packets that are sent between a domain member and a local
domain controller that is acting as a time server is based on shared
key authentication. The Windows Time service uses the local
computer's Kerberos session key to create authenticated signatures on
NTP packets that are sent across the network. When a computer
requests the time from a domain controller in the domain hierarchy,
the Windows Time service requires that the time be authenticated. The
domain controller then returns the required information in the form
of a 64-bit value that has been authenticated with the session key
from the Net Logon service. If the returned NTP packet is not signed
with the computer's session key or if it is not signed correctly, the
time is rejected. In this way, the Windows Time service provides
security for NTP data in an Active Directory forest.

(2) How to set the registry values and control the interval at which
clients update their time?

http://technet2.microsoft.com/windowsserver/en/library/fcc66e8b-58d9-41c9-83ee-56d07397e3e01033.mspx?mfr=true

I made a call to Microsoft, but they treated it as a "how to", so
there was no support on this. @.@

Thanks to all, any information is appreciated.
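As an added example (not code from the thread, from Microsoft or from ntpd), the following Python script frames NTP packets the way ntpd and Cisco IOS symmetric-key authentication does (a 4-byte key ID plus an MD5 digest over key and header) and classifies a received packet as unauthenticated, valid, bad MAC, unknown key or malformed. It makes concrete what question (1) is asking about: an authenticated Unix/Cisco peer appends that trailer, while a server that answers with a bare 48-byte header, which is what the thread says the Win2003 time service does in NTP mode, shows up as unauthenticated. Key ID 1, the key bytes and the packets are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48        # fixed NTP header: LI/VN/mode ... transmit timestamp
MD5_MAC_LEN = 4 + 16       # key ID + MD5 digest, the ntpd "M"-type key trailer


def build_header(mode=4, stratum=2, poll=10, ref_id=b"GPS\0"):
    """Constructed NTP v4 header; timestamps are zero because only framing matters here."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode     # LI=0, version 4, mode 4 = server
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, -20,
                       0, 0, ref_id, 0, 0, 0, 0)


def md5_mac(key, header):
    """Symmetric-key MAC as ntpd/IOS compute it for MD5 keys: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def authenticate(header, key_id, key):
    """Append the key ID and MAC, turning a bare header into an authenticated packet."""
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def inspect(packet, keys):
    """Classify a received packet against a dict of {key_id: key_bytes}."""
    if len(packet) < NTP_HEADER_LEN:
        return {"status": "malformed"}
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    mode = header[0] & 0x07
    if not trailer:                      # bare header: nothing to verify the source with
        return {"status": "unauthenticated", "mode": mode}
    if len(trailer) != MD5_MAC_LEN:
        return {"status": "malformed", "mode": mode}
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return {"status": "unknown_key", "mode": mode, "key_id": key_id}
    ok = hmac.compare_digest(md5_mac(key, header), trailer[4:])
    return {"status": "valid" if ok else "bad_mac", "mode": mode, "key_id": key_id}


if __name__ == "__main__":
    trusted = {1: b"constructed-sample-key"}
    bare = build_header()                         # what an unauthenticated server sends
    signed = authenticate(build_header(), 1, trusted[1])
    tampered = signed[:1] + bytes([signed[1] ^ 1]) + signed[2:]   # stratum altered in flight
    for name, pkt in [("bare", bare), ("signed", signed), ("tampered", tampered)]:
        print(name, len(pkt), "bytes ->", inspect(pkt, trusted)["status"])
```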
