RE: NTP, GPO users and server
- From: v-mzhuan@xxxxxxxxxxxxxxxxxxxx (Manfred Zhuang [MSFT])
- Date: Tue, 18 Sep 2007 10:57:05 GMT
Hello Customer,
Thank you for posting here.
From your post, I understand that you would like to configure SBS server tosynchronize the time with an external server and service time requests from
the internal client workstations. In the mean time, error 675 was found in
event log.
In most situations, these two problems are not associated. In order to
avoid confusion, I suggest we focus on the time service problem in this
thread and post the second problem in a new thread so that it can be
resolved more efficiently. Thank you for your understanding.
For the time service issue, firstly I would like to confirm that did you
modify the policy in Default Domain Policy? Please understand that we don't
recommend you do that since if we edit time service policy in this policy,
it will apply to all the servers and client workstations in the domain.
By default, all the client workstations created in "Server
Management"->"Client Computers" are saved in
MyBusiness\Computers\SBSComputers. Therefore, I suggest you create a new
GPO and link it to this OU. If you find computers in Computers, they are
created automatically. Please move them to SBSComputers.
To achieve your goal, I suggest you try following steps:
Step 1: Ensure Windows Time service is started:
=============================
1. Run services.msc
2. Find Windows Time service, start it and set its startup type to
Automatically.
Step 2: Configure the ISA server (If ISA server is not installed on the SBS
server, please skip this step)
====================
1. In the ISA Server management tool, expand the management nodes that are
beneath your server name.
2. Expand the Access Policy branch to view the list of access policies.
3. Right-click IP Packet Filters, point to New, and then click Filter to
start the New IP Packet Filter Wizard.
4. Type a descriptive name for the filter (such as SNTP Allow Filter), and
then click Next.
5. Click Allow packet transmission as the Filter Mode, and then click Next.
6. Click Custom as the filter type, and then click Next.
7. On the Filter Settings page, click UDP for the IP protocol, click Send
receive for the direction, All ports as the local port, click Fixed port as
the remote port, use port 123 as the remote port number, and then click
Next.
8. Keep the default settings by clicking Next through the next two wizard
pages, and then click Finish at the Completing The New IP Packet Filter
Wizard page.
Step 3: Configuring the Windows Time service on SBS server to use an
external time source
==============================================
To configure an internal time server to synchronize with an external time
source, follow these steps on the SBS server:
1. Change the server type to NTP. To do this, follow these steps:
a. Click Start, click Run, type regedit, and then click OK.
b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
c. In the right pane, right-click Type, and then click Modify.
d. In Edit Value, type NTP in the Value data box, and then click OK.
2. Set AnnounceFlags to 5. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\Announce
Flags
b. In the right pane, right-click AnnounceFlags, and then click Modify.
c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
3. Enable NTPServer. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\N
tpServer\Enabled
b. In the right pane, right-click Enabled, and then click Modify.
c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpS
erver
b. In the right pane, right-click NtpServer, and then click Modify.
c. In Edit Value, type Peers in the Value data box, and then click OK.
Note Peers is a placeholder for a space-delimited list of peers from which
your computer obtains time stamps. Each DNS name that is listed must be
unique. You must append ,0x1 to the end of each DNS name. If you do not
append ,0x1 to the end of each DNS name, the changes made in step 5 will
not take effect.
5. Select the poll interval. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\N
tpClient\SpecialPollInterval
b. In the right pane, right-click SpecialPollInterval, and then click
Modify.
c. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then
click OK.
Note TimeInSeconds is a placeholder for the number of seconds that you want
between each poll. A recommended value is 384. This value configures the
Time Server to poll every 15 minutes.
6. Configure the time correction settings. To do this, follow these steps:
a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPh
aseCorrection
b. In the right pane, right-click MaxPosPhaseCorrection, and then click
Modify.
c. In Edit DWORD Value, select Decimal in the Base box.
d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then
click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour
(3600) or 30 minutes (1800). The value that you select will depend upon the
poll interval, network condition, and external time source.
e. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPh
aseCorrection
f. In the right pane, right-click MaxNegPhaseCorrection, and then click
Modify.
g. In Edit DWORD Value, select Decimal in the Basebox.
h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then
click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour
(3600) or 30 minutes (1800). The value that you select will depend upon the
poll interval, network condition, and external time source.
7. Quit Registry Editor.
8. Stop and restart Windows Time service.
Step 4: Creating a new policy and linking it to the client workstations:
==========================================
1. Open SBS Server Management console.
2. Locate "Advanced Management"->"Active Directory Users and
Computers"->domain name.
3. Make sure the computers are located under
MyBusiness\Computers\SBSComputers. If there were computers under Computers,
it means these accounts are created while the computers manually joined
this domain. Please move them to MyBusiness\Computers\SBSComputers. Also,
if you cannot find some computers on the list, create them.
4. Locate "Advanced Management"->"Group Policy
Management"->"Forest:"->"Domains"->domain name
5. Right-click "MyBusiness"->"Computers"->"SBSComputers", select "Create
and Link a GPO Here".
6. Enter the name for this GPO. Right-click the new GPO and then select
"Edit".
7. Locate "Computer Configuration"->"Administrative
Templates"->"System"->"Windows Time Service"->"Time Provider".
8. Open "Configure Windows NTP Client" to configure NTP settings for the
clients.
- NOTE: This policy can only be used on Windows XP Professional and
Windows Server 2003 computers.
For the NTPserver option, type servername.domainname.local (we generally
use DNS name or IP address here to ensure connectivity).
After that, the SBS server will synchronize the time with the external
server and the client workstations will get the time from the SBS server.
I hope the above information is helpful to you. However, if it does not
work, please help me gather following information:
Please download the MPS Report tool from the following link and run it on
both the SBS server and the client, then send the generated CAB file to my
mailbox v-mzhuan@xxxxxxxxxxxxx for further investigation so that we can
find what the root cause is:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
15706/MPSRPT_SETUPPerf.EX
For your information:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-
88B7-F9C79B7306C0&displaylang=en
Please try the above steps at your earliest convenience. If you have any
concern, please feel free to let me know.
Best regards,
Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: NTP, GPO users and server
| thread-index: Acf5TrS0LFqIMxWxQsGk9fVcW2m+Ww==
| X-WBNR-Posting-Host: 207.46.192.207
| From: =?Utf-8?B?RS4gUGFsbWVy?= <EPalmer@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: NTP, GPO users and server
| Date: Mon, 17 Sep 2007 10:18:03 -0700
| Lines: 34
| Message-ID: <4C1D9B36-A185-4D35-A7EF-37516A308F53@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2929
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:63544
| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi,
|
| I am working on fixing event 675 pre-authentication failures and want to
get
| NTP working correctly. I think the pre-auth error is not really this,
but
| while I am at it I want to get it right.
|
| I have used regedit to set the parameter for NTPserver time-b.nist.gov,0x1
| in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
|
| Then I opened up the Admin> System> Windows Time GPO but I am a little
| confused by how things are relating. In the second document listed below
you
| change the external time server parameter in regedit, but you also change
the
| NTP server in the GPO and they do not appear to be the same. If I want
the
| SBS box to go to the external, but the domain members on the LAN to get
their
| time from the SBS box, would the GPO server setting be to point to the
SBS
| box and the regedit setting to the external NTPserver?
|
| When I tried the NT5DS setting in the GPO I got W32time errors on the
server
| because the SBS box is trying to use itself as the server.
|
| Thanks for any help or insight.
|
| Sincerely,
|
|
|
|
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
security/ws03mngd/26_s3wts.mspx
|
| Using Windows Server 2003 in a Managed Environment
|
http://technet2.microsoft.com/windowsserver/en/library/b43a025f-cce2-4c82-b3
ea-3b95d482db3a1033.mspx?mfr=true
|
| Windows Time Service Tools and Settings
|
.
- Prev by Date: Re: mydocuments missing after logff logon sbs2003 win xp
- Next by Date: RE: Group Policy access denied
- Previous by thread: wholesale nike ,jordan,adidas, puma .shox ,dunk,T-shirt,jeans ,prada,hat,
- Next by thread: RE: NTP, GPO users and server
- Index(es):
Relevant Pages
|
