Re: Windows NTP setup problem. - NTP



  1. Re: Windows NTP setup problem.

    Hello Everyone,

    I am deploying an NTP service in our intranet and am facing some
    problems. Perhaps I am not setting the parameters correctly in the
    ntp.conf file.

    The platform is Windows 2003 x64. I am running the windows build of
    meinberg ntp server.

    Basically, there are two servers which will preferably feed off an
    external time source, and in case the external time source is
    unreachable, they will feed off of each other. Since these machines are
    the domain controllers, all the children members of this domain, will
    act as client to this ntp service, and will sync with the domain
    controllers.

    Here are the ntp.conf files:

    Server A (192.168.3.114)
    ####################################
    driftfile "C:\Program Files (x86)\NTP\etc\ntp.drift"

    crypto pw abc1234
    keysdir "C:\Program Files (x86)\NTP\etc\keys"

    server 127.127.1.0
    server tic.nrc.ca
    server 192.168.3.210 autokey
    fudge 127.127.1.0 stratum 12
    #peer 192.168.3.210 autokey
    #server toc.nrc.ca

    # End of generated ntp.conf --- Please edit this to suite your needs
    ###################################

    Server B (192.168.3.210)
    ###################################
    driftfile "D:\Program Files (x86)\NTP\etc\ntp.drift"

    server 127.127.1.0
    server tic.nrc.ca
    server 192.168.3.114 autokey
    fudge 127.127.1.0 stratum 12
    #peer 192.168.3.114 autokey
    #server tock.usask.ca

    crypto pw abc1234
    keysdir "D:\Program Files (x86)\NTP\etc\keys"

    # End of generated ntp.conf --- Please edit this to suite your needs
    ####################################

    The communication between the two internal servers should be
    authenticated. So, for that, I am using IFF keys, stored at the $keysdir
    location.

    The problem is that if I remove the external server reference from the
    ntp files on both the machines, and change the time on any one of them,
    the other one does not sync its time with this machine. It continues to
    run with a time gap, irrespective of how long I wait for it to sync. Am
    I doing something wrong here?

    Is it necessary that at least one external time source should be
    reachable in order for this setup to work?

    Secondly, I don't understand what "fudge" means and difference between
    peer and server. I have read the documentation, but I am still not sure
    if I should be using my internal server's references as peer or server.

    Any help would be much appreciated.

    Thanks & Regards,
    tualha


    This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from us may be monitored.

    Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Therefore, we do not accept responsibility for any errors or omissions that are present in this message, or any attachment, that have arisen as a result of e-mail transmission. If verification is required, please request a hard-copy version. Any views or opinions presented are solely those of the author and do not necessarily represent those of the company.

  2. Re: Windows NTP setup problem.

    Tualha Khan wrote:
    []
    > Secondly, I don't understand what "fudge" means and difference between
    > peer and server. I have read the documentation, but I am still not
    > sure
    > if I should be using my internal server's references as peer or
    > server.

    []
    > Thanks & Regards,
    > tualha


    Tualha,

    I'll let those more expert comment on the configuration files - I know
    nothing about authentication. Having just two external servers is not
    good, four is better.

    server 127.127.1.0
    fudge 127.127.1.0 stratum 12

    "Fudge" here means "consider my local clock server to be at a
    high-stratum, and therefore only to be used as a last resort, when serving
    time to others". Please see the documentation for more details about
    stratum levels.

    As I understand it, "Server" is a box which can set its time using NTP,
    and respond to requests from clients. Two boxes working as "Peers" can
    set the time on each other, as well as behave as a "Server". But if
    anyone else has a better description, please speak up.

    Cheers,
    David



  3. Re: Windows NTP setup problem.

    >>> In article , tualhakhan@truition.com (Tualha Khan) writes:

    Tualha> Hello Everyone, I am deploying an NTP service in our intranet and am
    Tualha> facing some problems. Perhaps I am not setting the parameters
    Tualha> correctly in the ntp.conf file.

    I think you are correct.

    Have you seen:

    http://support.ntp.org/Support/DesigningYourNTPNetwork

    http://support.ntp.org/Support/Confi...LocalRefclocks

    There is also "orphan mode", which is described in the miscopt.html page of
    recent ntp-dev releases (it is documented in different places in other
    versions of ntp-4.2).

    Tualha> The problem is that if I remove the external server reference from
    Tualha> the ntp files on both the machines, and change the time on any one
    Tualha> of them, the other one does not sync its time with this machine. It
    Tualha> continues to run with a time gap, irrespective of how long I wait
    Tualha> for it to sync. Am I doing something wrong here?

    Yes, look at the stratum of the two servers.

    Tualha> Is it necessary that at least one external time source should be
    Tualha> reachable in order for this setup to work?

    I don't think so.

    Tualha> Secondly, I don't understand what "fudge" means and difference
    Tualha> between peer and server. I have read the documentation, but I am
    Tualha> still not sure if I should be using my internal server's references
    Tualha> as peer or server.

    "fudge" is a way to change some default behaviors.

    Peers exchange time with each other. One only *gets* time from a server,
    there is no exchange of time information.

    --
    Harlan Stenn
    http://ntpforum.isc.org - be a member!

  4. Re: Windows NTP setup problem.

    Tualha Khan wrote:
    > Hello Everyone,
    >


    > The platform is Windows 2003 x64. I am running the windows build of
    > meinberg ntp server.


    I think you mean the Meinberg build of the reference implementation of
    ntpd. All that Meinberg do is to compile and package the standard code,
    for Windows. A version number might help, though.

    >
    > Basically, there are two servers which will preferably feed off an
    > external time source, and in case the external time source is
    > unreachable, they will feed off of each other. Since these machines are


    Feeding off each other can only be done properly using the recently
    introduced orphan mode. I've not used it, but I have a feeling that you
    do not specify local clocks in that case. The alternative approach is
    to use a strict client server relationship and fudge the local clock
    stratums so that the client one is, numerically, at least two greater
    than the server one, although no more than 14.

    Trying to peer with local clocks can cause all sorts of misbehaviour,
    and it is more or less essential that you provide enough real sources of
    time to outvote them.


    >
    > The problem is that if I remove the external server reference from the
    > ntp files on both the machines, and change the time on any one of them,


    Please note that ntpd is not designed to handle this situation well.
    Time doesn't jump at one place but not another!

    > the other one does not sync its time with this machine. It continues to
    > run with a time gap, irrespective of how long I wait for it to sync. Am
    > I doing something wrong here?


    I imagine they both think the other machine is broken.

    >
    > Secondly, I don't understand what "fudge" means and difference between


    The meaning of fudge comes from its sense of meaning cheat.

    It should always be done with a local clock in this situation so that it
    appears to be so far from the root server that its bogus idea of the
    time cannot propagate very far. Times derived more than 15 hops from
    the client are ignored, so fudging to 14 results in direct clients
    accepting the time, but any indirect ones ignoring it. (Of course, some
    versions of w32time are broken, so if you use them as clients, they will
    set the stratum back to 2.)

    > peer and server. I have read the documentation, but I am still not sure
    > if I should be using my internal server's references as peer or server.


    Server means that the client will use the time information that the
    server sends, but the server will ignore the information that the client
    sends, even though it will send it. Peer means that:

    1) at some times, one may nominate the other as its official
    reference source, at some time vice versa, and sometimes a completely
    different source may be used;

    2) according to rules with which I'm not completely familiar, although
    I believe they have restrictions on trivial loops, and stratum
    difference, they can both use the other as one of the sources of time
    in the average of all usable servers used to discipline their own
    time. Even if that works with two local clocks, it is not guaranteed
    to be stable.
    >
    > This message (and any associated files) is intended only for the use
    > of the individual or entity to which it is addressed and may contain


    Then why did you send it to the whole universe?

  5. Re: Windows NTP setup problem.

    David J Taylor wrote:
    > Tualha Khan wrote:
    > []
    >
    >>Secondly, I don't understand what "fudge" means and difference between
    >>peer and server. I have read the documentation, but I am still not
    >>sure
    >>if I should be using my internal server's references as peer or
    >>server.

    >
    > []
    >
    >>Thanks & Regards,
    >>tualha

    >
    >
    > Tualha,
    >
    > I'll let those more expert comment on the configuration files - I know
    > nothing about authentication. Having just two external servers is not
    > good, four is better.


    > As I understand it, "Server" is a box which can set its time using NTP,
    > and respond to requests from clients. Two boxes working as "Peers" can
    > set the time on each other, as well as behave as a "Server". But if
    > anyone else has a better description, please speak up.


    I'd argue with the above wording. Peers don't "set" the time on each
    other. They can serve time to each other. Normally peers would each
    have at least one unique time source else peering would be pointless.


  6. Re: Windows NTP setup problem.

    Richard B. Gilbert wrote:
    []
    > I'd argue with the above wording. Peers don't "set" the time on each
    > other. They can serve time to each other. Normally peers would each
    > have at least one unique time source else peering would be pointless.


    Thanks for that clarification, Richard, much appreciated.

    David



  7. Re: Windows NTP setup problem.

    Hi Everyone,

    Thanks for all the inputs. I have gone through the documentation once
    more, and did find some interesting pieces, which I was missing earlier.


    Long story short (in case you think it's just too much garbage), I can't
    sync two machines with each other, in case there is no external time
    source available. If I change the time of one of the servers by a few
    minutes (less than 1024 seconds), then also, they don't re-sync each
    other, they just maintain that time gap.

    Here is a long email which I had to write to my superior. I know it's not
    relevant or appropriate to read the long email, but I hope you can make
    an exception.

    Thanks & Regards,
    Tualha

    ###############################################

    I have been trying to set this NTP service on two of our test servers
    here. Following is what I have noticed, along with some pointers from ntp
    mailing list:

    1) I am referring to two external time servers which are defined as
    stratum 1.
    tic.nrc.ca prefer
    tock.usask.ca

    2) Both the servers will resort to their own times as last resort.
    server 127.127.1.0
    fudge 127.127.1.0 stratum 12

    3) Both the servers are configured to feed off of each other in case the
    external time sources are unreachable.
    On first server:
    server 192.168.3.114
    On second server:
    server 192.168.3.210

    4) The internal servers will authenticate each other through public key
    cryptography.
    crypto pw abc123
    keysdir "D:\Program Files (x86)\NTP\etc\keys"


    Now, the problem part. Under my test conditions, I have both servers
    configured as follows:

    #crypto pw abc123
    #keysdir "D:\Program Files (x86)\NTP\etc\keys"

    server 127.127.1.0
    server tic.nrc.ca prefer
    server 192.168.3.114 OR server 192.168.3.210
    fudge 127.127.1.0 stratum 12
    #server tock.usask.ca
    #peer 192.168.3.114 autokey

    (some parts commented due to testing.)

    If these servers are unable to reach the external time source, they will
    not try to sync up each other. While the services are running, if I
    manipulate any of the servers' clocks, the other one will notice the time
    offset, but will not do anything to sync itself to that clock or help
    other clock sync to itself. It's as if they will continue to run with
    the time gap.

    However, if I restart the server (not the service), the time gets
    sync'ed at the startup. I was assuming that the restart of the ntp
    daemon will take care of it, but that does not happen.
    Also, what I have read in the documentation is, that, any time
    difference greater than 1024 (~17 minutes) between the two servers, will
    terminate the ntp daemon. In that case, the option is to set the clock
    close to the minute and restart ntpd to take over.

    I have tried the configuration by setting the internal servers as both,
    "peer" or "server", where they are hierarchically defined as:

    As server it makes its own time available as reference time for
    other clients.
    As peer it compares its system time to other peers until all the
    peers finally agree about the "true" time to synchronize to.


    Another thing to note, as per the documentation:

    "Each NTP daemon can be configured to use several independent reference
    time sources. It synchronizes to the reference time source with best
    stratum and lowest jitter and delay. If that reference time source
    becomes unavailable then the daemon automatically switches to the best
    of the remaining time sources which may also result in a change of the
    daemon's stratum value."

    So, for example, in our case, the server which has the "wrong" time
    (192.168.3.114), the ntpq -p output is as follows:

    Checking current status of NTP service with ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *LOCAL(0)        .LOCL.          12 l   47   64  377    0.000    0.000   0.001
     tic.nrc.ca      .INIT.          16 u    -   64    0    0.000    0.000   0.000
     CATEST02        LOCAL(0)        13 u   42   64  377    0.259  534511.   7.910

    Which may mean, that it will not sync its time with CATEST02
    (192.168.3.210), since that server has more jitters and lower stratum
    (13) than its local clock (12).

    On an absolutely different note, I have also read that, in case we go with
    ntpd, then the client machines on the network will not do time
    synchronization with the domain controllers automatically. We will have
    to configure each of them individually to get their time from the domain
    controller machine.

    And lastly, I have not been able to see any authentication flags for the
    w32time windows time service. The tool is called w32tm.

    ###############################################



  8. Re: Windows NTP setup problem.

    Tualha Khan wrote:
    > Now, the problem part. Under my test conditions, I have both servers
    > configured as follows:


    I feel you are well out of your depth with this complexity of timing
    topology.

    >
    > #crypto pw abc123
    > #keysdir "D:\Program Files (x86)\NTP\etc\keys"
    >
    > server 127.127.1.0
    > server tic.nrc.ca prefer
    > server 192.168.3.114 OR server 192.168.3.210
    > fudge 127.127.1.0 stratum 12


    The very least you need to do here is to make one fudge to be 2
    different from the other. I think 12 and 14 will work in your
    configuration, but you could also use 10 and 12.

    If you are trying to be clever with multiple local clocks, it is also
    even more important than normal to have multiple real servers.

    >
    > However, if I restart the server (not the service), the time gets
    > sync'ed at the startup. I was assuming that the restart of the ntp


    When you restart the server, you are probably running something like
    ntpdate against a real server and putting the local clock within the
    error bounds for that server.
