Issues with w32tm on AD network - NTP

Thread: Issues with w32tm on AD network

  1. Re: Issues with w32tm on AD network

    Danny Mayer wrote:
    > Evandro Menezes wrote:
    >> I'm pretty sure that it's possible to run both NTP and W32TIME at the
    >> same time on the same Windows system provided that only NTP is used to
    >> keep the clock under discipline and W32TIME is used solely to provide
    >> the time for the domain workstations.
    >>

    >
    > No, this is untrue. They both use the 123/UDP port. You cannot have more
    > than one application listening on the socket. Furthermore they cannot
    > both discipline the clock.


    Evandro had implicitly stated what to do to prevent w32time from
    disciplining the system time, so ntpd would be the only one to discipline
    the system time.

    Of course they still can't both open port 123, so the result should be what
    David Wooley has mentioned in his reply.

    Martin

    > Danny
    >
    >> In order to do this, the NTP service is added to the dependency list
    >> of the W32TIME service through the Platform SDK utility SC:
    >>
    >> sc config w32time depend= NTP
    >>
    >> It's also necessary to disable W32TIME from trying to discipline the
    >> clock using the registry editor (REGEDIT) under HKLM\CurrentControlSet
    >> \Services\w32time:
    >>
    >> [TimeProviders\NtpClient]
    >> InputProvider=DWORD:0
    >> [TimeProviders\NtpServer]
    >> InputProvider=DWORD:0
    >>
    >> This will cause NTP to start before W32TIME and thus NTP will take
    >> over disciplining the Windows DC clock and the domain workstations
    >> will still communicate with W32TIME.
    >>
    >> HTH


    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany
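The arrangement Evandro describes above (ntpd disciplines the DC clock, w32time stays installed for domain duties), written out as an added example; this is not code from the thread, from Meinberg or from Microsoft. It assumes the ntpd Windows service is registered under the name "NTP" (the name in the quoted `sc config` line; change `$NtpdService` if yours differs), an elevated PowerShell session on the domain controller, and Windows Server 2012 or later for `Get-NetUDPEndpoint` (use `netstat -ano -p UDP` on older systems). The registry keys are spelled out with their full `HKLM\SYSTEM\...` path.

```powershell
# Added example, not code from the thread: hand the clock to ntpd and keep
# w32time installed but idle, then verify who actually owns UDP/123.
# Assumptions: ntpd service name "NTP", elevated session on the DC.
$ErrorActionPreference = 'Stop'
$NtpdService = 'NTP'
$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. Refuse to proceed without ntpd: a dependency on a missing service would
#    simply stop w32time from starting at all.
if (-not (Get-Service -Name $NtpdService -ErrorAction SilentlyContinue)) {
    throw "Service '$NtpdService' not found; install ntpd first."
}

# 2. Make w32time depend on ntpd so ntpd starts first and binds UDP/123.
#    'sc' is a PowerShell alias for Set-Content, so call sc.exe explicitly.
#    'depend=' replaces the whole list, so preserve existing dependencies.
$deps = @((Get-Service -Name 'w32time').ServicesDependedOn |
          Select-Object -ExpandProperty Name)
if ($deps -notcontains $NtpdService) { $deps += $NtpdService }
& sc.exe config w32time depend= ($deps -join '/') | Out-Null

# 3. Keep w32time away from the clock and off the NTP port. The post sets
#    InputProvider=0; disabling both providers and selecting Type=NoSync
#    (what /syncfromflags:NO writes) is what stops the adjustment loop and
#    the UDP/123 listener.
foreach ($p in 'NtpClient', 'NtpServer') {
    Set-ItemProperty -Path "$W32\TimeProviders\$p" -Name InputProvider -Value 0 -Type DWord
    Set-ItemProperty -Path "$W32\TimeProviders\$p" -Name Enabled       -Value 0 -Type DWord
}
& w32tm.exe /config /syncfromflags:NO /update | Out-Null
Restart-Service -Name 'w32time' -Force

# 4. Verify: every UDP/123 endpoint must belong to the ntpd service process.
function Get-Udp123Owners {
    foreach ($ep in (Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        [pscustomobject]@{ Address = $ep.LocalAddress; Pid = $ep.OwningProcess; Process = $name }
    }
}
$owners  = @(Get-Udp123Owners)
$ntpdPid = (Get-CimInstance Win32_Service -Filter "Name='$NtpdService'").ProcessId
$owners | Format-Table -AutoSize
if (-not $owners) {
    Write-Warning 'nothing is listening on UDP/123; ntpd is not running'
} elseif ($owners | Where-Object { $_.Pid -ne $ntpdPid }) {
    Write-Warning "a process other than '$NtpdService' (PID $ntpdPid) holds UDP/123"
}
```

Step 4 is the part worth keeping around: whoever answers on UDP/123 of a domain controller is the clock every Kerberos-dependent member ends up trusting, and a w32time listener that silently won the race at boot would be serving an undisciplined clock. After the change, run `w32tm /query /source` on a domain member as well, since the limitation Martin mentions (members no longer auto-detecting the DC once ntpd answers) only shows up on the client side.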

  2. Re: Issues with w32tm on AD network

    Jason Rabel wrote:
    > I *believe* you can also tell the PDC (via some w32time command) that the
    > primary time source is another machine, and all clients will use that. Of
    > course that means another machine to manage rather than just installing
    > ntpd on it.
    >
    > If you search the MS website for words like "NTP Domain Controller"
    > there's a lot of info that pops up.


    I've already read a bunch of KB articles about Windows time synchronization.
    Unfortunately most of those articles care about special problems with
    w32time, while other articles are pretty common only and don't cover
    specific scenarios.

    A common configuration for our customers which install a PCI card as a
    primary time source would be as follows:

    - Install the PCI card in the root PDC

    - Since w32time does not support the PCI card directly, install our driver
    which is shipped with the card and let the PDC's system time be
    synchronized by our driver.

    - Run w32time (or ntpd) configured not to touch the system time but make the
    disciplined time available on the network

    This is pretty easy using ntpd with local clock at stratum 0, but we have
    not been able to find a reliable way to configure w32time so that it
    behaves as desired.

    We have tried different registry settings, e.g. running

    w32tm /config /reliable:yes

    resulting in "AnnounceFlags" set to 5

    Sometimes w32time has been working correctly for some time, but then
    after a day suddenly stopped delivering time to its clients.

    So the best and most reliable configuration seemed to be to specify an
    "external" NTP server on the PDC, which runs ntpd.

    BTW, I've searched the MS pages again for the keywords you mention, and I
    only receive search results when I start searching on www.microsoft.com. If
    I start searching at support.microsoft.com the search returns no results,
    which is pretty poor (for MS).


    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany
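The "external ntpd on the PDC" configuration Martin settles on, as an added example that is not code from the thread, from Meinberg or from Microsoft. It assumes an internal ntpd host reachable as `ntp1.corp.example` (a hypothetical name) and an elevated PowerShell session on the PDC emulator; everything else is stock w32tm and the registry values the post refers to.

```powershell
# Added example, not code from the thread: point the PDC emulator's w32time at
# an internal ntpd host, keep it advertising as a reliable source, and check
# the result. Assumptions: upstream host name, elevated session on the PDC.
$ErrorActionPreference = 'Stop'
$Upstream  = 'ntp1.corp.example'   # hypothetical internal ntpd server
$W32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# 0x8 = client mode. MANUAL = consult only the manual peer list, never the
# domain hierarchy (the PDC is the top of that hierarchy anyway).
# Manual peers speak plain, unauthenticated NTP, so keep them internal.
& w32tm.exe /config "/manualpeerlist:$Upstream,0x8" /syncfromflags:MANUAL /reliable:YES /update | Out-Null
& w32tm.exe /resync | Out-Null

# /reliable:YES writes AnnounceFlags = 5: Timeserv_Announce_Yes (1) +
# Reliable_Timeserv_Announce_Yes (4). The default value 10 uses the two
# "auto" bits, which only advertise while w32time considers itself synced.
$flags = (Get-ItemProperty -Path $W32Config -Name AnnounceFlags).AnnounceFlags
if ($flags -ne 5) { Write-Warning "AnnounceFlags is $flags, expected 5" }

# Probe the upstream with w32tm's own stripchart. Data lines look like
# "13:05:02, +00.0012345s"; average the signed offsets.
function Get-NtpOffsetSeconds {
    param([string]$Server, [int]$Samples = 5)
    $lines = & w32tm.exe /stripchart "/computer:$Server" "/samples:$Samples" /dataonly
    $vals  = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $vals) { throw "no samples from $Server (UDP/123 blocked or wrong host?)" }
    ($vals | Measure-Object -Average).Average
}

$offset = Get-NtpOffsetSeconds -Server $Upstream
"offset to $Upstream : $([math]::Round($offset, 6)) s"

# Kerberos tolerates MaxClockSkew (default 5 minutes) between client and KDC.
# Everything below the PDC inherits this offset, so flag it well before that.
if ([math]::Abs($offset) -gt 1.0) {
    Write-Warning 'offset exceeds 1 s; investigate before domain members inherit it'
}

# w32time should now name the upstream rather than "Local CMOS Clock".
& w32tm.exe /query /source
```

The AnnounceFlags check is there because the value is the only thing that distinguishes "this DC is a usable time source" from "this DC will announce itself only while it feels like it"; the stripchart probe is independent of w32time's own state and is the quickest way to tell a broken upstream from a broken local service.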

  3. Re: Issues with w32tm on AD network

    On Feb 26, 2:57 am, Martin Burnicki
    wrote:
    >
    > Of course they still can't both open port 123, so the result should be what
    > David Wooley has mentioned in his reply.


    No, but the workstations use an RPC to UDP port 445 or 137, not 123.
    W32TIME only uses the UDP port 123 when it's configured to be an NTP
    client or server, both disabled in my post above.

    All that W32TIME would do in the configuration above would be to serve
    domain workstations the system time, which is itself then disciplined
    by NTP.

    It may not be the ideal configuration, but it works.

    HTH

  4. Re: Issues with w32tm on AD network

    Evandro Menezes wrote:
    >
    > No, but the workstations use an RPC to UDP port 445 or 137, not 123.
    > W32TIME only uses the UDP port 123 when it's configured to be an NTP
    > client or server, both disabled in my post above.
    >

    I don't think w32time is doing anything at all in that case. If the
    workstations are using Windows Networking for their time (which they
    should not be in a modern Windows domain configuration) the support for
    that pre-dates w32time by a long way. Modern workstations on modern
    Windows networks use their own copy of w32time, on port 123.

    w32time's main reason for existence is not establishing a correct
    absolute time, but for ensuring that times are close enough for
    Microsoft's derivative of Kerberos works.

  5. Re: Issues with w32tm on AD network

    On Feb 26, 11:43 am, Evandro Menezes wrote:

    > No, but the workstations use an RPC to UDP port 445 or 137, not 123.
    > W32TIME only uses the UDP port 123 when it's configured to be an NTP
    > client or server, both disabled in my post above.


    This is not true. Windows time service uses UDP/123, just like every
    other NTP or SNTP implementation. All of Microsoft's documentation that
    I have read (and I think I have read everything concerning w32time)
    agrees on that point.

    If you disable both client and server aspects of w32time, it does
    nothing whatsoever, I would think.


  6. Re: Issues with w32tm on AD network

    Martin Burnicki wrote:
    > Danny Mayer wrote:
    >> Martin Burnicki wrote:
    >>> Though it's normally preferable to run ntpd rather than w32time, there is
    >>> a limitation if you run ntpd on a domain controller:
    >>> The domain members (workstations) will stop detecting the domain
    >>> controller automatically as their primary time source, so you'll have to
    >>> configure the domain controller explicitly as time source on every
    >>> client.

    >> Really? Why would it do that? Is this documented somewhere?

    >
    > We have tried it with a small test setup and found that w32time domain
    > members did identify their PDC as time source when w32time was running on
    > the PDC, but not when ntpd was running on the PDC.
    >
    > I have recently received a note from someone who seemed to be very familiar
    > with Active Directory. That person told me when w32time starts it makes an
    > entry in the LDAP directory which tells the clients at logon that this
    > server is also their time server.
    >


    I tried running w32time on my domain controller at home and saw nothing
    in the DNS records which is where I would have expected to put such
    information, specifically an SRV record.

    The only other possibility that I can think of is by looking at the
    Active Directory LDAP tree which I didn't have time to look at,
    particularly as I would need to know where to look. I find it harder to
    believe that they would put information there but you never know.

    Danny
    > I assume if ntpd would do the same thing then domain clients would also
    > detect and accept ntpd running on the PDC.
    >
    > Unfortunately I don't have the original note handy right now, so I'll have
    > to investigate.
    >
    > Martin


  7. Re: Issues with w32tm on AD network

    Danny,

    Danny Mayer wrote:
    > Martin Burnicki wrote:
    >> I have recently received a note from someone who seemed to be very
    >> familiar with Active Directory. That person told me when w32time starts it
    >> makes an entry in the LDAP directory which tells the clients at logon
    >> that this server is also their time server.
    >>

    >
    > I tried running w32time on my domain controller at home and saw nothing
    > in the DNS records which is where I would have expected to put such
    > information, specifically an SRV record.
    >
    > The only other possibility that I can think of is by looking at the
    > Active Directory LDAP tree which I didn't have time to look at,
    > particularly as I would need to know where to look. I find it harder to
    > believe that they would put information there but you never know.


    I've mentioned in my earlier post that the entry is supposed to be in the
    LDAP tree. Why should this be in DNS? Directory services have been designed
    as a database to keep track of objects and attributes of those objects.

    I guess a Windows domain would work without a local DNS since the names of
    the Windows machines could also be resolved by the WINS service ...


    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  8. Re: Issues with w32tm on AD network

    Evandro Menezes wrote:
    > On Feb 26, 2:57 am, Martin Burnicki
    > wrote:
    >>
    >> Of course they still can't both open port 123, so the result should be
    >> what David Wooley has mentioned in his reply.

    >
    > No, but the workstations use an RPC to UDP port 445 or 137, not 123.


    Or are those ports 445 and/or 137 used for the old proprietary "net time"
    protocol used by Windows 95 and friends?

    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  9. Re: Issues with w32tm on AD network

    "Martin Burnicki" wrote in message
    news:tt8g95-4hp.ln1@gateway.py.meinberg.de...
    [...]
    > I guess a Windows domain would work without a local DNS since the names
    > of the Windows machines could also be resolved by the WINS service ...


    DNS _is_ used as a database for some domain information. You can, with
    some work, use a non-local DNS but that's probably as far as it goes.
    NTP information would not go into DNS, though, and that's as close as
    this subject will ever come to saying anything NTP-related.

    Groetjes,
    Maarten Wiltink



  10. Re: Issues with w32tm on AD network

    Martin Burnicki wrote:
    > Danny,
    >
    > Danny Mayer wrote:
    >> Martin Burnicki wrote:
    >>> I have recently received a note from someone who seemed to be very
    >>> familiar with Active Directory. That person told me when w32time starts it
    >>> makes an entry in the LDAP directory which tells the clients at logon
    >>> that this server is also their time server.
    >>>

    >> I tried running w32time on my domain controller at home and saw nothing
    >> in the DNS records which is where I would have expected to put such
    >> information, specifically an SRV record.
    >>
    >> The only other possibility that I can think of is by looking at the
    >> Active Directory LDAP tree which I didn't have time to look at,
    >> particularly as I would need to know where to look. I find it harder to
    >> believe that they would put information there but you never know.

    >
    > I've mentioned in my earlier post that the entry is supposed to be in the
    > LDAP tree. Why should this be in DNS? Directory services have been designed
    > as a database to keep track of objects and attributes of those objects.
    >


    Because that's the right place to put it. Putting it in the LDAP tree means
    a lot of additional work. Creating and using an SRV record is simple.

    > I guess a Windows domain would work without a local DNS since the names of
    > the Windows machines could also be resolved by the WINS service ...
    >


    Not with W2003. WINS won't help with things like w32time.

    Danny
    >
    > Martin


  11. Re: Issues with w32tm on AD network

    On Feb 27, 7:06 am, Ryan Malayter wrote:
    >
    > This is not true. Windows time service uses UDP/123, just like every
    > other NTP or SNTP implementation. All of Microsoft's documentation that
    > I have read (and I think I have read everything concerning w32time)
    > agrees on that point.


    That's true. But W32TIME also registers the time service to the
    domain or AD hierarchy, allowing the workstations to synchronize with
    it. But when the workstations contact the DC, I think that NTP will
    reply instead.

    > If you disable both client and server aspects of w32time, it does
    > nothing whatsoever, I would think.


    Isn't it the idea, to take W32TIME out of the clock discipline
    business and just let it take care of DC stuff while NTP handles all
    the timekeeping on the server and on the workstations? After all, NTP
    is a much better package to not only discipline the clock as well as
    to monitor and administer.

  12. Re: Issues with w32tm on AD network

    On Feb 27, 3:07 pm, Evandro Menezes wrote:
    > That's true. But W32TIME also registers the time service to the
    > domain or AD hierarchy, allowing the workstations to synchronize with
    > it. But when the workstations contact the DC, I think that NTP will
    > reply instead.


    We're way off-topic. I see you're using malinator. Could you please
    reply off-list with your source for that information? Perhaps an LDAP
    query that might show me those records? I have never seen anything
    like that in MSFT documentation.

  13. Re: Issues with w32tm on AD network

    Martin Burnicki wrote:
    > Jason Rabel wrote:
    >> I *believe* you can also tell the PDC (via some w32time command) that the
    >> primary time source is another machine, and all clients will use that. Of
    >> course that means another machine to manage rather than just installing
    >> ntpd on it.
    >>
    >> If you search the MS website for words like "NTP Domain Controller"
    >> there's a lot of info that pops up.

    >
    > I've already read a bunch of KB articles about Windows time synchronization.
    > Unfortunately most of those articles care about special problems with
    > w32time, while other articles are pretty common only and don't cover
    > specific scenarios.
    >
    > A common configuration for our customers which install a PCI card as a
    > primary time source would be as follows:
    >
    > - Install the PCI card in the root PDC
    >
    > - Since w32time does not support the PCI card directly, install our driver
    > which is shipped with the card and let the PDC's system time be
    > synchronized by our driver.
    >
    > - Run w32time (or ntpd) configured not to touch the system time but make the
    > disciplined time available on the network
    >
    > This is pretty easy using ntpd with local clock at stratum 0, but we have
    > not been able to find a reliable way to configure w32time so that it
    > behaves as desired.
    >
    > We have tried different registry settings, e.g. running
    >
    > w32tm /config /reliable:yes
    >
    > resulting in "AnnounceFlags" set to 5
    >
    > Sometimes w32time has been working correctly for some time, but then
    > after a day suddenly stopped delivering time to its clients.
    >
    > So the best and most reliable configuration seemed to be to specify an
    > "external" NTP server on the PDC, which runs ntpd.
    >
    > BTW, I've searched the MS pages again for the keywords you mention, and I
    > only receive search results when I start searching on www.microsoft.com. If
    > I start searching at support.microsoft.com the search returns no results,
    > which is pretty poor (for MS).
    >


    I usually find what I'm looking for using Google! Microsoft search is
    pretty poor for their own site.

    Danny
    >
    > Martin


  14. Re: Issues with w32tm on AD network

    Danny Mayer wrote:
    > Martin Burnicki wrote:
    >> I've mentioned in my earlier post that the entry is supposed to be in the
    >> LDAP tree. Why should this be in DNS? Directory services have been
    >> designed as a database to keep track of objects and attributes of
    >> those objects.

    >
    > Because thats the right place to put it. Putting in the LDAP tree means
    > a lot of additional work. Creating and using an SRV record is simple.


    I don't think MS cares about what you or I think is the right place to
    specify the authoritative time server for the Windows domain. If they have
    decided to put it into the LDAP tree then it's there, whether we agree or
    not.

    If w32time sets a flag in the LDAP tree when it is active, and the clients
    look for that flag in the LDAP tree then the only chance to have the
    clients autodetect ntpd instead of w32time is to let ntpd set the same flag
    when it is running (unless you configure the domain members in a different
    way, i.e. manually, or using some policy or whatever).

    >> I guess a Windows domain would work without a local DNS since the names
    >> of the Windows machines could also be resolved by the WINS service ...
    >>

    >
    > Not with W2003. WINS won't help with things like w32time.


    The question is whether DNS is required to let w32time on the PDC resolve
    the host name of its NTP upstream server, or whether the clients really
    require DNS to detect the PDC, which is what I meant.

    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  15. Re: Issues with w32tm on AD network

    Maarten,

    Maarten Wiltink wrote:
    > "Martin Burnicki" wrote in message
    > news:tt8g95-4hp.ln1@gateway.py.meinberg.de...
    > [...]
    >> I guess a Windows domain would work without a local DNS since the names
    >> of the Windows machines could also be resolved by the WINS service ...

    >
    > DNS _is_ used as a database for some domain information.


    Of course. However, we must distinguish between DNS domains and Windows
    Active Directory domains which have nothing to do with DNS in the first
    place.

    As already mentioned in my reply to Danny, if we want to have ntpd
    compatible with w32time in a Windows domain we have to rely on what MS has
    decided to use.

    > You can, with
    > some work, use a non-local DNS but that's probably as far as it goes.
    > NTP information would not go into DNS, though, and that's as close as
    > this subject will ever come to saying anything NTP-related.


    Do you think the way (S)NTP clients detect their servers is not related to
    NTP?

    > Groetjes,
    > Maarten Wiltink


    Regards,

    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  16. Re: Issues with w32tm on AD network

    Evandro,

    Evandro Menezes wrote:
    > On Feb 27, 7:06 am, Ryan Malayter wrote:
    >> This is not true. Windows time service uses UDP/123, just like every
    >> other NTP or SNTP implementation. All of Microsoft's documentation that
    >> I have read (and I think I have read everything concerning w32time)
    >> agrees on that point.

    >
    > That's true. But W32TIME also registers the time service to the
    > domain or AD hierarchy, allowing the workstations to synchronize with
    > it.


    That's what I meant in one of my earlier posts.

    > But when the workstations contact the DC, I think that NTP will
    > reply instead.


    If that setup really works then it's indeed a good workaround for using ntpd
    on the PDC.

    Unfortunately I've currently no W2k3 domain set up for testing ...

    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  17. Re: Issues with w32tm on AD network

    On Feb 28, 2:55 am, Martin Burnicki
    wrote:

    > Of course. However, we must distinguish between DNS domains and Windows
    > Active Directory domains which have nothing to do with DNS in the first
    > place.


    Active Directory is completely dependent on DNS. In fact, an Active
    Directory domain requires a DNS server that allows SRV records and
    dynamic updates to even function. Active directory is generally not
    used for name resolution (with a few exceptions, such as specifying IP
    ranges for AD sites to tweak the replication topology). Otherwise, DNS
    supplies the name resolution layer for all Windows domain operations.

    Most people use Microsoft's DNS server with AD, because it
    automatically and reliably replicates data using the same distributed
    multi-master replication mechanism that AD uses. But they are actually
    separate - you can set up AD domains using BIND or other DNS that
    supports the relevant RFCs. I did it for a customer once back around
    2002.

    That said, based on refIDs reported by member servers, I believe the
    Windows Time Service simply contacts the domain controller that the
    machine logged into for the time, using DNS to resolve the name. You
    can find which domain controller a machine used by using the "echo
    %LOGONSERVER%" command. When a Windows domain member loses contact
    with its logon server, it does a DNS SRV record lookup (such as
    _ldap._tcp.gc._msdcs.example.com) to find another one.

    How this affects running the reference ntpd on domain controllers I do
    not know. I really don't have the time to set up a lab to test the
    behavior in depth. I run ntpd on other systems, and have our Windows
    domain controllers configured to get their time from those stratum-2
    systems.
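The checks Ryan mentions (the `%LOGONSERVER%` variable, the `_msdcs` SRV lookup, the source a member reports), put together as an added example from the member's side; this is not code from the thread, from Meinberg or from Microsoft. It also asks Netlogon, via `nltest /dsgetdc:<domain> /timeserv`, for a DC that advertises the time service, which is the selector a domain-hierarchy client uses rather than any DNS record. The only assumption is that the machine is joined to an AD domain.

```powershell
# Added example, not code from the thread: from a domain member, find which DC
# the Windows Time service actually uses and whether that DC advertises the
# time service through Netlogon. Assumption: the machine is domain-joined.
$ErrorActionPreference = 'Stop'
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'USERDNSDOMAIN is unset; not logged on to an AD domain' }

# 1. DNS: the SRV records members use to locate DCs (port 389 = LDAP). There
#    is no NTP-specific record here; the DC is located first, then asked.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
"DC SRV records for $domain :"
$dcs | Format-Table NameTarget, Priority, Weight, Port -AutoSize

# 2. Netlogon: ask for a DC that flags itself as a time server. A DC whose
#    w32time announces itself shows TIMESERV, plus GTIMESERV when marked
#    reliable, in the Flags line of the nltest reply.
function Get-TimeServDC {
    param([string]$Domain)
    $out = & nltest.exe "/dsgetdc:$Domain" /timeserv 2>&1
    $dc = $null; $flags = $null
    foreach ($line in $out) {
        if     ($line -match '^\s*DC:\s*\\\\(\S+)') { $dc    = $Matches[1] }
        elseif ($line -match '^\s*Flags:\s*(.+)$')  { $flags = $Matches[1].Trim() }
    }
    if (-not $dc) { throw "nltest found no DC advertising the time service: $($out -join ' ')" }
    [pscustomobject]@{
        DC       = $dc
        Flags    = $flags
        Reliable = [bool]($flags -match '\bGTIMESERV\b')
    }
}
$tdc = Get-TimeServDC -Domain $domain
$tdc | Format-List

# 3. Compare where this member logged on with what it actually syncs from.
$logon  = $env:LOGONSERVER -replace '^\\\\', ''
$source = (& w32tm.exe /query /source) -join ''
"Logon server : $logon"
"Time source  : $source"
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning 'this member is not synchronised from any DC; expect Kerberos clock-skew failures if it drifts'
}
```

If step 2 throws while step 1 lists healthy DCs, no DC in the domain is currently advertising the time service, which is exactly the situation a member cannot recover from on its own: it will keep its last source or fall back to the local clock, and Kerberos will be the first thing to notice.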

  18. Re: Issues with w32tm on AD network

    Maarten Wiltink wrote:
    > "Martin Burnicki" wrote in message
    > news:tt8g95-4hp.ln1@gateway.py.meinberg.de...
    > [...]
    >> I guess a Windows domain would work without a local DNS since the names
    >> of the Windows machines could also be resolved by the WINS service ...

    >
    > DNS _is_ used as a database for some domain information. You can, with
    > some work, use a non-local DNS but that's probably as far as it goes.
    > NTP information would not go into DNS, though, and that's as close as
    > this subject will ever come to saying anything NTP-related.
    >


    There is nothing to prevent you using SRV records for NTP information
    and in fact they are designed for that sort of thing. SRV records are
    used by Windows to locate the Domain Controllers which may not be the
    same as the DNS nameservers.

    Danny
    > Groetjes,
    > Maarten Wiltink


  19. Re: Issues with w32tm on AD network

    Martin Burnicki wrote:
    > Evandro,
    >
    > Evandro Menezes wrote:
    >> On Feb 27, 7:06 am, Ryan Malayter wrote:
    >>> This is not true. Windows time service uses UDP/123, just like every
    >>> other NTP or SNTP implementation. All of Microsoft's documentation that
    >>> I have read (and I think I have read everything concerning w32time)
    >>> agrees on that point.

    >> That's true. But W32TIME also registers the time service to the
    >> domain or AD hierarchy, allowing the workstations to synchronize with
    >> it.

    >
    > That's what I meant in one of my earlier posts.
    >
    >> But when the workstations contact the DC, I think that NTP will
    >> reply instead.

    >
    > If that setup really works then it's indeed a good workaround for using ntpd
    > on the PDC.
    >
    > Unfortunately I've currently no W2k3 domain set up for testing ...
    >


    I do. My main machine at home is a domain controller running Active
    Directory. I needed this for some Kerberos work that I was doing. I also
    run BIND 9.5.0 on it rather than Microsoft's DNS.

    I have searched for information in it but I don't see anything specific
    and it didn't seem to add any records to the DNS when I ran w32time on it.

    Danny

  20. Re: Issues with w32tm on AD network

    Danny Mayer wrote:
    > Martin Burnicki wrote:
    >> Evandro,
    >>
    >> Evandro Menezes wrote:
    >>> On Feb 27, 7:06 am, Ryan Malayter wrote:
    >>>> This is not true. Windows time service uses UDP/123, just like every
    >>>> other NTP or SNTP implementation. All of Microsoft's documentation that
    >>>> I have read (and I think I have read everything concerning w32time)
    >>>> agrees on that point.
    >>> That's true. But W32TIME also registers the time service to the
    >>> domain or AD hierarchy, allowing the workstations to synchronize with
    >>> it.

    >> That's what I meant in one of my earlier posts.
    >>
    >>> But when the workstations contact the DC, I think that NTP will
    >>> reply instead.

    >> If that setup really works then it's indeed a good workaround for using ntpd
    >> on the PDC.
    >>
    >> Unfortunately I've currently no W2k3 domain set up for testing ...
    >>

    >
    > I do. My main machine at home is a domain controller running Active
    > Directory. I needed this for some Kerberos work that I was doing. I also
    > run BIND 9.5.0 on it rather than Microsoft's DNS.
    >
    > I have searched for information in it but I don't see anything specific
    > and it didn't seem to add any records to the DNS when I ran w32time on it.
    >
    > Danny


    Check out this PDF document:

    http://download.microsoft.com/downlo...MS-W32T%5D.pdf

    which seems to indicate that it uses RPC to get its list of time servers.

    Danny
