OK so our empty forest root controllers are now syncing with tick.navy and
tock.navy.usno.mil.  I also enabled the NTP registry key so it will allow
Win9x clients to sync up with the root controllers.

Now the question - when I do a browstat to determine who is the time server
according to the browse list, it is some domain controller far away.  I
don't want that server to be the time server according to the browse list
because that means clients will sync with it when they ask for a time sync
unless they use /setsntp, right?  So how do I fix the browse list to make my
root controllers the TS?

-----Original Message-----
From: Free, Bob 
Sent: Friday, February 13, 2004 11:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTP

Rimmerman, Russ <mailto:[EMAIL PROTECTED]> wrote:
> What's everyone syncing all their clocks up with? 

We have our own enterprise NTP servers, the forest root DCs synch to
them. Everything else in AD is in NT5DS mode and time flows down the
domain hierarchy. The [gag] remaining NT boxes have W32time pointed to
the AD DCs and get time via SNTP.

> Do Win2k AD domain controllers automatically respond to SNTP requests?


Not sure exactly what you mean-

A] Yes, they will serve time to an SNTP client, but you don't want any
SNTP clients in your forest; they should all be in NT5DS mode. You want
the time to flow down the tree.

B] You can use ntpdate on a *NIX box or the W32 port of ntpdate to get a
quick picture of how everything is peering up in the forest, what
stratum the machines are in and how accurately they are keeping time.
W32Time won't answer all NTP requests but the ones in the SNTP spec
work.

> We are currently
> running a firewall that acts as a NTP server for all our internal PCs
> (Symantec Enterprise FW) and we're looking at switching to a NetScreen
> firewall which does not.  We're trying to figure out where we should
> redirect all our time requests to.  How are you doing it?

Where do your routers get their time? Cisco routers have very accurate
clocks according to our NTP guru (he's very fussy and wants the Stratum
1 machines within a few ms of each other). A lot of people just synch
their DC to a core router that's synched to something like USNO or, if
running DNS on *NIX, they run NTP on the DNS boxes. Some people in
simpler networks just punch a hole for UDP 123 to their forest root PDCe
and synch it directly to the internet sources like USNO.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, July 22, 2004 5:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTP server


Where does everyone have their NTP services come from?  We are getting rid
of our current firewall which has NTP on it and everything is pointed to it
for NTP services.  Our new firewall won't have NTP built in, so we are going
to have to set up an internal NTP server for all our internal hosts to sync
to.  Do we put it in the DMZ or the internal network?  Or does it matter?
Do we just install NTP on an existing Win2k server in our DMZ?  What is
everyone else doing for NTP?

Thanks

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
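
Added example, not part of the original thread or of any tool named in it: the stratum and offset readout that the ntpdate suggestion in Bob Free's reply relies on, done by decoding an SNTP server reply. The function names, the timestamps and the SAMPLE packet are constructed for illustration; query() assumes UDP 123 to the target is reachable.

```python
import socket, struct, time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def to_ntp(unix_ts):
    """Encode Unix seconds as a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_EPOCH_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp to Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def parse_reply(packet, t4):
    """Decode a 48-byte (S)NTP server reply; t4 is the local receive time in Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    leap, version, mode = packet[0] >> 6, (packet[0] >> 3) & 0x7, packet[0] & 0x7
    stratum = packet[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    # originate (T1), receive (T2) and transmit (T3) timestamps
    t1, t2, t3 = (from_ntp(packet[i:i + 8]) for i in (24, 32, 40))
    return {
        "version": version, "stratum": stratum,
        # LI=3, stratum 0 or stratum >= 16 all mean "do not trust this clock"
        "unsynchronized": leap == 3 or stratum == 0 or stratum >= 16,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,   # server clock minus local clock
        "delay": (t4 - t1) - (t3 - t2),          # round trip minus server hold time
    }

def query(host, timeout=2.0):
    """Send one SNTP client request (version 3, mode 3) to host and parse the reply."""
    request = bytes([(3 << 3) | 3]) + bytes(39) + to_ntp(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        packet, _ = s.recvfrom(512)
    return parse_reply(packet, time.time())

def build_reply(stratum, t1, t2, t3, leap=0):
    """Build a constructed server reply so the parser can be exercised offline."""
    header = struct.pack("!BBbb", (leap << 6) | (3 << 3) | 4, stratum, 6, -6)
    return header + bytes(12) + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

# Constructed sample: stratum-2 server whose clock is 0.5 s ahead, 0.25 s round trip.
SAMPLE = build_reply(2, 1077000000.0, 1077000000.625, 1077000000.625)
if __name__ == "__main__":
    print(parse_reply(SAMPLE, 1077000000.25))
```

Running query() against each DC in turn gives the same per-host stratum and offset picture, and a host that reports "unsynchronized" is one that has lost its upstream source.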
