Re: [ntp:questions] Issues with w32tm on AD network
Danny,

Danny Mayer wrote:
> Check out this PDF document:
>
> http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-W32T%5D.pdf
>
> which seems to indicate that it uses RPC to get its list of time servers.

Thanks for the pointer. I'll have a look at it.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
___
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions
Re: [ntp:questions] Issues with w32tm on AD network
Ryan,

Ryan Malayter wrote:
> Active Directory is completely dependent on DNS. In fact, an Active
> Directory domain requires a DNS server that allows SRV records and
> dynamic updates to even function. Active directory is generally not
> used for name resolution (with a few exceptions, such as specifying IP
> ranges for AD sites to tweak the replication topology). Otherwise, DNS
> supplies the name resolution layer for all Windows domain operations.
[...]

As already mentioned I'm not very familiar with AD, I've just done some basic tests with w32time vs. ntpd. So your comments make things much clearer.

Thanks,

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Danny Mayer wrote:
> Martin Burnicki wrote:
>> Evandro,
>>
>> Evandro Menezes wrote:
>>> On Feb 27, 7:06 am, Ryan Malayter <[EMAIL PROTECTED]> wrote:
>>>> This is not true. Windows time service uses UDP/123, just like every
>>>> other NTP or SNTP implementation. All of Microsoft's documentation that
>>>> I have read (and I think I have read everything concerning w32time)
>>>> agrees on that point.
>>> That's true. But W32TIME also registers the time service to the
>>> domain or AD hierarchy, allowing the workstations to synchronize with
>>> it.
>> That's what I meant in one of my earlier posts.
>>
>>> But when the workstations contact the DC, I think that NTP will
>>> reply instead.
>> If that setup really works then it's indeed a good workaround for using ntpd
>> on the PDC.
>>
>> Unfortunately I've currently no W2k3 domain set up for testing ...
>>
>
> I do. My main machine at home is a domain controller running Active
> Directory. I needed this for some Kerberos work that I was doing. I also
> run BIND 9.5.0 on it rather than Microsoft's DNS.
>
> I have searched for information in it but I don't see anything specific
> and it didn't seem to add any records to the DNS when I ran w32time on it.
>
> Danny

Check out this PDF document:

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-W32T%5D.pdf

which seems to indicate that it uses RPC to get its list of time servers.

Danny
Re: [ntp:questions] Issues with w32tm on AD network
Martin Burnicki wrote:
> Evandro,
>
> Evandro Menezes wrote:
>> On Feb 27, 7:06 am, Ryan Malayter <[EMAIL PROTECTED]> wrote:
>>> This is not true. Windows time service uses UDP/123, just like every
>>> other NTP or SNTP implementation. All of Microsoft's documentation that
>>> I have read (and I think I have read everything concerning w32time)
>>> agrees on that point.
>> That's true. But W32TIME also registers the time service to the
>> domain or AD hierarchy, allowing the workstations to synchronize with
>> it.
>
> That's what I meant in one of my earlier posts.
>
>> But when the workstations contact the DC, I think that NTP will
>> reply instead.
>
> If that setup really works then it's indeed a good workaround for using ntpd
> on the PDC.
>
> Unfortunately I've currently no W2k3 domain set up for testing ...
>

I do. My main machine at home is a domain controller running Active Directory. I needed this for some Kerberos work that I was doing. I also run BIND 9.5.0 on it rather than Microsoft's DNS.

I have searched for information in it but I don't see anything specific and it didn't seem to add any records to the DNS when I ran w32time on it.

Danny
Re: [ntp:questions] Issues with w32tm on AD network
Maarten Wiltink wrote:
> "Martin Burnicki" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> [...]
>> I guess a Windows domain would work without a local DNS since the names
>> of the Windows machines could also be resolved by the WINS service ...
>
> DNS _is_ used as a database for some domain information. You can, with
> some work, use a non-local DNS but that's probably as far as it goes.
> NTP information would not go into DNS, though, and that's as close as
> this subject will ever come to saying anything NTP-related.
>

There is nothing to prevent you using SRV records for NTP information and in fact they are designed for that sort of thing. SRV records are used by Windows to locate the Domain Controllers which may not be the same as the DNS nameservers.

Danny

> Groetjes,
> Maarten Wiltink
Re: [ntp:questions] Issues with w32tm on AD network
On Feb 28, 2:55 am, Martin Burnicki <[EMAIL PROTECTED]> wrote:
> Of course. However, we must distinguish between DNS domains and Windows
> Active Directory domains which have nothing to do with DNS in the first
> place.

Active Directory is completely dependent on DNS. In fact, an Active Directory domain requires a DNS server that allows SRV records and dynamic updates to even function. Active directory is generally not used for name resolution (with a few exceptions, such as specifying IP ranges for AD sites to tweak the replication topology). Otherwise, DNS supplies the name resolution layer for all Windows domain operations.

Most people use Microsoft's DNS server with AD, because it automatically and reliably replicates data using the same distributed multi-master replication mechanism that AD uses. But they are actually separate - you can set up AD domains using BIND or other DNS that supports the relevant RFCs. I did it for a customer once back around 2002.

That said, based on refIDs reported by member servers, I believe the Windows Time Service simply contacts the domain controller that the machine logged into for the time, using DNS to resolve the name. You can find which domain controller a machine used by using the "echo %LOGONSERVER%" command. When a Windows domain member loses contact with its logon server, it does a DNS SRV record lookup (such as _ldap._tcp.gc._msdcs.example.com) to find another one.

How this affects running the reference ntpd on domain controllers I do not know. I really don't have the time to set up a lab to test the behavior in depth. I run ntpd on other systems, and have our Windows domain controllers configured to get their time from those stratum-2 systems.
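
[Added example, not part of the original post and not code from ntpd or w32time.] The refID observation in the message above can be checked directly: in an NTP reply from a stratum 2 or higher server, the reference ID field carries the IPv4 address of that server's upstream source. The sketch below decodes a reply, rejects one whose origin timestamp does not echo the request (a spoofed or stale packet), and computes the clock offset. The sample packet, the address 192.0.2.10 and the 300-second skew limit (the usual Active Directory Kerberos default) are constructed values and assumptions.

```python
import ipaddress
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300.0     # assumption: the 5-minute AD default tolerance


def to_ntp(unix_time):
    """Unix seconds -> 8-byte NTP timestamp (32-bit seconds + 32-bit fraction)."""
    ntp = unix_time + NTP_UNIX_DELTA
    secs = int(ntp)
    return struct.pack("!II", secs & 0xFFFFFFFF, int((ntp - secs) * 2**32))


def from_ntp(raw):
    """8-byte NTP timestamp -> Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32


def decode_refid(stratum, refid):
    """Interpret the 4-byte reference ID according to the stratum field."""
    text = refid.rstrip(b"\x00").decode("ascii", "replace")
    if stratum == 0:
        return "kiss-code", text          # e.g. a rate-limit notice
    if stratum == 1:
        return "reference-clock", text    # e.g. GPS, LOCL
    # Stratum 2..15: IPv4 address of the upstream server. For an IPv6
    # upstream the field holds a hash prefix and is not an address.
    return "upstream-ipv4", str(ipaddress.IPv4Address(refid))


def parse_reply(packet, request_tx, t4):
    """Decode a server reply.

    packet     -- the UDP payload received from port 123
    request_tx -- the 8-byte transmit timestamp we put in our request
    t4         -- local receive time in Unix seconds
    """
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    flags, stratum = packet[0], packet[1]
    leap, version, mode = flags >> 6, (flags >> 3) & 7, flags & 7
    refid, origin = packet[12:16], packet[24:32]
    problems = []
    if mode != 4:
        problems.append("not a server reply (mode %d)" % mode)
    if origin != request_tx:
        problems.append("origin timestamp does not match our request")
    if leap == 3 or not 1 <= stratum <= 15:
        problems.append("server reports itself unsynchronized")
    t1, t2, t3 = from_ntp(origin), from_ntp(packet[32:40]), from_ntp(packet[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2    # server clock minus local clock
    delay = (t4 - t1) - (t3 - t2)           # round-trip network delay
    kind, source = decode_refid(stratum, refid)
    return {
        "version": version, "stratum": stratum,
        "source_kind": kind, "source": source,
        "offset": offset, "delay": delay,
        "within_kerberos_skew": abs(offset) <= KERBEROS_MAX_SKEW,
        "problems": problems,
    }


def make_sample_reply(request_tx, upstream="192.0.2.10", stratum=3):
    """Constructed reply: server 2 s ahead of the client, 0.25 s each way."""
    t1 = from_ntp(request_tx)
    flags = (0 << 6) | (3 << 3) | 4         # no leap warning, NTPv3, mode 4
    header = struct.pack("!BBbbII4s", flags, stratum, 6, -6, 0x0800, 0x1000,
                         ipaddress.IPv4Address(upstream).packed)
    server_time = to_ntp(t1 + 0.25 + 2.0)   # receive == transmit in this sample
    return header + to_ntp(t1 - 64.0) + request_tx + server_time + server_time


if __name__ == "__main__":
    req = to_ntp(1204200000.0)              # constructed request time
    print(parse_reply(make_sample_reply(req), req, 1204200000.5))
```

Against a live server, the request is a 48-byte packet with mode 3 whose last eight bytes are the transmit timestamp passed in as request_tx.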
Re: [ntp:questions] Issues with w32tm on AD network
Evandro,

Evandro Menezes wrote:
> On Feb 27, 7:06 am, Ryan Malayter <[EMAIL PROTECTED]> wrote:
>> This is not true. Windows time service uses UDP/123, just like every
>> other NTP or SNTP implementation. All of Microsoft's documentation that
>> I have read (and I think I have read everything concerning w32time)
>> agrees on that point.
>
> That's true. But W32TIME also registers the time service to the
> domain or AD hierarchy, allowing the workstations to synchronize with
> it.

That's what I meant in one of my earlier posts.

> But when the workstations contact the DC, I think that NTP will
> reply instead.

If that setup really works then it's indeed a good workaround for using ntpd on the PDC.

Unfortunately I've currently no W2k3 domain set up for testing ...

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Maarten,

Maarten Wiltink wrote:
> "Martin Burnicki" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> [...]
>> I guess a Windows domain would work without a local DNS since the names
>> of the Windows machines could also be resolved by the WINS service ...
>
> DNS _is_ used as a database for some domain information.

Of course. However, we must distinguish between DNS domains and Windows Active Directory domains which have nothing to do with DNS in the first place.

As already mentioned in my reply to Danny, if we want to have ntpd compatible with w32time in a Windows domain we have to rely on what MS has decided to use.

> You can, with
> some work, use a non-local DNS but that's probably as far as it goes.
> NTP information would not go into DNS, though, and that's as close as
> this subject will ever come to saying anything NTP-related.

Do you think the way (S)NTP clients detect their servers is not related to NTP?

> Groetjes,
> Maarten Wiltink

Regards,

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Danny Mayer wrote:
> Martin Burnicki wrote:
>> I've mentioned in my earlier post that the entry is supposed to be in the
>> LDAP tree. Why should this be in DNS? Directory services have been
>> designed as a database to keep track of objects and attributes of
>> those objects.
>
> Because that's the right place to put it. Putting in the LDAP tree means
> a lot of additional work. Creating and using an SRV record is simple.

I don't think MS cares about what you or I think is the right place to specify the authoritative time server for the Windows domain. If they have decided to put it into the LDAP tree then it's there, whether we agree or not.

If w32time sets a flag in the LDAP tree when it is active, and the clients look for that flag in the LDAP tree then the only chance to have the clients autodetect ntpd instead of w32time is to let ntpd set the same flag when it is running (unless you configure the domain members in a different way, i.e. manually, or using some policy or whatever).

>> I guess a Windows domain would work without a local DNS since the names
>> of the Windows machines could also be resolved by the WINS service ...
>>
>
> Not with W2003. WINS won't help with things like w32time.

The question is whether DNS is required to let w32time on the PDC resolve the host name of its NTP upstream server, or whether the clients really require DNS to detect the PDC, which is what I meant.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Martin Burnicki wrote:
> Jason Rabel wrote:
>> I *believe* you can also tell the PDC (via some w32time command) that the
>> primary time source is another machine, and all clients will use that. Of
>> course that means another machine to manage rather than just installing
>> ntpd on it.
>>
>> If you search the MS website for words like "NTP Domain Controller"
>> there's a lot of info that pops up.
>
> I've already read a bunch of KB articles about Windows time synchronization.
> Unfortunately most of those articles care about special problems with
> w32time, while other articles are pretty common only and don't cover
> specific scenarios.
>
> A common configuration for our customers which install a PCI card as a
> primary time source would be as follows:
>
> - Install the PCI card in the root PDC
>
> - Since w32time does not support the PCI card directly, install our driver
> which is shipped with the card and let the PDC's system time be
> synchronized by our driver.
>
> - Run w32time (or ntpd) configured not to touch the system time but make the
> disciplined time available on the network
>
> This is pretty easy using ntpd with local clock at stratum 0, but we have
> not been able to find a reliable way to configure w32time so that it
> behaves as desired.
>
> We have tried different registry settings, e.g. running
>
> w32tm /config /reliable:yes
>
> resulting in "AnnounceFlags" set to 5
>
> Sometimes w32time has been working correctly for some time, but then
> after a day suddenly stopped delivering time to its clients.
>
> So the best and most reliable configuration seemed to be to specify an
> "external" NTP server on the PDC, which runs ntpd.
>
> BTW, I've searched the MS pages again for the keywords you mention, and I
> only receive search results when I start searching on www.microsoft.com. If
> I start searching at support.microsoft.com the search returns no results,
> which is pretty poor (for MS).
>

I usually find what I'm looking for using Google! Microsoft search is pretty poor for their own site.

Danny

>
> Martin
Re: [ntp:questions] Issues with w32tm on AD network
On Feb 27, 3:07 pm, Evandro Menezes <[EMAIL PROTECTED]> wrote:
> That's true. But W32TIME also registers the time service to the
> domain or AD hierarchy, allowing the workstations to synchronize with
> it. But when the workstations contact the DC, I think that NTP will
> reply instead.

We're way off-topic. I see you're using mailinator. Could you please reply off-list with your source for that information? Perhaps an LDAP query that might show me those records? I have never seen anything like that in MSFT documentation.
Re: [ntp:questions] Issues with w32tm on AD network
On Feb 27, 7:06 am, Ryan Malayter <[EMAIL PROTECTED]> wrote:
>
> This is not true. Windows time service uses UDP/123, just like every
> other NTP or SNTP implementation. All of Microsoft's documentation that
> I have read (and I think I have read everything concerning w32time)
> agrees on that point.

That's true. But W32TIME also registers the time service to the domain or AD hierarchy, allowing the workstations to synchronize with it. But when the workstations contact the DC, I think that NTP will reply instead.

> If you disable both client and server aspects of w32time, it does
> nothing whatsoever, I would think.

Isn't it the idea, to take W32TIME out of the clock discipline business and just let it take care of DC stuff while NTP handles all the timekeeping on the server and on the workstations? After all, NTP is a much better package to not only discipline the clock as well as to monitor and administer.
Re: [ntp:questions] Issues with w32tm on AD network
Martin Burnicki wrote:
> Danny,
>
> Danny Mayer wrote:
>> Martin Burnicki wrote:
>>> I have recently received a note from someone who seemed to be very
>>> familiar with Active Directory. That person told me when w32time starts it
>>> makes an entry in the LDAP directory which tells the clients at logon
>>> that this server is also their time server.
>>>
>> I tried running w32time on my domain controller at home and saw nothing
>> in the DNS records which is where I would have expected to put such
>> information, specifically an SRV record.
>>
>> The only other possibility that I can think of is by looking at the
>> Active Directory LDAP tree which I didn't have time to look at,
>> particularly as I would need to know where to look. I find it harder to
>> believe that they would put information there but you never know.
>
> I've mentioned in my earlier post that the entry is supposed to be in the
> LDAP tree. Why should this be in DNS? Directory services have been designed
> as a database to keep track of objects and attributes of those objects.
>

Because that's the right place to put it. Putting in the LDAP tree means a lot of additional work. Creating and using an SRV record is simple.

> I guess a Windows domain would work without a local DNS since the names of
> the Windows machines could also be resolved by the WINS service ...
>

Not with W2003. WINS won't help with things like w32time.

Danny

>
> Martin
Re: [ntp:questions] Issues with w32tm on AD network
"Martin Burnicki" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
[...]
> I guess a Windows domain would work without a local DNS since the names
> of the Windows machines could also be resolved by the WINS service ...

DNS _is_ used as a database for some domain information. You can, with some work, use a non-local DNS but that's probably as far as it goes. NTP information would not go into DNS, though, and that's as close as this subject will ever come to saying anything NTP-related.

Groetjes,
Maarten Wiltink
Re: [ntp:questions] Issues with w32tm on AD network
Danny,

Danny Mayer wrote:
> Martin Burnicki wrote:
>> I have recently received a note from someone who seemed to be very
>> familiar with Active Directory. That person told me when w32time starts it
>> makes an entry in the LDAP directory which tells the clients at logon
>> that this server is also their time server.
>>
>
> I tried running w32time on my domain controller at home and saw nothing
> in the DNS records which is where I would have expected to put such
> information, specifically an SRV record.
>
> The only other possibility that I can think of is by looking at the
> Active Directory LDAP tree which I didn't have time to look at,
> particularly as I would need to know where to look. I find it harder to
> believe that they would put information there but you never know.

I've mentioned in my earlier post that the entry is supposed to be in the LDAP tree. Why should this be in DNS? Directory services have been designed as a database to keep track of objects and attributes of those objects.

I guess a Windows domain would work without a local DNS since the names of the Windows machines could also be resolved by the WINS service ...

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Evandro Menezes wrote:
> On Feb 26, 2:57 am, Martin Burnicki <[EMAIL PROTECTED]>
> wrote:
>>
>> Of course they still can't both open port 123, so the result should be
>> what David Woolley has mentioned in his reply.
>
> No, but the workstations use an RPC to UDP port 445 or 137, not 123.

Or are those ports 445 and/or 137 used for the old proprietary "net time" protocol used by Windows 95 and friends?

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Martin Burnicki wrote:
> Danny Mayer wrote:
>> Martin Burnicki wrote:
>>> Though it's normally preferable to run ntpd rather than w32time, there is
>>> a limitation if you run ntpd on a domain controller:
>>> The domain members (workstations) will stop detecting the domain
>>> controller automatically as their primary time source, so you'll have to
>>> configure the domain controller explicitly as time source on every
>>> client.
>> Really? Why would it do that? Is this documented somewhere?
>
> We have tried it with a small test setup and found that w32time domain
> members did identify their PDC as time source when w32time was running on
> the PDC, but not when ntpd was running on the PDC.
>
> I have recently received a note from someone who seemed to be very familiar
> with Active Directory. That person told me when w32time starts it makes an
> entry in the LDAP directory which tells the clients at logon that this
> server is also their time server.
>

I tried running w32time on my domain controller at home and saw nothing in the DNS records which is where I would have expected to put such information, specifically an SRV record.

The only other possibility that I can think of is by looking at the Active Directory LDAP tree which I didn't have time to look at, particularly as I would need to know where to look. I find it harder to believe that they would put information there but you never know.

Danny

> I assume if ntpd would do the same thing then domain clients would also
> detect and accept ntpd running on the PDC.
>
> Unfortunately I don't have the original note handy right now, so I'll have
> to investigate.
>
> Martin
Re: [ntp:questions] Issues with w32tm on AD network
On Feb 26, 11:43 am, Evandro Menezes <[EMAIL PROTECTED]> wrote:
> No, but the workstations use an RPC to UDP port 445 or 137, not 123.
> W32TIME only uses the UDP port 123 when it's configured to be an NTP
> client or server, both disabled in my post above.

This is not true. Windows time service uses UDP/123, just like every other NTP or SNTP implementation. All of Microsoft's documentation that I have read (and I think I have read everything concerning w32time) agrees on that point.

If you disable both client and server aspects of w32time, it does nothing whatsoever, I would think.
Re: [ntp:questions] Issues with w32tm on AD network
Evandro Menezes wrote:
>
> No, but the workstations use an RPC to UDP port 445 or 137, not 123.
> W32TIME only uses the UDP port 123 when it's configured to be an NTP
> client or server, both disabled in my post above.
>

I don't think w32time is doing anything at all in that case. If the workstations are using Windows Networking for their time (which they should not be in a modern Windows domain configuration) the support for that pre-dates w32time by a long way.

Modern workstations on modern Windows networks use their own copy of w32time, on port 123.

w32time's main reason for existence is not establishing a correct absolute time, but ensuring that times are close enough for Microsoft's derivative of Kerberos to work.
Re: [ntp:questions] Issues with w32tm on AD network
On Feb 26, 2:57 am, Martin Burnicki <[EMAIL PROTECTED]> wrote:
>
> Of course they still can't both open port 123, so the result should be what
> David Woolley has mentioned in his reply.

No, but the workstations use an RPC to UDP port 445 or 137, not 123. W32TIME only uses the UDP port 123 when it's configured to be an NTP client or server, both disabled in my post above.

All that W32TIME would do in the configuration above would be to serve domain workstations the system time, which is itself then disciplined by NTP. It may not be the ideal configuration, but it works.

HTH
Re: [ntp:questions] Issues with w32tm on AD network
Jason Rabel wrote:
> I *believe* you can also tell the PDC (via some w32time command) that the
> primary time source is another machine, and all clients will use that. Of
> course that means another machine to manage rather than just installing
> ntpd on it.
>
> If you search the MS website for words like "NTP Domain Controller"
> there's a lot of info that pops up.

I've already read a bunch of KB articles about Windows time synchronization. Unfortunately most of those articles care about special problems with w32time, while other articles are pretty common only and don't cover specific scenarios.

A common configuration for our customers which install a PCI card as a primary time source would be as follows:

- Install the PCI card in the root PDC

- Since w32time does not support the PCI card directly, install our driver which is shipped with the card and let the PDC's system time be synchronized by our driver.

- Run w32time (or ntpd) configured not to touch the system time but make the disciplined time available on the network

This is pretty easy using ntpd with local clock at stratum 0, but we have not been able to find a reliable way to configure w32time so that it behaves as desired.

We have tried different registry settings, e.g. running

  w32tm /config /reliable:yes

resulting in "AnnounceFlags" set to 5

Sometimes w32time has been working correctly for some time, but then after a day suddenly stopped delivering time to its clients.

So the best and most reliable configuration seemed to be to specify an "external" NTP server on the PDC, which runs ntpd.

BTW, I've searched the MS pages again for the keywords you mention, and I only receive search results when I start searching on www.microsoft.com. If I start searching at support.microsoft.com the search returns no results, which is pretty poor (for MS).

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
David Woolley wrote:
> Evandro Menezes wrote:
>
>>
>> This will cause NTP to start before W32TIME and thus NTP will take
>> over disciplining the Windows DC clock and the domain workstations
>> will still communicate with W32TIME.
>
> If this works, I suspect it is ntpd that is serving the time and all
> that w32time is doing is maintaining the active directory entry. In
> that case, Microsoft could always fix w32time so that it doesn't declare
> itself available if it is unable to serve time.

Agreed. Though it may currently work I don't think that's a proper solution.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Danny Mayer wrote:
> Evandro Menezes wrote:
>> I'm pretty sure that it's possible to run both NTP and W32TIME at the
>> same time on the same Windows system provided that only NTP is used to
>> keep the clock under discipline and W32TIME is used solely to provide
>> the time for the domain workstations.
>>
>
> No, this is untrue. They both use the 123/UDP port. You cannot have more
> than one application listening on the socket. Furthermore they cannot
> both discipline the clock.

Evandro had implicitly stated what to do to prevent w32time from disciplining the system time, so ntpd would be the only one to discipline the system time.

Of course they still can't both open port 123, so the result should be what David Woolley has mentioned in his reply.

Martin

> Danny
>
>> In order to do this, the NTP service is added to the dependency list
>> of the W32TIME service through the Platform SDK utility SC:
>>
>> sc config w32time depend= NTP
>>
>> It's also necessary to disable W32TIME from trying to discipline the
>> clock using the registry editor (REGEDIT) under HKLM\CurrentControlSet
>> \Services\w32time:
>>
>> [TimeProviders\NtpClient]
>> InputProvider=DWORD:0
>> [TimeProviders\NtpServer]
>> InputProvider=DWORD:0
>>
>> This will cause NTP to start before W32TIME and thus NTP will take
>> over disciplining the Windows DC clock and the domain workstations
>> will still communicate with W32TIME.
>>
>> HTH

--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Evandro Menezes wrote:
>
> This will cause NTP to start before W32TIME and thus NTP will take
> over disciplining the Windows DC clock and the domain workstations
> will still communicate with W32TIME.

If this works, I suspect it is ntpd that is serving the time and all that w32time is doing is maintaining the active directory entry. In that case, Microsoft could always fix w32time so that it doesn't declare itself available if it is unable to serve time.
Re: [ntp:questions] Issues with w32tm on AD network
Evandro Menezes wrote:
> I'm pretty sure that it's possible to run both NTP and W32TIME at the
> same time on the same Windows system provided that only NTP is used to
> keep the clock under discipline and W32TIME is used solely to provide
> the time for the domain workstations.
>

No, this is untrue. They both use the 123/UDP port. You cannot have more than one application listening on the socket. Furthermore they cannot both discipline the clock.

Danny

> In order to do this, the NTP service is added to the dependency list
> of the W32TIME service through the Platform SDK utility SC:
>
> sc config w32time depend= NTP
>
> It's also necessary to disable W32TIME from trying to discipline the
> clock using the registry editor (REGEDIT) under HKLM\CurrentControlSet
> \Services\w32time:
>
> [TimeProviders\NtpClient]
> InputProvider=DWORD:0
> [TimeProviders\NtpServer]
> InputProvider=DWORD:0
>
> This will cause NTP to start before W32TIME and thus NTP will take
> over disciplining the Windows DC clock and the domain workstations
> will still communicate with W32TIME.
>
> HTH
Re: [ntp:questions] Issues with w32tm on AD network
I'm pretty sure that it's possible to run both NTP and W32TIME at the same time on the same Windows system provided that only NTP is used to keep the clock under discipline and W32TIME is used solely to provide the time for the domain workstations.

In order to do this, the NTP service is added to the dependency list of the W32TIME service through the Platform SDK utility SC:

  sc config w32time depend= NTP

It's also necessary to disable W32TIME from trying to discipline the clock using the registry editor (REGEDIT) under HKLM\CurrentControlSet\Services\w32time:

  [TimeProviders\NtpClient]
  InputProvider=DWORD:0
  [TimeProviders\NtpServer]
  InputProvider=DWORD:0

This will cause NTP to start before W32TIME and thus NTP will take over disciplining the Windows DC clock and the domain workstations will still communicate with W32TIME.

HTH
Re: [ntp:questions] Issues with w32tm on AD network
> We have tried it with a small test setup and found that w32time domain
> members did identify their PDC as time source when w32time was running on
> the PDC, but not when ntpd was running on the PDC.
>
> I have recently received a note from someone who seemed to be very familiar
> with Active Directory. That person told me when w32time starts it makes an
> entry in the LDAP directory which tells the clients at logon that this
> server is also their time server.
>
> I assume if ntpd would do the same thing then domain clients would also
> detect and accept ntpd running on the PDC.

I *believe* you can also tell the PDC (via some w32time command) that the primary time source is another machine, and all clients will use that. Of course that means another machine to manage rather than just installing ntpd on it.

If you search the MS website for words like "NTP Domain Controller" there's a lot of info that pops up.

Jason
Re: [ntp:questions] Issues with w32tm on AD network
Andrew,

Andrew Hodgson wrote:
> On Fri, 22 Feb 2008 09:31:38 +0100, Martin Burnicki
> <[EMAIL PROTECTED]> wrote:
>>Though it's normally preferable to run ntpd rather than w32time, there is
>>a limitation if you run ntpd on a domain controller:
>>The domain members (workstations) will stop detecting the domain
>>controller automatically as their primary time source, so you'll have to
>>configure the domain controller explicitly as time source on every
>>client.
>
> Yes, I have found this in a previous life, plus it caused some other
> issues for us as well, which is why I would like to keep W32tm if
> possible.

Do you remember which kind of issues that were?

>>If you also run any Linux or other *ix server then a better approach would
>>be to let the *ix machine synchronize to the pool servers, and configure
>>the *ix machine as "internet time source" for w32time on the domain
>>controller.
>
> Unfortunately the Debian box I have is a laptop that is not on
> continuously, so no good. I do have an ASA firewall and a Cisco
> router however, which at present are set to get time from the Windows
> box, but I could set one up as an NTP server perhaps?

I don't know the ASA firewall, but I've heard several times that routers don't do a good job as NTP servers.

Maybe you have another Windows server on which you can install NTP. That server could get the time from the pool servers, and the root PDC could run w32time and get the time from the server running ntpd.

This is a good basic configuration if you want to use a built-in radio clock or GPS receiver as time source, which come with their own driver software. The reason is because it's hard to tell w32time that it does not need to have an upstream time source configured and thus not touch the system time, because the system time is already disciplined by another driver, and w32time just had to distribute that synchronized time on the network.

With ntpd this configuration is pretty easy: just configure the local clock as ref time source with stratum 0.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Re: [ntp:questions] Issues with w32tm on AD network
Ryan Malayter wrote:
> Configuring all the clients takes about 30 seconds using Windows
> Group Policies on any of your domain controllers. There is an
> administrative template for the Windows Time service, and you can
> configure time sources, polling intervals, and many other parameters
> for w32time.
>
> See:
> http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true
>
> Say what you will about w32time's accuracy... it *is* extremely
> manageable in large windows networks.

That's why I mentioned that w32time may sometimes be the preferred solution.

I'm not familiar with W2k domain management, so I wonder whether the group policies could also be used if ntpd was running on the PDC.

Please see also my reply to Danny.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

Re: [ntp:questions] Issues with w32tm on AD network
Danny Mayer wrote:
> Martin Burnicki wrote:
>> Though it's normally preferable to run ntpd rather than w32time, there is
>> a limitation if you run ntpd on a domain controller:
>> The domain members (workstations) will stop detecting the domain
>> controller automatically as their primary time source, so you'll have to
>> configure the domain controller explicitly as time source on every
>> client.
>
> Really? Why would it do that? Is this documented somewhere?

We have tried it with a small test setup and found that w32time domain members did identify their PDC as time source when w32time was running on the PDC, but not when ntpd was running on the PDC.

I have recently received a note from someone who seemed to be very familiar with Active Directory. That person told me when w32time starts it makes an entry in the LDAP directory which tells the clients at logon that this server is also their time server.

I assume if ntpd would do the same thing then domain clients would also detect and accept ntpd running on the PDC.

Unfortunately I don't have the original note handy right now, so I'll have to investigate.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

Re: [ntp:questions] Issues with w32tm on AD network
Danny Mayer wrote:
> Jason Rabel wrote:
>>>>> Are there any GPS systems I could hook up to the Windows domain
>>>>> controller, and configure W32tm to use this?
>>>> Yes. Trimble, Palisade, NMEA, Jupiter, and HOPF (DCF77) Serial and PCI
>>>> are built for Windows. I cannot tell you much about them but the code is
>>>> built for them.
>>> Do these work with W32tm or NTPD for Windows?
>>
>> I didn't think (the Meinberg build of) NTPD for windows supported any of
>> the refclocks? Or maybe they support the refclocks but no PPSAPI?
>
> I don't think that Meinberg touches the config.h file when creating
> their builds. The refclocks that are to be supported are defined there.

Right. The config.h file is left untouched, so whatever is included by the source code distribution is included by the binaries.

However, I don't know how the PPS API should be supported under Windows, except that the Windows port would come with an own kernel driver which evaluated a PPS input signal.

The remaining question is whether it would make much sense at all to write such a driver since the resolution of the Windows clock is limited to ~16 milliseconds (1 ms under Vista, AFAIK).

We sometimes have requests from customers who think they can just install a GPS PCI card in their Windows machine so their applications will get the Windows system time with better than 1 microsecond accuracy.

However, though some of the Windows API calls provide a resolution of 100 nanoseconds, those API calls return exactly the same time stamps between 2 timer ticks, and then the returned time steps by the amount of the timer tick interval.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

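Added example, not part of the original message and not ntpd or Meinberg code: the gap Martin describes between a timestamp's resolution (its 100 ns unit) and the clock's granularity (how often the value actually changes) can be measured by reading a clock repeatedly and looking at the steps between distinct values. The function names and the simulated 15.625 ms tick (156250 units of 100 ns) are assumptions made for this illustration.

```python
import time
from collections import Counter

UNIT_NS = 100  # one timestamp unit = 100 ns, the resolution named in the message


def quantized_clock(true_time_units, tick_units):
    """Simulate a clock that reports 100 ns units but only advances once per tick."""
    return (true_time_units // tick_units) * tick_units


def analyse_steps(samples):
    """Summarise consecutive reads of a clock.

    Returns (granularity, repeated_reads): the most common non-zero step between
    consecutive distinct values, and how many reads returned the same value as
    the read before them.
    """
    steps = Counter()
    repeated = 0
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            repeated += 1
        elif cur > prev:
            steps[cur - prev] += 1
    granularity = steps.most_common(1)[0][0] if steps else None
    return granularity, repeated


def constructed_samples(n_reads=1000, read_interval_units=10_000, tick_units=156_250):
    """Constructed data: one read every 1 ms of true time from a 15.625 ms tick clock."""
    return [quantized_clock(i * read_interval_units, tick_units) for i in range(n_reads)]


def sample_local_clock(n_reads=200_000, clock=time.time_ns):
    """Read the local clock back to back; values are in ns, not 100 ns units."""
    return [clock() for _ in range(n_reads)]


if __name__ == "__main__":
    g, rep = analyse_steps(constructed_samples())
    print(f"simulated: step {g * UNIT_NS / 1e6} ms, {rep} repeated reads of 999")
    g, rep = analyse_steps(sample_local_clock())
    print(f"local clock: most common step {g} ns, {rep} repeated reads")
```

On the constructed data, 936 of 999 consecutive reads return an unchanged value even though every value is expressed in 100 ns units, which is the behaviour described in the message above.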
Re: [ntp:questions] Issues with w32tm on AD network
Jason Rabel wrote:
>>>> Are there any GPS systems I could hook up to the Windows domain
>>>> controller, and configure W32tm to use this?
>>> Yes. Trimble, Palisade, NMEA, Jupiter, and HOPF (DCF77) Serial and PCI
>>> are built for Windows. I cannot tell you much about them but the code is
>>> built for them.
>> Do these work with W32tm or NTPD for Windows?
>
> I didn't think (the Meinberg build of) NTPD for windows supported any of the
> refclocks? Or maybe they support the refclocks but no PPSAPI?

I don't think that Meinberg touches the config.h file when creating their builds. The refclocks that are to be supported are defined there.

Danny

Re: [ntp:questions] Issues with w32tm on AD network
Andrew Hodgson wrote:
> On Fri, 22 Feb 2008 02:51:07 GMT, [EMAIL PROTECTED] (Danny Mayer)
> wrote:
>
>> Andrew Hodgson wrote:
>
> [...]>
>
>>> Are there any GPS systems I could hook up to the Windows domain
>>> controller, and configure W32tm to use this?
>>>
>> Yes. Trimble, Palisade, NMEA, Jupiter, and HOPF (DCF77) Serial and PCI
>> are built for Windows. I cannot tell you much about them but the code is
>> built for them.
>
> Do these work with W32tm or NTPD for Windows?
>

NTPD only which was all I was referring to. w32tm doesn't know a refclock from a hole in the wall.

Danny

> Thanks.
> Andrew.

Re: [ntp:questions] Issues with w32tm on AD network
Martin Burnicki wrote:
> Though it's normally preferable to run ntpd rather than w32time, there is a
> limitation if you run ntpd on a domain controller:
> The domain members (workstations) will stop detecting the domain controller
> automatically as their primary time source, so you'll have to configure the
> domain controller explicitly as time source on every client.

Really? Why would it do that? Is this documented somewhere?

Danny

Re: [ntp:questions] Issues with w32tm on AD network
> >> Are there any GPS systems I could hook up to the Windows domain
> >> controller, and configure W32tm to use this?
> >>
> >
> >Yes. Trimble, Palisade, NMEA, Jupiter, and HOPF (DCF77) Serial and PCI
> >are built for Windows. I cannot tell you much about them but the code is
> >built for them.
>
> Do these work with W32tm or NTPD for Windows?

I didn't think (the Meinberg build of) NTPD for windows supported any of the refclocks? Or maybe they support the refclocks but no PPSAPI?

Re: [ntp:questions] Issues with w32tm on AD network
On Fri, 22 Feb 2008 09:31:38 +0100, Martin Burnicki <[EMAIL PROTECTED]> wrote:

>Andrew,
>
>Andrew Hodgson wrote:
>> Hi,
>>
>> I have had issues keeping accurate time on W32tm using an Active
>> Directory based network with just Windows servers. I have a Linux
>> workstation, and NTP on that workstation keeps losing the time, and
>> going to Stratum 16. Similarly, there are Cisco routers on the
>> network, which also do likewise.
>>
>> I am using the NTP pool, but have done this for years on a Linux
>> system with no problems.
>>
>> Should I think about switching to NTPD on Windows, and if I do this,
>> will it cause an issue with both this and W32tm running at the same
>> time?
>
>Though it's normally preferable to run ntpd rather than w32time, there is a
>limitation if you run ntpd on a domain controller:
>The domain members (workstations) will stop detecting the domain controller
>automatically as their primary time source, so you'll have to configure the
>domain controller explicitly as time source on every client.

Yes, I have found this in a previous life, plus it caused some other issues for us as well, which is why I would like to keep W32tm if possible.

>
>If you also run any Linux or other *ix server then a better approach would
>be to let the *ix machine synchronize to the pool servers, and configure
>the *ix machine as "internet time source" for w32time on the domain
>controller.

Unfortunately the Debian box I have is a laptop that is not on continuously, so no good. I do have an ASA firewall and a Cisco router however, which at present are set to get time from the Windows box, but I could set one up as an NTP server perhaps?

Thanks.
Andrew.

Re: [ntp:questions] Issues with w32tm on AD network
On Fri, 22 Feb 2008 02:51:07 GMT, [EMAIL PROTECTED] (Danny Mayer) wrote:

>Andrew Hodgson wrote:

[...]>

>> Are there any GPS systems I could hook up to the Windows domain
>> controller, and configure W32tm to use this?
>>
>
>Yes. Trimble, Palisade, NMEA, Jupiter, and HOPF (DCF77) Serial and PCI
>are built for Windows. I cannot tell you much about them but the code is
>built for them.

Do these work with W32tm or NTPD for Windows?

Thanks.
Andrew.

Re: [ntp:questions] Issues with w32tm on AD network
On Feb 22, 2:31 am, Martin Burnicki <[EMAIL PROTECTED]> wrote:
> Though it's normally preferable to run ntpd rather than w32time, there is a
> limitation if you run ntpd on a domain controller:
> The domain members (workstations) will stop detecting the domain controller
> automatically as their primary time source, so you'll have to configure the
> domain controller explicitly as time source on every client.
>

Configuring all the clients takes about 30 seconds using Windows Group Policies on any of your domain controllers. There is an administrative template for the Windows Time service, and you can configure time sources, polling intervals, and many other parameters for w32time.

See:
http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true

Say what you will about w32time's accuracy... it *is* extremely manageable in large windows networks.

Re: [ntp:questions] Issues with w32tm on AD network
Andrew,

Andrew Hodgson wrote:
> Hi,
>
> I have had issues keeping accurate time on W32tm using an Active
> Directory based network with just Windows servers. I have a Linux
> workstation, and NTP on that workstation keeps losing the time, and
> going to Stratum 16. Similarly, there are Cisco routers on the
> network, which also do likewise.
>
> I am using the NTP pool, but have done this for years on a Linux
> system with no problems.
>
> Should I think about switching to NTPD on Windows, and if I do this,
> will it cause an issue with both this and W32tm running at the same
> time?

Though it's normally preferable to run ntpd rather than w32time, there is a limitation if you run ntpd on a domain controller:
The domain members (workstations) will stop detecting the domain controller automatically as their primary time source, so you'll have to configure the domain controller explicitly as time source on every client.

If you also run any Linux or other *ix server then a better approach would be to let the *ix machine synchronize to the pool servers, and configure the *ix machine as "internet time source" for w32time on the domain controller.

You should not let real NTP clients use w32time as time source, though.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

Re: [ntp:questions] Issues with w32tm on AD network
Danny Mayer wrote:
[]
> Yes. w32time needs to be disabled, you cannot run both. The Meinberg
> installer does this for you and if you choose to uninstall NTP I
> believe it will reenable it.
[]
> Danny

FYI, that's at:

http://www.meinberg.de/english/sw/ntp.htm

Cheers,
David

Re: [ntp:questions] Issues with w32tm on AD network
Andrew Hodgson wrote:
> Hi,
>
> I have had issues keeping accurate time on W32tm using an Active
> Directory based network with just Windows servers. I have a Linux
> workstation, and NTP on that workstation keeps losing the time, and
> going to Stratum 16. Similarly, there are Cisco routers on the
> network, which also do likewise.
>
> I am using the NTP pool, but have done this for years on a Linux
> system with no problems.
>
> Should I think about switching to NTPD on Windows, and if I do this,
> will it cause an issue with both this and W32tm running at the same
> time?
>

Yes. w32time needs to be disabled, you cannot run both. The Meinberg installer does this for you and if you choose to uninstall NTP I believe it will reenable it.

> Are there any GPS systems I could hook up to the Windows domain
> controller, and configure W32tm to use this?
>

Yes. Trimble, Palisade, NMEA, Jupiter, and HOPF (DCF77) Serial and PCI are built for Windows. I cannot tell you much about them but the code is built for them.

Danny

> Thanks.
> Andrew.hook