Hi Arturo,

The way the Windows time services work is reasonably simple in theory, but complex in practice. Let's start with the default behaviour.
There is a role in a Windows domain called the PDC Emulator. This role runs on only one domain controller at any one time. The machine with this role is responsible for synchronising to an NTP source (specifically, SNTP). Once the PDC Emulator is synchronised, all other domain controllers synchronise from that domain controller. Then, all the servers and clients use their closest domain controller to synchronise.

When in this configuration, I've commonly seen systems ignore a defined NTP source in favour of the PDC Emulator source; this is done, I guess, to ensure Kerberos continues to work. There is also the capability to define a Group Policy that enforces this hierarchy; this definitely ignores locally defined sources. The same policy can enforce a different NTP source, which also means the computer ignores locally defined sources.

The way I always implement time in a Windows domain is as follows:

1. Define a group policy on the Domain Controllers container, filtered using WMI, that sets the NTP server on the PDC Emulator only;
2. Validate that the PDC Emulator is syncing to the NTP source (Event Log), and validate that the time is correct (w32tm /stripchart /computer:NTPSourceIP);
3. Define a group policy setting in the "$CompanyName Domain Policy" to use the NT5DS time protocol;
4. Validate using Event Logs and w32tm that the other domain controllers are also synchronised.

It's probably a bit OT to go through more troubleshooting - you can contact me off-list if you wanted to discuss further troubleshooting or configuration steps.

Dave.

--
David Rawling
Principal Consultant
PD Consulting And Security
7 Virginia Ave
Baulkham Hills, NSW 2153
Australia
Mob: +61 412 135 513
Email: [email protected]

-----Original Message-----
From: [email protected] on behalf of Arturo 'Buanzo' Busleiman
Sent: Thu 4/06/2009 1:18 AM
To: [email protected]
Subject: [time] [OT] W32TIME

Hi! I have a customer who's attempting to sync their Windows-based servers against a Linux/NTP server inside the LAN of the company, which itself syncs to a number of ntp pool servers (including my own ones). Can anyone shed some light on such a setup?

Apparently, w32time is not working, and the Microsoft 'support' group asked 'is the ntp server joined to the domain?'. Yeah, nonsense :)

Any ideas?

--
Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
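A way to script the validation in steps 2 and 4 of Dave's procedure, added here as an example and not part of either mail: it finds the PDC Emulator, checks which source w32tm reports, measures the offset with w32tm /stripchart run on the DC itself, looks for Time-Service event 37 on the PDC, and then checks that the remaining DCs are not running on their local clock. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the NTP source name is a placeholder.

```powershell
# Added example, not from the original mails. Assumes RSAT ActiveDirectory module,
# WinRM access to each DC, and w32tm.exe on the DCs. $NtpSource is a placeholder.
# (The usual WMI filter for the PDCe-only GPO in step 1 is
#  SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5.)
param(
    [string]$NtpSource = 'ntp.example.internal',  # placeholder: the internal NTP server
    [double]$MaxOffsetSeconds = 1.0               # Kerberos default tolerance is 5 min; alert long before
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator

function Get-W32tmSource {
    param([string]$Computer)
    # 'w32tm /query /source' prints the peer the service is actually using
    (w32tm /query /computer:$Computer /source | Out-String).Trim()
}

function Get-OffsetSeconds {
    param([string]$Computer, [string]$Against)
    # /stripchart measures from the machine it runs on, so run it on the DC itself
    $lines = Invoke-Command -ComputerName $Computer -ArgumentList $Against -ScriptBlock {
        param($src) w32tm /stripchart /computer:$src /samples:5 /dataonly
    }
    # /dataonly lines look like "13:02:11, +00.0031582s"; failed probes print "error: 0x..."
    $offsets = foreach ($l in $lines) {
        if ($l -match '^\d\d:\d\d:\d\d,\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }
    ($offsets | Measure-Object -Average).Average
}

# Step 2: the PDC Emulator must use the NTP source and be close to it
$pdcSource = Get-W32tmSource $pdc
$pdcOffset = Get-OffsetSeconds -Computer $pdc -Against $NtpSource
# Event 37 = "The time provider NtpClient is currently receiving valid time data from ..."
$lastGood = Get-WinEvent -ComputerName $pdc -MaxEvents 1 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 37 }
if ($pdcSource -notlike "$NtpSource*") { Write-Warning "$pdc syncs from '$pdcSource', expected $NtpSource" }
if ($null -eq $pdcOffset) { Write-Warning "$pdc got no valid samples from $NtpSource" }
elseif ([math]::Abs($pdcOffset) -gt $MaxOffsetSeconds) { Write-Warning "$pdc offset ${pdcOffset}s exceeds limit" }
if ($lastGood) { "Last event 37 on ${pdc}: $($lastGood.TimeCreated)" } else { Write-Warning "No event 37 found on $pdc" }

# Step 4: the other DCs should follow the hierarchy, i.e. not run on their own clock
foreach ($dc in Get-ADDomainController -Filter * | Where-Object HostName -ne $pdc) {
    $src = Get-W32tmSource $dc.HostName
    $off = Get-OffsetSeconds -Computer $dc.HostName -Against $pdc
    "$($dc.HostName): source=$src offset=${off}s"
    if ($src -match 'Local CMOS Clock|Free-running System Clock') { Write-Warning "$($dc.HostName) is not synchronised" }
}
```

Run it from a workstation with RSAT as a domain admin; a DC whose reported source is its own CMOS clock is the usual sign that the NT5DS policy is not applying.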
