Solved

NTP Server Sync outside the domain

Posted on 2010-08-31
Last Modified: 2012-05-10
I have a Windows 2003 based AD and the NTP works just fine for all the machines in the domain.

I have 2 Cisco servers in one of my datacenters. Unfortunately these servers don't have internet access and are not in the domain. So the NTP sync is not working.

So my question is, where in the Active Directory does it mention that the PDC can sync time only for the machines in that time? Can I add the IPs of these Cisco servers in the list of machines that can sync time with the PDC?

Alternately how can I set up another server (which has internet access and which is in domain, but not the domain controller) as an NTP server and then in turn ask the Cisco Servers to sync time with this server?

Thanks
0
Question by:vilasnair
8 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33572449

To configure an internal time server to synchronize with an external time source, follow these steps:

   1. Change the server type to NTP. To do this, follow these steps:
         1. Click Start, click Run, type regedit, and then click OK.
         2. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
         3. In the right pane, right-click Type, and then click Modify.
         4. In Edit Value, type NTP in the Value data box, and then click OK.
   2. Set AnnounceFlags to 5. To do this, follow these steps:
         1. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
         2. In the right pane, right-click AnnounceFlags, and then click Modify.
         3. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
   3. Enable NTPServer. To do this, follow these steps:
         1. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
         2. In the right pane, right-click Enabled, and then click Modify.
         3. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
   4. Specify the time sources. To do this, follow these steps:
         1. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
         2. In the right pane, right-click NtpServer, and then click Modify.
         3. In Edit Value, type Peers in the Value data box, and then click OK.

            Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.
   5. Select the poll interval. To do this, follow these steps:
         1. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
         2. In the right pane, right-click SpecialPollInterval, and then click Modify.
         3. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

            Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
   6. Configure the time correction settings. To do this, follow these steps:
         1. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
         2. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
         3. In Edit DWORD Value, click to select Decimal in the Base box.
         4. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

            Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
         5. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
         6. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
         7. In Edit DWORD Value, click to select Decimal in the Base box.
         8. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

            Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
   7. Quit Registry Editor.
   8. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
      net stop w32time && net start w32time
0
 
LVL 15

Expert Comment

by:DonConsolio
ID: 33572592
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33572709
Point the PDCe in the forest root to the Cisco device, you can use w32tm and Matt outlines the command here:

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 

Author Comment

by:vilasnair
ID: 33580148
Thanks for all the suggestions.

I tried all the changes that Matt suggested on a machine in the domain and then pointed the Cisco server to get the time from that server, but I am getting the same error, "An error occurred while Windows was synchronizing with x.x.x.x"

I guess I didn't understand mkline71's suggestion. "point the PDC in the forest root to the Cisco Device"??
It should be the other way, right?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33580208
OK, so the PDC can't sync with the CISCO device.  (I was thinking of a hardware clock situation)

I'd have it sync with its internal clock then http://technet.microsoft.com/en-us/library/cc784882(WS.10).aspx

As long as the clients are within 5 minutes you are good to go.

Thanks

Mike
0
 

Author Comment

by:vilasnair
ID: 33580706
Forgive my limited knowledge here. By PDC, we meant the primary domain controller. It is getting the time from pool.ntp.org and all the machines in the domain get the time from this PDC.

But the Cisco server is out of the domain. I have set the time locally on this server. But at the end of every month there is a 4 minute difference between the real time and the time that shows on the Cisco server. So what I wanted to do is, make sure that the Cisco server gets the time from somewhere else. Only option I have got on the Cisco server GUI is to set the time manually or give an NTP server name/IP. Since the Cisco server doesn't have the internet access, I can't point it to ntp.pool.org. So I need to point it to some other server available internally. I tried to point the Cisco server to grab the time from the PDC, but it throws an error saying that it can't retrieve the time from the PDC. I assumed this might be because the PDC rejected the request as it came from a machine out of the domain.

So I went ahead and created a new server and made the changes suggested by Matt and tried setting that IP as the NTP server in Cisco server GUI. But the Cisco server throws the error saying that it can't retrieve the time from that server as well.

I can assure that there is no firewall in between the Cisco server and the domain, so the NTP traffic is not getting blocked anywhere.

Any ideas?
0
 
LVL 15

Accepted Solution

by:
DonConsolio earned 2000 total points
ID: 33592995
On your PDC:

>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled
>Changing the ‘Enabled’ flag to the value 1 enables the NTP Server.
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
>Change the server type to NTP by specifying ‘NTP’ in the ‘Type’ registry entry.
if needed:
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
>The ‘NTP Server’ parameter is used to provide a list of IP addresses or DNS names, separated by
>a space, of NTP servers that the Windows 2003 machine can synchronise to.



On your Cisco Server(s) -
configure to use the (internal) IP of the PDC as NTP server
0
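
A check that can be run from any machine outside the domain to see whether the Windows server configured above answers NTP queries on UDP 123 and whether its reply reports a synchronized clock. This is an added example, not code from any poster in this thread; the function names (`query`, `parse_reply`, `problems`) are introduced here and the two sample packets are constructed, not captured from the poster's servers.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request(version=3):
    """48-byte client request: LI=0, VN=version, Mode=3 (client)."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Decode the NTP header fields a client uses to accept or reject a server."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum = data[0], data[1]
    root_delay, root_disp = struct.unpack("!iI", data[4:12])
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": first >> 6,                 # 3 = clock not synchronized
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,                # 4 = server reply
        "stratum": stratum,                 # 0 or >= 16 = not usable
        "root_delay_s": root_delay / 65536.0,
        "root_dispersion_s": root_disp / 65536.0,
        "transmit_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }

def problems(reply):
    """Return reasons a strict NTP client could refuse this reply (empty = usable)."""
    issues = []
    if reply["mode"] != 4:
        issues.append("mode %d is not a server reply (4)" % reply["mode"])
    if reply["leap"] == 3:
        issues.append("leap indicator 3: server clock not synchronized")
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        issues.append("stratum %d: unspecified or unsynchronized" % reply["stratum"])
    return issues

def query(server, timeout=3.0):
    """Send one request to UDP 123 and return the parsed reply (raises on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        data, _ = s.recvfrom(512)
    return parse_reply(data)

# Constructed sample replies: a synchronized stratum-2 server and an unsynchronized one.
GOOD = (bytes([0x1C, 2, 6, 0xFA]) + struct.pack("!iI", 0x0800, 0x1000)
        + bytes(28) + struct.pack("!II", 3492201600, 0))
UNSYNCED = bytes([0xDC, 0, 6, 0xFA]) + bytes(44)
```

Call `problems(query("192.0.2.10"))` with the time server's internal IP in place of the documentation address; a timeout means nothing answered on UDP 123, while a non-empty list means the server answered but does not advertise a synchronized clock.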
 

Author Comment

by:vilasnair
ID: 33697700
Thanks for the explanation Don. I will try it.

But I will accept it as a solution as it looks like one. ;)
0

Question has a verified solution.
