NTP server for windows domain

[NetWareHead]

Does anybody have a need to keep time synchonized in a windows 2000 or higher domain? Any recommendations? I'd like to run a program on a member server or workstation and let my domain controllers synchronize to it. From their my workstations will get the proper time from the DCs. I'd rather not run this software on my domain controllers. I have some software lined up for testing next week, but just wanted to get a few more recommendation from the crowd. Thanks.

 

[stash]

There is time synchornization built into AD. No additional software is necessary. The PDC emulator in your domain needs to be configured to sync with a time source. Then all other domain members (DCs, servers, clients) will use a built in time hierarchy to sync.

Messing around with time in AD can have a negative impact, since Kerberos is dependant on time. By default if a member's time differs from the domain by more than five minutes, it will not authenticate.

Here's more info about time on 2000: http://www.microsoft.com/windows2000/te...fo/howitworks/security/wintimeserv.asp

 

[NetWareHead]

Right about the AD synchronization, but I need a time source that the DCs can synchronize to. I'd like to run an NTP time server in house that will periodically query an atomic clock or other accurate time source on the internet. Any recommendations?

 

[stash]

I wouldn't worry about setting up your own time server. Just use one of the many public ones. I like to use time.nist.gov.

On your 2000 PDCe, run the following commands:

'net time /setsntp:time.nist.gov'
'net stop w32time & net start w32time'

Do this ONLY on the PDCe. If your PDCe happens to be 2003, run this instead:

'w32tm /configure /manualpeerlist:time.nist.gov /syncfromflags:manual /update'

 

[NetWareHead]

STaSh: While your posts are pretty helpful and on the money; they still don't answer my questions. I need an in house NTP time source. I won't be syncing just a windows domain, but a number of network camers, UPS, and various other devices. And I'd rather not let any of my DCs talk directly to hosts on the internet, hence the need for an in house NTP time server. Any recommendation for an NTP server that runs on windows and can synchronize to a source (or preferably more than one source) on the internet and then make this time available for distribution?

 

[spyordie007]

If you dont want to give your DC access to the internet you can use another windows server and set it up as an NTP server, than have your PDCe and other non-windows devices synch time from it.

-Erik

 

[stash]

I'm wth Erik. NTP is NTP, and your non-windows devices will sync just fine to your PDCe. And I also agree that setting up a standalone Windows box configured as an NTP server is a good idea. If you want to go third-party, a google search for 'ntp server software' or something similar should find you plenty of options.

 

[SUOrangeman]

I use the real stuff for my 50+ host lab. 🙂

http://www.ntp.org/ --->

http://ntp.isc.org/bin/view/Main/SoftwareDownloads

To clarify a it more, I actually run ntpd on all of my systems. Only two unique IP addresses are set to go out to a "real" NTP source outside of my lab. All but one of the remaining hosts point to those two "outgoing" IPs. The last host is set to sync to all of my machines. I have a perl script that runs every five minutes and produces a web page indicating if a specific system is not even running ntpd (possible off/dead) or if it is slightly out-of-sync. To be honest, I didn't design this nor write any of the supporting code, but I kinda rely on it now. We went with ntpd over what's built into Windows (as well as just using NTP clients) as those allowed the time to be off by more than 10ms.

-SUO, my time is important ... apparently