Ticking away the moments that make up a dull day, I found too many systems frittering and wasting the hours in an off-hand way, or at the very least, letting their clocks drift all over the place. Windows boxes that belonged to the domain were just fine, but other Windows hosts in workgroup mode, switches, and other network gear were all over the place. This looks like a job for <♫> dramatic ta-da-duh-dahh </♫> NTP!
The Windows time service does an adequate job of keeping all domain members in sync. As long as the root domain PDCe is set to sync with an external NTP source (or hardware device like a radio clock or GPS), domain members should never find themselves drifting more than a few seconds off true time. Kerberos, which by default tolerates a skew of up to five minutes, is perfectly happy with this. In my experience, w32time is much better than this, but know your support boundaries and your specific requirements. If you must have accurate time to within fractions of a second, you want to set up an NTP server and use NTP client software to ensure accuracy to within your requirements. This post is not about that…but it is about setting up your domain controller to provide NTP services that are probably good enough for most of us.
A man’s got to know his (service’s) limitations
As much as I like Windows time, I have to recognise that it has its limits. W32time was designed to keep domain members in sync to within a FIVE MINUTE variance…that’s it. For Kerberos that is adequate. Frankly, I have never seen a case where Windows time (properly set up) drifted by more than a couple of seconds, but if you need absolute precision, that is outside the support scope for this service. Check out NTP server software for Linux, or the Windows application Tardis, if you need that degree of precision.
If you follow MS best practices, the PDCe in your forest root domain will be the authoritative time server for your domain, and all domain members in the forest will get their time from him, either directly or indirectly. You can set your Windows boxes that do not belong to the domain to sync to the PDCe as well (net time /setsntp:fqdnofyourpdce [enter].) As long as you point your PDCe to a reliable external time source, you’re good to go. However, note from the command above that Windows Time is using SNTP, not NTP. This works out just fine for Windows hosts, but when it comes to Cisco gear, Linux or Unix boxes, SAN, and other stuff not born of Redmond…not so much. They want NTP, not SNTP. And yes, though they both use UDP port 123, there is enough of a difference that this won’t just work.
So what can we do?
We can set our PDCe up to act as an NTP server, and sync all our non-MS stuff against it. It will still act as our SNTP server, and the anchor of our forest’s time services, but now we can also use it for NTP services. Just remember, we’re doing this only in environments that can tolerate a little drift. We can tweak our variance and our polling intervals to get more precision, but it’s not worth the effort for something that we can’t guarantee. If keeping time within a couple of seconds either way of absolute precision (what I like to call wrist-watch tolerance) is good enough, we should get that without too much effort. The little effort required is detailed next.
This is how we do it.
We’re going to change our timeserver type to NTP, configure it to advertise itself as such, enable the NTP service, specify an upstream server, and configure our adjustments. The steps required are taken from this KB article… http://support.microsoft.com/kb/816042. Remember, it is up to you to test this in your environment to ensure that it works for you and is suitable to your needs. We’re messing with the most important DC in your environment. Use common sense before proceeding…here be dragons. Still with me? Okay, log onto the PDCe in your root domain, launch regedit, and configure as follows.
Change the server type to NTP.
1. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
2. In the right pane, right-click Type, and then click Modify.
3. In Edit Value, type NTP in the Value data box, and then click OK.
Set AnnounceFlags to 5.
4. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
5. In the right pane, right-click AnnounceFlags, and then click Modify.
6. In Edit DWORD Value, type 5 in the Value data box, and then click OK.
Enable NTPServer.
7. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
8. In the right pane, right-click Enabled, and then click Modify.
9. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
Specify the time sources.
10. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
11. In the right pane, right-click NtpServer, and then click Modify.
12. In Edit Value, type Peers in the Value data box, and then click OK.
Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect. I recommend you use pool.ntp.org,0x1 or consult this page for other stratum two servers in your area. Please read and follow the rules of engagement for these servers. If that’s too much work, stick with pool.ntp.org. That’s an alias for numerous open access NTP servers on the Internet, and since we’re just shooting for wrist-watch tolerance here, that’s good enough for what we need.
Select the poll interval.
13. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
14. In the right pane, right-click SpecialPollInterval, and then click Modify.
15. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
Configure the time correction settings.
16. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
17. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
18. In Edit DWORD Value, click to select Decimal in the Base box.
19. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
20. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
21. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
22. In Edit DWORD Value, click to select Decimal in the Base box.
23. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
24. Exit Registry Editor.
25. Open an administrative command prompt and type the following command to restart the Windows Time service:
net stop w32time && net start w32time [enter]
26. Check your event logs for the following (screenshot of the expected event log entries is missing from this page).
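For those who would rather script the registry steps above than click through regedit, here is an added PowerShell equivalent (my own example, not code from the KB article or the original post) that records the existing values before changing them, restarts w32time, and checks the result with w32tm. It assumes an elevated prompt on the forest-root PDCe running Windows Server 2008 or later (for the w32tm /query switches), and uses the peer, poll interval and phase-correction values suggested above.

```powershell
# Added example: apply the W32Time registry settings from the steps above.
# Values below are the ones the post suggests; adjust for your environment.
$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$Peers = 'pool.ntp.org,0x1'     # ,0x1 is required per the note above
$PollSeconds = 900               # poll every 15 minutes
$MaxPhaseCorrection = 3600       # allow up to 1 hour of correction either way

$settings = @(
    @{ Path = "$W32\Parameters";              Name = 'Type';                  Value = 'NTP';               Type = 'String' },
    @{ Path = "$W32\Parameters";              Name = 'NtpServer';             Value = $Peers;              Type = 'String' },
    @{ Path = "$W32\Config";                  Name = 'AnnounceFlags';         Value = 5;                   Type = 'DWord'  },
    @{ Path = "$W32\TimeProviders\NtpServer"; Name = 'Enabled';               Value = 1;                   Type = 'DWord'  },
    @{ Path = "$W32\TimeProviders\NtpClient"; Name = 'SpecialPollInterval';   Value = $PollSeconds;        Type = 'DWord'  },
    @{ Path = "$W32\Config";                  Name = 'MaxPosPhaseCorrection'; Value = $MaxPhaseCorrection; Type = 'DWord'  },
    @{ Path = "$W32\Config";                  Name = 'MaxNegPhaseCorrection'; Value = $MaxPhaseCorrection; Type = 'DWord'  }
)

# Save the current values first so the change can be rolled back on this DC.
$backup = "$env:TEMP\w32time-before-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
foreach ($s in $settings) {
    $old = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    "$($s.Path)\$($s.Name) = $old" | Add-Content -Path $backup
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
}
Write-Host "Previous values saved to $backup"

# Equivalent of the 'net stop w32time && net start w32time' step above.
Restart-Service -Name w32time
Start-Sleep -Seconds 5
w32tm /resync

# Verify: Source should be the configured peer, Stratum one above it,
# and the configuration dump should show the values just written.
w32tm /query /status
w32tm /query /configuration | Select-String -Pattern 'Type|NtpServer|AnnounceFlags|Enabled|SpecialPollInterval|PhaseCorrection'

# Measure the offset against the upstream peer directly (also a handy
# check to run from a client against the PDCe once it is advertising).
w32tm /stripchart /computer:pool.ntp.org /samples:3 /dataonly
```

If w32tm /query /status still reports Local CMOS Clock as the source after the restart, give the service a poll interval or two, then re-check the event log before assuming the change failed.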
And that is that. Now comes the fun stuff…configuring your network gear, Linux boxes, SAN, etc. to use your new NTP server. I recommend creating an alias in DNS for ntp.yourinternaldns.tld and using that in your NTP configurations. That way, if you ever have to move this, replace the server, or find that you really do want microsecond precision and set up a ‘real’ NTP server, you won’t have to touch these again. Just change the CNAME and call it a day.
What better song could close a post about time than Pink Floyd’s "Time," the fourth track from the band’s 1973 album, The Dark Side of the Moon, and the only song on the album credited to all four members of the band. It is noted for its long introductory passage of clocks chiming and alarms ringing, recorded as a quadraphonic test by Alan Parsons, not specifically for the album.
direct link for RSS and email subscribers…http://www.youtube.com/watch?v=ntm1YfehK7U
How do you manage time in your environment?
1 comment:
Great post. Love the Floyd video