Re: 2003 Server NTP time issue
From: Jeff Berner (JBerner_at_INFINITYCOMP.COM)
Date: 09/24/04
Date: Fri, 24 Sep 2004 12:00:12 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Thank you to everyone who responded to me directly on the NTP issue. A
few of you referenced MS article q830092, which relates to a problem with
w32time on 2003 Server. My circumstance does not fit the hotfix, so MS
won't release it to me. No big deal. I also chose not to open a paid
call on this incident, as there are plenty of work-arounds that work
fine. If MS would comp the call I would happily work with them to fix
this.
Dave Hart wrote: "As far as I know Windows clients never have used and do
not use the DHCP option(s) for (S)NTP server addresses. Instead,
Windows 2000/XP/2003 AD domain members use the domain hierarchy to form
an automatic time synchronization tree rooted with one of the FSMO role
holders in the root domain of the AD forest. In other words, a Windows
AD domain member will always synchronize its Windows Time service to its
domain's DCs, which themselves will be synchronized to any parent
domains' DCs in the AD forest.
So even if the DHCP server provides (S)NTP server addresses, Windows
will not use them. Domain members will use the domain as a time source.
This also holds true for domain members with a time source configured
via "net time /setsntp:", which is ignored on every domain
controller/member in a forest with the exception of the single Windows
Time hierarchy root holding one of the FSMO roles (I'd have to look up
which one) in the root domain of the forest."
While I profess to not know much about NTP or how MS distributes time to
its members, I would have to agree with this statement. The only
remaining issue is why 2003 NTP is ignoring the request of a non-AD
device.
Martin Maher found a link that ultimately went to (long link, you may
have to cut and paste to follow it):
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/242310.asp
This link describes a registry key that appears to open MS SNTP to
respond to "unusual" NTP requests if it can understand them. If I had a
non-production 2k3 DC server I would have liked to have tried that, but I am
not sure that improperly crafted requests are the issue here, as the
affected devices can query outside NTP servers. The link he provided at
http://www.salfordsoftware.co.uk/kb/SKB114 shows that someone had some
success with this. If anyone else tries this I would be interested in
their experience.
I would also like to thank Thomas Bianco for providing the following
link to a free fully functional NTP server that does work on 2003
servers: http://www.ntp.org/links.html. I implemented that this morning
and the IP phones do sync properly now which tells me that it overrides
or replaces the servers SNTP listener on the 2k3 server. While this
doesn't fix the issue it is a nice internal and *free* time server that
does sync with external servers of your choosing.
Thanks again to everyone who responded.
Jeff Berner
Infinity Computers
http://www.designapc.com/
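The open question in the thread is why a non-domain device (the IP phones) gets no usable answer from the 2003 server's SNTP listener while it can sync against outside servers. The quickest way to separate "server does not answer at all" from "server answers but the reply is unusable" is to send the same kind of 48-byte SNTP request a phone would and decode what comes back. The following is an added example, not code from the original post or from any of the tools mentioned in it: it builds an RFC 2030 client request, parses and sanity-checks the reply (mode, leap indicator, stratum, echoed Originate Timestamp), and computes the standard offset/delay from the four timestamps. The `query()` function does a real UDP exchange when given a host; the sample reply used for the offline run is constructed, not captured traffic, and its timestamps and reference ID are made-up values.

```python
"""Probe an (S)NTP server the way a non-domain device does and decode the reply.
Added example; not from the original NTBugtraq post or from Microsoft/ntp.org."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
MODE_CLIENT = 3
MODE_SERVER = 4


def unix_to_ntp(t):
    """Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp pair."""
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * (1 << 32))  # int() truncates, so it never reaches 2**32
    return secs, frac


def ntp_to_unix(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(version=3, transmit=None):
    """48-byte SNTP client request: LI=0, VN=version, Mode=3 (RFC 2030 layout).
    Only byte 0 and the Transmit Timestamp (bytes 40-47) are filled in, which is
    exactly what a minimal SNTP client such as an IP phone sends."""
    if transmit is None:
        transmit = time.time()
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | ((version & 7) << 3) | MODE_CLIENT
    struct.pack_into("!II", pkt, 40, *unix_to_ntp(transmit))
    return bytes(pkt)


def parse_response(data):
    """Decode the fixed 48-byte NTP header into a dict of Unix-time floats."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    first = data[0]
    ts = struct.unpack("!8I", data[16:48])
    return {
        "li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": data[1], "ref_id": data[12:16],
        "reference": ntp_to_unix(ts[0], ts[1]), "originate": ntp_to_unix(ts[2], ts[3]),
        "receive": ntp_to_unix(ts[4], ts[5]), "transmit": ntp_to_unix(ts[6], ts[7]),
        "transmit_secs": ts[6],  # raw field, so an all-zero timestamp can be detected
    }


def check_response(resp):
    """Reasons a reply is unusable by a client (empty list means it looks fine)."""
    problems = []
    if resp["mode"] != MODE_SERVER:
        problems.append("mode %d, expected %d (server)" % (resp["mode"], MODE_SERVER))
    if resp["li"] == 3:
        problems.append("leap indicator 3: server clock not synchronized")
    if resp["stratum"] == 0 or resp["stratum"] > 15:
        problems.append("stratum %d: kiss-of-death or unsynchronized" % resp["stratum"])
    if resp["transmit_secs"] == 0:
        problems.append("zero Transmit Timestamp")
    return problems


def clock_offset(resp, t1, t4):
    """RFC 2030 section 5: t1 client sent, t2 server received, t3 server sent,
    t4 client received.  Returns (offset, round-trip delay) in seconds."""
    t2, t3 = resp["receive"], resp["transmit"]
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def query(host, port=123, version=3, timeout=2.0):
    """One real UDP exchange; raises socket.timeout if the server stays silent."""
    req = build_request(version)
    t1 = ntp_to_unix(*struct.unpack("!II", req[40:48]))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        data, _ = s.recvfrom(512)
    t4 = time.time()
    resp = parse_response(data)
    if data[24:32] != req[40:48]:  # reply must echo our Transmit as its Originate
        raise ValueError("Originate Timestamp does not match our request")
    return resp, clock_offset(resp, t1, t4)


def make_sample_response(t1, t2, t3, stratum=2, version=3, mode=MODE_SERVER, li=0):
    """Constructed server reply for offline use; not captured from any real server."""
    pkt = bytearray(48)
    pkt[0] = (li << 6) | (version << 3) | mode
    pkt[1] = stratum
    pkt[2], pkt[3] = 6, 0xEC  # poll 2**6 s, precision -20 (typical values)
    pkt[12:16] = bytes([192, 168, 1, 1])  # reference ID: made-up upstream address
    struct.pack_into("!8I", pkt, 16, *unix_to_ntp(t2 - 60), *unix_to_ntp(t1),
                     *unix_to_ntp(t2), *unix_to_ntp(t3))
    return bytes(pkt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python ntpprobe.py 192.0.2.10
        r, (off, dly) = query(sys.argv[1], version=int(sys.argv[2]) if len(sys.argv) > 2 else 3)
        print("stratum", r["stratum"], "problems", check_response(r), "offset %.3fs" % off)
    else:  # offline run against the constructed reply
        r = parse_response(make_sample_response(1000.0, 1002.0, 1002.5))
        print(check_response(r), clock_offset(r, 1000.0, 1001.0))
```

Run it against the 2003 server with a second argument of 1, 3 or 4 to see whether the answer depends on the NTP version in the request; a timeout means the listener never replied, while a reply that `check_response` flags (wrong mode, LI=3, stratum 0) is one the phones would correctly discard. The offline path uses only the constructed reply, so it runs without a network.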
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----