NTP default server. Installing NTP in Ubuntu

Configuring and managing an NTP server in Windows Server

All Windows versions starting with Windows 2000 include the Windows Time service (W32Time). This service is designed to synchronize system time within an organization. W32Time implements both the client and the server part of the time service, so the same computer can be an NTP (Network Time Protocol) client and an NTP server at the same time.

By default, the time service in Windows is configured as follows:

When the Windows operating system is installed, the NTP client is started and synchronized with an external time source;
When a computer is joined to a domain, the synchronization type changes. All client computers and ordinary servers in the domain synchronize their time with a domain controller, which also authenticates them;
When an ordinary server is promoted to a domain controller, an NTP server is started on it, and the controller holding the PDC emulator role is used as its time source;
The PDC emulator in the forest root domain is the main time server for the entire organization. In turn, it synchronizes with an external time source.

This scheme works in most cases and requires no intervention. However, the structure of the time service in Windows does not have to follow the domain hierarchy, and any computer can be assigned as a reliable time source. As an example, I will describe configuring an NTP server in Windows Server 2008 R2, although the procedure has changed little since Windows 2000.

Starting the NTP server

First, I note that the time service in Windows Server (from 2000 through 2012) has no graphical interface and is configured either from the command line or by editing the system registry directly. Personally, I prefer the second way, so let's go to the registry.

So, the first thing we need is to start the NTP server. Open the registry branch
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
To enable the NTP server, set the Enabled parameter here to 1.

After restarting the time service (net stop w32time && net start w32time), the NTP server is active and can serve clients. You can verify this with the w32tm /query /configuration command, which prints the complete list of service parameters. If the NtpServer section contains the line Enabled: 1, everything is fine and the time server is running.

For the NTP server to serve clients, do not forget to open UDP port 123 for incoming and outgoing traffic on the firewall.

Basic NTP server settings

The NTP server is enabled; now it needs to be configured. Open the registry branch HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. Here we are primarily interested in the Type parameter, which sets the synchronization type. It can take the following values:

NoSync - the NTP server is not synchronized with any external time source; the clock built into the server's CMOS chip is used;
NTP - the NTP server is synchronized with the external time servers listed in the NtpServer registry parameter;
NT5DS - the NTP server synchronizes according to the domain hierarchy;
AllSync - the NTP server uses all available sources for synchronization.

The default value for a domain member is NT5DS; for a standalone computer it is NTP.

The NtpServer parameter specifies the NTP servers this server will synchronize its time with. By default this parameter contains the Microsoft NTP server (time.windows.com,0x1); if necessary, you can add several more NTP servers by entering their DNS names or IP addresses separated by spaces. A list of public time servers can be found, for example, at http://ntp.org.

At the end of each name you can add a flag (e.g. 0x1) that determines the synchronization mode with that time server. The following values are allowed:

0x1 - SpecialInterval, use the special poll interval;
0x2 - UseAsFallbackOnly mode;
0x4 - SymmetricActive, symmetric active mode;
0x8 - Client, send requests in client mode.

When the SpecialInterval flag is used, the interval value must be set in the SpecialPollInterval key. When the UseAsFallbackOnly flag is set, the time service is told that this server is to be used as a backup, and synchronization with it is attempted only after the other servers in the list. Symmetric active mode is used by NTP servers by default, and client mode can be used in case of synchronization problems. Microsoft recommends setting the flag to 0x1 everywhere.

Another important parameter is AnnounceFlags, located in the registry section HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config. It controls how the NTP server announces itself and can take the following values:

0x0 (Not a Time Server) - the server does not announce itself as a time source via Netlogon. It can respond to NTP requests, but neighbors will not be able to recognize it as a time source;
0x1 (Always Time Server) - the server always announces itself, regardless of its status;
0x2 (Automatic Time Server) - the server announces itself only if it receives reliable time from another neighbor (NTP or NT5DS);
0x4 (Always Reliable Time Server) - the server always announces itself as a reliable time source;
0x8 (Automatic Reliable Time Server) - a domain controller is automatically declared reliable if it is the PDC emulator of the forest root domain. This flag lets the forest PDC announce itself as an authoritative time source for the entire forest even when it has no connection to upstream NTP servers. No other controller or ordinary server (with the default flag 0x2) can announce itself as a reliable time source if it cannot find a time source for itself.

The AnnounceFlags value is the sum of its component flags, for example:

10 = 2 + 8 - the NTP server announces itself as a reliable time source provided that it receives time from a reliable source or is the PDC of the root domain. The value 10 is set by default for domain members and for standalone servers.

5 = 1 + 4 - the NTP server always announces itself as a reliable time source. For example, to declare an ordinary server (not a domain controller) a reliable time source, you need the value 5.

Finally, let's configure the interval between updates. This is the SpecialPollInterval parameter already mentioned above, located in the registry branch HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient. It is specified in seconds, and its default value is 604800, which is one week. That is a lot, so it is worth reducing SpecialPollInterval to a reasonable value, say one hour (3600).
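As an added example (not part of the article), the following Python decodes the registry values discussed above: the NtpServer peer list with its ,0xN flags, the AnnounceFlags bit sum, Type and SpecialPollInterval, and reports settings worth a second look. Reading the live registry uses the standard winreg module and is assumed to run only on Windows; the decoding itself runs anywhere, including on the constructed sample values. It also handles combined peer flags (for example 0x9 = 0x1 + 0x8), which the article lists only individually.

```python
"""Decode W32Time registry settings (added example; not from the article).

The flag tables are the ones the article lists for the NtpServer peer list and
for AnnounceFlags. Reading the live registry uses the standard winreg module
(assumed Windows only); the decoding functions are pure Python.
"""
import sys

# Peer-list flags appended as ",0xN" to each entry of NtpServer
PEER_FLAGS = {
    0x1: "SpecialInterval",
    0x2: "UseAsFallbackOnly",
    0x4: "SymmetricActive",
    0x8: "Client",
}

# AnnounceFlags bits (HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config)
ANNOUNCE_FLAGS = {
    0x1: "Always Time Server",
    0x2: "Automatic Time Server",
    0x4: "Always Reliable Time Server",
    0x8: "Automatic Reliable Time Server",
}

SYNC_TYPES = {"NoSync", "NTP", "NT5DS", "AllSync"}


def parse_peer_list(ntp_server):
    """Split 'host1,0x1 host2,0x9' into [(host, [flag names])].

    Entries without a ',0xN' suffix get an empty flag list (default mode).
    Combined flags such as 0x9 decode to every bit that is set.
    """
    peers = []
    for entry in ntp_server.split():
        host, sep, flags = entry.partition(",")
        value = int(flags, 16) if sep else 0
        names = [name for bit, name in PEER_FLAGS.items() if value & bit]
        unknown = value & ~sum(PEER_FLAGS)
        if unknown:
            names.append("unknown(0x%x)" % unknown)
        peers.append((host, names))
    return peers


def decode_announce_flags(value):
    """Return the flag names whose bits are set in AnnounceFlags (e.g. 10 = 2 + 8)."""
    return [name for bit, name in ANNOUNCE_FLAGS.items() if value & bit]


def audit(settings, is_pdc=False):
    """Return findings for a dict of the registry values the article covers.

    settings keys: Type, NtpServer, AnnounceFlags, SpecialPollInterval.
    """
    findings = []
    sync_type = settings.get("Type", "")
    if sync_type not in SYNC_TYPES:
        findings.append("Type %r is not one of %s" % (sync_type, sorted(SYNC_TYPES)))
    for host, flags in parse_peer_list(settings.get("NtpServer", "")):
        if "SpecialInterval" in flags and "SpecialPollInterval" not in settings:
            findings.append("%s uses 0x1 but SpecialPollInterval is not set" % host)
    announce = decode_announce_flags(settings.get("AnnounceFlags", 0))
    if "Always Reliable Time Server" in announce and not is_pdc:
        findings.append("non-PDC host announces itself as always reliable (AnnounceFlags 0x4)")
    interval = settings.get("SpecialPollInterval")
    if interval is not None and interval > 3600:
        findings.append("SpecialPollInterval %d s is longer than one hour" % interval)
    if sync_type == "NoSync":
        findings.append("Type=NoSync: serving the CMOS clock with no external reference")
    return findings


def read_from_registry():
    """Read the same four values from the live registry (Windows only)."""
    import winreg  # standard module, present only on Windows
    base = r"SYSTEM\CurrentControlSet\Services\W32Time"
    wanted = {
        "Type": base + r"\Parameters",
        "NtpServer": base + r"\Parameters",
        "AnnounceFlags": base + r"\Config",
        "SpecialPollInterval": base + r"\TimeProviders\NtpClient",
    }
    settings = {}
    for name, path in wanted.items():
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            settings[name] = winreg.QueryValueEx(key, name)[0]
    return settings


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_from_registry()
    else:  # constructed sample matching the defaults the article describes
        current = {"Type": "NTP", "NtpServer": "time.windows.com,0x1",
                   "AnnounceFlags": 10, "SpecialPollInterval": 604800}
    print(parse_peer_list(current["NtpServer"]))
    print(decode_announce_flags(current["AnnounceFlags"]))
    for finding in audit(current):
        print("finding:", finding)
```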

W32Time service management commands:

w32tm /config /update - update the service configuration.

w32tm /monitor - find out how much the system time of this computer differs from the time on the domain controller or other computers. For example: w32tm /monitor /computers:time.nist.gov
w32tm /resync - force synchronization with the time server in use.
w32tm /stripchart - shows the time difference between the current and a remote computer and can output the result in graphical form. For example, the command w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly makes 5 comparisons with the specified source and outputs the result in text form.

w32tm /config - the command used to configure the NTP service. With it you can set the list of time servers used, the synchronization type and much more. For example, to override the default values and configure time synchronization with an external source, use the command w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov /update
w32tm /query - shows the current service settings. For example, w32tm /query /source shows the current time source, and w32tm /query /configuration displays all service settings.
w32tm /unregister - removes the time service from the computer.
w32tm /register - registers the time service on the computer; the entire branch of parameters in the registry is created.


The Windows Time service, despite its apparent simplicity, is one of the foundations required for an Active Directory domain to function normally. In a properly configured AD, the time service works as follows: user computers get accurate time from the nearest domain controller, the one they logged on to. All domain controllers in turn receive accurate time from the DC holding the PDC emulator role, and the PDC emulator synchronizes its time with an external source. One or more NTP servers can act as the external time source, for example time.windows.com or your Internet provider's NTP server. It should also be noted that by default clients in the domain synchronize time using the Windows Time service rather than the plain NTP protocol.

If you have encountered a situation where the time on clients and domain controllers differs, there may be time synchronization problems in your domain, and this article will be useful to you.

First, choose a suitable NTP server you could use. A list of public NTP servers is available on the site http://ntp.org. In our example we will use the NTP servers from the pool ru.pool.ntp.org:

  • 0.ru.pool.ntp.org
  • 1.ru.pool.ntp.org
  • 2.ru.pool.ntp.org
  • 3.ru.pool.ntp.org

Setting up time synchronization in the domain using group policies consists of two steps:

1) Creating a GPO for the domain controller holding the PDC role
2) Creating a GPO for clients (optional)

Setting the NTP synchronization policy on the PDC domain controller

This step configures the domain controller holding the PDC emulator role to synchronize time with an external NTP server. Because the PDC emulator role can, in theory, move between domain controllers, we need a policy that is applied only to the current owner of the PDC role. To do this, in the Group Policy Management Console (gpmc.msc), go to the WMI Filters section, create a new filter, name it PDC emulator and use the WMI query: Select * from Win32_ComputerSystem where DomainRole = 5

Then create a new GPO and link it to the Domain Controllers container.

Switch to policy editing mode and expand the following section: Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers

We are interested in three policies:

  • Configure Windows NTP Client: Enabled (the policy settings are described below)
  • Enable Windows NTP Client: Enabled
  • Enable Windows NTP Server: Enabled

In the Configure Windows NTP Client policy settings, specify the following parameters:

  • NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 2.ru.pool.ntp.org,0x1 3.ru.pool.ntp.org,0x1
  • Type: NTP
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 0

Tip. Do not forget to configure the firewall so that the PDC server can reach the external NTP servers via NTP (UDP port 123).

Note. Pay attention to the syntax of the NtpServer field. The format for specifying multiple NTP servers is: ntpsrv1.org,0x1 ntpsrv2.org,0x1 (space separated). The screenshot shows incorrect data!

Apply the previously created PDC emulator filter to this policy.

Tip. You can find the name of the server holding the PDC role with the command: netdom query fsmo

It remains to update the policies on the PDC controller:
gpupdate /force

Manually run time synchronization:
w32tm /resync

Check the current NTP status:
w32tm /query /status

Tip. If the time is not synchronized, restart the Windows Time service and reset the current settings:
net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time
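To confirm after applying the policy that the PDC actually tracks the pool servers, this added Python (not the article's code) parses the /dataonly output of w32tm /stripchart, the diagnostic command listed earlier, and compares the worst measured offset against the five-minute Kerberos tolerance the article mentions. It assumes the sample lines have the form "HH:MM:SS, +00.0123456s" and that failed samples contain the word "error"; the embedded output is constructed.

```python
"""Evaluate w32tm /stripchart /dataonly output (added example; not from the article).

Assumed line format: 'HH:MM:SS, +00.0123456s'; failed samples print an
'error: ...' text instead of an offset. The five-minute tolerance is the
Kerberos limit quoted in the article.
"""
import re
import subprocess
import sys

SAMPLE_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$")
KERBEROS_MAX_SKEW = 300.0  # seconds


def parse_stripchart(text):
    """Return (offsets, errors): offsets in seconds, errors = the failed sample lines."""
    offsets, errors = [], []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            offsets.append(float(m.group(1)))
        elif "error" in line.lower():
            errors.append(line.strip())
    return offsets, errors


def assess(offsets, errors, max_skew=KERBEROS_MAX_SKEW):
    """Classify the result as 'ok', 'skew' (worst offset above max_skew) or 'unreachable'.

    Returns (verdict, worst_absolute_offset); worst is None when no sample succeeded.
    """
    if not offsets:
        return "unreachable", None
    worst = max(abs(o) for o in offsets)
    return ("skew" if worst > max_skew else "ok"), worst


def measure(peer, samples=5):
    """Run w32tm against a peer (Windows only) and assess the captured output."""
    cmd = ["w32tm", "/stripchart", "/computer:%s" % peer,
           "/samples:%d" % samples, "/dataonly"]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return assess(*parse_stripchart(out))


# Constructed sample output in the format assumed above (one timed-out sample).
SAMPLE_OUTPUT = """Tracking 0.ru.pool.ntp.org [192.0.2.10:123].
Collecting 5 samples.
The current time is 01.01.2021 10:00:00.
10:00:00, +00.0123456s
10:00:02, +00.0120010s
10:00:04, error: 0x800705B4
10:00:06, +00.0118800s
10:00:08, -00.0002500s
"""

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        print(measure(sys.argv[1]))   # e.g. python check_skew.py 0.ru.pool.ntp.org
    else:
        print(assess(*parse_stripchart(SAMPLE_OUTPUT)))
```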

Configuring time synchronization on domain clients

In Active Directory, domain clients by default synchronize their time with the domain controllers (the NT5DS option: synchronize time according to the domain hierarchy). As a rule, this scheme works and does not require reconfiguration. However, if there are time synchronization problems on domain clients, you can try forcibly assigning a time server for the clients using a GPO.

To do this, create a new GPO and link it to the containers (OUs) with computers. In the GPO editor, go to the section Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers and enable the Configure Windows NTP Client policy.

As the NTP server, specify the name or IP address of the PDC, for example MSK-DC1.Sype,0x9, and NT5DS as the synchronization type.

Update the group policy settings on the clients and verify that the clients have successfully synchronized their time with the PDC.

Tip. This scheme is applicable only to small domains. In large distributed domains with many DCs and sites, you will have to create separate policies for each site so that clients synchronize their time with the DCs in their own site.


Good day, guests and regular readers. We are gradually moving from the basics to a more in-depth study of Linux. Today I want to look at how the NTP protocol works, as well as at setting up a time server (NTP server) on Linux. So let's start with the theory.

The NTP protocol

Network Time Protocol (NTP) is a network protocol for synchronizing a computer's internal clock over networks with variable latency (read: channel "width"/quality).

NTP uses the UDP protocol and port 123.

The current version of the protocol is NTP 4. NTP uses a hierarchical system of "time levels" (also called strata). Level 0 (Stratum 0) usually consists of devices such as atomic (molecular, quantum) clocks, GPS clocks or radio clocks. These devices are usually not published on the global network; they are connected directly to level 1 time servers over the RS-232 protocol (marked with yellow arrows in the illustrations). Level 1 servers, synchronized with the high-precision level 0 clocks, usually serve as sources for level 2 servers. Level 2 servers synchronize with one of the level 1 machines and also with servers of their own level. Level 3 works similarly to the second. Servers published on the network are usually at the second level and below. The NTP protocol supports up to 256 levels. I also want to note that servers at levels 1 and 2, and sometimes 3, are not always open to public access. Sometimes, to synchronize with them, you have to send a request by e-mail to the domain administrators.

What is the reason for restricting access to the servers? With each step down the hierarchy the error relative to the primary server increases slightly, but the total number of servers grows and, therefore, ...
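As an added example (not the article's code), here is a minimal NTPv4 client in Python built from the description above: a 48-byte request (version 4, mode 3 = client) sent to UDP port 123, a parser for the reply's stratum and timestamps, and the standard offset calculation. The query() function needs network access; the hostname pool.ntp.org in the demo call is an assumption, and the test reply used below is constructed.

```python
"""Minimal SNTP/NTPv4 exchange (added example; not the article's code).

Builds the 48-byte client request implied by the article (version 4, mode 3,
UDP port 123), parses the server reply including the stratum field, and
computes the clock offset from the four timestamps.
"""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
# 48 bytes: LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/originate/receive/transmit timestamps
PACKET = struct.Struct("!BBBbIIIQQQQ")


def to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds) + NTP_EPOCH_DELTA
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time (float)."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(transmit_unix):
    """LI=0, VN=4, Mode=3 (client); only the transmit timestamp is filled in."""
    first = (0 << 6) | (4 << 3) | 3
    return PACKET.pack(first, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(transmit_unix))


def parse_reply(data):
    """Return the fields a client needs: leap, version, mode, stratum, timestamps."""
    (first, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, orig, recv, xmit) = PACKET.unpack(data[:PACKET.size])
    return {
        "leap": first >> 6,           # 3 = clock not synchronised
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,          # 4 = server reply
        "stratum": stratum,           # 0 = unspecified/kiss-o'-death, 1 = primary, 2+ = secondary
        "t1": from_ntp(orig),         # client transmit time, echoed by the server
        "t2": from_ntp(recv),         # server receive time
        "t3": from_ntp(xmit),         # server transmit time
    }


def clock_offset(t1, t2, t3, t4):
    """Offset = ((t2 - t1) + (t3 - t4)) / 2; positive means the local clock is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2


def query(server, timeout=3.0):
    """Send one request and return (reply_fields, offset_seconds, round_trip_seconds)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    reply = parse_reply(data)
    if reply["mode"] != 4:
        raise ValueError("unexpected mode %d (expected 4 = server)" % reply["mode"])
    if reply["stratum"] == 0 or reply["leap"] == 3:
        raise ValueError("server refused the request or is not synchronised")
    offset = clock_offset(reply["t1"], reply["t2"], reply["t3"], t4)
    round_trip = (t4 - reply["t1"]) - (reply["t3"] - reply["t2"])
    return reply, offset, round_trip


if __name__ == "__main__":
    print(query("pool.ntp.org"))  # assumed public pool; requires network access
```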

Purpose of an NTP server on a LAN

Why might we need an NTP server? For example, operating systems have services that may depend on synchronized time. The most striking example is the Kerberos authentication protocol. For it to work, the system time on the computers accessed with this protocol must differ by no more than 5 minutes. In addition, accurate time on all computers greatly simplifies the analysis of security logs when investigating incidents on the local network.

NTP server/client operation modes

Client/server

This mode is the most commonly used on the Internet. The scheme is classic: the client sends a request, to which the server sends a reply after some time. The client is configured with the server directive in the configuration file, where the server's DNS name is specified.

Symmetric active/passive mode

This mode is used when time is synchronized between a large number of peer machines. In addition to synchronizing with an external source, each machine also synchronizes with its neighbors (peers), acting for them as both a client and a time server. Therefore, even if a machine "loses" its external source, it can still get accurate time from its neighbors. Neighbors can operate in two modes: active and passive. In active mode, the machine itself sends its time to all neighbors listed in the peer section of the ntp.conf configuration file. If no neighbors are specified in this section, the machine is considered to be in passive mode. To prevent an attacker from compromising other machines by presenting himself as an active source, authentication must be used.

Broadcast mode

This mode is recommended when a small number of servers serve a large number of clients. In this mode, the server periodically sends packets to the subnet broadcast address. A client configured for this kind of synchronization receives the server's broadcast packet and synchronizes with the server. A feature of this mode is that time is delivered only within one subnet (a limitation of broadcast packets). In addition, authentication must be used to protect against intruders.

Multicast mode

This mode is largely similar to broadcast. The difference is that a multicast address from the IP address space is used to deliver packets. A multicast group address is specified on the clients and servers for time synchronization. This makes it possible to synchronize groups of machines located in different subnets, provided that the routers connecting them support the IGMP protocol and are configured to forward group traffic.

Manycast mode

This mode is an innovation of the fourth version of the NTP protocol. The client searches its network neighborhood for manycast servers, obtains time samples from each of them (using cryptography) and, based on this data, selects the three "best" manycast servers with which it will synchronize. If one of the servers fails, the client automatically updates its list.

To exchange time samples, clients and servers operating in manycast mode use multicast group addresses (class D networks). Clients and servers using the same address form one association. The number of associations is determined by the number of multicast addresses used.

Time in Linux

Briefly, what clocks exist in Linux and how to query them. In Linux, as in any other OS, there are two clocks. The first is the hardware clock, sometimes called the Real Time Clock (RTC) (this is the BIOS clock); it is usually driven by a quartz crystal oscillator with an accuracy of up to a few seconds per day. Its accuracy depends on various factors, for example the ambient temperature. The second is the internal software clock, which runs continuously, including during system interrupts. It is subject to deviations associated with heavy system load and interrupt latency. The system usually reads the hardware clock at boot and then uses the system clock.

The operating system's date and time are set at boot based on the hardware clock value and the time zone settings. The time zone settings are taken from the file /etc/localtime. This file is a link (or, more often, a copy) of one of the files in the /usr/share/zoneinfo/ directory structure.

The Linux hardware clock can store time in UTC format (analogous to GMT) or in the current local time. The general recommendation on which to use is as follows: if several OSes are installed on the computer and one of them is Windows, you need to use local time (because Windows takes the time from the BIOS/CMOS and treats it as local). If only UNIX-family systems are used, it is advisable to store the time in the BIOS in UTC format.

After the operating system has booted, the OS clock and the BIOS clock are completely independent. The kernel synchronizes the system clock with the hardware clock once every 11 seconds.

After some time, a difference of a few seconds may appear between the hardware and software clocks. Which clock shows the right time? Neither, until we configure time synchronization.

Note:

The Linux kernel always keeps and calculates time as the number of seconds elapsed since midnight on January 1, 1970, regardless of whether your clock is set to local or universal time. Conversion to local time is done at query time.

Since the number of seconds since January 1, 1970 in universal time is stored as a signed 32-bit integer (this is true for Linux/Intel systems), your clock will stop working somewhere in 2038. Linux has no year-2000 problem, but it does have a year-2038 problem. Fortunately, by then all Linux systems will be running on 64-bit systems. A 64-bit integer will keep our clock running for approximately 292271 million years.

NTP server on Linux

Introduction

There are many time synchronization implementations for Linux. The best known are xntpd (NTP version 3), ntpd (NTP version 4), chrony and clockspeed. In our example we will use the ntpd NTP server.

The ntpd daemon is both a time server and a client: depending on the settings in the configuration file /etc/ntpd.conf (sometimes /etc/ntp.conf), the daemon can both "take" time from valid servers and "distribute" time to other hosts.

The general time synchronization scheme on a local network is as follows: you must have one or two servers with access to the global network that receive time from the Internet. All computers on the local network synchronize with those servers, which in turn receive time from the Internet.

Installing ntpd

Installing the daemon comes down to installing the following packages: ntp (the package includes the daemon itself), ntpdate (a utility for manual time synchronization; deprecated), ntp-doc (package documentation); in some distributions you will also need to install ntp-utils (diagnostic utilities), in others they are included in the ntp package. I have described how to install programs in Linux earlier. After installing the package, in most distributions the daemon is configured as an NTP client (this was the case on Debian, for example). Accordingly, the main configuration files /etc/ntp.conf and /var/lib/ntp/ntp.drift are created automatically and the daemon is started automatically.

Before configuring the daemon to synchronize with the outside world, I would advise setting the current system date to a value as close as possible to the real time. The date in Linux is set with the command date MMDDhhmmCCYY.ss, where MM is the month, DD the day of the month, hh the hours, mm the minutes, CCYY the four digits of the year and ss the seconds. The values CCYY and ss are optional.

As you can see, the specified command sets the current date and time to December 27, 2010, 20:06:30. The date command without parameters outputs the current system time. The command has a lot of options, which can be found in man date.
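As an added example (not the article's code), the following Python parses and validates the MMDDhhmm[CCYY][.ss] argument format described above instead of calling date itself, so the handling of the optional year and seconds can be checked offline; the values used are the ones from the article's example.

```python
"""Parse the positional date(1) argument MMDDhhmm[CCYY][.ss] (added example).

Mirrors the format the article describes; the date command is never invoked.
"""
import re
from datetime import datetime

# MM DD hh mm, optional CCYY, optional .ss
DATE_ARG = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{4})?(?:\.(\d{2}))?$")


def parse_date_arg(arg, now=None):
    """Return a datetime for MMDDhhmm[CCYY][.ss].

    CCYY defaults to the current year (or now.year when given), ss to 0.
    Out-of-range fields (month 13, hour 24, Feb 30) raise ValueError from datetime().
    """
    m = DATE_ARG.match(arg)
    if not m:
        raise ValueError("expected MMDDhhmm[CCYY][.ss], got %r" % arg)
    month, day, hour, minute, year, second = m.groups()
    year = int(year) if year else (now or datetime.now()).year
    return datetime(year, int(month), int(day), int(hour), int(minute), int(second or 0))


def is_valid_date_arg(arg, now=None):
    """True when the argument parses to a real calendar date and time."""
    try:
        parse_date_arg(arg, now)
        return True
    except ValueError:
        return False


def format_date_arg(dt, with_year=True, with_seconds=True):
    """Inverse operation: build the date argument string for a given datetime."""
    s = dt.strftime("%m%d%H%M")
    if with_year:
        s += dt.strftime("%Y")
    if with_seconds:
        s += ".%02d" % dt.second
    return s


if __name__ == "__main__":
    # The date and time from the article's example: December 27, 2010, 20:06:30
    print(parse_date_arg("122720062010.30"))
    print(format_date_arg(datetime(2010, 12, 27, 20, 6, 30)))
```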

You must also correctly configure the hardware clock and the time zone. As mentioned above, the time zone is configured by copying the required zone file from the /usr/share/zoneinfo/ directory to /etc/localtime:

ntp-server:~# cp /usr/share/zoneinfo/Europe/Moscow /etc/localtime

I set the hardware clock to UTC:

# cat /etc/sysconfig/clock | grep UTC
# UTC=true indicates that the clock is set to UTC;
UTC=true
ntp2-server:~# cat /etc/default/rcS | grep UTC
UTC=yes

In the first example, a configuration file is specified that defines the use of UTC for RH, the second - for DEB-distributions.

Besides telling the system that the hardware clock keeps UTC, you may want to set the hardware clock itself. In most cases this is not necessary, because once ntpd has the system clock synchronized the kernel periodically writes the system time back to the hardware clock on its own. But if you do want to do it by hand, the hwclock command reads and sets the hardware clock according to the parameters passed to it; the available options are described in its manual page. A few usage examples:

ntp-server# hwclock                                   # read the time from the hardware clock
ntp-server# hwclock --systohc --utc                   # set the hardware clock from the system time, storing UTC
ntp-server# hwclock --systohc                         # set the hardware clock from the system time, in the UTC/local mode recorded in /etc/adjtime
ntp-server# hwclock --set --date "22 Mar 2002 13:17"  # set the hardware clock to the given date string

Another way to change the hardware clock is to enter the BIOS setup at boot. Since the OS clock is initialized from the hardware clock at start-up, any change made in the BIOS takes effect on the next boot.

Now that everything has been prepared and installed, let's move on to the configuration itself.

Managing the ntpd daemon

Managing the ntpd daemon is no different from managing any other daemon. Start or restart the ntp service:

# /etc/init.d/ntp start
# /etc/init.d/ntp restart

Stop it:

# /etc/init.d/ntp stop

or

# /bin/kill `cat /var/run/ntpd.pid`

The daemon accepts the following start-up options (among others):

-p - PID file;
-g - allow the first adjustment to be a large time step (without it ntpd exits if the offset exceeds the panic threshold of 1000 s);
-c - configuration file;
-q - set the clock once and exit (ntpdate-like behaviour).

Setting up the ntpd server

First of all, I advise changing the daemon's start-up parameters in the following configuration file:

ntp-server:~# cat /etc/default/ntp
NTPD_OPTS="-g"

# cat /etc/sysconfig/ntpd
# Parameters for NTP daemon.
# See ntpd(8) for more details.
....
# Specifies additional parameters for ntpd.
NTPD_ARGS="-g"

The -g option lets ntpd set the clock at start-up even if it is off by a very large amount; without it the daemon refuses to correct an offset above the panic threshold and exits.

As I said, the ntpd daemon's configuration lives in the file /etc/ntp.conf. The file syntax is the usual one: empty lines and lines beginning with "#" are ignored. A simple example:

ntp-server:~# cat /etc/ntp.conf
server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net
driftfile /var/db/ntp.drift

The server parameter specifies which servers are used for synchronization, one per line. If a server is given the prefer argument, as ntplocal.example.com is here, that server is preferred over the others: its answer is discarded if it differs significantly from the other servers' answers, otherwise it is used regardless of them. prefer is usually given to servers known to be very accurate, for example ones disciplined by special precision hardware.

The driftfile parameter names the file in which ntpd stores the measured frequency error of the system clock. The value is derived from past adjustments, is rewritten by ntpd about once an hour, and is read back at start-up so the daemon does not have to re-learn the frequency; if the external sources become unavailable, ntpd keeps correcting the clock using this value. Nothing else should write to the file, and the directory must be writable by the user ntpd runs as.

By default the NTP server answers every host on the Internet. The restrict parameter in /etc/ntp.conf controls which machines can access your server. If you want to forbid all machines from talking to your NTP server, add this line to /etc/ntp.conf:

restrict default ignore

If you want to allow only machines on your network to synchronize with your server, while forbidding them to modify its run-time configuration or register traps, add instead:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

where 192.168.1.0 is the address of your network and 255.255.255.0 its mask (add nopeer as well if they should not be accepted as symmetric peers). /etc/ntp.conf may contain several restrict directives; for a given source address the most specific matching one applies.

For correct and more accurate operation of the daemon, it is advisable to pick stratum 2 servers (stratum 1 is possible too, but you will have to spend time searching for one) and, among the stratum 2 candidates, those with the smallest network "distance" to you. Such servers are often provided by your ISP. Pick more than 2 or 3 servers; the more the better, within reason. If you cannot be bothered to look for the best servers, take the list of public stratum 2 servers from http://support.ntp.org/bin/view/servers/stratumtwotimeservers.

Selecting the list of reference NTP servers

Open the address above (http://support.ntp.org/bin/view/servers/stratumtwotimeservers) and pick an initial list of servers. From that list, choose the ones that satisfy our requirements by analysing the output of ntpdate. The command syntax is:

ntpdate server_list

So that the query does not change the system clock, use the -q option, which means "query only, do not set". The -d option runs the command in debug mode, printing a lot of extra information (also without touching the clock); we do not need that here. The remaining options are in man 8 ntpdate. From the list I chose all public servers located in Russia (RU), plus the one provided by my ISP, and ran the command; the result was roughly the following:

ntp-server:~# ntpdate -q ntp2.ntp-servers.net ntp1.vniiftri.ru ntp2.vniiftri.ru ntp4.vniiftri.ru ntp0.ntp-servers.net ntp1.ntp-servers.net ntp3.vniiftri.ru ntp.corbina.net
server 88.147.255.85, stratum 1, offset 0.006494, delay 0.09918
server 62.117.76.142, stratum 1, offset 0.002552, delay 0.06920
server 62.117.76.141, stratum 1, offset 0.003147, delay 0.06918
server 62.117.76.140, stratum 1, offset 0.004823, delay 0.07350
server 88.147.254.228, stratum 1, offset -0.002355, delay 0.12030
server 88.147.254.229, stratum 1, offset -0.000922, delay 0.10577
server 62.117.76.138, stratum 1, offset 0.005331, delay 0.07401
server 195.14.40.141, stratum 2, offset 0.002846, delay 0.07188
13 Jan 19:14:09 ntpdate: adjust time server 62.117.76.141 offset 0.003147 sec

In the example our servers report stratum 1 (all except the ISP's), which is good news. offset is the difference between our clock and the server's in seconds; delay is the round-trip time in seconds. Better accuracy is usually obtained from servers with a low network delay, so prefer those with the smallest delay and the fewest hops. Not wanting to waste time, I will use all of the listed servers and put them in the configuration file. With everything said above in mind, my resulting /etc/ntp.conf looks like this:

ntp-server:~# cat /etc/ntp.conf
# Local network servers (commented out, not used: there is only one server on this network)
#server 192.168.0.2
#server 192.168.0.5
# External time sources
server ntp2.ntp-servers.net
server ntp1.vniiftri.ru
server ntp2.vniiftri.ru
server ntp4.vniiftri.ru
server ntp0.ntp-servers.net
server ntp1.ntp-servers.net
server ntp3.vniiftri.ru
server ntp.corbina.net
# Drift file and log
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpstats/ntp
# Access control:
# By default, ignore everyone
restrict default ignore
# restrict without flags means everything is allowed; flags only take rights away.
restrict 127.0.0.1
# The servers on the local network we would synchronize with:
# allow them everything except traps and queries to us
restrict 192.168.0.2 noquery notrap
restrict 192.168.0.5 noquery notrap
# For the LAN, allow everything except traps, modifications and peering
restrict 192.168.0.1 mask 255.255.255.0 nomodify notrap nopeer
# Allow the external time sources to answer us:
restrict ntp2.ntp-servers.net
restrict ntp1.vniiftri.ru
restrict ntp2.vniiftri.ru
restrict ntp4.vniiftri.ru
restrict ntp0.ntp-servers.net
restrict ntp1.ntp-servers.net
restrict ntp3.vniiftri.ru
restrict ntp.corbina.net
# And this trick sets the confidence level (stratum) of the server's own local clock to 3.
# In a nutshell: the higher the confidence, the smaller the number. 0 is an atomic clock,
# 1 is a server synchronized to one, 2 is synchronized to a stratum 1 server, and so on.
server 127.127.1.1
fudge 127.127.1.1 stratum 3

Note what the last two lines do: the local-clock driver (127.127.1.1) lets the server keep answering clients from its own free-running clock when every external source is unreachable, and clients cannot tell the difference. Keep the fudged stratum high enough (here 3) that any real source wins the selection, and on newer ntpd versions consider the tos orphan mode instead.
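The offset and delay figures in the ntpdate -q output above come from four timestamps exchanged in every NTP request. The following Python script is an added example for this page, not code from the original article or from the ntp distribution: it builds the mode-3 client request, parses the mode-4 reply, applies the sanity checks a client should apply before trusting a reply (mode, stratum, leap indicator and, above all, that the reply echoes the transmit timestamp we sent, which is what defeats blind spoofed replies), and computes offset and delay with the RFC 5905 on-wire formulas. The server reply it runs against is constructed in the code (timestamps and refid are made up); query_server() shows the same steps against a live server but is not exercised offline.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET_FMT = "!BBBbIIIQQQQ"              # LI/VN/Mode, stratum, poll, precision, root delay,
                                         # root dispersion, reference id, four 64-bit timestamps
PACKET_LEN = struct.calcsize(PACKET_FMT)  # 48 bytes


def to_ntp_ts(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    secs = int(unix_time)
    frac = int(round((unix_time - secs) * (1 << 32))) & 0xFFFFFFFF
    return ((secs + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / float(1 << 32)


def build_client_request(xmt_ts):
    """Mode-3 (client) request: LI=0, VN=4, Mode=3; only the transmit timestamp is filled in."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FMT, first_byte, 0, 0, 0, 0, 0, 0, 0, 0, 0, xmt_ts)


def parse_packet(data):
    """Decode a 48-byte NTP packet into its fields (timestamps left as raw 64-bit integers)."""
    f = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "poll": f[2], "precision": f[3], "refid": f[6],
            "ref_ts": f[7], "orig_ts": f[8], "recv_ts": f[9], "xmt_ts": f[10]}


def check_reply(reply, sent_xmt_ts):
    """Reasons to reject a reply; an empty list means it is usable.
    The orig_ts comparison is what makes an off-path attacker's blind reply useless:
    the server must echo the exact transmit timestamp we sent."""
    problems = []
    if reply["mode"] != 4:
        problems.append("not a server reply (mode %d)" % reply["mode"])
    if reply["orig_ts"] != sent_xmt_ts:
        problems.append("originate timestamp does not echo our transmit timestamp")
    if reply["leap"] == 3:
        problems.append("leap indicator 3: server clock is unsynchronized")
    if not 1 <= reply["stratum"] <= 15:
        problems.append("stratum %d is not usable (kiss-o'-death or unsynchronized)" % reply["stratum"])
    if reply["xmt_ts"] == 0:
        problems.append("zero transmit timestamp")
    return problems


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire formulas: offset theta = ((t2 - t1) + (t3 - t4)) / 2,
    round-trip delay delta = (t4 - t1) - (t3 - t2). Seconds in, seconds out."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def measure(reply, sent_xmt_ts, arrival_unix):
    """(offset, delay) in seconds for one exchange, i.e. one 'server ..., offset, delay' line of ntpdate -q."""
    t1 = from_ntp_ts(sent_xmt_ts)        # our clock when the request left
    t2 = from_ntp_ts(reply["recv_ts"])   # server clock when it arrived there
    t3 = from_ntp_ts(reply["xmt_ts"])    # server clock when the reply left
    return offset_and_delay(t1, t2, t3, arrival_unix)


def query_server(host, timeout=2.0):
    """Live query of one server over UDP/123 (not exercised by the offline demo below)."""
    sent_ts = to_ntp_ts(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(sent_ts), (host, 123))
        data, _ = sock.recvfrom(PACKET_LEN)
    arrival = time.time()
    reply = parse_packet(data)
    problems = check_reply(reply, sent_ts)
    if problems:
        raise ValueError("%s: %s" % (host, "; ".join(problems)))
    return reply["stratum"], measure(reply, sent_ts, arrival)


def constructed_exchange():
    """Constructed exchange, no network: the server's clock runs 5 ms ahead of ours,
    the one-way network delay is 30 ms in each direction and the server takes 2 ms to answer."""
    t1 = 1294931649.0                      # our clock at send time (an arbitrary instant)
    sent_ts = to_ntp_ts(t1)
    t2 = t1 + 0.030 + 0.005                # server clock when the request arrives
    t3 = t2 + 0.002                        # server clock when the reply is sent
    t4 = t1 + 0.030 + 0.002 + 0.030        # our clock when the reply arrives
    first_byte = (0 << 6) | (4 << 3) | 4   # LI=0, VN=4, Mode=4 (server)
    reply_bytes = struct.pack(PACKET_FMT, first_byte, 1, 6, -20, 0, 0,
                              int.from_bytes(b"PPS ", "big"),   # made-up stratum-1 refid
                              to_ntp_ts(t2 - 1.0), sent_ts, to_ntp_ts(t2), to_ntp_ts(t3))
    reply = parse_packet(reply_bytes)
    offset, delay = measure(reply, sent_ts, t4)
    return check_reply(reply, sent_ts), offset, delay


if __name__ == "__main__":
    problems, offset, delay = constructed_exchange()
    print("problems: %s, offset %.6f s, delay %.6f s" % (problems or "none", offset, delay))
```

The constructed exchange yields an offset of +0.005 s and a delay of 0.060 s, exactly the two numbers ntpdate prints per server; note that the asymmetric server processing time (t3 - t2) is subtracted from the delay but cannot be separated from an asymmetric path, which is why low-delay servers give better accuracy.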

For a deeper understanding and finer configuration of the server, here are some ntpd configuration directives that have not been mentioned yet:

  • enable / disable auth / monitor / pll / pps / stats - switch an operating mode on or off:
    • auth - only communicate with unconfigured peers if they authenticate;
    • monitor - allow monitoring of requests (the list of recent clients shown by ntpdc monlist);
    • pll - allow the local clock frequency to be disciplined by NTP;
    • stats - allow statistics to be collected;
  • statistics loopstats - on every adjustment of the local clock, a line is written to the loopstats file;
  • statistics peerstats - every exchange with a peer is written to the peerstats file;
  • statistics clockstats - every message from the local clock driver is written to the clockstats file;
  • statsdir directory_name - specifies the directory in which the statistics files are kept;
  • filegen - specifies how statistics file names are generated; a name consists of:
    • prefix - the constant part of the name, set either at compile time or by configuration commands;
    • filename - appended to the prefix without a slash; ".." is not allowed; can be changed with the file keyword;
    • suffix - generated depending on the type (none, pid, day, week, month, year, age);
  • restrict numeric-address [mask numeric-mask] [flags] - sets access restrictions: entries are sorted by address and mask, the source address is compared against them in turn, and the flags of the last (most specific) match apply:
    • no flags - grant access;
    • ignore - ignore all packets;
    • noquery - ignore NTP mode 6 and 7 packets (ntpq/ntpdc queries and modifications); putting it on the default line also stops your server being used as a reflector for monlist-based amplification;
    • nomodify - ignore mode 6 and 7 packets that would modify the server state (queries are still answered);
    • limited - serve only a limited number of clients from this network;
    • nopeer - serve the host, but do not accept it as a peer;
  • clientlimit limit - for the limited flag, sets the maximum number of clients served (default 3);
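To make the restrict semantics concrete (most specific match wins, and its flags replace rather than add to the wider entry's), here is an added Python example, not code from the article or from ntpd, that parses the access-control lines of the configuration above and says what would happen to a given packet from a given address. The resolver dict standing in for DNS and the source addresses it is run against are constructed; only IPv4 is modelled.

```python
import ipaddress

# restrict flags this example understands (the access-control subset)
KNOWN_FLAGS = {"ignore", "noquery", "nomodify", "notrap", "nopeer", "noserve",
               "notrust", "limited", "kod", "version", "ntpport"}


def parse_restrict(conf_text, resolver=None):
    """Turn the restrict lines of an ntp.conf text into (network, flags) entries.
    Host names are resolved through `resolver` (a dict standing in for the DNS lookup ntpd
    does when it reads the configuration); every other directive is ignored."""
    resolver = resolver or {}
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # strip comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        target, rest = parts[1], parts[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.ip_network("%s/%s" % (target, rest[1]), strict=False)
            rest = rest[2:]
        else:
            try:
                net = ipaddress.ip_network(target)    # a bare address is a single host (/32)
            except ValueError:
                if target not in resolver:
                    raise ValueError("cannot resolve %r in restrict line" % target)
                net = ipaddress.ip_network(resolver[target])
        flags = frozenset(rest)
        unknown = flags - KNOWN_FLAGS
        if unknown:
            raise ValueError("unknown restrict flag(s) %s" % sorted(unknown))
        rules.append((net, flags))
    return rules


def access_flags(rules, source_ip):
    """Flags ntpd applies to a packet from source_ip: the most specific matching entry wins,
    and its flags replace (do not add to) those of any wider entry."""
    src = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in rules:
        if src in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, flags)
    return set(best[1]) if best else set()


def decide(rules, source_ip, packet_kind):
    """Verdict for one packet kind: 'time' (mode 3 client request), 'query' (mode 6/7 read),
    'modify' (mode 6/7 write), 'peer' (mode 1/2 symmetric association)."""
    flags = access_flags(rules, source_ip)
    if "ignore" in flags:
        return "drop"
    if packet_kind == "time":
        return "drop" if "noserve" in flags else "serve"
    if packet_kind == "query":
        return "drop" if "noquery" in flags else "answer"
    if packet_kind == "modify":
        return "drop" if flags & {"noquery", "nomodify"} else "apply"
    if packet_kind == "peer":
        return "drop" if "nopeer" in flags else "mobilize"
    raise ValueError("unknown packet kind %r" % packet_kind)


# The access-control part of the ntp.conf shown above, with one of its external sources.
SAMPLE_CONF = """
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.2 noquery notrap
restrict 192.168.0.5 noquery notrap
restrict 192.168.0.1 mask 255.255.255.0 nomodify notrap nopeer
restrict ntp2.ntp-servers.net
"""
# Constructed stand-in for DNS at configuration load time (address as in the ntpdate output).
RESOLVER = {"ntp2.ntp-servers.net": "88.147.255.85"}


def audit(conf_text=SAMPLE_CONF, resolver=RESOLVER):
    """Evaluate a few constructed source addresses against the rules and return the verdicts."""
    rules = parse_restrict(conf_text, resolver)
    sources = ["192.168.0.50", "192.168.0.2", "10.0.0.1", "127.0.0.1", "88.147.255.85"]
    return {src: {kind: decide(rules, src, kind) for kind in ("time", "query", "modify", "peer")}
            for src in sources}


if __name__ == "__main__":
    for src, verdicts in audit().items():
        print(src, verdicts)
```

The instructive case is 192.168.0.2: its own /32 entry (noquery notrap) is more specific than the LAN entry, so it loses the LAN's nopeer and could be accepted as a peer. That is the "flags replace, not accumulate" rule in action, and the reason every per-host restrict line must carry the full set of flags you want.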

In total, we have an ntpd server that synchronizes with the outside world, serves time to clients on the local network 192.168.0.0/24 (written as 192.168.0.1 mask 255.255.255.0 in the configuration), and can also synchronize with a local server (if you uncomment the corresponding lines). What is left is to configure the clients and learn how to monitor our server.

Monitoring the ntpd server and synchronization

Once everything is configured, ntpd will keep the time synchronized. The process can be observed with the NTP query utility, ntpq:

ntp-server:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-n3.time1.d6.hsd .PPS.            1 u   34   64  177   70.162    2.375   8.618
+ntp1.vniiftri.r .PPS.            1 u   33   64  177   43.479   -0.020  10.198
*ntp2.vniiftri.r .PPS.            1 u    6   64  177   43.616   -0.192   0.688
+ntp4.vniiftri.r .PPS.            1 u    4   64  177   43.623    0.440   0.546
-n1.time1.d6.hsd .PPS.            1 u   53   64   77   92.865  -11.358  38.346
-ns1.hsdn.org    .GPS.            1 u   40   64  177   78.057   -3.292  35.083
-ntp3.vniiftri.r .PPS.            1 u   44   64   77   47.667    2.292   2.611
-scylla-l0.msk.c 192.43.244.18    2 u   62   64   77   41.565   -1.564  28.914

The -p option prints the list of time sources with their characteristics (other options are in man ntpq). The columns mean the following:

remote - the name of the remote NTP server; with the -n option you get IP addresses instead of names.

refid - where each server gets its own time from at the moment. It can be a host name or something like .GPS., which denotes a Global Positioning System receiver (.PPS. is a pulse-per-second source).

st - stratum, a number from 1 to 16 indicating the server's distance from a reference clock. 1 means a server attached directly to a reference clock, 16 means the server is unsynchronized. Your own stratum will be that of the server you synchronize with plus 1.

t - the type of association: u for unicast, l for the local clock, m for multicast, b for broadcast.

when - seconds since the source was last polled; poll - the polling interval in seconds. It varies between the minimum and maximum polling intervals: at the beginning it is small so that synchronization happens quickly, and once the clock is synchronized it grows to reduce traffic and the load on public time servers.

reach - an octal representation of an 8-bit shift register recording the results of the last eight polls of the server; a bit is set if the server answered, and the lowest bit is the most recent poll.

delay - the round-trip time, in milliseconds, of the "what time is it?" exchange.

offset - the most important field: the difference, in milliseconds, between the local clock and the remote server's. During synchronization this value should shrink towards zero, showing that the local clock is becoming more accurate.

jitter - a measure of the statistical scatter of the offset values over several successful request-response exchanges, in milliseconds. A smaller value is better, since it allows more accurate synchronization.

Meaning of the characters before the server names

x - a false ticker, rejected by the intersection algorithm;
. - discarded by table overflow (too many sources);
- - discarded by the clustering algorithm as an outlier;
+ - a survivor included in the final candidate list and combined into the result;
# - a good candidate, kept only as a backup because there are already enough better ones;
* - the system peer, the source the clock is synchronized to;
o - the system peer, but the PPS signal is used for the actual discipline;
space - rejected as unusable: stratum too high, a synchronization loop, or another explicit error;

ntpd is "smart" and discards time sources whose readings fall outside what is reasonable. Some time after it starts, it selects the most reliable sources and synchronizes with them, and the list of reference servers we supplied is re-evaluated by the daemon regularly.
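What a practitioner really wants from ntpq -p is a health check: is there a system peer, how many of the last eight polls reached it (the octal reach field), and is its offset within tolerance? The following Python script is an added example for this page, not code from the article or from ntpq: it parses the ntpq -p output shown above (embedded as sample text), decodes the tally characters and the reach register, and flags the conditions worth alerting on. The second sample, a server coasting on its local clock after losing its upstream, and the thresholds in assess() are constructed assumptions.

```python
import re

# Tally code printed in the first column of ntpq -p, and what it means
TALLY = {" ": "reject", "x": "falsetick", ".": "excess", "-": "outlier",
         "+": "candidate", "#": "backup", "*": "sys.peer", "o": "pps.peer"}

# One peer line: tally, remote, refid, st, t, when, poll, reach (octal), delay, offset, jitter (ms)
LINE_RE = re.compile(r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
                     r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
                     r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$")


def parse_ntpq(text):
    """Parse the text of ntpq -p into a list of peer dicts; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        reach = int(d["reach"], 8)                     # ntpq prints the reach register in octal
        peers.append({
            "tally": TALLY[d["tally"]], "remote": d["remote"], "refid": d["refid"],
            "stratum": int(d["st"]), "type": d["t"], "when": d["when"], "poll": int(d["poll"]),
            "reach": reach,
            "reach_bits": format(reach, "08b"),        # oldest poll on the left, newest on the right
            "reached_of_last_8": bin(reach).count("1"),
            "delay_ms": float(d["delay"]), "offset_ms": float(d["offset"]), "jitter_ms": float(d["jitter"]),
        })
    return peers


def assess(peers, max_offset_ms=100.0, recent_polls=4):
    """Health check over parsed peers. Thresholds are assumptions for this example: the system
    peer must be within max_offset_ms and must have answered the last `recent_polls` polls."""
    findings = []
    recent_mask = (1 << recent_polls) - 1              # low bits of reach = most recent polls
    system = [p for p in peers if p["tally"] in ("sys.peer", "pps.peer")]
    if not system:
        findings.append("no system peer ('*' or 'o'): the clock is free-running")
    for p in system:
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append("%s: offset %.3f ms exceeds %.0f ms" % (p["remote"], p["offset_ms"], max_offset_ms))
        if p["reach"] & recent_mask != recent_mask:
            findings.append("%s: missed one of the last %d polls (reach %s)"
                            % (p["remote"], recent_polls, p["reach_bits"]))
    for p in peers:
        if p["stratum"] >= 16:
            findings.append("%s: stratum 16, the source itself is unsynchronized" % p["remote"])
        elif p["reach"] == 0:
            findings.append("%s: unreachable for the last 8 polls" % p["remote"])
    return (not findings, findings)


# The ntpq -p output shown above, embedded as sample text.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-n3.time1.d6.hsd .PPS.            1 u   34   64  177   70.162    2.375   8.618
+ntp1.vniiftri.r .PPS.            1 u   33   64  177   43.479   -0.020  10.198
*ntp2.vniiftri.r .PPS.            1 u    6   64  177   43.616   -0.192   0.688
+ntp4.vniiftri.r .PPS.            1 u    4   64  177   43.623    0.440   0.546
-n1.time1.d6.hsd .PPS.            1 u   53   64   77   92.865  -11.358  38.346
-ns1.hsdn.org    .GPS.            1 u   40   64  177   78.057   -3.292  35.083
-ntp3.vniiftri.r .PPS.            1 u   44   64   77   47.667    2.292   2.611
-scylla-l0.msk.c 192.43.244.18    2 u   62   64   77   41.565   -1.564  28.914
"""

# Constructed output of a server that has lost its upstream and is coasting on the local clock driver.
SAMPLE_NTPQ_DEGRADED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(1)        .LOCL.           3 l   12   64  377    0.000    0.000   0.001
-ntp1.vniiftri.r .PPS.            1 u  980 1024    0   43.479   -0.020  10.198
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NTPQ, SAMPLE_NTPQ_DEGRADED):
        ok, findings = assess(parse_ntpq(sample))
        print("healthy" if ok else "PROBLEM", findings)
```

On the real output the check passes: ntp2.vniiftri.r is the system peer, reach 177 (binary 01111111) means seven of the last eight polls were answered with only the oldest missed, and the outliers with offsets of 2 to 11 ms are being ignored by the clustering algorithm exactly as intended. On the degraded sample it reports a free-running clock, which is what clients of such a server would silently inherit.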

Whether the server itself can be used as a time source can be checked locally with:

ntp-server:~# ntpdate -q localhost
server 127.0.0.1, stratum 2, offset -0.000053, delay 0.02573
server ::1, stratum 2, offset -0.000048, delay 0.02571
14 Jan 14:49:57 ntpdate: adjust time server ::1 offset -0.000048 sec

The output shows that our server is already at stratum 2 (it is synchronized to stratum 1 servers). Reaching this level takes a while; in the first 10-15 minutes the stratum may be higher, and a server that has no synchronized source at all reports stratum 16.

Correct operation of the NTP server can also be jud­ged from the ntpd log:

ntp-server:~# cat /var/log/ntpstats/ntp
13 Jan 20:13:16 ntpd: Listening on interface #5 eth0, fe80::a00:27ff:fec1:8059#123 Enabled
13 Jan 20:13:16 ntpd: Listening on interface #6 eth0, 192.168.0.8#123 Enabled
14 Jan 14:31:00 ntpd: synchronized to 62.117.76.142, stratum 1
14 Jan 14:31:10 ntpd: time reset +10.291312 s
14 Jan 14:31:10 ntpd: kernel time sync status change 0001
14 Jan 14:34:31 ntpd: synchronized to 88.147.255.85, stratum 1
14 Jan 14:36:04 ntpd: synchronized to 62.117.76.141, stratum 1
14 Jan 15:04:36 ntpd: synchronized to 62.117.76.142, stratum 1
14 Jan 15:10:58 ntpd: synchronized to 62.117.76.140, stratum 1
14 Jan 15:17:54 ntpd: no servers reachable
14 Jan 15:31:49 ntpd: synchronized to 62.117.76.140, stratum 1
14 Jan 15:32:14 ntpd: time reset +13.139105 s

The lines worth watching are "time reset", which means the clock was stepped rather than slewed (here by 10 and 13 seconds), and "no servers reachable", after which the server falls back to its local clock until an upstream answers again.

Configuring netfilter (iptables) for the NTP server

Having configured the server, it would be nice to protect it. We know the server listens on port 123/UDP, and that its own requests to upstream servers are also sent from port 123/UDP. After reading the article on netfilter and getting familiar with the practice, you can create the traffic filtering rules:

ntp ~# iptables-save
# typical iptables rules for an NTP server
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow the local network to reach the NTP server:
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow the NTP server to make outgoing requests to its upstream sources
-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

This is a typical example! To write iptables rules for your own tasks and network layout you need to understand how netfilter in Linux works, which the articles mentioned above explain. Here 192.168.1.1 is the server's own address and 192.168.1.0/24 the client network, and these must agree with the restrict lines in ntp.conf; the replies from the upstream servers are let in by the RELATED,ESTABLISHED rule because conntrack tracks the outgoing UDP exchange.

Configuring client machines

To synchronize time on the UNIX machines of the local network, it is convenient to use the ntpdate utility, running it several times a day, for example every hour. To do this, add the following line to the crontab (with the address of your local NTP server at the end):

0 * * * * /usr/sbin/ntpdate -s

The -s option sends the command's output to syslog instead of the terminal. Keep in mind that ntpdate steps the clock when the offset is large, which can upset applications that expect time to move monotonically. If the client machines have a few spare megabytes of RAM, you can run the ntpd daemon instead, as on the server, with the following config (the address of the local ntpd server goes where the placeholder is):

server <local-ntp-server>
restrict default ignore
restrict <local-ntp-server> noquery notrap
restrict 127.0.0.1 nomodify notrap

I think everything in this config is clear: the time source (server) is the local ntpd server, everything is ignored by default, and only the local ntpd server and localhost are allowed.

On clients you must also set correctly whether the hardware clock keeps UTC, and choose the correct time zone, as described above for the server.

To configure a Windows NTP client, run the following commands in the console (the server address goes after /setsntp:):

C:\> net time /setsntp:<local-ntp-server>
The command completed successfully.

C:\> net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

C:\> net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.

C:\> net time /querysntp
The current SNTP value is: <local-ntp-server>
The command completed successfully.

On current Windows versions net time /setsntp is deprecated; the equivalent is w32tm /config /manualpeerlist:<local-ntp-server> /syncfromflags:manual /update followed by w32tm /resync, as used in the Windows part of this page below.

Conclusion

Well, that seems to be everything! The article turned out to be enormous; I did not expect that. Let me sum up briefly. I hope it has become clear what an NTP server is and how it works, and we have learned to configure the server and the clients on UNIX and Windows machines. In a few words, the time-synchronization structure on a local network is as follows: there are one, two or more accurate time servers on the local network, and they synchronize their time with external sources on the Internet. Server and client configuration is based on the files /etc/ntp.conf (the main configuration file of the ntpd daemon), /etc/localtime (the current time zone file), and /etc/sysconfig/ntpd (RH) or /etc/default/ntp (Debian), which hold the daemon's start-up parameters. For a local NTP server, the configuration file lists the external servers to get time from and allows access for those servers and for the local network computers with the restrict parameter; on a client, the time source is the local server on the LAN and access is denied to everything except that server. That is all. Thank you for your attention; I will be glad to see your comments!

  • (Article archive) describes how to connect a GPS receiver to the server to build your own stratum 1 time server.
  • Describes how to configure authentication on the NTP server.

Good day, dear readers and guests of the blog. People say many things about time, that it runs fast or slow, and everyone understands that it is priceless and important. In an Active Directory infrastructure it is one of the essential factors for the proper functioning of the domain. In the domain everyone trusts each other, and once a user has logged in and received their tickets from Kerberos, they go wherever their rights allow. Kerberos, however, rejects tickets whose timestamps differ from the domain controller's clock by more than the allowed skew (five minutes by default), so if the time on your workstations does not agree with the domain controller you can expect serious problems; below we discuss them and how to eliminate them by configuring the NTP server in Windows.

Time synchronization in Active Directory

Among the computers that are members of Active Directory, the following time synchronization scheme applies.

  • The domain controller in the forest root domain that holds the PDC emulator FSMO role (call it the root PDC) is the time source for all other controllers of that domain.
  • Domain controllers of child domains synchronize with domain controllers of the parent domain, following the AD hierarchy.
  • Ordinary domain members (servers and workstations) synchronize with a domain controller available to them, following the AD site topology.

The root PDC can synchronize its time either with an external source or with itself (its local clock); the latter is the default configuration, and it is an absurd one about which the System log periodically warns.

The root PDC's clients can be synchronized either from its internal clock or from an external source. In the first case the root PDC's time server declares itself "reliable".

Below I give the root PDC time server configuration that I consider optimal: the root PDC itself periodically synchronizes its time from a trustworthy source on the Internet, and the clients that contact it synchronize with its internal clock.

Run netdom query fsmo. In my example the PDC role, and with it the NTP server, belongs to the controller DC7.

NTP server configuration on the root PDC

The time server in Windows (the NTP server) can be configured either with the command-line utility w32tm or through the registry. Where possible I give both options. But first look at the current settings on your computer with:

w32tm /query /configuration

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

NtpClient (Local)

Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)

ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\System32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

Two values are worth noting here: MaxPosPhaseCorrection and MaxNegPhaseCorrection of 172800 seconds (48 hours) are the largest offset the service will correct, and Type: NT5DS means this machine currently follows the domain hierarchy rather than a manually configured peer list.

Enabling synchronization of the internal clock with an external source

Enabling the NTP server

The NTP server is enabled by default on all domain controllers, but it can also be enabled on ordinary member servers.

Setting the list of external sources for synchronization

The 0x8 flag at the end of a peer entry means the source is polled in NTP client mode (a plain client request), with the polling interval chosen by the service between MinPollInterval and MaxPollInterval. To set your own polling interval, use the 0x1 flag (SpecialInterval) instead.

Setting the polling interval for the external source

The time in seconds between polls of the synchronization source; the default is 900 s = 15 min. It applies only to sources marked with the 0x1 flag.

  • "SpecialPollInterval"=dword:00000384

Setting the maximum positive and negative correction

The maximum positive and negative time correction (the difference between the internal clock and the synchronization source), in seconds, above which no correction is made. I recommend 0xFFFFFFFF, with which the correction is always performed.

"MaxPosPhaseCorrection"=dword:ffffffff
"MaxNegPhaseCorrection"=dword:ffffffff

Bear in mind that an unlimited correction also means that a wrong or spoofed time source can move the clock by any amount in one step, and every Kerberos ticket in the domain with it. Microsoft's guidance for domain controllers is 48 hours (172800, the value shown in the query output above), which is still enough to recover from any realistic drift.

All the necessary settings in one line

w32tm.exe /config /manualpeerlist:"time.nist.gov,0x8 ntp1.imvp.ru,0x8 ntp2.imvp.ru,0x8 time.windows.com,0x8 pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update

Here /syncfromflags:manual makes the service use only the listed peers, and /reliable:yes advertises this controller as a reliable time source to the rest of the domain.

Useful commands

  • Apply the changes made to the configuration
    w32tm /config /update
  • Force synchronization from the source
    w32tm /resync /rediscover
  • Display the synchronization status of the domain controllers in the domain
    w32tm /monitor
  • Display the current synchronization sources and their status
    w32tm /query /peers

Configuring the NTP server and client with Group Policy

If you have an Active Directory domain, it would be silly not to use Group Policy for mass configuration of servers and workstations, so I will show how to configure the NTP server and client in Windows this way. Open the Group Policy Management editor. Before configuring our NTP server we need to create a WMI filter that applies the policy only to the PDC emulator.

Enter a name for the filter; the namespace is "root\CIMv2" and the query is "SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5" (DomainRole 5 is "Primary Domain Controller"). Save it.

Then create a policy on the Domain Controllers container.

At the bottom of the policy, apply the WMI filter you created.

Go to the branch: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.

Open the "Configure Windows NTP Client" policy and set the parameters:

  • NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 2.ru.pool.ntp.org,0x1 3.ru.pool.ntp.org,0x1
  • Type: NTP.
  • CrossSiteSyncFlags: 2. The value 2 (All) means any synchronization partner may be used. This value is ignored unless Type is NT5DS. Default: 2 (decimal), 0x02 (hexadecimal).
  • ResolvePeerBackoffMinutes: 15. This value, in minutes, sets how long the W32Time service waits before retrying DNS name resolution after a failure. Default: 15 minutes.
  • ResolvePeerBackoffMaxTimes: 7. The number of DNS resolution attempts the W32Time service makes before restarting the discovery process. The waiting interval doubles after each failed attempt. Default: seven attempts.
  • SpecialPollInterval: 3600. This NTP client value, in seconds, sets how often a manually configured time source that uses the special polling interval is polled. If the NtpServer entry carries the SpecialInterval flag (0x1), the client uses SpecialPollInterval instead of MinPollInterval and MaxPollInterval to decide how often to poll the source. Default: 3600 seconds (1 hour).
  • EventLogFlags: 0.

We make a separate Group Policy for the client workstations, with these parameters:

  • NtpServer: the address of your domain controller with the PDC role.
  • Type: NT5DS.
  • CrossSiteSyncFlags: 2.
  • ResolvePeerBackoffMinutes: 15.
  • ResolvePeerBackoffMaxTimes: 7.
  • SpecialPollInterval: 3600.
  • EventLogFlags: 0.

Note that with Type NT5DS the client follows the domain hierarchy: it locates a domain controller itself and exchanges authenticated time packets with it, and the NtpServer value is only consulted when Type is NTP or AllSync. The entry is harmless here, but it is the domain hierarchy, not that address, that picks the source.