
configuring w32time

Status
Not open for further replies.

JinNjuicE

Programmer
Jan 7, 2004
6
US
Hello all.

No computer from our network has internet access except for one computer, our web server (behind firewall). We need to sync our time with NIST.

Do you guys think I can manually configure my web server to get time from NIST, and make my DC to sync the time with my webserver? Then all domain clients should have a correct time...right?

Settings #1:
Web Server
net time /setsntp:time.nist.gov (or IP address)

Domain Controller
net time /setsntp:webserver

---------------------------------------
Settings #2:
Web Server
net time /setsntp:time.nist.gov (or IP address)

Domain Controller (via registry)
HKLM\SYSTEM\CurrentControlSet\Services\W32time\Parameters
LocalNTP: webserver

---------------------------------------
Please give me some suggestions...
 
Is your Web server outside of your Active Directory domain? If so, I think your idea is good.

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
Thanks Jpoandl for the reply. I wish our web server was not part of the domain, but that's not the case.

I think I just figured out the whole thing.

Let's assume the following:
Web Server: 'WEBSERV'
Domain Ctrl (Primary): 'DC1'
Domain Ctrl (Secondary): 'DC2', 'DC3', etc.

-WEBSERV-
Regedit to HKLM\System\CurrentControlSet\Services\W32Time\Parameters\ and set the following:
"LocalNTP" to '1' (always start NTP server)
"Type" to 'NTP'
add "NtpServer" key and set it to some NIST server or use NET TIME /setsntp:someNISTserver (if you are scared of using regedit)

Stop and restart W32Time services via NET STOP & START.

-DC1-
Regedit to HKLM\....\W32Time\Parameters\ and
Add "NtpServer" key and set it to WEBSERV
Add "ReliableTimeSource" key and set it to 1
"Type" to 'NTP'

Stop and restart W32Time services via NET STOP & START.

Since DC1 and DC2 will be replicating, their times will be synchronized automatically. For the clients, they will be synchronized with their DCs.

Since our network is so small, it never takes 5 minutes (default Kerberos time skew setting) to authenticate users. To increase the security, I will set it down to 2 minutes by using domain security policy -> account policy -> Kerberos policy.

Of course I will have to test this first.
Please post a reply if you think I need to change something.
 
This looks good to me (assuming that DC1 holds the PDC Emulator role). The PDC Emulator is the default time source for your domain. Therefore, this is the server that you want to configure to "look" to your web server for the time.

but looks good to me...

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
I would just allow a DC outbound access to the NTP server(s); no other outbound allowed. Don't know if that violates a security policy that you have.

You cannot set WEBSERV as the NTP source for the DCs because WEBSERV is not running the NTP service. You'll have to sync it with net time.
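
The thread proposes lowering the Kerberos clock-skew tolerance from the default 5 minutes to 2 minutes, which only works if every host in the sync chain stays well inside that window. The Python below is an added example, not code from any poster: it computes a host's offset from an SNTP reply and compares it with both tolerances. The function names and the sample packet are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def ntp_ts(data, pos):
    """Decode a 64-bit NTP timestamp (32.32 fixed point) into Unix seconds."""
    secs, frac = struct.unpack_from("!II", data, pos)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def sntp_offset(reply, t1, t4):
    """Offset in seconds (server clock minus local clock) from a 48-byte reply.
    t1/t4 are the local send/receive times of the query, in Unix seconds."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        # Leap indicator 3 / stratum 0: the server itself has no valid time.
        raise ValueError("time source is unsynchronized")
    t2, t3 = ntp_ts(reply, 32), ntp_ts(reply, 40)  # server receive / transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def within_skew(offset, tolerance_s):
    """True if the measured offset is inside the given tolerance (seconds)."""
    return abs(offset) <= tolerance_s

def make_reply(t2, t3, stratum=2, leap=0):
    """Constructed sample reply (version 3, mode 4) for offline testing."""
    def enc(t):
        return struct.pack("!II", int(t) + NTP_EPOCH_DELTA, int((t % 1) * 2**32))
    first = bytes([(leap << 6) | (3 << 3) | 4, stratum, 0, 0])
    return first + bytes(28) + enc(t2) + enc(t3)

if __name__ == "__main__":
    t1 = 1073500000.0                 # constructed local send time
    t2 = t1 + 150.010                 # server clock is 150 s ahead, 10 ms transit
    reply = make_reply(t2, t2 + 0.001)
    off = sntp_offset(reply, t1, t1 + 0.021)
    for tol in (300, 120):            # default 5 min vs the proposed 2 min
        print(f"offset {off:+.3f}s, tolerance {tol}s: ok={within_skew(off, tol)}")
```

A host that is 150 seconds off passes at the 5-minute default but fails at 2 minutes, so offsets should be measured across the DCs and clients before the policy is tightened.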
 