NTP Server? 1

[TheLad]

Guys

I have a workgroup server in a DMZ that gets its time from an external Internet source. I want to use this server as a timesync source for my DCs as I cannot give my DCs direct access to an external Internet timesync source. Can I do this natively or do I have to run an NTP application on the workgroup server?

If I need an NTP sever, can anyone recommend one please?

Thanks

--------------------------------------
"Insert funny comment in here!"
--------------------------------------

 

[pagy]

You can do it natively - on your DC that holds the PDC Emulator fsmo role;

w32tm /config /manualpeerlist:<timesource> /syncfromflags:manual
/reliable:yes /update

That command is all one line

then
net stop w32time
net start w32time

More here if you need it;

http://technet.microsoft.com/en-us/library/cc786897.aspx

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams

 

[TheLad]

Thanks for the reply.

But will I be able to point the PDCe server to the workgroup server as a time source and will the workgroup server respond to the UDP123 request? Will the workgroup server act as a NTP time source server to the PDCe server?

--------------------------------------
"Insert funny comment in here!"
--------------------------------------

 

[pagy]

Ah, sorry looks like I misunderstood your question.

Yes, I believe your pdce can use the server in the dmz as it's time source.

I'll do some checking just to be sure though

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams

 

[pagy]

No ignore me completely, sorry. :-> You'll need to put some ntp server software on the machine in the workgroup.

I used to use something called nettime a long time ago

http://nettime.sourceforge.net/

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams

 

[TheLad]

Exactly what I was looking for, thanks

--------------------------------------
"Insert funny comment in here!"
--------------------------------------

 

[jbarelds]

Beware of large time offsets.

Kerberos will not accept authentication if the time delta between a client and a DC is larger the 5 minutes (by default). So if you were to instantly change the time on your PDC with a big timeleap, you might run into authentication issues untill the time has been synchronized to all you clients/servers.

If you do have a large time offset you might want to define the "Maximum tolerance for computer clock synchronization" GPO option to something larger then your offset. Policy can be found in your "Default Domain Controllers Policy":
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy

 

[pagy]

yep, decent point to raise.

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams