Using pool.ntp.org as Your External Time Source

We recently ran into a situation that required our time to be very close to everyone else's in the world, so we began working on a solution to make sure all our equipment was using current NTP sources.  We had two basic items to consider, Windows servers and Cisco ASA appliances.  Both are discussed below.

Windows Servers (verified on 2003 and 2008 R2)

There are two variations (part of a domain and stand-alone) in the servers we looked at, but they both have basically the same answer.  Internal servers joined to a domain get their time from one of the domain controllers, so if the domain controllers are correct all the other servers will be as well.  Non-domain servers all have to be configured to an authoritative source individually.

Step 1 - Find The Domain Controller All the Other Domain Controllers are Referencing

According to How the Windows Time Service Works, the head of the time tree should be the PDC emulator.  In our case it was, and if you want to be sure you can run the following command, which will produce something similar to the output below, depending on the number of domain controllers you have in your domain.  This example contains four domain controllers.

w32tm /monitor
maindomaincontroller.company.com PDC [10.10.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 1
secondarydomaincontroller1.company.com PDC [10.11.0.20:123]:
    ICMP: 46ms delay
    NTP: -0.0102363s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 2
secondarydomaincontroller2.company.com PDC [10.12.0.12:123]:
    ICMP: 46ms delay
    NTP: +0.0249849s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 2
secondarydomaincontroller3.company.com PDC [10.10.0.11:123]:
    ICMP: 0ms delay
    NTP: -0.0057875s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 2

If you notice, on line five this domain controller is referencing itself for time.  This means you are not using an external time source, and the listed domain controller is the one you need to modify.  A free-running Windows clock can also show up as a RefID of LOCL (the local CMOS clock); the meaning is the same.

Step 2 - Finding an External Time Source

We found two options for this and actually ended up using both. 

Option 1 is the ntp.org pool.  This project allows people to donate server time to serve as NTP servers all over the world.  This gives you access to servers geographically located near you, so you can cut down on network lag, which can affect your ability to keep your time correct.  Since this project has many redundant nodes we decided it would be our first choice for an NTP source.   See the pool project's "use" page for determining the DNS names you should use.  Keep in mind that pool membership is voluntary and the pool serves plain, unauthenticated NTP, so the DNS names (not a particular IP address behind them) are what you should rely on.

Option 2 is the time servers provided by NIST.  These servers are considered reliable since they are disciplined by NIST's own atomic clocks (the U.S. Naval Observatory runs a separate set of time servers), but there are far fewer of them than in the ntp.org pool.  The names and IP addresses are published by NIST on its Internet Time Service page.

Step 3 - Configure Your Server to Use the New Time Source

Changing domain controllers and stand-alone servers requires the same command.  We used the one below, which works on Server 2003 and 2008.  The first command we found on the ntp.org pool site only worked on Server 2003.  Also, please make sure you select appropriate DNS records; the ones in this command are best suited for use in the United States.  The /reliable:YES switch advertises the machine as a reliable time source to the rest of the domain and is only meaningful on a domain controller (it belongs on the PDC emulator); on a stand-alone server you can leave it off.

w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /reliable:YES

After running this command you should be able to run the command from step 1 and see the updated time server.  You may also notice that your strata have changed: the stratum denotes how many levels away from the root (stratum 1) source you are, so a server syncing from a stratum 2 pool host becomes stratum 3 and the domain controllers below it become stratum 4.

w32tm /monitor
maindomaincontroller.company.com PDC [10.10.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from maindomaincontroller.company.com
        RefID: externaltimesource.com [171.10.10.10]
        Stratum: 3
secondarydomaincontroller1.company.com PDC [10.11.0.20:123]:
    ICMP: 46ms delay
    NTP: -0.0102363s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 4
secondarydomaincontroller2.company.com PDC [10.12.0.12:123]:
    ICMP: 46ms delay
    NTP: +0.0249849s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 4
secondarydomaincontroller3.company.com PDC [10.10.0.11:123]:
    ICMP: 0ms delay
    NTP: -0.0057875s offset from maindomaincontroller.company.com
        RefID: maindomaincontroller.company.com [10.10.0.10]
        Stratum: 4

Step 4 - Verify Your New Time Source Is Working

If you like you can wait for your time to sync by itself, but if you restart the Windows Time service it should sync immediately.  If you do not get the correct time, make sure your time zone is correct and your clock is not more than a few minutes off from the time the external server has.  If it is too far out of sync the Windows Time service will not change the time: the limit is the MaxPosPhaseCorrection / MaxNegPhaseCorrection pair (in seconds) under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config, and a clock outside that window has to be set by hand before the service will start disciplining it.
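The whole procedure from steps 1 to 4 as one PowerShell script, added here as an example; it is not from the original post.  It assumes an elevated PowerShell prompt on Server 2008 R2 or later (the w32tm /query subcommands do not exist on Server 2003), that the us.pool.ntp.org names resolve from the server, and that the host is the PDC emulator (otherwise drop /reliable:YES).  The Get-W32TimeTree function, the ",0x8" client-mode flag on each peer and the pre-check against the W32Time correction limits are additions to what the post shows.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on
# Server 2008 R2 or later and that the pool names below resolve.

function Get-W32TimeTree {
    # Parse `w32tm /monitor` output into one object per host and flag the host
    # whose RefID is itself or the local clock ("LOCL"): that is the head of the
    # time tree and the machine that needs the external source.
    param([string[]]$Lines = (w32tm /monitor))
    $entries = @()
    foreach ($line in $Lines) {
        # Header lines look like "host [ip:123]:" or "host *** PDC *** [ip:123]:"
        if ($line -match '^(\S+)\s+(?:\*\*\*\s*)?(?:PDC)?\s*(?:\*\*\*\s*)?\[([^\]]+)\]:') {
            $entries += New-Object PSObject -Property @{
                Host = $matches[1]; Address = $matches[2]; RefID = ''; Stratum = 0
            }
        }
        elseif ($entries.Count -and $line -match 'RefID:\s+(\S+)')   { $entries[-1].RefID   = $matches[1] }
        elseif ($entries.Count -and $line -match 'Stratum:\s+(\d+)') { $entries[-1].Stratum = [int]$matches[1] }
    }
    foreach ($e in $entries) {
        $isRoot = ($e.RefID -eq $e.Host) -or ($e.RefID -like 'LOCL*')
        $e | Add-Member -MemberType NoteProperty -Name IsTreeRoot -Value $isRoot -PassThru
    }
}

# Step 1: find the domain controller that references itself.
Get-W32TimeTree | Format-Table Host, RefID, Stratum, IsTreeRoot -AutoSize

# Pre-check for step 3: W32Time refuses to step the clock past these limits
# (seconds), so a clock that is hours off stays wrong until set by hand.
$cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
"MaxPosPhaseCorrection={0}s MaxNegPhaseCorrection={1}s" -f $cfg.MaxPosPhaseCorrection, $cfg.MaxNegPhaseCorrection
w32tm /stripchart /computer:0.us.pool.ntp.org /samples:3 /dataonly   # current offset vs. a pool host

# Step 3: set the peers (",0x8" = client mode, which is what a pool server expects),
# mark this host reliable (only meaningful on the PDC emulator) and apply live.
$peers = '0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8'
w32tm /config /syncfromflags:manual /manualpeerlist:"$peers" /reliable:YES /update

# Step 4: restart and force a sync instead of waiting for the next poll interval,
# then confirm the source is a pool host and the stratum is one above it.
Restart-Service -Name W32Time
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status
Get-W32TimeTree | Format-Table Host, RefID, Stratum, IsTreeRoot -AutoSize
```

Run it once on the PDC emulator; the other domain controllers and domain members keep following the domain hierarchy and need no change.  If the stripchart offset is larger than the phase correction limits printed just above it, set the clock manually first, otherwise the final /query /status will keep reporting the local clock as the source.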

Cisco ASA Appliances

After doing all the legwork on the Windows server front, we thought it would be easy to set the NTP setting on the ASA.  The only snag we ran into was that the firewall will not take a DNS name as its NTP server.  Since we had to use an IP address, we elected to go with servers from the NIST list, as people participating in the ntp.org pool can choose to leave at any time and the IP address currently served by a pool DNS name may not always be a time server.  Screenshots of the config will have to wait for a later post. 
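The equivalent ASA configuration as an added example, not the post's own config.  The addresses are RFC 5737 documentation addresses standing in for the NIST servers the post refers to (substitute the addresses from NIST's published list), and "outside" is assumed to be the interface that can reach them.  The ASA does support authenticated NTP (ntp authenticate, ntp authentication-key and ntp trusted-key), but that is only useful when the server shares a key with you, so it is left out here.

```text
! Added example, not from the original post. 192.0.2.x are documentation
! addresses; replace them with servers from NIST's list. Pool hostnames cannot
! be used because "ntp server" on the ASA requires an IP address.
ntp server 192.0.2.10 source outside prefer
ntp server 192.0.2.11 source outside
ntp server 192.0.2.12 source outside
!
! Verify from enable mode: "show ntp status" should report "synchronized" and the
! stratum one above the server; in "show ntp associations" the peer the ASA is
! actually following is marked with "*".
show ntp status
show ntp associations
```

Because these are fixed addresses, re-check the NIST list whenever a peer stops answering; an address that is retired from the list will eventually fall out of "show ntp associations" and the ASA will drift on its own clock.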

Other Reading: