Thread: Windows Server 2003 Net Time service & accessing it

  1. #1
    tfboy

    Windows Server 2003 Net Time service & accessing it

    A couple of questions:

    Does the Windows Net Time service available on WS2003 run as a basic NTP server, i.e. use port 25 and abide by the NTP protocol?

    If so, how can I get a PC or other network device NOT on the AD domain to update its clock from the WS2003 time server?

    If I try it on a workstation, I get a "System error 5 has occurred. Access is denied". Is this configurable in a GPO or something?

    What I really want to be able to do is sync some other devices which aren't remotely W32 platforms (bespoke servers but which can have their internal clocks synced with an NTP server).

    Of course, I guess if the Windows time service is a MS-specific protocol that isn't NTP-compatible, I'm not going to get anywhere.

    TIA

  2. #2
    Paul Adams (Ex-MSFT)
    NTP (or SNTP) doesn't use (TCP) port 25 - that is SMTP.
    NTP updates are through UDP port 123 IIRC.

    Non-domain Windows machines with Internet access should be able to sync directly with time.windows.com which is the default, and as you probably know all domain members will automatically use their PDC for time syncs without any configuration required.

    Manually pointing non-domain Windows clients to DCs for time syncs is not really advisable as you would have to remember which clients have been configured by hand in the event of changes, which are inevitable in the future.

    Are the clients members of another domain, or just in a workgroup?

    Are you trying NET TIME commands, or W32TM commands?


    Edit:
    To address your question about Windows being a "normal" NTP server, it isn't and this is deliberate (not to be non-standard, though):
    One of the security measures in Windows is to authenticate time sources, as Kerberos relies heavily on accurate time - if your time servers got poisoned then you could DoS every single server and client in an entire domain.
    Windows can act as an NTP client but the Windows Time Service is not just a dumb, unauthenticated NTP server.

    I'm sure there are free 3rd party NTP server solutions out there which can run as a service, I recall setting one up a few years ago for some network devices to have a reliable local time source via SNTP.
    Last edited by Paul Adams; 30-04-2006 at 01:09 PM.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  3. #3
    Moby-Dick (Administrator)
    I'm pretty sure it's accessible from non-domain machines.
    The usual Windows command would be "net time \\servername set"

    It doesn't use TCP25, it's UDP123

    Couple of useful links for you
    http://www.windowsnetworking.com/art...e-Service.html
    http://technet2.microsoft.com/Window...358c31033.mspx
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  4. #4
    tfboy
    Thanks for the links. And yes I didn't mean port 25, meant port 123...

    I've tried the "net time \\msdc1 set" but that just gives me the Access is Denied message.

    All clients on the domain can do it, clients not in the domain cannot.

    Ultimately though, I want to use the DC as an NTP source for devices which aren't even running Windows, they're not even x86 devices, so if it's only possible from non-domained workstations providing some form of authentication, then that's out of the window too.

    It sounds like I'm better off using another workstation which is on the domain which can therefore sync its clock from the DC and set up that specific workstation with some dedicated open-source / free / proper-NTP-protocol server program so that my bespoke device can obtain time from it directly without trying to get it working with some MS DC which doesn't want to play ball...

    I'll google for some free NTP servers. Any suggestions though? Sounds like it will be less hassle.

    BTW, the whole network is NOT connected to the internet, it's a highly secure network which has to be locked down. NTP on the DC is provided by GPS satellite receiver, not some other NTP server on the internet.

  5. #5
    Moby-Dick (Administrator)

  6. #6
    Paul Adams (Ex-MSFT)
    I would recommend setting up a virtual name in DNS which will be your internal NTP service server, then make one of the member servers in your domain run the service and have the DNS name resolve to its IP address.

    That way, there is still a single authoritative time source internally (your PDC) and if you need to change the server on which the NTP service runs then it's a simple DNS change.
    Don't use the server name in the client NTP configuration, use the virtual name.

  7. #7
    tfboy
    Right, it appears that the WS2003 time service is in fact a standard SNTP server, running on UDP port 123.

    So any device with a correct implementation of NTP/SNTP should be able to synchronise from it.

    So I'm back where I started - it's a security permissions thing. I've looked into the group policies for it, but there aren't any settings that I can find that relate to the Serving of NTP, only settings for the Client (where by default it goes to time.windows.com using NTD5 or whatever it is).

    So how the heck do I allow ANY device, whether on the domain or not, to sync its time with the NTP Server service running on the DC. Grrrr!
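
The single-datagram exchange that posts #2 and #7 refer to (SNTP over UDP port 123), as an added example that is not part of the original thread: a minimal client that a non-Windows device could use to test whether a time server answers, with the checks that reject an unsynchronised server or a reply that does not echo the request. The function names, the random value placed in the transmit field and the sample reply are assumptions of this example.

```python
import os
import socket
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(transmit=None, version=3):
    """48-byte client request: LI=0, VN=version, Mode=3 (client)."""
    # Assumption of this example: a random transmit field (bytes 40-47) used as a nonce.
    transmit = os.urandom(8) if transmit is None else transmit
    return bytes([(version << 3) | 3]) + bytes(39) + transmit

def parse_reply(data, request):
    """Sanity-check a server reply; return stratum, version and Unix time."""
    if len(data) < 48:
        raise ValueError("short packet")
    li, version, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if li == 3 or stratum == 0:
        raise ValueError("server reports an unsynchronised clock")
    if data[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not echo the request")
    secs, frac = struct.unpack("!II", data[40:48])
    if secs == 0 and frac == 0:
        raise ValueError("empty transmit timestamp")
    unix_time = secs - NTP_UNIX_DELTA + frac / 2**32
    return {"stratum": stratum, "version": version, "unix_time": unix_time}

def query(server, timeout=2.0):
    """One request/reply over UDP 123 (needs a reachable server)."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        data, _ = sock.recvfrom(512)
    return parse_reply(data, request)

def make_reply(request, unix_time, li=0, stratum=2, version=3):
    """Constructed server reply for offline use (not captured traffic)."""
    head = bytes([(li << 6) | (version << 3) | 4, stratum]) + bytes(22)
    stamp = struct.pack("!II", unix_time + NTP_UNIX_DELTA, 0)
    return head + request[40:48] + stamp + stamp  # originate, receive, transmit

if __name__ == "__main__":
    req = build_request()
    print(parse_reply(make_reply(req, 1146400000), req))
```

`query()` takes a host name, so it can be pointed at a DNS alias for the time service of the kind suggested in post #6.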

  8. #8
    madman045
    This article on Experts Exchange asks a similar question

    http://www.experts-exchange.com/Oper...rTAFilter=true

    On the domain, you can set a group policy via

    Group Policy -> Machine Policy -> Administrative Templates -> System -> Windows Time Service.

    As for machines not on the domain, you would need to configure them with gpedit.msc locally on every machine not in the domain and do the settings there.

    Administrative Templates -> System -> Windows Time Service -> Time Provider configure:

    Enable Windows NTP client (Enabled)
    Configure NTP Client -> Set your NTP server here

    Give it a go, but as always, please make sure you have a good backup before making changes as I take no responsibility for your actions!
