Results 1 to 8 of 8

Thread: Windows Server 2003 Net Time service & accessing it

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Location
    Reading, Berkshire
    Posts
    1,229
    Thanks
    57
    Thanked
    53 times in 34 posts
    • tfboy's system
      • Motherboard:
      • MSI X470 Gaming Plus
      • CPU:
      • AMD Ryzen 7 2700
      • Memory:
      • 2x8GB Corsair Vengeance LPX)
      • Storage:
      • 512GB Crucial SSD
      • Graphics card(s):
      • 560 Ti
      • PSU:
      • Corsair RM 650W
      • Case:
      • CM Silencio 550
      • Operating System:
      • W10 Pro
      • Monitor(s):
      • HP LP2475w + Dell 2001FP
      • Internet:
      • VM 350Mb

    Windows Server 2003 Net Time service & accessing it

    A couple of questions:

    Does the Windows Net Time service available on WS2003 run as a basic NTP server, i.e use port 25 and abide by the ntp protocol?

    If so, how can I get a PC or other network device NOT on the AD domain to update it's clock from the WS2003 time server?

    If I try it on a workstation, I get a "System error 5 has occured. Access is denied". Is this configurable in a GPO or something?

    What I really want to be able to do is sync some other devices which aren't remotely W32 platforms (bespoke servers but which can have their internal clocks synced with a NTP server).

    Of course, I guess if the windows time service is a MS-specific protocol that isn't NTP-compatible, I'm not going to get anywhere.

    TIA

  2. #2
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    NTP (or SNTP) don't use (TCP) port 25 - that is SMTP.
    NTP updates are through UDP port 123 IIRC.

    Non-domain Windows machines with Internet access should be able to sync directly with time.windows.com which is the default, and as you probably know all domain members will automatically use their PDC for time syncs without any configuration required.

    Manually pointing non-domain Windows clients to DCs for time syncs is not really advisable as you would have to remember which clients have been configured by hand in the event of changes, which are inevitable in the future.

    Are the clients members of another domain, or just in a workgroup?

    Are you trying NET TIME commands, or W32TM commands?


    Edit:
    To address your question about Windows being a "normal" NTP server, it isn't and this is deliberate (not to be non-standard, though):
    One of the security measures in Windows is to authenticate time sources, as Kerberos relies heavily on accurate time - if your time servers got poisoned then you could DoS every single server and client in an entire domain.
    Windows can act as an NTP client but the Windows Time Service is not just a dumb, unauthenticated NTP server.

    I'm sure there are free 3rd party NTP server solutions out there which can run as a service, I recall setting one up a few years ago for some network devices to have a reliable local time source via SNTP.
    Last edited by Paul Adams; 30-04-2006 at 01:09 PM.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  3. #3
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,664
    Thanks
    53
    Thanked
    385 times in 314 posts
    I'm pretty sure its accessable from non domain machines.
    the usual windows command would be "net time \\servername set"

    It doens't use TCP25 , its UDP123

    couple of useful llinks for you
    http://www.windowsnetworking.com/art...e-Service.html
    http://technet2.microsoft.com/Window...358c31033.mspx
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Location
    Reading, Berkshire
    Posts
    1,229
    Thanks
    57
    Thanked
    53 times in 34 posts
    • tfboy's system
      • Motherboard:
      • MSI X470 Gaming Plus
      • CPU:
      • AMD Ryzen 7 2700
      • Memory:
      • 2x8GB Corsair Vengeance LPX)
      • Storage:
      • 512GB Crucial SSD
      • Graphics card(s):
      • 560 Ti
      • PSU:
      • Corsair RM 650W
      • Case:
      • CM Silencio 550
      • Operating System:
      • W10 Pro
      • Monitor(s):
      • HP LP2475w + Dell 2001FP
      • Internet:
      • VM 350Mb
    Thanks for the links. And yes I didn't mean port 25, meant port 123...

    I've tried the "net time \\msdc1 set" but that just gives me the Access is Denied message.

    All clients on the domain can do it, clients not in the domain cannot.

    Ultimately though, I want to use the DC as a NTP source for devices which aren't even running windows, they're not even x86 devices so if it's only possible from non-domained workstations providing some form of authentication, then that's out of the window too.

    It sounds like I'm better off using another workstation which is on the domain which can therefore sync its clock from the DC and set up that specific workstation with some dedicated open-source / free / proper-NTP-protocol server program so that my bespoke device can obtain time from it directly without trying to get it working with some MS DC which doesn't want to play ball...

    I'll google for some free NTP servers. Any suggestions though? Sounds like it will be less hassle.

    BTW, the whole network is NOT connected to the internet, it's a highly secure network which has to be locked down. NTP on the DC is provided by GPS satellite receiver, not some other NTP server on the internet.

  5. #5
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,664
    Thanks
    53
    Thanked
    385 times in 314 posts
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  6. #6
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    I would recommend setting up a virtual name in DNS which will be your internal NTP service server, then make one of the member servers in your domain run the service and have the DNS name resolve to its IP address.

    That way, there is still a single authoritative time source internally (your PDC) and if you need to change the server on which the NTP service runs then it's a simple DNS change.
    Don't use the server name in the client NTP configuration, use the virtual name.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Location
    Reading, Berkshire
    Posts
    1,229
    Thanks
    57
    Thanked
    53 times in 34 posts
    • tfboy's system
      • Motherboard:
      • MSI X470 Gaming Plus
      • CPU:
      • AMD Ryzen 7 2700
      • Memory:
      • 2x8GB Corsair Vengeance LPX)
      • Storage:
      • 512GB Crucial SSD
      • Graphics card(s):
      • 560 Ti
      • PSU:
      • Corsair RM 650W
      • Case:
      • CM Silencio 550
      • Operating System:
      • W10 Pro
      • Monitor(s):
      • HP LP2475w + Dell 2001FP
      • Internet:
      • VM 350Mb
    Right, it appears that the WS2003 time service is in fact a standard SNTP server, running on UDP port 123.

    So any device with a correct implementation of NTP/SNTP should be able to synchronise from it.

    So I'm back where I started - it's a security permissions thing. I've looked into the group policies for it, but there aren't any setting that I can find that relate to the Serving of NTP, only settings for the Client (where by default it goes to time.windows.com using NTD5 or whatever it is).

    So how the heck to I allow ANY device, whether on the domain or not to sync its time with the NTP Server service running on the DC. Grrrr!

  8. #8
    Senior Member
    Join Date
    Jan 2004
    Location
    Leicestershire
    Posts
    1,211
    Thanks
    6
    Thanked
    31 times in 30 posts
    • madman045's system
      • Motherboard:
      • P9X79 Pro
      • CPU:
      • I7-3820
      • Memory:
      • 32GB
      • Storage:
      • Not enough!
      • Graphics card(s):
      • HD7970
      • PSU:
      • 850w Corsair
      • Case:
      • Corsair Carbide 300R
      • Operating System:
      • Win 7 Ultimate X64
      • Monitor(s):
      • Dell U2713HM & 2007WFP
      • Internet:
      • Plusnet FTTC - 30mbit/7mbit
    This article on experts exchange asks a similar question

    http://www.experts-exchange.com/Oper...rTAFilter=true

    on the domain, you can set a group policy via

    Group Policy -> Machine Policy -> Administrative Templates -> System -> Windows Time Service.

    As for machines not on the domain, you would need to configure them with gpedit.msc locally on every machine not in the domain and do the settings there.

    Administrative Templates -> System -> Windows Time Service -> Time Provider configure:

    Enable Windows NTP client (Enabled)
    Configure NTP Client -> Set your NTP server here

    Give it a go, but as always, please make sure you have a good backup before making changes as i take no responsibility for your actions!

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. 2003 Server with 2000 TS server - Licensing
    By madman045 in forum Software
    Replies: 0
    Last Post: 08-03-2006, 09:04 PM
  2. How do I restore "Show Desktop" icon in the Quick Launch bar of Windows?
    By davidstone28 in forum Help! Quick Relief From Tech Headaches
    Replies: 7
    Last Post: 09-01-2006, 01:02 PM
  3. Windows Server 2003 SP1 RTM
    By Paul Adams in forum Software
    Replies: 0
    Last Post: 31-03-2005, 09:28 AM
  4. Windows XP Email?
    By joshwa in forum Software
    Replies: 9
    Last Post: 18-01-2004, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •