Configuring Windows 2003 / XP SP2 to use IOS NTP server

In some networks it is hard to get the clock on your servers to match the NTP time on your network equipment exactly. In that case you want to force the Windows servers to use the same NTP time source as your routers and switches. Windows does speak NTP, but the Windows Time service (W32Time) has its own 'way' of doing it: by default it sends symmetric active mode packets rather than plain client requests, and many NTP servers will not answer those the way a client expects, so you need a small tweak to make it behave.

Think carefully about the state of your servers before you do this. Windows servers that are members of an AD domain really should get their time from the domain hierarchy (the PDC emulator, or however the server folks have configured it); if a member's clock drifts away from the domain's you will find that some things stop working, Kerberos authentication in particular once the skew passes the default five-minute tolerance. I think this solution works best for standalone servers (workgroup mode) that are used as management or monitoring boxes. YMMV.

To Work

Stop the Windows Time Service using the CLI.

C:\Program Files\Support Tools>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

Now wind the time forward a couple of hours so we can confirm that the NTP source is active and it works.

C:\Program Files\Support Tools>time
The current time is: 19:19:23.95
Enter the new time: 21:19

C:\Program Files\Support Tools>time
The current time is: 21:19:01.82
Enter the new time: (just press Enter to leave it alone)

Here comes the magic part:

C:\Program Files\Support Tools>w32tm /config /manualpeerlist:"198.18.0.2,0x8 198.18.0.3,0x8" /syncfromflags:MANUAL
The command completed successfully.

The peer list must be enclosed in double quotes when it holds more than one server; entries are separated by spaces and each one carries its own ,0x8 suffix.
Use the 0x8 flag to force W32Time to send normal client (mode 3) requests instead of symmetric active mode packets (the Microsoft way). The NTP server answers these client requests as usual, with a mode 4 server reply.

Restart the Windows Time Service and then force a sync.

C:\Program Files\Support Tools>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.

C:\Program Files\Support Tools>w32tm /resync
Sending resync command to local computer...
The command completed successfully.

Then check the time; it should have snapped back from the two hours we added:

C:\Program Files\Support Tools>time
The current time is: 19:19:23.95
Enter the new time:

IOS configuration

Your IOS router will need to be configured as an NTP master and should itself get its time from a suitable upstream source. I also bind the NTP server to the Loopback interface so that it keeps working in HA network designs where the physical interfaces change. The following configuration should be enough.

ntp source Loopback0
ntp update-calendar
ntp server xx.xx.xx.xx (see above for a valid time source)
ntp master

The IOS NTP debug output ('debug ntp packets') for a sync from the Windows box looks like this; note the mode 3 (client) request arriving and the mode 4 (server) reply going back:

242626: Jun  2 13:41:58.243 BST: NTP: rcv packet from 198.18.0.10 to 198.18.0.2 on Loopback0:
242627: Jun  2 13:41:58.243 BST:  leap 0, mode 3, version 3, stratum 4, ppoll 1024
242628: Jun  2 13:41:58.243 BST:  rtdel 0C42 (47.882), rtdsp 7D1D6 (7819.672), refid 0AD80002 (198.18.0.2)
242629: Jun  2 13:41:58.243 BST:  ref CBEE6523.AC125CF9 (13:25:07.672 BST Mon Jun 2 2008)
242630: Jun  2 13:41:58.243 BST:  org CBEE6516.27FF76BF (13:24:54.156 BST Mon Jun 2 2008)
242631: Jun  2 13:41:58.243 BST:  rec CBEE6516.28125CF9 (13:24:54.156 BST Mon Jun 2 2008)
242632: Jun  2 13:41:58.243 BST:  xmt CBEE6916.30125CF9 (13:41:58.187 BST Mon Jun 2 2008)
242633: Jun  2 13:41:58.243 BST:  inp CBEE6916.3F053E50 (13:41:58.246 BST Mon Jun 2 2008)
242634: Jun  2 13:41:58.243 BST: NTP: stateless xmit packet to 198.18.0.10:
242635: Jun  2 13:41:58.247 BST:  leap 0, mode 4, version 3, stratum 3, ppoll 1024
242636: Jun  2 13:41:58.247 BST:  rtdel 03D4 (14.954), rtdsp 0418 (15.991), refid 9E2BC042 (158.43.192.66)
242637: Jun  2 13:41:58.247 BST:  ref CBEE6908.3E268A0C (13:41:44.242 BST Mon Jun 2 2008)
242638: Jun  2 13:41:58.247 BST:  org CBEE6916.30125CF9 (13:41:58.187 BST Mon Jun 2 2008)
242639: Jun  2 13:41:58.247 BST:  rec CBEE6916.3F053E50 (13:41:58.246 BST Mon Jun 2 2008)
242640: Jun  2 13:41:58.247 BST:  xmt CBEE6916.3F38602F (13:41:58.246 BST Mon 

Configuration Mistake ?

If you need to change anything, or make a mistake, you do not have to start over: running 'w32tm /config' again with the new peer list and then 'w32tm /config /update' (or restarting the service as above) replaces the stored settings. To wipe the configuration back to the defaults, unregister and re-register the service:

w32tm [/? | /register | /unregister ]
/? - this help screen.
/register - register to run as a service and add default configuration to the registry.
/unregister - unregister service and remove all configuration information from the registry.

I am not sure whether a reboot is mandatory to unregister, but I think that it is required. (please leave a comment if you know for sure)

Inspecting your Configuration

Open up regedit and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

The peer list you entered and the 'Type' value (NTP for a manual peer list) are stored in the neighbouring key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters, in the NtpServer and Type values, so that is where to confirm that the 0x8 flag was recorded against each peer.

(screenshot: W32TIME01.jpg)

Reference

1) http://www.spectracomcorp.com/Support/Library/IntegrationGuides/SynchwithW32Time/Win2003domaincontroller/tabid/178/Default.aspx

2) How to configure an authoritative time server in Windows Server 2003

  • Michael

    why NTP master? i think you need NTP master on IOS only if you do not have a reference clock but you do if you use a ntp server…

    BTW you might want to point out everybody can sync to pool.ntp.org

    MGK

  • http://etherealmind.com Greg Ferro

    From a security perspective, you should always have an internal clock source for your network. Thus ‘ntp master’.

    Therefore I usually make the two ‘most’ core switches the NTP master for the entire network. Then sync these two against an external time source (ready for an atomic clock in the future). Thus ‘ntp server’.

    Firewall rules for pool.ntp.org are problematic in some companies since they may only allow IP addresses in firewall rules. Also, trusting an external clock is broadly regarded as insecure.

    Hard to find middle ground really.

  • BenG

    Greg -

    The “ntp master” command is only going to do something if you lose your external synchronization. By default, it has a stratum value of 7. Unless your external sources have a REALLY low stratum value, “ntp master” will never do anything. If you have two core devices, you may want to investigate “ntp peer” between the two. This will allow both to sync to each other should they lose their better valued upstream source.

  • Pingback: I-BLOG » Blog Archive » NTP Server on Cisco ASA 5500

  • http://www.ijans.com Ivan

    Thanks a lot for your input!!! My system is working great after following your document line by line.

    Thanks again!!
    Ivan

  • Tim Smith

    Hey Greg,

    FYI, some lines of content scroll out of the frame in your main content (see the line containing “w32tm /config /manualpeerlist…”). While there’s a horizontal scrollbar down the very bottom of the frame, it’s not immediately obvious. Especially if you’re copy and pasting (or manually typing) command-line examples…

    (This is with a browser maximized at 1440px horizontal resolution.)

    • http://etherealmind.com Greg Ferro

      I’ll see what I can do.

      • Peter Sprokkelenburg

        Yeah, I'm still seeing things cut off on the article… had to view it in source to get the full command…