Configuring Windows 2003 / XP SP2 to Use IOS NTP Server
June 10, 2008 by Greg Ferro · 5 Comments
In certain networks, it is difficult to get the time on your servers to be exactly the same as the NTP time on your network equipment. In this case, you want to force the Windows servers to use the same NTP Network time source as your routers and switches. But Microsoft Windows doesn’t understand NTP by default, it has its own ‘way’ of setting up NTP so you need a little tweak to make it compatible.
You should consider carefully the state of your servers before you do this. MS servers that are part of an AD tree really should get their time from the AD Master (or however the server folks have configured), if the clock varies you might find that some things don’t work well . I think this solution works best for Standalone server (workgroup mode) that are used as management or monitoring servers. YMMV.
To Work
Stop the Windows Time Service using the CLI.
C:\Program Files\Support Tools>net stop w32time The Windows Time service is stopping. The Windows Time service was stopped successfully.
Now wind the time forward a couple of hours so we can confirm that the NTP source is active and it works.
C:\Program Files\Support Tools>time The current time is: 19:19:23.95 Enter the new time: 21:19 C:\Program Files\Support Tools>time The current time is: 21:19:01.82 Enter the new time: (just press enter to do nothing here)
Here comes the magic part:
C:\Program Files\Support Tools>w32tm /config /manualpeerlist:"198.18.0.2,198.18.0.3",0x8 /syncfromflags:MANUAL The command completed successfully.
The peer list must be enclosed
Use the 0×8 flag to force W32time to send normal client requests instead of symmetric active mode packets (a la the Microsoft way). The NTP server replies to these normal client requests as usual.
Restart the Windows Time Service and then force a sync.
C:\Program Files\Support Tools>net start w32time The Windows Time service is starting. The Windows Time service was started successfully. C:\Program Files\Support Tools>w32tm /resync Sending resync command to local computer... The command completed successfully.
And, check the time
C:\Program Files\Support Tools>time The current time is: 19:19:23.95 Enter the new time:
IOS configuration
Your IOS router will need to be configured as an NTP Master, should get its time from a suitable place. I also hook the NTP server on the Loopback interface so it works in HA networks designs. So the following configuration should be enough.
ntp source Loopback0 ntp update-calendar ntp server xx.xx.xx.xx (see above for a valid time source) ntp master
IOS NTP Debug looks like
242626: Jun 2 13:41:58.243 BST: NTP: rcv packet from 198.18.0.10 to 198.18.0.2 on Loopback0: 242627: Jun 2 13:41:58.243 BST: leap 0, mode 3, version 3, stratum 4, ppoll 1024 242628: Jun 2 13:41:58.243 BST: rtdel 0C42 (47.882), rtdsp 7D1D6 (7819.672), refid 0AD80002 (198.18.0.2) 242629: Jun 2 13:41:58.243 BST: ref CBEE6523.AC125CF9 (13:25:07.672 BST Mon Jun 2 2008) 242630: Jun 2 13:41:58.243 BST: org CBEE6516.27FF76BF (13:24:54.156 BST Mon Jun 2 2008) 242631: Jun 2 13:41:58.243 BST: rec CBEE6516.28125CF9 (13:24:54.156 BST Mon Jun 2 2008) 242632: Jun 2 13:41:58.243 BST: xmt CBEE6916.30125CF9 (13:41:58.187 BST Mon Jun 2 2008) 242633: Jun 2 13:41:58.243 BST: inp CBEE6916.3F053E50 (13:41:58.246 BST Mon Jun 2 2008) 242634: Jun 2 13:41:58.243 BST: NTP: stateless xmit packet to 198.18.0.10: 242635: Jun 2 13:41:58.247 BST: leap 0, mode 4, version 3, stratum 3, ppoll 1024 242636: Jun 2 13:41:58.247 BST: rtdel 03D4 (14.954), rtdsp 0418 (15.991), refid 9E2BC042 (158.43.192.66) 242637: Jun 2 13:41:58.247 BST: ref CBEE6908.3E268A0C (13:41:44.242 BST Mon Jun 2 2008) 242638: Jun 2 13:41:58.247 BST: org CBEE6916.30125CF9 (13:41:58.187 BST Mon Jun 2 2008) 242639: Jun 2 13:41:58.247 BST: rec CBEE6916.3F053E50 (13:41:58.246 BST Mon Jun 2 2008) 242640: Jun 2 13:41:58.247 BST: xmt CBEE6916.3F38602F (13:41:58.246 BST Mon
Configuration Mistake ?
If you need to change anything, or make a mistake it seems that the only way to change the settings:
w32tm [/? | /register | /unregister ]
? — this help screen.
register — register to run as a service and add default configuration to the registry.
unregister — unregister service and remove all configuration information from the registry.
I am not sure whether a reboot is mandatory to unregister, but I think that it is required. (please leave a comment if you know for sure)
Inspecting your Configuration
Open up regedit and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Reference
2) How to configure an authoritative time server in Windows Server 2003
Please rate this post:
Why Rate Posts?
(No Ratings Yet)
Loading ...
why NTP master? i think you need NTP master on IOS only if you do not have a reference clock but you do if you use a ntp server…
BTW you might want to point out everybody can sync to pool.ntp.org
MGK
From a security perspective, you should always have an internal clock source for your network. Thus ‘ntp master’.
Therefore I usually make the two ‘most’ core switches the NTP master for the entire network. Then sync these two against an external time source (ready for an atomic clock in the future). Thus ‘ntp server’.
Firewall rules for pool.ntp.org are problematic in some companies since they may only allow IP addresses in firewall rules. Also, trusting an external clock is broadly regarded as insecure.
Hard to find middle ground really.
Greg -
The “ntp master” command is only going to do something if you loose your external synchronization. By default, it has a stratum value of 7. Unless your external sources have a REALLY low stratum value, “ntp master” will never do anything. If you have two core devices, you may want to investigate “ntp peer” between the two. This will allow both to sync to each other should they loose their better valued upstream source.
Thanks a lot for your input!!! My system is working great after following your document line by line.
Thanks again!!
Ivan