Welcome to ISAserver.org


W32Time

W32Time - 3.Jan.2006 8:16:32 PM   
Rainman13

 

Posts: 19
Joined: 29.Apr.2005
Status: offline
I want my ISA 2004 (on Win2003) server to be the time server.  I used the command

net time /setsntp:isa.domain.com

to set it as the time server.  I have allowed NTP to internal on the system policy and even created a rule to allow port 123 to and from the isa server. 

On a server I can run
net time \\isa.domain.com

and get a valid response.  However I still see errors in the system logs of the servers that there isn't an NTP server available.  How can I make these errors go away?



Post #: 1
RE: W32Time - 4.Jan.2006 3:51:53 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Netman,

There's a big difference between Net time and the Windows Time Service.

Make sure the clients are resolving the name of the ISA firewall correctly and that you have allowed NTP access to the ISA firewall's Local Host Network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Rainman13)
Post #: 2
RE: W32Time - 4.Jan.2006 4:52:24 AM   
Rainman13

 

Posts: 19
Joined: 29.Apr.2005
Status: offline
Access Rule as follows

Allow
NTP (UDP)
From:  Internal, Local Host
To:  Internal, Local Host
All Users
Always
All Content Types



System Policy
NTP
Applies to traffic sent to Local Host, Internal



Other Servers can ping by NetBIOS name or FQDN

(in reply to Rainman13)
Post #: 3
RE: W32Time - 5.Jan.2006 12:49:38 AM   
carorieta

 

Posts: 102
Joined: 15.Dec.2005
Status: offline
Hi rainman,
In a Windows 2000/2003 environment all clients synchronize from the Active Directory Domain controller holding the PDC Emulator Role (the first server you promoted to AD domain controller) on a domain with multiple DCs.
By default the PDC Emulator gets its time from its own CMOS clock.
In your case you should setup your DC to synchronize its time from the Firewall, and the Firewall should synchronize its time from an outside source such as tick.usno.navy.mil (192.5.41.40).
In addition you will create two access rules:
1. Local Host (Firewall) accessing the external time server 
2. PDC Emulator accessing the Firewall
Of course as you know you need to create a user defined protocol
Name: SNTP Time
Primary Connections: Port Range: 123  Protocol Type: UDP  Direction: SendReceive
Secondary Connections: Port Range: 123  Protocol Type: UDP  Direction: Receive
Your Access Rules:
1. Allow Protocol SNTP Time From Local Host to tick Condition All Users
2. Allow Protocol SNTP Time From PDCEmulator to Local Host Condition All Users
Remember to create two computer sets, one for the PDC and one for tick (192.5.41.40)
To change the default behavior of the Windows clients (they get time from the PDC) you need to make changes to the registry on both the Firewall and the PDC Emulator. This article by Mitch Tulloch explains the time hierarchy on W2K/W2K3 and how to make the registry changes:
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
Good luck

_____________________________

carorieta

(in reply to Rainman13)
Post #: 4
RE: W32Time - 1.Feb.2006 10:43:24 PM   
Rainman13

 

Posts: 19
Joined: 29.Apr.2005
Status: offline
Got sidetracked for a while... but this still doesn't work.

For a moment, I'll forget about syncing the ISA server to an external source.

I have the system policy to allow NTP to "Internal" and "MyServers", of which the PDC Emulator is a part.  I also created a rule that NTP is allowed to and from both the ISA server and the MyServers group.

You mentioned creating a protocol for SNTP... that protocol is the same as NTP, so I just used it.


(in reply to carorieta)
Post #: 5
RE: W32Time - 10.Feb.2006 2:57:32 PM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Hi RM,

This article by Microsoft is step-by-step and straightforward: http://support.microsoft.com/kb/816042

You do not want to skip external source configuration, coz the way the service is set up, it is meant to validate time accuracy with either hardware clock or external server, otherwise expect a system error log that's full of invalid time stamp and time update errors. The above article is perfect

(in reply to Rainman13)
Post #: 6
RE: W32Time - 10.Feb.2006 3:02:54 PM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Rainman,

Just one more note, as mentioned earlier by carorieta, time update is all about the internal network, therefore if you have properly defined your internal network and allowed direct access to your domain (assuming that your AD is humming), you need not then have any other rules and custom protocols; time update will happen for all your domain clients at log on.

thanks

(in reply to hantahipi)
Post #: 7
RE: W32Time - 15.Jun.2006 5:03:02 PM   
tdsm

 

Posts: 1
Joined: 15.Jun.2006
Status: offline
Hello,

Some more questions. I managed to get our ISA 2004 server to sync with an external NTP server. And apparently the client PCs sync with the domain (W2000 DC).
But I can't seem to get my domain controllers to sync with ISA.
I've opened NTP from internal to localhost.
And on DC: net time /setsntp:isaserver

Unfortunately, if I stop the w32time service on the DC and try 'w32tm -once', I read 'NTP didn't receive datagram' in the output and an error (ntp server didn't respond) in event log.

Any ideas?

(in reply to hantahipi)
Post #: 8
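
An added example (not part of the thread and not any poster's code): a minimal SNTP probe in Python that sends the UDP 123 client request the Windows Time service depends on, which `net time \\server` does not exercise, and decodes the reply fields a time client checks before accepting a server. The `usable` rule and the two sample packets are constructed for illustration; the leap-indicator-3 / stratum-0 case models a server that answers on port 123 but has no time source of its own.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)

def build_request(version=3):
    """48-byte SNTP client request: LI=0, VN=version, Mode=3 (client)."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Decode the header fields a time client uses to accept or reject a server."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    flags, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    reply = {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }
    # Assumed acceptance rule for this example: a server reply (mode 4) that is
    # not flagged unsynchronized (LI=3), has stratum 1-15, and carries a timestamp.
    reply["usable"] = (reply["mode"] == 4 and reply["leap"] != 3
                       and 1 <= stratum <= 15 and tx_sec != 0)
    return reply

def probe(host, timeout=3.0):
    """Send one request to UDP 123. None means no datagram came back
    (timeout, port unreachable, or the name did not resolve)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (host, 123))
            data, _ = s.recvfrom(512)
        except OSError:
            return None
    return parse_reply(data)

# Constructed sample replies (not captured traffic): same timestamp, different flags.
SYNCED = bytes([0x1C, 2]) + bytes(38) + struct.pack("!II", 3347222400, 0)
UNSYNCED = bytes([0xDC, 0]) + bytes(38) + struct.pack("!II", 3347222400, 0)

if __name__ == "__main__":
    for name, pkt in (("synced", SYNCED), ("unsynced", UNSYNCED)):
        print(name, parse_reply(pkt))
```

A `None` from `probe()` points at the firewall rule, name resolution or the service not listening; a reply with `usable` false points at the time server's own synchronization state.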
