[ntp:questions] Re: NTP sync on a standalone network (Windows 2k)

Alexandre Carrausse alex_s_p_a_m at carrausse.com
Thu Aug 17 21:31:05 UTC 2006


Thanks for your feedback, my comments below.



"Danny Mayer" <mayer at ntp.isc.org> wrote in message 
news:44E3D24A.9020402 at ntp.isc.org...
> Alexandre Carrausse wrote:
>> Hello,
>>
>> I want to keep the time sync'd on about 90 machines spread across 11 different
>> sites (one central site with the main servers and 10 remote sites with
>> secondary domain controllers and workstations).
>>
>> All the servers are W2K Server and all the workstations are W2K Pro SP4.
>>
>> It is important to note that all the links between the sites are running at
>> 64 kbps, through a dedicated WAN.
>>
>> We are currently using NTP 4.1.72 which is running as a service
>
> Upgrade, that's positively ancient. Meinberg has a freely available
> binary kit with installer that makes it easy to install.
>
>> and has the
>> minimal configuration, ie all clients getting their time from the "main
>> central server". The server is getting its time from itself, ie 127.127.1.0.
>>
>
> That means that all your clients will drift away from reality, it's not
> really getting time from itself, it's just saying that it will hand out
> its time to all who ask even though it's synchronized to nothing. Why
> didn't you set up your central server to get its time from a bunch of
> publicly available ntp servers?
>
>> But we are not sure that we are having a good "state of the art"
>> configuration and we are unsure about the time accuracy on our system.
>>
>
> You don't. You have no time accuracy at all if the central server is not
> synchronized to anything.
>
>> 1. 1st question : Is this basic configuration enough?
>>
>
> No.


OK


>
>> 2. The command line option in the service properties is greyed? Is there a
>> way to specify any options?
>>
>
> I don't know what you mean by that. That option is always greyed when
> the service is running and can be only used the one time to manually
> start the service. What you need is the new version which can take
> command-line options and is in the registry as part of the ImagePath in
> Services.
>



Not tested yet, but I guess that I could change the settings in the ntp.conf 
file and the daemon would use these parameters when it starts?

I can't really afford to install the new version because it would be a huge 
task to migrate.

If the current version we have can provide the service by fine tuning, that 
would be enough for me.

>> 3. Any recommendations regarding the remote servers? Should we peer them
>> with the Central Site?
>>
>
> The first question that you need to answer is what is the need for
> synchronization? If it is in order to do active directory authentication
> then each site could just get its time from publicly available NTP
> servers. If you need to keep the time very close to each other you need
> to consider a different scheme. We don't know your real requirements so
> it's hard to say.
>

In fact, because our system is isolated from the real world, we accept the 
fact that it could drift from the real time.
However, we must ensure that all the machines in the system have the same 
time, and that we will never have a machine left unsynchronised with the 
others.



>> 4. Should we peer the server at the central site to keep them more on time
>> (9 minutes drift in one year, but the outside world time is not very
>> important for us)
>>
>
> Peer the server to what?


My idea was to peer 2 or 3 servers together in the main site, so if one of 
the ntp services on the servers drifts too much the others will keep its time 
correct.
(same as having one client getting its time from the server and then become 
a server and provide its time to the client, isn't it?)

>> 5. What would happen if a silly user changes the time by adding let's say one
>> hour to the main server... would this mistake be cascaded on all the system?
>> Are there any safety options? (our application would crash if the time
>> between 2 servers is more than 3 minutes)
>>
>
> NTP would panic and exit. Luckily for you, you can set the service to run
> with the "Change the system time" privilege and not give it to anyone
> else and then they couldn't do that unless they had privileges on the
> system, in which case they could do what they want.
>

That's a good idea. Is it possible to forbid clock access to a Windows 
domain administrator? I am afraid not.

What do you mean by "exit"? The daemon stops?

>> 6. I have found a lot of literature on
>> http://www.eecis.udel.edu/~mills/ntp/, and nice tools on ntp.org, but where
>> can I find any specific information about the NTP 4.1.72 for W2K software?
>> What are the default settings compiled in this version?
>>
>
> We no longer support that version. Heiko is preparing a stable version
> for Meinberg that you can install. What do you mean by default settings?
> You really need to specify what it needs in the configuration file
> (Meinberg's installer helps with that too).
>


I understand that this version may not be supported, but I would appreciate 
it if I could find some archive docs or old docs to help me configure it 
nicely.


>> 7. What is the purpose of the ntp.drift file? What is the meaning of the
>> value contained in this file?
>
> It keeps track of how far off your clock has gotten so that on restart
> it can use it as a baseline on what it should use.
>
> Danny
> _______________________________________________
> questions mailing list
> questions at lists.ntp.isc.org
> https://lists.ntp.isc.org/mailman/listinfo/questions
> 
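
A check for the requirement stated in the reply above (no machine left unsynchronised, nothing more than 3 minutes off), as an added example that is not part of the original message: it parses `ntpq -pn` peer listings collected from each host. The host names, addresses, listings and status labels are constructed for this example.

```python
APP_LIMIT_MS = 3 * 60 * 1000  # tolerance from the thread: 3 minutes between servers

HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
# Constructed `ntpq -pn` output per host; host names and addresses are hypothetical.
SAMPLE = {
    "central":   HEADER + "*127.127.1.0     LOCAL(0)        10 l   12   64  377    0.000      0.000   0.001\n",
    "site03-dc": HEADER + "*10.0.0.1        LOCAL(0)        11 u   40   64  377   85.120     -4.310   2.950\n",
    "site07-dc": HEADER + " 10.0.0.1        .INIT.          16 u    -   64    0    0.000      0.000   0.000\n",
    "site09-ws": HEADER + " 10.0.0.1        LOCAL(0)        11 u   55   64  377   90.440 200000.000   3.100\n",
    "site10-dc": HEADER + "*10.0.0.1        LOCAL(0)        11 u   61   64  377   88.300 185000.000   4.200\n",
}

def parse_peers(billboard):
    """Yield (tally, remote, reach, offset_ms) for each peer line of one listing."""
    lines = billboard.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("=")) + 1
    for line in lines[start:]:
        if not line.strip():
            continue
        f = line[1:].split()          # column 0 is the tally code, '*' = system peer
        yield line[0], f[0], int(f[6], 8), float(f[8])  # reach is printed in octal

def check_host(billboard, limit_ms=APP_LIMIT_MS):
    """Classify one host; the offset is relative to the server that host polls."""
    peers = list(parse_peers(billboard))
    reachable = [p for p in peers if p[2] != 0]
    if not reachable:
        return "unreachable", None    # no reply from any configured server
    selected = [p for p in reachable if p[0] == "*"]
    if not selected:
        # Replies arrive but ntpd has not selected a source: clock is free-running.
        worst = max(reachable, key=lambda p: abs(p[3]))
        return "unsynchronised", worst[3]
    offset = selected[0][3]
    return ("over-limit" if abs(offset) > limit_ms else "ok"), offset

def audit(samples=SAMPLE):
    return {host: check_host(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, (status, offset) in audit().items():
        print(f"{host:10} {status:15} {offset}")
```
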