[ntp:questions] Re: NTP sync on a standalone network (Windows 2k)

Danny Mayer mayer at ntp.isc.org
Fri Aug 18 03:30:11 UTC 2006


Alexandre Carrausse wrote:
> 
>>> 2. The command line option in the service properties is greyed? Is there a
>>> way to specify any options?
>>>
>> I don't know what you mean by that. That option is always greyed when
>> the service is running and can be only used the one time to manually
>> start the service. What you need is the new version which can take
>> command-line options and is in the registry as part of the ImagePath in
>> Services.
>>
> Not tested yet, but I guess that I could change the settings in the ntp.conf 
> file and the daemon would use these parameters when it starts?
> 

What options do you think you need? Command-line options are almost
always orthogonal to configuration file options.

> I can't really afford to install the new version because it would be a huge 
> task to migrate.
> 

For Windows you can probably use SMS. Most of the effort just requires
copying the files to the right place and maybe updating the registry.
You're not the first to have to do this, others have already worked out
the solutions.

> If the current version we have can provide the service by fine tuning, that 
> would be enough for me.
> 

We are still not sure of what your needs are. You need to provide that
in order for us to figure out what you need.

>>> 3. Any recommendations regarding the remote servers? Should we peer them
>>> with the Central Site?
>>>
>> The first question that you need to answer is what is the need for
>> synchronization? If it is in order to do active directory authentication
>> then each site could just get its time from publicly available NTP
>> servers. If you need to keep the time very close to each other you need
>> to consider a different scheme. We don't know your real requirements so
>> it's hard to say.
>>
> 
> In fact, because our system is isolated from the real world, we accept the 
> fact that it could drift from the real time.

You mean WILL drift.  Are you saying you have no access whatsoever to
the Internet?

> However we must ensure that all the machines in the system have the same 
> time, and that we will never have a machine left unsynchronised with the 
> others.
> 

And why is it that they need to be synchronized relative to each other?

>>> 4. Should we peer the server at the central site to keep them more on time
>>> (9 minutes drift in one year, but the outside world time is not very
>>> important for us)
>>>
>> Peer the server to what?
> 
> 
> My idea was to peer 2 or 3 servers together in the main site, so if one of 
> the ntp services on the servers drifts too much the others will keep its time 
> correct.
> (same as having one client getting its time from the server and then become 
> a server and provide its time to the client, isn't it?)
> 

You certainly don't want just 2. You need at least 3 and preferably 4
and you need all of the other systems to point to all of them as servers.

>>> 5. What would happen if a silly user changes the time by adding, let's say, one
>>> hour to the main server... would this mistake be cascaded on all the system?
>>> Are there any safety options? (our application would crash if the time
>>> between 2 servers is more than 3 minutes)
>>>
>> NTP would panic and exit. Luckily for you you can set the service to run
>> with the "Change the system time" privilege and not give it to anyone
>> else and then they couldn't do that unless they had privileges on the
>> system, in which case they could do what they want.
>>
> 
> That's a good idea. Is it possible to forbid clock access to a Windows 
> domain administrator? I am afraid not.
> 

Of course it's possible. Each system has its own privilege list and you
can certainly not provide the domain administrator group with the change
system time privilege. Yes, they can add it back but then you have a
social engineering problem and not a technical problem. If you don't
trust your domain administrators you shouldn't let them be domain
administrators.

> What do you mean by "exit"? The daemon stops?
> 

Yes, because it cannot correct the error.

>>> 6. I have found a lot of literature on
>>> http://www.eecis.udel.edu/~mills/ntp/, and nice tools on ntp.org, but where
>>> can I find any specific information about the NTP 4.1.72 for W2K software?
>>> What are the defaults settings compiled in this version?
>>>
>> We no longer support that version. Heiko is preparing a stable version
>> for Meinberg that you can install. What do you mean by default settings?
>> You really need to specify what it needs in the configuration file
>> (Meinberg's installer helps with that too).
>>
> 
> 
> I understand that this version may not be supported, but I would appreciate 
> if I could find some archive docs or old docs to help me configure it 
> nicely.
> 

You haven't said what you expect to be able to configure.

Danny
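
An added example, not part of the original message: a check of the "Change the system time" assignment discussed above. It parses the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS` file and lists every holder of SeSystemtimePrivilege other than the NTP service account. The account name `ntpsvc`, the domain SID and the sample export are constructed for illustration.

```python
import configparser

# Constructed sample of a secedit user-rights export (not from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,ntpsvc
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumption: only the NTP service account (hypothetical name) should hold the right.
ALLOWED = {"ntpsvc"}


def holders(export_text, privilege="SeSystemtimePrivilege"):
    """Return the SIDs/account names granted `privilege` in the export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep privilege names exactly as exported
    parser.read_string(export_text)
    if not parser.has_section("Privilege Rights"):
        return []
    # A privilege held by nobody is simply absent from the export.
    raw = parser.get("Privilege Rights", privilege, fallback="")
    # SIDs are written with a leading '*'; resolved names are written bare.
    return [h.strip().lstrip("*") for h in raw.split(",") if h.strip()]


def unexpected_holders(export_text, allowed=ALLOWED):
    """Holders of the system-time right that are not on the allow list."""
    allowed_lower = {a.lower() for a in allowed}
    return [h for h in holders(export_text) if h.lower() not in allowed_lower]


if __name__ == "__main__":
    for principal in unexpected_holders(SAMPLE_EXPORT):
        # S-1-5-32-544 is the local Administrators group, which normally
        # contains Domain Admins on a domain member.
        print("unexpected holder of SeSystemtimePrivilege:", principal)
```

Running the check on a schedule also catches the case described above where an administrator adds the privilege back.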


