[ntp:questions] Running ntpd in a Windows domain

Martin Burnicki martin.burnicki at meinberg.de
Tue Aug 18 10:34:45 UTC 2009


Hi all,

Running ntpd in a Windows domain has been discussed here for quite some time.

However, recent discussions among the NTP developers make me assume that
running ntpd in a Windows domain may result in some ugly problems.

Summary:

Normally, if w32time is running on the PDC, it makes an entry in the Active
Directory which identifies that PDC as the authoritative time source, so other
servers and workstations running w32time can identify that PDC as their
authoritative time source when they log in to the domain.

If ntpd is running instead of w32time on the PDC, then there is no such entry
in the Active Directory, so other servers and workstations running w32time
are unable to detect the PDC as the authoritative time source. Of course, if
all other servers and clients also run ntpd, then you can submit an
appropriate ntp.conf file to those machines, with a server entry pointing
to the PDC.

There have been two proposals for workarounds if there are still client
machines running w32time:

1.) On the PDC, make w32time depend on ntpd and start it in addition to
ntpd, so w32time starts *after* ntpd. It has been reported that even though
w32time is unable to open NTP port 123, it continues to execute and makes
the relevant entry in the directory. However, ntpd will respond to network
requests. This may or may not work depending on the version of w32time, i.e. it
won't work anymore if a version of w32time stops itself when it is unable to
open port 123 (just like ntpd would do).

2.) The time source on the clients could be configured manually or using
group policies, so they could be configured to use any upstream NTP server,
either the PDC or any other NTP server.


The reason for this posting is the following:

The development version of the NTP package contains code which can let the
Samba software running on the same Unix machine append an MS-style
signature to the reply packets to be sent to w32time clients. This shall be
required if the Samba server on a Unix machine has been configured to take
the role of a Windows PDC. That MS-style signature is not compatible with
the autokey or MD5 signatures normally used by NTP.

This makes me assume that recent w32time versions running on a PDC also append
an MS-style signature to the packets sent to their clients, and that the w32time
clients expect reply packets with a valid MS-style signature from their
upstream server.

IIRC ntpd supports MS-style signatures only in cooperation with Samba, so
ntpd does *not* support that type of signature if running on a real Windows
PDC.

AFAICS this means recent w32time clients in a Windows domain would never
accept reply packets from the PDC if ntpd instead of w32time is running on
the PDC, even if either of the workarounds mentioned above is being used.
Of course you could also run ntpd on the clients, which would accept the
NTP daemon running on the server as their time source.

However, the question is if other applications (e.g. databases) running on
workstations or secondary servers try to find out whether the time of the
machine they are running on is synchronized to the "network time", and
complain if this is not the case.

If they do, then how do they do it? Do w32time clients also provide a
registry setting or API to let other applications find out whether the
system time is synchronized? If this is the case then it would not even
help to install ntpd both on the PDC and on other servers and workstations.

Unfortunately I don't have access to a Windows domain, so I'd like to ask
whether someone else in this group has experience with ntpd running in a domain
of recent Windows versions.

Thanks,

Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
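[Editor's added example, not part of Martin's post or of the ntpd/Samba code.]
The post contrasts the "MD5 signatures normally used by NTP" with the MS-style
trailer that w32time clients expect. The script below shows what the standard
scheme actually is: ntpd's symmetric-key authentication appends a 4-byte key
identifier and MD5(key || 48-byte header) to the packet, with the keys taken
from a table like ntp.keys. It builds a constructed mode-4 server reply, signs
it, and verifies it the way a receiver would, rejecting unknown key ids, wrong
keys and tampered headers. The header field values and the key "MySecret" are
sample data. The MS-style trailer that Samba produces is a different scheme and
is deliberately not implemented here; the size check in describe_trailer only
tells you that a 20-byte trailer is present, not which scheme produced it.

```python
import hashlib
import hmac
import struct

# Classic NTP packet layout (RFC 5905, section 7.3).
NTP_HEADER_LEN = 48        # LI/VN/mode through transmit timestamp
MD5_MAC_LEN = 4 + 16       # key identifier + MD5 digest


def build_server_header(stratum: int = 2, ref_id: bytes = b"GPS\x00") -> bytes:
    """Return a constructed 48-byte NTP server (mode 4) header.

    All field values are sample data, not a capture from a real server.
    """
    li_vn_mode = (0 << 6) | (3 << 3) | 4   # LI=0, version 3, mode 4 (server)
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    # Four 64-bit timestamps (reference, origin, receive, transmit); one fixed
    # sample value in NTP fixed-point form is enough for a MAC demonstration.
    ts = 0xD000000000000000
    return struct.pack("!BBbbII4s4Q", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, ref_id, ts, ts, ts, ts)


def ntp_md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Standard NTP symmetric-key MAC: key id || MD5(key || header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("the MAC covers exactly the 48-byte NTP header")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_reply(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key MAC, as an ntpd server with 'trustedkey' would."""
    return header + ntp_md5_mac(key_id, key, header)


def describe_trailer(packet: bytes) -> str:
    """Classify what follows the 48-byte header without needing any keys."""
    if len(packet) < NTP_HEADER_LEN:
        return "truncated"
    extra = len(packet) - NTP_HEADER_LEN
    if extra == 0:
        return "unauthenticated"
    if extra == MD5_MAC_LEN:
        # Standard key id + MD5 digest has this size; other schemes may too,
        # so the size alone is not proof of which scheme was used.
        return "20-byte-trailer"
    return "other"


def verify_md5_mac(packet: bytes, trusted_keys: dict) -> bool:
    """Verify a reply against a key table (key id -> key bytes), like ntp.keys.

    Returns False for unauthenticated packets, unknown key ids, or a digest
    mismatch; the comparison is constant-time.
    """
    if describe_trailer(packet) != "20-byte-trailer":
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(ntp_md5_mac(key_id, key, header), mac)


if __name__ == "__main__":
    keys = {10: b"MySecret"}                      # constructed key table
    reply = sign_reply(build_server_header(), 10, keys[10])
    print("trailer:", describe_trailer(reply))
    print("valid with right key:", verify_md5_mac(reply, keys))
    print("valid with wrong key:", verify_md5_mac(reply, {10: b"WrongKey"}))
    tampered = bytearray(reply)
    tampered[1] ^= 1                              # flip a bit in the stratum field
    print("valid after tampering:", verify_md5_mac(bytes(tampered), keys))
```

Note that the MAC is computed over the header only: a receiver must strip the
trailer before hashing, and a key id that is not in its own key table must be
treated as unauthenticated rather than as an error to be worked around.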
