Windows Time Service

Locked

SgtPappy
I am trying to get my domain controller to synchronize its time with the ntp pool of time servers and it is not working. When I use the "net time /querysntp" command it shows that the dc is pointing to the correct time sources but I keep getting these errors saying the time sources are unavailable and that the computer has no accurate source of time.

This used to work fine when I had my OpenBSD firewall. I had the OpenBSD firewall box sync its time with the time servers and then I had the dc sync its time with the OpenBSD box. Never had a problem with that setup.

I installed a new Cisco ASA 5510 a few weeks ago and I have it configured to sync time with the ntp pool of servers and that appears to be working fine. I tried to configure my dc to sync with the router but that didn't work. (I don't think the router has the ability to serve time). Then I tried having the dc sync directly with the ntp pool but that isn't working either.

I can successfully do a packet trace from the dc to the time servers using the NTP port but I'm not sure about the return path. Do I need to create a firewall rule to allow this to work? Any help would be greatly appreciated.
    bart777

    would be to just point your PDC role holder to the outside time source.

    SgtPappy

    That's exactly what I'm trying to do. It is not working. When I had the OpenBSD firewall box I had the same problem. The PDC or any DC could not get time from a source outside the LAN. My solution at that time was to have the OpenBSD box get the time from outside sources and serve the time to the PDC. I pointed the PDC to the inside interface of the OpenBSD box to get its time. It worked like a champ. Now I have this Cisco ASA 5510 and I'm back to the original problem. The DC or any computer on the internal LAN will not get time from an outside source.

    I configured the ASA to get its time from a time server on the Internet and that seems to work just fine. But I can't seem to figure out how to make the ASA device be a time server for my internal DCs. I don't think it can be. In OpenBSD you had to actually configure it as a time server so other computers could sync their time with it.

    Since I can't seem to be able to configure the ASA as a Time Server, I need to be able to have my DCs sync their time with an outside source. I can't seem to get it to work the way it should.

    I can do a packet trace using the Cisco ASA software that shows that a UDP packet using the NTP port can originate from inside the firewall and go out to the Internet successfully but because this is UDP traffic I think I need to have a rule allowing the connection coming back from the time source to pass through the firewall to the internal DC that requested the time sync.

    Does anyone know a firewall rule that would allow this? Is it a firewall issue? I'm sure I have the DC configured to use an outside time source correctly, it is pretty straight forward and it did work right when it was pointing to the OpenBSD box as the time source.

    bart777

    Here is a link to the settings needed for getting the PDC Emulator to sync to an outside time source.

    http://support.microsoft.com/kb/816042

    I've seen many servers that are either misconfigured or were left with the default settings. In these cases the server may work at times but fail more often than not.

    Also point to some NTP server other than time.microsoft.com. Use one of the universities or navy sites.

    If all of the settings of the DC are correct and it still doesn't work then there is something in the firewall that's blocking you that we haven't found yet.
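The configuration bart777 links to, as an added example that is not part of the original thread: the same settings KB 816042 makes in the registry (manual peer list, NTP client mode, reliable time source), done with the supported w32tm commands on the PDC emulator, followed by the checks that separate a W32Time misconfiguration from a firewall problem. It assumes Windows Server 2008 or later (w32tm /query does not exist on Server 2003, where net time /querysntp and w32tm /monitor are the equivalents) and the pool.ntp.org host names used in the script; run it from an elevated PowerShell prompt on the PDC emulator. Getting this right matters beyond clock accuracy: Kerberos rejects tickets whose timestamps are more than five minutes off by default, so a DC that drifts breaks authentication for the whole domain.

```powershell
# Added example, not from the original thread. Configure the PDC emulator's
# W32Time service as an NTP client of an external pool and verify whether
# UDP/123 replies actually reach this host. Peer list is an assumption;
# 0x8 = client mode (plain NTP client request, no symmetric-active).
$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

# Step 1: record what the service currently uses before changing anything.
w32tm /query /source
w32tm /query /configuration

# Step 2: test the network path independently of the service. /stripchart
# sends NTP client requests and prints the offset of each reply. Timeouts
# or "error:" lines for every peer mean replies are not coming back
# (firewall or DNS), not that the W32Time settings are wrong.
foreach ($p in $Peers -split ' ') {
    $server = ($p -split ',')[0]
    w32tm /stripchart /computer:$server /samples:3 /dataonly
}

# Step 3: make the PDC emulator a manual NTP client and an authoritative
# source for the forest (/reliable:yes). This is the CLI equivalent of the
# registry values in KB 816042 (Type=NTP, NtpServer, AnnounceFlags=5).
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Step 4: confirm. "Source" must no longer read "Local CMOS Clock" or
# "Free-running System Clock", and each peer should show a stratum and a
# Last Successful Sync Time.
w32tm /query /status
w32tm /query /peers

# Step 5: the "time sources unavailable" / "no accurate source" messages
# the OP sees are System log events from the time service. The source name
# is W32Time on older servers and Microsoft-Windows-Time-Service on newer.
Get-EventLog -LogName System -Newest 50 |
    Where-Object { $_.Source -match '^(W32Time|Microsoft-Windows-Time-Service)$' } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

Step 2 is the one that answers the firewall question in this thread. w32tm /stripchart sends the same UDP/123 client request the service does, so if it gets replies the return path is open and the remaining problem is in the service configuration; if every peer times out while the ASA's packet-tracer shows the outbound packet leaving, the replies are being dropped or never sent (check that the DC can resolve the pool names first). An ASA tracks inside-initiated UDP flows in its connection table and permits their replies without any explicit inbound rule, so the things to rule out on the firewall side are an access-list on the inside interface that does not permit UDP/123 outbound and DNS from the DC, rather than a missing "return" rule.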

    SgtPappy

    This is the article I used to configure the time service. I've tried pointing to several different single time servers, multiple time servers at the same time (listed individually) and I've used the pool.ntp.org servers. I've tried using DNS names and IP numbers.

    I'm beginning to believe Windows doesn't know how to sync time with the rest of the world. Like I said before, the only way I could do this before was to have it point to the internal interface of my NTP serving OpenBSD router. This is so frustrating. Right now I'm mad at Cisco for not making their ASA capable of serving NTP time to clients on the internal network. That just seems wrong. Thanks for your help though.

    bart777

    I've never seen this behavior myself.

    The only Cisco devices I've tried to go through were PIX firewalls and they never presented me with any problems.

    The only idea I have left is to see if there is a new IOS image for the device that you have.

    Best of luck.
    Sorry I couldn't be of more help.

    SgtPappy

    I'll keep trying to figure this out.
