This is a quick post to go over how to use a Windows Server as an NTP server for your network devices. I’ll probably circle back and cover how to do it with a Linux server if I have the time.
In a Windows Domain, the Domain Controller with the PDC emulator role sets the time for everything in the domain. This is because Kerberos gets very upset if time is off by even a little bit.
Time synchronization is controlled by the W32Time service, which also supports acting as an NTP server. This behavior is the default in Windows 2012 and above, but you need to add a registry key if you are running a lower version of Windows Server.
You can do this by adding the following key “Enabled”=dword:00000001 to your DC’s registry under
Now on your DC, open an admin command prompt and use the following command to configure your external NTP peers. If you want to add multiple servers, separate them with spaces inside the quoted section.
w32tm /config /manualpeerlist:"<server1> <server2> <…>" /syncfromflags:MANUAL
C:\>w32tm /config /syncfromflags:manual /manualpeerlist:0.us.pool.ntp.org /reliable:yes
The command completed successfully.
Then restart the w32time service
C:\>net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

The Windows Time service is starting.
The Windows Time service was started successfully.

Give it some time and then check the peer status.
The state should be Active and the stratum set.
C:\>w32tm /query /peers
#Peers: 1

Peer: 0.us.pool.ntp.org
State: Active
Time Remaining: 39.8904914s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 6 (64s)
HostPoll Interval: 6 (64s)

C:\>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0684391s
Root Dispersion: 0.8315897s
ReferenceId: 0xADE6906D (source IP: 173.230.144.109)
Last Successful Sync Time: 2/13/2015 12:33:55 PM
Source: 0.us.pool.ntp.org
Poll Interval: 7 (128s)
Don’t forget to allow NTP through your firewall! (Your server firewall is enabled right guys???)
You can quickly do it with something like:
C:\>netsh advfirewall firewall add rule name="Allow NTP" dir=in action=allow protocol=udp localport=123
Ok.
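To confirm from another machine that the DC really answers NTP through the firewall, here is an added example (not part of the original post) that sends one client request to UDP 123 and decodes the reply header into the same fields w32tm /query /status reports. The function names are my own, and the sample packet is constructed from the status values shown above rather than captured.

```python
import socket
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def parse_ntp_header(pkt):
    """Decode the header fields that w32tm /query /status also reports."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(pkt))
    flags, stratum, _poll, precision, delay, disp, refid = struct.unpack(
        "!BBbbII4s", pkt[:16])
    tx_sec, tx_frac = struct.unpack("!II", pkt[40:48])
    if stratum >= 2:   # secondary server: refid is the upstream IPv4 address
        ref = socket.inet_ntoa(refid)
    else:              # stratum 0/1: four-character ASCII code
        ref = refid.rstrip(b"\0").decode("ascii", "replace")
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 7,
        "mode": flags & 7,
        "stratum": stratum,
        "precision_ms": 2.0 ** precision * 1000,
        "root_delay_s": delay / 65536,        # 16.16 fixed point
        "root_dispersion_s": disp / 65536,
        "reference": ref,
        "transmit_unix": tx_sec - NTP_TO_UNIX + tx_frac / 2**32,
    }

def is_synchronized(info):
    """Usable answer: mode 4 (server), leap not 3 (alarm), stratum 1-15."""
    return info["mode"] == 4 and info["leap"] != 3 and 1 <= info["stratum"] <= 15

def query(server, timeout=3.0):
    """Send one NTPv3 client request (LI=0, VN=3, Mode=3) to UDP port 123."""
    request = bytes([0x1B]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
    return parse_ntp_header(reply)

# Constructed sample reply (not a capture): stratum 3, precision -6 and
# refid 0xADE6906D taken from the w32tm /query /status output in this post.
SAMPLE = struct.pack("!BBbbII4s", 0x1C, 3, 7, -6, 4485, 54499,
                     bytes.fromhex("ADE6906D")) + bytes(24) + struct.pack(
                     "!II", 1423830835 + NTP_TO_UNIX, 0)

if __name__ == "__main__":
    print(parse_ntp_header(SAMPLE))   # offline demo
    # print(query("10.10.2.2"))       # live check against the DC in this post
```

A timeout from query() means the firewall rule or the NTP server side of W32Time is not in place. A reply that fails is_synchronized() means the DC is answering but has not yet synced to its own peer.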
Now hop on to your network device and set up NTP to point to your DC (my DC’s IP is 10.10.2.2).
Cisco-R01(config)#ntp server 10.10.2.2
Cisco-R01(config)#clock timezone MNT -7
Give it a few minutes to sync and then NTP should be happy!
Cisco-R01(config)#do sh ntp ass

address         ref clock        st  when  poll  reach  delay   offset   disp
*~10.10.2.2     173.230.144.109   3     0    64      1  1.000  -30.615  3949.9
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

On a Juniper the logic is pretty much the same: set your timezone and define your NTP server.
the-packet-thrower@Juniper-R01# set system time-zone America/Edmonton

[edit]
the-packet-thrower@Juniper-R01# set system ntp server 10.10.2.2

[edit]
the-packet-thrower@Juniper-R01# commit
Then check your NTP association and time
the-packet-thrower@Juniper-R01# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.2.2       108.61.56.35     3 -    1   64   17    5.184   -5.816   2.831

the-packet-thrower@Juniper-R01# run show system uptime
Current time: 2015-03-25 10:23:38 MDT
System booted: 2015-03-23 20:27:30 MDT (1d 13:56 ago)
Protocols started: 2015-03-23 20:27:51 MDT (1d 13:55 ago)
Last configured: 2015-03-25 10:20:50 MDT (00:02:48 ago) by the-packet-thrower
10:23AM up 1 day, 13:56, 1 user, load averages: 0.00, 0.01, 0.00