Difference between revisions of "Time Synchronisation"

m (Deleted doubled word)
m (YvanM moved page Time syncronisation to Time synchronisation: Corrects spelling of word "synchronisation" in page title.)
(No difference)

Revision as of 15:34, 13 February 2016

Introduction

In an Active Directory, an accurate time synchronisation is absolutely necessary. E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs it for resolving replication conflicts. The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your domain members (clients, Member Servers, DCs) clock differs more than that to your servers clock, accessing the server is denied. As the default time source in an Active Directory forest, is the Domain Controller with the PDC emulator FSMO role. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time synchronisation in an AD DS hierarchy.

ntpd from http://ntp.org allows time synchronisation with external sources and can also be configured to be a time source for others. Please note, that ntpd does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync.

See the server information used in documentation page for used paths, hostnames, etc.

Configuring time synchronisation on a DC

Requirements

  • ntpd >= 4.2.6 from ntp.org, with enabled signed ntp support ("--enable-ntp-signd"), installed via package or self compiled
  • Make sure, that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessible by other
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
# chmod 750 /usr/local/samba/var/lib/ntp_signd/

# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/


Setup ntpd.conf

Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an external NTP server and provides time via signed NTP for others.

# Local clock (Note: This is not the localhost address!)
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# The source, where we are receiving the time from
server 0.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine
restrict default kod nomodify notrap nopeer mssntp

# Allow everything from localhost
restrict 127.0.0.1

# Allow that our time source can only provide time and do nothing else
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions. Examples about ntpd SELinux labeling and policy you will find here.



Configuring time synchronisation on Samba Domain Members

Requirements

  • ntpd from ntp.org, installed via package or self compiled


Setup ntpd.conf

Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an Samba AD Domain Controller and doesn't provide NTP for others.

# Local clock (this is not the localhost address!)
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# The source, where we are receiving the time from
server DC1.samdom.example.com     iburst prefer

driftfile /var/lib/ntp/ntp.drift
logfile   /var/log/ntp

# Access control
# Default restriction
restrict default ignore

# Allow everything from localhost
restrict 127.0.0.1

# Allow that our time source can only provide time and do nothing else
restrict DC1.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions



Configuring time synchronisation on Windows clients

Per default, Windows clients in an Active Directory, automatically synchronize their time with the DC, owning the PDC emulator role. If you don't want to use a different source or to configure multiple time server, etc. you don't have to take any action.


Setting user defined time source(s) and options

If you require your Windows clients to synchronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time synchronisation related options:

  • In the Group Policy Management Editor, go to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
  • Edit the "Configure Windows NTP Client" policy:
GPO Windows NTP Client Options.png
This example changes the NTP server setting to a DC that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx.
  • Save the GPO and link it to the desired OU.