Appendix H: Configuring Time Services for a Heterogeneous UNIX and Windows Environment

Kerberos 5 authentication depends on the clocks of all members of the Kerberos realm being synchronized: a KDC or service rejects any request whose timestamp differs from its own clock by more than the maximum tolerable clock skew, which is five minutes by default in both MIT Kerberos and Active Directory. Before proceeding with building a security solution using Kerberos, it is therefore necessary to set up a time service that keeps every host well inside that limit.

Microsoft® Windows Server™ 2003 time services (the Windows Time service, W32Time) are based upon the Simple Network Time Protocol (SNTP), a simplified version of the UNIX Network Time Protocol (NTP). The packet formats of the two protocols are identical, so the servers and clients of each can be used interchangeably. What SNTP omits is NTP's clock-discipline and source-selection algorithms: an SNTP client applies the offset it measures without filtering it across several sources, so it is less accurate and has less protection against a single bad or malicious source.

More information about the time service protocols can be found in the following RFCs for each protocol:

  • RFC 2030, "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6, and OSI"

  • RFC 1305, "Network Time Protocol (Version 3) Specification, Implementation, and Analysis"

Version 4 of NTP was still in development and had not been released as an RFC when this appendix was written. It has since been published as RFC 5905, "Network Time Protocol Version 4: Protocol and Algorithms Specification", which obsoletes RFC 1305; the SNTP specification in RFC 2030 was superseded by RFC 4330 and then folded into RFC 5905.
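The following Python script is an added example, not part of the original appendix, showing the 48-byte header that NTP and SNTP share and the offset and delay arithmetic from RFC 2030 that both the UNIX daemon and W32Time perform on every exchange. It builds a client request, constructs the reply a stratum-2 server would return (no network is used; every timestamp and the upstream address 192.168.1.1 in the reference ID are made up), applies the sanity checks RFC 2030 asks an SNTP client to make before trusting a reply, and computes clock offset and round-trip delay. Function and variable names are the example's own.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800
# The 48-byte header common to NTPv3 (RFC 1305), NTPv4 and SNTP (RFC 2030):
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/originate/receive/transmit timestamps.
HEADER = struct.Struct("!BBBbIIIQQQQ")
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_ts(unix_seconds):
    """Unix time in float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = unix_seconds + NTP_UNIX_DELTA
    whole = int(secs)
    frac = int((secs - whole) * (1 << 32))
    return (whole << 32) | (frac & 0xFFFFFFFF)


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix time in float seconds."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / float(1 << 32)


def build_request(t1, version=4):
    """Client request: LI=0, VN=version, Mode=3; only Transmit Timestamp (T1) is set."""
    li_vn_mode = (version << 3) | MODE_CLIENT
    return HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(t1))


def parse_packet(data):
    """Decode the fixed header into a dict; trailing bytes (e.g. a MAC) are ignored."""
    if len(data) < HEADER.size:
        raise ValueError("short packet: %d bytes" % len(data))
    (lvm, stratum, poll, precision, rdelay, rdisp, refid,
     ref, orig, recv, xmit) = HEADER.unpack(data[:HEADER.size])
    return {"li": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "root_delay": rdelay / 65536.0, "root_dispersion": rdisp / 65536.0,
            "ref_id": refid, "ref": ref, "orig": orig, "recv": recv, "xmit": xmit}


def build_reply(request, t2, t3, stratum=2, ref_id=0xC0A80101):
    """Reply as a synchronized server would send it (constructed, no network):
    Mode=4, Originate = the client's Transmit, Receive = T2, Transmit = T3.
    ref_id defaults to a made-up upstream address (192.168.1.1)."""
    req = parse_packet(request)
    li_vn_mode = (req["version"] << 3) | MODE_SERVER
    return HEADER.pack(li_vn_mode, stratum, req["poll"], -20, 0, 0, ref_id,
                       to_ntp_ts(t2), req["xmit"], to_ntp_ts(t2), to_ntp_ts(t3))


def validate_reply(reply, t1):
    """Checks RFC 2030 section 5 asks a client to make before using a reply:
    it must be a server-mode packet from a synchronized server, and its
    Originate Timestamp must echo our T1, which rejects unsolicited or
    replayed packets that an off-path attacker could send."""
    p = parse_packet(reply)
    if p["mode"] != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % p["mode"])
    if p["li"] == 3 or not 1 <= p["stratum"] <= 15:
        raise ValueError("server unsynchronized (LI=%d, stratum=%d)" % (p["li"], p["stratum"]))
    if p["orig"] != to_ntp_ts(t1):
        raise ValueError("Originate Timestamp does not match our request")
    if p["xmit"] == 0:
        raise ValueError("zero Transmit Timestamp")
    return p


def offset_and_delay(t1, t2, t3, t4):
    """RFC 2030: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2)."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def simulate_exchange(t1, t2, t3, t4, stratum=2):
    """One client/server round trip on constructed timestamps -> (offset, delay)."""
    request = build_request(t1)
    reply = build_reply(request, t2, t3, stratum=stratum)
    p = validate_reply(reply, t1)
    return offset_and_delay(t1, from_ntp_ts(p["recv"]), from_ntp_ts(p["xmit"]), t4)


if __name__ == "__main__":
    # Constructed timestamps: the client clock is 0.125 s ahead of the server.
    print(simulate_exchange(1000000000.0, 1000000000.25, 1000000000.5, 1000000001.0))
```

The Originate Timestamp check is the one most often skipped in home-grown clients; without it any host that can send a UDP packet to port 123 on the client can set its clock, which in a Kerberos domain means it can cause authentication failures at will.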

More information on the specifics of implementing time services in the Active Directory® environment can be found in Windows Time Service at https://www.microsoft.com/technet/prodtechnol/Windows2000Pro/maintain/w2kmngd/16_2kwts.mspx.

The following sections address the most common configuration scenarios for setting up time servers and clients in a heterogeneous environment.

On This Page

  • Time Services Scenarios in a Heterogeneous Environment
  • Configuring Time Services on Servers
  • Configuring UNIX Clients to Synchronize with Time Service

Time Services Scenarios in a Heterogeneous Environment

A range of possible scenarios exist for providing a time service in a heterogeneous environment. These scenarios include:

  • A Windows Server 2003 primary domain controller (PDC) emulator synchronized to an Internet time source.

  • A Windows Server 2003 PDC emulator using its own local clock as the time source for the domain.

  • A Windows Server 2003 domain controller synchronizing to the domain hierarchy.

  • A UNIX server synchronized to an Internet time source.

  • A UNIX server providing time to the rest of the network.

UNIX and Windows clients in these scenarios need to be configured to synchronize their clocks with the server regularly and efficiently. Because SNTP and NTP protocols are interchangeable, the configuration of clients is the same regardless of the type of server being accessed.

Note   This section will only cover the client/server time service architecture. Broadcast and multicast time services are beyond the scope of this document, as is the configuration of GPS systems as the ultimate source of time.

Before you begin to configure your time service, you must consider the following issues:

  • The choice of Internet time server. Public time servers are organized by stratum (the "tiers" of this document). Stratum 1 servers are the ultimate sources of time; they are usually disciplined directly by an atomic clock or a GPS receiver and are heavily loaded. Stratum 2 servers synchronize to Stratum 1 servers; they are still very accurate, are far more numerous, and carry much less load. Choose the server or servers to which you synchronize after considering their geographical location, their reliability, and any access requirements their operators impose; most public servers expect you to synchronize one or two of your own servers to them rather than every client.

  • The configuration of firewalls and routers. NTP and SNTP use UDP port 123. This port must be allowed through the internal and perimeter firewalls and routers that sit between each time client and its server, but only in the direction and between the hosts that your hierarchy requires: typically from your designated time servers out to their Internet sources (and the replies back), and from internal clients to those servers. Do not expose an internal time server to the whole Internet. The security of the time service itself also matters: a server that accepts control queries or configuration requests from any host can be interrogated or reconfigured by an attacker, and a host that accepts time from an unauthenticated source can have its clock moved, which in a Kerberos domain translates directly into authentication failures.

  • The layout of your time service. SNTP and NTP are hierarchical protocols, with a single time source synchronizing many lower servers; these lower level servers then synchronize clients. You should choose your primary and secondary servers so as to maximize availability and to minimize cross-network traffic. In particular, the following recommendations are made by the authors of NTP:

    • Do not synchronize to another peer in the same stratum unless that peer receives its time from a lower-stratum (more accurate) server that your server has no direct connection to.

    • Do not synchronize more than one time server within a domain to a single source outside of that domain. This creates both a single point of failure and a potential source of misuse.

Configuring Time Services on Servers

This section describes how to configure time services on servers running the Windows Server 2003 and UNIX operating systems.

Configuring Time Services on Windows-based Servers

Warning: The following instructions contain details about modifying the registry. Before doing this, make sure you know how to back up, restore, and edit the registry. For more information, see the "Description of the Microsoft Windows Registry" Knowledge Base article at https://support.microsoft.com/default.aspx?scid=kb;en-us;256986.

As the preceding section shows, there are three scenarios for the configuration of the Windows Server 2003 time service. The recommended method is to synchronize the PDC emulator with a GPS device, the configuration of which is beyond the scope of this document. The second-best solution is to synchronize it with an Internet time server. The alternative of using the local clock of the PDC emulator as the source of time should only be used where Internet connectivity is unavailable; it keeps the domain internally consistent, which is all Kerberos requires, but the domain's time will drift away from real time.

SNTP and NTP use Coordinated Universal Time (UTC). UTC is based on an atomic time scale and is independent of time zone. Therefore, it is essential that you have the correct time zone set on your clients so that the correct time for your time zone can be calculated.

The Windows Server 2003 Time service (W32Time) is administered through the use of the w32tm tool. This tool provides configuration and debugging facilities for all aspects of the functioning of the time service. It is a command-line tool and the options available are listed in Table H.1.

Table H.1. w32tm Command-Line Tool Options

  /register
    Registers the service to run as a service and adds the default configuration to the registry.

  /unregister
    Unregisters the service and removes all its configuration information from the registry.

  /monitor [/domain:<domain name>] [/computers:<name>[,<name>...]] [/threads:<num>]
    Returns monitoring data (time source and offset) for the domain controllers of the specified domain, or for the listed computers. The threads option specifies how many computers may be analyzed simultaneously; the default is 3 and the allowed range is 1–50.

  /ntte <NT time epoch>
    Converts a Windows NT system time (100-nanosecond intervals since 1 January 1601) to a human-readable format.

  /ntpte <NTP time epoch>
    Converts an NTP timestamp (2^-32-second intervals since 1 January 1900) to a human-readable format.

  /resync [/computer:<name>] [/nowait] [/rediscover] [/soft]
    Tells a computer to resynchronize its clock as soon as possible. The computer option specifies the computer to resynchronize. The nowait option returns immediately instead of waiting for the resynchronization to complete. The rediscover option rediscovers the network's time sources before resynchronizing. The soft option resynchronizes using the existing error statistics and is provided only for compatibility.

  /stripchart /computer:<name> [/period:<refresh>] [/dataonly] [/samples:<count>]
    Displays a strip chart of the offset between this computer and another. The period option is the time between samples in seconds and defaults to 2. The dataonly option reports the figures without drawing a graph. The samples option specifies how many samples to collect before stopping; if it is not given, the tool continues until Ctrl+C is pressed. This is the quickest way to confirm that a newly configured server agrees with its source.

  /config [/computer:<name>] [/update] [/manualpeerlist:<peers>] [/syncfromflags:<source>] [/LocalClockDispersion:<seconds>] [/reliable:(YES|NO)] [/largephaseoffset:<milliseconds>]
    Configures the time service on the specified computer. The update option notifies the running service so that the changes take effect. The manualpeerlist option sets the NTP peers for the computer as a space-delimited list of DNS names or IP addresses, enclosed in quotation marks when more than one is given. The syncfromflags option selects which sources the computer uses: MANUAL (the manual peer list), DOMHIER (a domain controller in the domain hierarchy), or NO (none). The LocalClockDispersion option sets the dispersion, in seconds, that the service assumes for the local clock when the only time source is the built-in complementary metal oxide semiconductor (CMOS) clock; that is, the number of seconds by which the Windows Time service estimates the local CMOS clock will be off from the estimated true time. The reliable option sets whether this computer is announced as a reliable source of time for others. The largephaseoffset option sets the threshold, in milliseconds, above which a measured difference in time is considered a spike.

  /tz
    Displays the current time zone settings.

  /dumpreg [/subkey:<key>] [/computer:<name>]
    Displays the values under a registry key. The default key is HKLM\System\CurrentControlSet\Services\W32Time; the subkey option selects a subkey beneath it, and the computer option specifies which computer to query.

The following procedures show how you should use w32tm to configure time services on Windows Server 2003 for each of the time service scenarios depicted earlier in this section.

To configure Windows Server 2003 PDC emulator with an external time source

  1. Open a command prompt. Click Start, click Run, enter cmd, and click OK.

  2. At the command prompt, enter the following command:

    w32tm /config /syncfromflags:manual /manualpeerlist:"PeerList"

    Where PeerList is a space-delimited list of DNS names or IP addresses of the desired time sources, for example "time.nist.gov time-a.nist.gov". There must be no space after the colon, and the list must be enclosed in quotation marks when it contains more than one entry.

  3. At the command prompt, enter the following command:

    w32tm /config /reliable:YES

    This command configures the Windows Time service to announce itself as a reliable source of time so that other computers can synchronize to it.

  4. At the command prompt, enter the following command:

    w32tm /config /update

    This command notifies the time service of the changes to the configuration, causing the changes to take effect.

To configure Windows Server 2003 PDC emulator to provide synchronization time

  1. Start the Registry Editor. Click Start, click Run, type regedit, and then click OK.

  2. Locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

  3. In the right pane, right-click Enabled, and then click Modify.

  4. In the Edit DWORD Value dialog box, type 0 under Value data, and then click OK.

  5. Exit the Registry Editor.

  6. Open a command prompt. Click Start, click Run, enter cmd, and click OK.

  7. At the command prompt, type the following command:

    w32tm /config /reliable:YES

    This command configures the Windows Time service to announce itself as a reliable source of time so that other computers can synchronize to it.

  8. At the command prompt, type the following command:

    net stop w32time && net start w32time

    This command restarts the Windows Time service as a server only.

    Note   The Windows Time service must not point to itself. If it is configured to do so, entries like the following will be visible in the System event log:

    The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.168.1.1 (ntp.m|0x0|192.168.1.1:123->192.168.1.1:123).

    No response has been received from Manual peer 192.168.1.1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer from which to synchronize.

    The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.

To configure Windows Server 2003 domain controller to synchronize to the domain source

  1. Open a command prompt. Click Start, click Run, enter cmd, and click OK.

  2. At the command prompt, type the following command:

    w32tm /config /syncfromflags:DOMHIER

    This command sets the source of time to be a domain controller in the domain hierarchy.

  3. At the command prompt, type the following command:

    w32tm /config /reliable:YES

    This command configures the Windows Time service to announce itself as a reliable source of time so that other computers can synchronize to it.

  4. At the command prompt, type the following command:

    w32tm /config /update

    This command notifies the time service of the changes to the configuration, causing the changes to take effect.
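Whichever of the three procedures above you follow, the check a practitioner wants afterwards is whether the resulting offset is within what Kerberos will tolerate. The following Python script is an added example, not from the original appendix: it parses the text that w32tm /stripchart /computer:<peer> /dataonly prints and grades the worst offset against the 300-second maximum clock skew that MIT Kerberos (clockskew) and Active Directory (Maximum tolerance for computer clock synchronization) allow by default. The sample output is constructed to match the tool's HH:MM:SS, +SS.fffffffs line shape (verify it against your own output); the timed-out line with Win32 error 0x800705B4 is included only to show how unreachable samples are handled. The script name check_skew.py, the warning threshold and the function names are the example's own.

```python
import re

# Kerberos 5 default maximum clock skew: 300 s (MIT krb5 "clockskew" and the
# Active Directory "Maximum tolerance for computer clock synchronization" policy).
KERBEROS_MAX_SKEW_S = 300.0

# Constructed sample of `w32tm /stripchart /computer:time.nist.gov /dataonly
# /samples:5` output. Offset lines follow the tool's "HH:MM:SS, +SS.fffffffs"
# shape; the error line shows how a timed-out sample (0x800705B4) appears.
SAMPLE_STRIPCHART = """\
Tracking time.nist.gov [192.0.2.10:123].
Collecting 5 samples.
The current time is 1/2/2005 17:46:01.
17:46:01, +00.0123456s
17:46:03, +00.0101234s
17:46:05, error: 0x800705B4
17:46:07, -00.0087654s
17:46:09, +00.0099999s
"""

_OFFSET_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}), ([+-]\d+\.\d+)s$")
_ERROR_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}), error: (0x[0-9A-Fa-f]+)$")


def parse_stripchart(text):
    """Return (offsets_in_seconds, error_codes); header lines are skipped.
    Only the magnitude of an offset matters for the Kerberos skew check."""
    offsets, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = _OFFSET_LINE.match(line)
        if m:
            offsets.append(float(m.group(2)))
            continue
        m = _ERROR_LINE.match(line)
        if m:
            errors.append(m.group(2))
    return offsets, errors


def assess_skew(text, max_skew=KERBEROS_MAX_SKEW_S, warn_fraction=0.1):
    """Grade a stripchart run against the Kerberos skew limit.
    'fail': a sample is at or beyond max_skew, so Kerberos would reject tickets;
    'warn': within the limit but past warn_fraction of it (10% = 30 s by default),
            which usually means the clock is drifting and will fail later;
    'unreachable': every sample errored, so nothing can be concluded."""
    offsets, errors = parse_stripchart(text)
    result = {"samples": len(offsets), "errors": len(errors), "worst_offset_s": None}
    if not offsets:
        result["status"] = "unreachable"
        return result
    worst = max(abs(o) for o in offsets)
    result["worst_offset_s"] = worst
    if worst >= max_skew:
        result["status"] = "fail"
    elif worst >= max_skew * warn_fraction:
        result["status"] = "warn"
    else:
        result["status"] = "ok"
    return result


if __name__ == "__main__":
    import sys
    # Pipe real output in (hypothetical file name):
    #   w32tm /stripchart /computer:<peer> /dataonly /samples:5 | python check_skew.py
    # With nothing on stdin, the constructed sample is graded instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STRIPCHART
    print(assess_skew(text))
```

Run it against the PDC emulator's configured source and then, from a member server, against the PDC emulator itself: the first tells you the domain is close to real time, the second that the hierarchy is actually being followed.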

Configuring Time Services on UNIX-based Servers

On UNIX, time services are provided by the NTP daemon (ntpd on Red Hat Linux 9, xntpd on Solaris 9). The daemon continuously measures the offset between the system clock and the NTP servers it is configured to use and disciplines the clock accordingly, rather than stepping it once at start-up.

Configuring Time Services on Red Hat Linux 9

The configuration information of the NTP daemon is contained within the ntp.conf file, which is read when the daemon is started. The typical location of the ntp.conf file on Red Hat Linux 9 is in the /etc directory.

To verify the running of the NTP daemon

  • You can check that an NTP daemon is running by entering the following at a shell prompt:

    # ps -ef | grep '[n]tpd'

    The bracketed pattern stops grep from matching its own command line. The following shows what you would see if the daemon is running; if it is not running, the command prints nothing:

    root     3647    1  0  17:46 ?    00:00:00 ntpd

Configuring Red Hat Linux 9 to Synchronize to an Internet Time Source

The permissions on the ntp.conf file should prevent unauthorized changes: anyone who can edit it can point the host at a time source of their choosing. The file should be owned by root and writable only by root (mode 0644 is typical), so the following changes are made as root.

The following lines are required in a server configuration.

# ntp.conf - ntpd configuration file
server time.nist.gov
server time-a.nist.gov
server time-b.nist.gov
driftfile /etc/ntp.drift

Note   As with most UNIX configuration files, lines preceded by the number symbol (#) in ntp.conf are comments.

This is the simplest form that the ntp.conf file can take. The server lines specify which higher-level NTP servers are queried for the accurate time. These can be specified as dotted IP addresses, but the use of DNS names is a good practice because they are less prone to change.

The driftfile declaration allows the NTP daemon to record, in the file specified, what it has learned about the accuracy of the local clock: the usual rate at which the clock drifts from true time. The value is calculated during roughly the first day of operation and is updated continuously thereafter, and it lets the daemon keep the clock close to correct should the servers become unavailable and resume accurate timekeeping quickly after a restart. The daemon must be able to write to the file; if ntpd is started as an unprivileged user, as Red Hat's init script can do, the path must be in a directory that user can write to.

After any changes have been made to the configuration files, the NTP daemon needs to be restarted to reread them.

To restart the NTP daemon on Red Hat Linux 9

  • To restart the NTP daemon, ntpd, enter the following command:

    /etc/init.d/ntpd restart

Configuring Time Services on Solaris 9

The configuration information of the NTP daemon is contained within the ntp.conf file, which is read when the daemon is started. The typical location of the ntp.conf file on Solaris 9 is in the /etc/inet/ directory.

To verify the running of the NTP daemon

  • You can check that an NTP daemon is running by entering the following command at a shell prompt:

    # ps -ef | grep '[x]ntpd'

    The bracketed pattern stops grep from matching its own command line. The following shows what you would see if the daemon is running; if it is not running, the command prints nothing:

    root    425   1  1      14:51:01  ?    0:00    /usr/lib/inet/xntpd

Configuring Solaris 9 to Synchronize to an Internet Time Source

The permissions on the ntp.conf file should prevent unauthorized changes: anyone who can edit it can point the host at a time source of their choosing. The file should be owned by root and writable only by root (mode 0644 is typical), so the following changes are made as root.

The following lines are required in a server configuration.

# ntp.conf - xntpd configuration file
server time.nist.gov
server time-a.nist.gov
server time-b.nist.gov
driftfile /etc/ntp.drift

Note   As with most UNIX configuration files, lines preceded by a number symbol (#) in ntp.conf are comments.

This is the simplest form that the ntp.conf file can take. The server lines specify which higher-level NTP servers are queried for the accurate time. These can be specified as dotted IP addresses, but the use of DNS names is a good practice because they are less prone to change.

The driftfile declaration allows the NTP daemon to record, in the file specified, what it has learned about the accuracy of the local clock: the usual rate at which the clock drifts from true time. The value is calculated during roughly the first day of operation and is updated continuously thereafter, and it lets the daemon keep the clock close to correct should the servers become unavailable and resume accurate timekeeping quickly after a restart. xntpd runs as root on Solaris 9, so it can write to /etc/ntp.drift.

After any changes have been made to the configuration files, the NTP daemon needs to be restarted to reread them.

To restart the NTP daemon on Solaris 9

  • To restart the NTP daemon, xntpd, enter the following commands:

    /etc/init.d/xntpd stop
    /etc/init.d/xntpd start

For further information, see Chapter 3, “Time-Related Services,” System Administration Guide: Resource Management and Network Services at https://docs.sun.com/app/docs/doc/806-4076/6jd6amqpl?a=view.

Configuring UNIX Clients to Synchronize with Time Service

The configuration of UNIX clients is identical to that of servers: the ntp.conf file needs to contain the names of the servers to which the computer synchronizes. The NTP daemon on both Red Hat and Solaris answers client requests automatically, so a host configured this way is itself a time server for any host that can reach UDP port 123 on it; the file-permission and firewall considerations described above therefore apply to clients as well as to servers.

Note   If there is no local time service for your UNIX hosts, it is recommended that you create one. This local computer should synchronize to the external time source, and all the other local computers should synchronize to it. This is both more efficient and more respectful of the higher tier providers who will not be inundated with synchronization requests.

If you are building multiple new computers, then it is recommended that you include NTP configuration information as part of the automated build process. Red Hat, HP, and Sun provide tools for the easy configuration of multiple computers, and more information about these tools is available from the manufacturers.
