From popdata

NTP time service

  • We provide NTP time service
  • Unix and Windows machines cannot use because of a buggy interaction between Port Address Translation (NAT/PAT) on our Cisco firewall and the blocking of source addresses 1-1023 by the iptables firewall on the Bluecat DNS appliances.
  • Virtual machines should use VMware tools to synchronize to their host server, not NTP
  • NTP on Windows is handled by the W32Time service, which the Kerberos authentication protocol requires.
    • Strangely, it's cumbersome to synchronize a MS AD controller as NTP client. See
    • [...]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type [...]
    • The fixit offered on that page did not work, but manual RegEdit did, followed by "net stop w32time && net start w32time".
  • Ubuntu ntp.conf default: [0-3] and
  • Debian default ntp.conf: [0-3]
  • for D in 0 1 2 3; do H=$; echo $H; for A in `dig +short $H`; do dig +noall +ans -x $A; done; done
  • Use for Gilbert ",0x1,,0x1" in ...\W32Time\Parameters\NtpServer
  • "How to synchronize the time with the Windows Time service in Windows X" suggests w32tm

NTP service / RedZone

  • The RedZone NTP server is mackenzie. It's configured to use UBC IT DNS servers via the alternate configuration file /var/lib/ntp/ntp.conf.dhcp
  • Unfortunately, all of those get blocked because of the Bluecat/Cisco PAT bug.
  • Unless we change Vancouver fw rules, only champlain is suitable.
  • Could consider allowing and using;;
  • Beare (Windows 2008) 2013-12-10 changes done (was slow -170s)
    • Parameters\Type: old=NT5DS; recommended=NTP
    • Config\AnnounceFlags: old=0xa; recommended=0x5
    • TimeProviders\NtpServer\Enabled: old=0x1; recommended=0x1
    • Parameters\NTPServer : old,0x9 ; new:,0x1
    • Config\MaxPosPhaseCorrection: old=172800 (48h); recommended=1800 (30m)
    • Config\MaxNegPhaseCorrection: old=172800 (48h); recommended=1800 (30m)
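
The registry changes listed for Beare can be checked on any Windows host with a short audit script. This is an added example, not part of the original notes; it assumes PowerShell 3.0 or later in an elevated session, and the variable names and the -Apply switch are this example's own.

```powershell
# Added example, not from the original page. Read-only unless -Apply is given.
# Assumes PowerShell 3.0+ in an elevated session on the Windows host.
param([switch]$Apply)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Recommended values copied from the list above. Parameters\NtpServer is
# left out because the page does not give the peer host names.
$recommended = @(
    @{ Key = 'Parameters';              Name = 'Type';                  Value = 'NTP'; Kind = 'String' }
    @{ Key = 'Config';                  Name = 'AnnounceFlags';         Value = 0x5;   Kind = 'DWord' }
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';               Value = 0x1;   Kind = 'DWord' }
    @{ Key = 'Config';                  Name = 'MaxPosPhaseCorrection'; Value = 1800;  Kind = 'DWord' }
    @{ Key = 'Config';                  Name = 'MaxNegPhaseCorrection'; Value = 1800;  Kind = 'DWord' }
)

$fixed = 0
$report = foreach ($r in $recommended) {
    $path    = Join-Path $base $r.Key
    # A missing value reads back as $null and is reported as 'differs'
    $current = (Get-ItemProperty -Path $path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    $status  = if ($null -ne $current -and $current -eq $r.Value) { 'ok' } else { 'differs' }

    if ($status -eq 'differs' -and $Apply) {
        Set-ItemProperty -Path $path -Name $r.Name -Value $r.Value -Type $r.Kind
        $status = 'changed'
        $fixed++
    }

    [pscustomobject]@{
        Setting     = "$($r.Key)\$($r.Name)"
        Current     = $current
        Recommended = $r.Value
        Status      = $status
    }
}
$report | Format-Table -AutoSize

# Restart the service so it picks up the new values (the notes above used
# "net stop w32time && net start w32time"), then show the sync status.
if ($fixed -gt 0) {
    Restart-Service -Name W32Time
    w32tm /query /status
}
```

Run without arguments it only reports; the two phase-correction limits are the values that bound how far a time source can step the clock in one correction.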