NTP time synchronization

Hello

I have to sync the whole Active Directory infrastructure with an NTP source on the internet. No server can access the internet, because all of them are behind an ISA server. I don't want to install the firewall client on a PDC emulator and grant it access to the web, for security reasons.

I'm thinking about creating a new server (e.g. NTIMESRV), installing the firewall client, creating a protocol rule on the ISA server, and then syncing it with the NTP source on the internet. Then I would set NTIMESRV as the NTP source on the PDC emulator.

I'm asking whether NTIMESRV will sync with the PDC emulator before getting the right time from the NTP source on the internet or not.

Thanks in advance


"Kati" <katalin.***@gmail.com> wrote in message
news:1161182372.602725.132620@h48g2000cwc.googlegroups.com...
> Hello
>
> I have to sync the whole Active Directory infrastructure with an NTP
> source on the internet.
> No server can access the internet, because all of them are behind an
> ISA server.

The key is to sync the PDC Emulator (for the Root Forest Domain) and then all other PDC Emulators for child or additional tree roots in the forest will sync from it, plus the DCs of each domain will sync from their (own) PDC Emulator.

> I don't want to install the firewall client on a PDC emulator and grant it
> access to the web, for security reasons.

Your idea of building a "time server" (below) is correct.

> I'm thinking about creating a new server (e.g. NTIMESRV), installing the
> firewall client, creating a protocol rule on the ISA server, and then syncing it
> with the NTP source on the internet.
> Then I would set NTIMESRV as the NTP source on the PDC emulator.

Yes, that is a good way.

> I'm asking whether NTIMESRV will sync with the PDC emulator before getting the
> right time from the NTP source on the internet or not.

You can disable that or just correct it from the time service once it runs. And it is going to be correct anyway since you will be syncing faster than the time can get off.

> Thanks in advance


It is not needed to install the firewall client on the PDC... just open up a port for NTP (123 UDP) between the PDC FSMO and the time server on the internet.

Remember: if you transfer the PDC FSMO role, the time sync settings ARE NOT transferred with the FSMO role!!!

Also see: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/111.aspx

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!


> It is not needed to install the firewall client on the PDC...

It is if the firewall is ISA and the PDCe isn't a SNAT client. But yeah, you could just make it an indirect SNAT client. In fact, it's more than likely it already is a SNAT client.

I'd configure ISA not to synchronise time with the domain hierarchy and instead pull the time from an external source, and would point the PDCe in the forest root at that.

Or, build a time server as suggested and get a radio clock. Radio clocks pull accurate time from a local(ish) atomic clock.

Note. You can have some issues getting a signal in the data centre though... ;-)

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


> It is not needed to install the firewall client on the PDC...

I have been playing with ISA at home and a PDC to sync time with an internet time server.... worked perfectly when just opening up a port (NTP/123)!

--
Cheers,
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services


Due to it being a Secure NAT client (that was the terminology in 2k, I don't know if it's changed). Basically, your gateway is ISA. If that is the case, then you can open simple port assignments as discussed. Some environments don't route from the routes to the ISA server though, which means you're not a SNAT client and therefore this won't work.

I probably didn't need to clarify the point but was in the zone... ;-)

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
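
Added example, not part of any post in the thread: a PowerShell check for the warning above that time sync settings do not follow the PDC FSMO role. It finds the current forest-root PDC emulator and verifies that it still points at the dedicated time server. Assumptions: the ActiveDirectory module, PowerShell remoting to the DC, the thread's server name NTIMESRV, and a placeholder external source.

```powershell
#Requires -Modules ActiveDirectory
# Added example. NTIMESRV is the name used in the thread; the external source is a placeholder.

$InternalTimeServer = 'NTIMESRV'      # dedicated time server, the only host allowed out on UDP 123
$ExternalNtpSource  = 'pool.ntp.org'  # assumption: replace with your approved NTP source

# 1. Run once ON NTIMESRV so it follows the external source and not the domain hierarchy:
#      w32tm /config /manualpeerlist:"<ExternalNtpSource>" /syncfromflags:manual /update
#      w32tm /resync

# 2. Find whoever holds the PDC emulator role in the forest root domain right now.
$rootDomain = (Get-ADForest).RootDomain
$pdce       = (Get-ADDomain -Identity $rootDomain).PDCEmulator

# 3. Read that DC's time configuration from the W32Time Parameters registry key.
$cfg = Invoke-Command -ComputerName $pdce -ScriptBlock {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
        Select-Object Type, NtpServer
}

# Type 'NTP' = manual peer list; 'NT5DS' = follow the domain hierarchy,
# which is what a DC that has just received the role will still have.
$ok = ($cfg.Type -eq 'NTP') -and
      ($cfg.NtpServer -match [regex]::Escape($InternalTimeServer))

if ($ok) {
    "OK: $pdce syncs from $($cfg.NtpServer)"
} else {
    "CHECK: $pdce has Type=$($cfg.Type), NtpServer=$($cfg.NtpServer)"
    # Re-apply on the current role holder (run there, elevated):
    #   w32tm /config /manualpeerlist:"NTIMESRV" /syncfromflags:manual /reliable:yes /update
    #   w32tm /resync /rediscover
}

# 4. Confirm the effective source as reported by the time service itself.
w32tm /query /computer:$pdce /source
```

Running this after every PDC emulator role transfer catches the case where the new role holder is still following the domain hierarchy while the old one keeps the manual peer.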