Did anybody have any experience with running an NTP
server on a Windows server? Please share your
experience. Thanks.
/Why Tea
Please see:
http://www.satsignal.eu/ntp/NTP-on-Windows-serial-port.html
I haven't tested Windows Server 2003, just Windows Server 2000, Windows XP
and Windows-7.
Cheers,
David
Hm, the Wikipedia article explicitly mentions that ntpd *can* be used under
Windows:
--- <quote from wikipedia> ---
The reference implementation of NTP can be used on Microsoft Windows
systems.
--- </quote> ---
There is no reason why ntpd should not work correctly on Windows Server 2003.
> Did anybody have any experience with running an NTP
> server on a Windows server? Please share your
> experience. Thanks.
IMO care must be taken if ntpd shall run on a domain controller. Some weeks
ago I tried to start a discussion about possible problems if ntpd
replaces w32time. Unfortunately there were only a few replies via the
NTP questions mailing list which never made it to the news group, even
though the questions mailing list should be gatewayed to the news group.
So please see the questions mailing list archive for details:
https://lists.ntp.org/pipermail/questions/2009-August/024061.html
Martin
--
Martin Burnicki
Meinberg Funkuhren
Bad Pyrmont
Germany
Running NTPD on Windows *as* *a* *server* would be most people's LAST
choice unless there is no other! Windows "Vista" may have changed this
but, the last time I looked, Windows' clock "ticks" every 17
milliseconds. Using this as a server is like "measure with micrometer,
mark with chalk, cut with axe"!
I believe that ntp on windows maintains an internal clock in addition to
the timer clock, which keeps much better time than the timertick.
>
> Running NTPD on Windows *as* *a* *server* would be most people's LAST
> choice unless there is no other! Windows "Vista" may have changed this
> but, the last time I looked, Windows' clock "ticks" every 17
> milliseconds. Using this as a server is like "measure with micrometer,
> mark with chalk, cut with axe"!
Windows ticks at a variable rate, down to 500 microseconds, on recent
systems, when they have multimedia timers enabled.
ntpd interpolates using the TSC counter, however this interpolation is
vulnerable to scheduling delays. I don't know how well current versions
behave, but earlier versions performed poorly when the system was 100%
CPU, due to SETI@Home, but quite good when the load was lower.
I presume you mean w32time? Out of the box, it is very non-compliant,
however, I think it might be possible to configure it to be a compliant,
if rather poor, server.
The sensible approach to running on Windows is to use the reference
implementation, although this will perform better on even a low
specification Unix/Linux system.
Martin..
Can you confirm the SSL cert on that site is OK? My browser etc here
has a total hissy fit if I try going there, even if I try to use plain
open http:
Dave Baxter.
Certificates cost money! Apparently nobody is willing to pay the
freight for one. The NTP project is not, AFAIK, funded at anything like
the level required to purchase a certificate. That's why the "self
certification"!!!
All understood (and agreed with) and noted.
Cheers.
Dave B.
The money is not the only problem. When you self-sign a certificate
you make it to last 10 years and forget about it. When you buy an
official certificate (and don't pay hundreds of euro/dollar) it will
expire in a year and you need to go through the hassle of renewing
and reinstalling it every year :-(
> martin....@meinberg.de says...
>
>> So please see the questions mailing list archive for details:
>> https://lists.ntp.org/pipermail/questions/2009-August/024061.html
>
> Can you confirm the SSL cert on that site is OK? My browser etc here
> has a total hissy fit if I try going there, even if I try to use plain
> open http:
You should be able to visit
http://lists.ntp.org/pipermail/questions/2009-August/024061.html without
a problem. I just tried it in lynx and no SSL was used.
--
Steve Kostecke <kost...@ntp.org>
NTP Public Services Project - http://support.ntp.org/
> rgilb...@comcast.net says...
>
>> Dave Baxter wrote:
>>
>> > Can you confirm the SSL cert on that site is OK? My browser etc
>> > here has a total hissy fit if I try going there, even if I try to
>> > use plain open http:
>>
>> Certificates cost money! Apparently nobody is willing to pay the
>> freight for one. The NTP project is not, AFAIK, funded at anything
>> like the level required to purchase a certificate. That's why the
>> "self certification"!!!
>
> All understood (and agreed with) and noted.
It's not a self-signed certificate.
Please visit http://www.cacert.org/index.php?id=3 to install our
Certificate Authority's root cert.
Hi Martin, thanks for the info and reference to your previous
post. David and Richard have also highlighted issues with
Windows clock tick resolution and performance under load.
We are dealing with some old legacy systems which
consist of many proprietary HW and a Windows 2003 server.
Instead of a proprietary embedded ntpd, we would like to
have an alternative in order to cut cost. It looks like putting
an off-the-shelf ntpd on Windows 2003 is a good option. BTW,
the Windows 2003 server is NOT a PDC. But the question is
if Windows 2003 is up to the task to provide the accuracy and
resolution required for an ntp server? Here are my specific
questions:
1) Has anybody used Windows 2003 as an ntp server and
is happy/unhappy with it?
2) If I were to do a trial run of ntpd on Windows 2003, how do
I measure its ntpd performance in order to make a
judgment?
3) I've downloaded the Meinberg ntp package and installed
it. How do I judge its performance?
Thanks for all suggestions/advice.
/Why Tea
I am happy with Windows 2000 and Windows XP - Windows Server 2003 is a
hybrid of those OSes and I would /expect/ it to be fine. I've been using
a serial GPS/PPS source as my primary reference. How many clients are you
expecting to serve?
> 2) If I were to do a trial run of ntpd on Windows 2003, how do
> I measure its ntpd performance in order to make a
> judgment?
I use MRTG, Meinberg's monitor, and my own NTP Plotter package.
> 3) I've downloaded the Meinberg ntp package and installed
> it. How do I judge its performance?
>
> Thanks for all suggestions/advice.
>
> /Why Tea
See:
NTP Plotter:
http://www.satsignal.eu/software/net.htm#NTPplotter
Meinberg Time Server Monitor:
http://www.meinberg.de/english/sw/time-server-monitor.htm
MRTG:
http://www.satsignal.eu/ntp/NTPandMRTG.html
Sample results:
http://www.satsignal.eu/mrtg/daily_ntp.html
Cheers,
David
>
>> 2) If I were to do a trial run of ntpd on Windows 2003, how do
>> I measure its ntpd performance in order to make a
>> judgment?
>
> I use MRTG, Meinberg's monitor, and my own NTP Plotter package.
>
I think he was really asking about the parameters that you log and how
you get them from ntpd.
He is using ntpq to fetch the "offset" value. If ntpd is working well,
this will be noise like and centred around zero. Under those
circumstances, its jitter should be several times worse than the true
jitter in the software clock. Windows applications' idea of the time
will be compromised by the limitations of Windows, in particular its
inability to interpolate between ticks. There may also be a systematic
error due to network limitations, etc.
If the offset is not noise like, the offset may be close to the actual
clock error, as ntpd has poor transient response to things like
temperature changes.
I hope the answer is covered in the Web pages to which I pointed, but if
not, I use ntpq to get offset and sometimes jitter, and I enable the
statistics logging with lines in the ntp.conf such as:
enable stats
statsdir "C:\Tools\NTP\etc\"
statistics loopstats
The files can be read by both Meinberg's and my own plotting programs.
I find that the offset is far from noise-like on some systems (Feenix and
Narvik, both running XP), reflecting the temperature or rate of change of
temperature. On other systems it is more noise-like (PCs Stamsund and
Hydra) and the loopstats averaged jitter on those systems is Hydra 1ms and
Stamsund 25us. Hydra is a Windows 7 system with LAN sync, and Stamsund a
Windows-7 system with a GPS/PPS local reference.
http://www.satsignal.eu/mrtg/daily_ntp.html
It puzzles me somewhat why the same ntpd.exe running on Windows-XP (Feenix)
has a much worse /apparent/ offset than one running under Windows-7. Both
PCs have a GPS/PPS reference, 16s poll, and both behaved similarly under
Windows-XP. In Windows-7, the interpolation scheme is disabled, which
seems to result in a much lower average offset, but with an increased
noise on the plots. The Windows-XP machine shows an averaged jitter in
the loopstats of 2.5us, compared to 25us for the un-interpolated Windows-7
PC.
Cheers,
David
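An added example, not part of any post in this thread: one way to check from a loopstats file whether the offset is "noise like and centred around zero", as discussed above. The function name summarize, the two thresholds (mean within 2 standard errors of zero, lag-1 autocorrelation below 0.5) and the sample lines are assumptions constructed for illustration.

```python
import math

# Constructed loopstats lines (not measurements from the thread). Fields: MJD,
# seconds past midnight, offset [s], frequency [ppm], RMS jitter [s],
# wander [ppm], loop time constant.
NOISE_LIKE = """\
55100 16.0 0.000020 12.340 0.000025 0.002 4
55100 32.0 0.000005 12.341 0.000024 0.002 4
55100 48.0 -0.000015 12.340 0.000026 0.002 4
55100 64.0 0.000010 12.339 0.000025 0.002 4
55100 80.0 -0.000025 12.340 0.000025 0.002 4
55100 96.0 -0.000003 12.341 0.000024 0.002 4
55100 112.0 0.000018 12.340 0.000026 0.002 4
55100 128.0 -0.000010 12.340 0.000025 0.002 4
"""
DRIFTING = """\
55100 16.0 0.000500 12.340 0.000150 0.010 4
55100 32.0 0.001000 12.352 0.000160 0.010 4
55100 48.0 0.001600 12.371 0.000170 0.010 4
55100 64.0 0.002100 12.395 0.000180 0.010 4
55100 80.0 0.002400 12.410 0.000170 0.010 4
55100 96.0 0.002200 12.402 0.000160 0.010 4
55100 112.0 0.001700 12.380 0.000150 0.010 4
55100 128.0 0.001100 12.361 0.000140 0.010 4
"""

def summarize(text):
    """Summarize the offset and jitter columns of loopstats text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        try:
            rows.append((float(fields[2]), float(fields[4])))
        except (IndexError, ValueError):
            continue  # skip truncated or malformed lines
    n = len(rows)
    if n < 3:
        raise ValueError("need at least 3 loopstats samples")
    offs = [r[0] for r in rows]
    mean = sum(offs) / n
    dev = [x - mean for x in offs]
    ss = sum(d * d for d in dev)
    std = math.sqrt(ss / (n - 1))
    # Lag-1 autocorrelation: near 0 for noise, towards 1 for slow wander.
    lag1 = sum(a * b for a, b in zip(dev, dev[1:])) / ss if ss else 0.0
    centred = abs(mean) <= 2 * std / math.sqrt(n)  # assumed threshold
    return {"mean": mean, "std": std, "lag1": lag1,
            "max_abs": max(abs(x) for x in offs),
            "mean_jitter": sum(r[1] for r in rows) / n,
            "noise_like": centred and lag1 < 0.5}  # 0.5 is an assumed cut-off
```

On a real server, pass the contents of a loopstats file from the configured statsdir; a day's file gives far more samples than the eight used here, which makes the autocorrelation estimate much steadier.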
We are running ntpd on a Win 2003 server without problems. However, that is
a standalone server and not a member of an Active Directory domain.
> 2) If I were to do a trial run of ntpd on Windows 2003, how do
> I measure its ntpd performance in order to make a
> judgment?
Except what I've written earlier regarding potential problems in an AD
domain, an additional problem can be the limited resolution of the Windows
system time (i.e. about 16 ms timer ticks).
Ntpd tries to interpolate the time between two timer ticks using the Windows
PerformanceCounter API. However, that API can be implemented using
different timers available in the computer, depending on the CPU type (e.g.
AMD vs. Intel), chipset, and exact Windows version/patch level.
This may fail if the CPU's TSC is used for the PerformanceCounter. If the
CPU's clock speed is reduced for power saving (e.g. Intel SpeedStep or AMD
Cool'n'Quiet) then the PerformanceCounter values are garbage and thus time
interpolation fails.
> 3) I've downloaded the Meinberg ntp package and installed
> it. How do I judge its performance?
If you run ntpd simply watch the offset and jitter displayed by the "ntpq
-p" command, or enable generation of the loopstats file. Also look at the
Windows event log. If the offset settles at a low value (e.g. a couple of
milliseconds or less) and there are no event log messages saying "time
reset" in certain intervals then ntpd works fine on your system.
As far as I know, this has been broken for most of the last 6 months.
Messages from the newsgroup are gatewayed to questions, but questions
traffic never makes it to the newsgroup.
> Danny Mayer wrote:
>> You can indeed run the reference implementation of NTP instead of
>> w32time on a Windows Domain Controller and I am in fact doing that (as I
>> mentioned in a previous message).
>
> Yes, but what about the domain members? If you install ntpd on them and
> configure them correctly I'd expect them to work properly.
>
> However, we have customers with a huge number of clients. In fact, I'd expect
> that especially installations with many clients run a domain, simply to
> reduce administrator efforts.
>
> I've often heard those guys don't want to install ntpd on every client simply
> because they do not want to touch each individual client.
My understanding is domain members' w32time service will synchronize
(using MS-SNTP A.K.A. [MSNTP] authenticated by a machine account
secret) to the domain controller holding the PDC emulator "flexible
single master operation" or FSMO role. So if you have any domain
members using w32time, you'll want to have at least one DC (the PDC
FSMO role holder) running w32time (A.K.A. Windows Time Service).
I run ntpd on all my domain's DCs except for the PDC emulator, and
have the PDC emulator's w32time sync to one of the DCs running ntpd.
Cheers,
Dave Hart
Hm ... no way to get this working correctly again? Steve? Brad?
>>Danny Mayer wrote:
>>>You can indeed run the reference implementation of NTP instead of
>>>w32time on a Windows Domain Controller and I am in fact doing that (as I
>>>mentioned in a previous message).
>>Yes, but what about the domain members? If you install ntpd on them and
>>configure them correctly I'd expect them to work properly.
>>
>>However, we have customers with a huge number of clients. In fact, I'd expect
>>that especially installations with many clients run a domain, simply to
>>reduce administrator efforts.
>>
>>I've often heard those guys don't want to install ntpd on every client simply
>>because they do not want to touch each individual client.
>
> My understanding is domain members' w32time service will synchronize
> (using MS-SNTP A.K.A. [MSNTP] authenticated by a machine account
> secret) to the domain controller holding the PDC emulator "flexible
> single master operation" or FSMO role. So if you have any domain
> members using w32time, you'll want to have at least one DC (the PDC
> FSMO role holder) running w32time (A.K.A. Windows Time Service).
>
> I run ntpd on all my domain's DCs except for the PDC emulator, and
> have the PDC emulator's w32time sync to one of the DCs running ntpd.
That's basically also my understanding how this should be configured,
and that's what I'm telling customers if they ask me.
We still have a similar situation where customers buy e.g. one of our
GPS PCI cards to set up their own NTP server. They need to install our
driver software package to read the time from the card and discipline
the system time, plus w32time or ntpd to make the disciplined time
available on the network.
In any case w32time or ntpd must not touch the system time which is
disciplined by our own service. Doing so with ntpd is easy: simply
configure the "local" clock and that's it. Getting w32time to make the
system time available on the network without touching it is much harder.
Some time ago we had a 2003 set up as DC with w32time and a PCI card,
and w32time did serve the time for exactly 1 day, then suddenly didn't
provide the client with time anymore.
So also in this case we tell customers to set up a different server with
ntpd, and then simply point the PDC's w32time to it.
Thanks for the affirmation.
Just stumbled across your email in one of my email folders, but I didn't see
your reply on the news servers. So once again, it looks like emails to the
questions list are not gatewayed to the news group.
Danny Mayer wrote:
> You can indeed run the reference implementation of NTP instead of
> w32time on a Windows Domain Controller and I am in fact doing that (as I
> mentioned in a previous message).
Yes, but what about the domain members? If you install ntpd on them and
configure them correctly I'd expect them to work properly.
However, we have customers with a huge number of clients. In fact, I'd expect
that especially installations with many clients run a domain, simply to
reduce administrator efforts.
I've often heard those guys don't want to install ntpd on every client simply
because they do not want to touch each individual client.
> However the one issue you might have
> is that the reference implementation does not provide MSNTP
> authentication except on a Samba server which does not run on Windows
> and in fact the Samba authentication customization is not designed to
> run on Windows. As long as you don't care about that (I don't) then
> there's no problem.
Yes, that's even kind of funny: ntpd supports MS-style authentication, but
only on non-Windows systems ;-))