GPO NTP
hello,
I set ntp-server for win7 pro over gpo: Enable Windows ntp client and configure ntp client with dns name and sync all.
After gpupdate /force or even reboot the new config is not applied to the time settings if I check them.
The timeserver is still "time.windows.com".
Somehow the new ntp-server is not used.
Can someone help?
Thx, hugo
April 13th, 2011 11:16am
HugoWin7 wrote:
hello,
I set ntp-server for win7 pro over gpo: Enable Windows ntp client and
configure ntp client with dns name and sync all.
After gpupdate /force or even reboot the new config is not applied to
the time settings if I check them.
The timeserver is still "time.windows.com".
Somehow the new ntp-server is not used.
Can someone help?
Thx, hugo
Can you please elaborate your exact GPO settings for the Windows NTP
client? There is more to configure than just the DNS name of your
timeserver.
And are the settings applied? Did you check the RSOP for a given PC?
Wolfgang
April 14th, 2011 3:16pm
computer configuration -> admin templates -> system -> windows time service -> time providers
Enable Windows NTP Client: Enabled
Configure Windows NTP Client:
Enabled
ntpserver: ntp.certum.pl
type: ntp
rest is default
-- Restart
Going to Date and Time -> Internet Time
The computer is still "set to automatically synchronize with 'times.windows.com'"
April 14th, 2011 4:48pm
HugoWin7 wrote:
computer configuration -> admin templates -> system -> windows time
service -> time providers
Enable Windows NTP Client: Enabled
Configure Windows NTP Client:
Enabled
ntpserver: ntp.certum.pl
type: ntp
rest is default
-- Restart
Going to Date and Time -> Internet Time
The computer is still "set to automatically synchronize with
'times.windows.com'"
And what does the rsop tool show? Enter rsop.msc into the search field
over the start button - this should start the Resulting Set Of
Policies mmc.snapin, which shows you which policies are applied.
Wolfgang
April 15th, 2011 11:28am
hello,
attached the nowhere documented 0x09 flags to the dns. don't know what that means... .
the gpo is definitely applied. also checking with rsop.
The problem is that if you set the ntp over gpo it always shows "set to automatically synchronize with 'times.windows.com'", even if the pc synchronizes with some other ntp-server.
Nice!!!
This means that my gpos are actually working, only that the time display is nonsense.
thx,
hugo
April 17th, 2011 7:25pm
HugoWin7 wrote:
hello,
attached the nowhere documented 0x09 flags to the dns. don't know
what that means... .
the gpo is definitely applied. also checking with rsop.
The problem is that if you set the ntp over gpo it always shows "set
to automatically synchronize with 'times.windows.com'", even if the
pc synchronizes with some other ntp-server.
Nice!!!
This means that my gpos are actually working, only that the time
display is nonsense.
thx,
hugo
Yes, this seems to be a bug - probably after applying SP1 because I
never saw this before, but just now discovered it on my non
domain-member PCs, too. But you should see, with which server the last
successful sync happened, too and the time when the next sync is going
to happen, just below the wrong reference to time.windows.com.
The 0x9 flag is a combination of 0x1 for DNS entries instead of
IP-addresses (and sticking to the special poll interval defined in the
NTP-Client section of the registry) and 0x8 for using standard
NTP-client mode requests instead of symmetric active mode packets
(which are set via 0x4 instead of 0x8 and should - if ever - only be
used on servers).
Wolfgang
April 18th, 2011 12:57pm
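Since the Internet Time tab cannot be trusted here, the configured peer and its flags can be read directly, as in this added example (not part of any post in the thread). The function name ConvertFrom-NtpServerValue is hypothetical; the flag names follow Microsoft's W32Time documentation, and the two registry paths are the standard policy and local W32Time parameter keys.

```powershell
# Added example: show which NTP peer W32Time is configured with and decode its flags.
# Flag bits of the NtpServer value, named as in Microsoft's W32Time documentation.
$NtpFlags = @(
    @{ Bit = 0x1; Name = 'SpecialInterval'   },   # poll at SpecialPollInterval
    @{ Bit = 0x2; Name = 'UseAsFallbackOnly' },
    @{ Bit = 0x4; Name = 'SymmetricActive'   },
    @{ Bit = 0x8; Name = 'Client'            }
)

# Hypothetical helper: split "host,0xFLAGS host2,0xFLAGS" and name each set bit.
function ConvertFrom-NtpServerValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    foreach ($entry in ($Value -split '\s+' | Where-Object { $_ })) {
        $peer, $hex = $entry -split ',', 2
        $flags = 0
        if ($hex) { $flags = [Convert]::ToInt32($hex, 16) }   # accepts the 0x prefix
        $names = @($NtpFlags | Where-Object { $flags -band $_.Bit } |
                   ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Peer  = $peer
            Flags = ('0x{0:X}' -f $flags)
            Names = ($names -join ', ')
        }
    }
}

# Value as described in the thread: the GPO peer with 0x9 appended.
ConvertFrom-NtpServerValue 'ntp.certum.pl,0x9' | Format-Table Peer, Flags, Names -AutoSize

# The policy key is written by the GPO; the service key holds the local setting.
$keys = @(
    @{ Source = 'Group Policy'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' },
    @{ Source = 'Local config'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' }
)
foreach ($k in $keys) {
    $p = Get-ItemProperty -Path $k.Path -Name NtpServer -ErrorAction SilentlyContinue
    if ($p) {
        Write-Output ("{0}: Type={1}" -f $k.Source, (Get-ItemProperty -Path $k.Path).Type)
        ConvertFrom-NtpServerValue $p.NtpServer | Format-Table Peer, Flags, Names -AutoSize
    } else {
        Write-Output ("{0}: no NtpServer value set" -f $k.Source)
    }
}

# Ask the running service which source it is using and when it last synced.
w32tm /query /source
w32tm /query /status
```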
hello,
thx for the bug info.
Do I have to open incoming/outgoing ports for the firewall on ntp?
there are contradicting blogs on this issue.
hugo
April 18th, 2011 3:29pm
HugoWin7 wrote:
hello,
thx for the bug info.
Do I have to open incoming/outgoing ports for the firewall on ntp?
there are contradicting blogs on this issue.
hugo
Of course you need an outgoing stateful exemption for NTP, but if you
have the Windows Firewall configured in standard mode (i.e. outgoing
connections are always allowed, if initiated by allowed programs and
services on the PC) there is no need for an explicit rule - only if the
firewall is set to block all outgoing traffic if not specifically
allowed, you will need an exemption for NTP outgoing (UDP port 123).
Wolfgang
April 18th, 2011 5:00pm