RE: SOLVED! RE: Time Sync Problem

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 29 Sep 2004 14:19:48 -0400

In addition to the packet filter that you have you will need to edit the
registry to be able to sync with an external source. 

A long excerpt from an even longer KB article:

Configuring the Windows Time service to use an external time source

To configure an internal time server to synchronize with an external
time source, follow these steps:

1. Change the server type to NTP. To do this, follow these steps:
   a. Click Start, click Run, type regedit, and then click OK.
   b. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
   c. In the right pane, right-click Type, and then click Modify.
   d. In Edit Value, type NTP in the Value data box, and then click OK.

2. Set AnnounceFlags to 5. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
   b. In the right pane, right-click AnnounceFlags, and then click Modify.
   c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.

3. Enable NTPServer. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled
   b. In the right pane, right-click Enabled, and then click Modify.
   c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.

4. Specify the time sources. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
   b. In the right pane, right-click NtpServer, and then click Modify.
   c. In Edit Value, type Peers in the Value data box, and then click OK.

   Note Peers is a placeholder for a space-delimited list of peers from
   which your computer obtains time stamps. Each DNS name that is listed
   must be unique. You must append ,0x1 to the end of each DNS name. If you
   do not append ,0x1 to the end of each DNS name, the changes made in step
   5 will not take effect.

5. Select the poll interval. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
   b. In the right pane, right-click SpecialPollInterval, and then click
      Modify.
   c. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then
      click OK.

   Note TimeInSeconds is a placeholder for the number of seconds that you
   want between each poll. A recommended value is 384. This value
   configures the Time Server to poll every 15 minutes.

6. Configure the time correction settings. To do this, follow these steps:
   a. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
   b. In the right pane, right-click MaxPosPhaseCorrection, and then click
      Modify.
   c. In Edit DWORD Value, select Decimal in the Base box.
   d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then
      click OK.

   Note TimeInSeconds is a placeholder for a reasonable value, such as 1
   hour (3600) or 30 minutes (1800). The value that you select will depend
   upon the poll interval, network condition, and external time source.

   e. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
   f. In the right pane, right-click MaxNegPhaseCorrection, and then click
      Modify.
   g. In Edit DWORD Value, select Decimal in the Base box.
   h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then
      click OK.

   Note TimeInSeconds is a placeholder for a reasonable value, such as 1
   hour (3600) or 30 minutes (1800). The value that you select will depend
   upon the poll interval, network condition, and external time source.

Amy
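
A read-only check of the registry values named in the KB steps quoted above, as an added example that is not part of the original message or the KB article. It assumes PowerShell is available on the server; the helper names Get-W32TimeValue and Test-NtpPeerList are hypothetical.

```powershell
# Added example (not from the thread or the KB article): read-only audit of the
# W32Time registry values named in the quoted steps. It changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-W32TimeValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path "$base\$Key" -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }   # returns nothing when the value is absent
}

# Hypothetical helper: applies the peer-list rules from the quoted note
# (space-delimited, each DNS name unique, each entry ending in ,0x1).
function Test-NtpPeerList {
    param([string]$Peers)
    $seen = @()
    foreach ($entry in ($Peers -split '\s+' | Where-Object { $_ })) {
        $name, $flags = $entry -split ',', 2
        if ($flags -ne '0x1') { "peer '$entry' does not end in ,0x1" }
        if ($seen -contains $name) { "peer '$name' is listed more than once" }
        $seen += $name
    }
    if (-not $seen) { 'Parameters\NtpServer lists no peers' }
}

# Values the quoted steps set to a fixed setting.
$fixed = @(
    @{ Key = 'Parameters';              Name = 'Type';          Want = 'NTP' },
    @{ Key = 'Config';                  Name = 'AnnounceFlags'; Want = 5 },
    @{ Key = 'TimeProviders\NtpServer'; Name = 'Enabled';       Want = 1 }
)
$findings = @()
foreach ($f in $fixed) {
    $actual = Get-W32TimeValue $f.Key $f.Name
    if ($actual -ne $f.Want) { $findings += "$($f.Key)\$($f.Name) is '$actual', steps call for '$($f.Want)'" }
}
$findings += @(Test-NtpPeerList (Get-W32TimeValue 'Parameters' 'NtpServer'))
# Site-specific values (TimeInSeconds placeholders in the steps): print for review.
$review = @(
    @('TimeProviders\NtpClient', 'SpecialPollInterval'),
    @('Config', 'MaxPosPhaseCorrection'),
    @('Config', 'MaxNegPhaseCorrection')
)
foreach ($r in $review) {
    $value = Get-W32TimeValue $r[0] $r[1]
    if ($null -eq $value) { $findings += "$($r[0])\$($r[1]) is not set" }
    else { '{0}\{1} = {2}' -f $r[0], $r[1], $value }
}
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No deviations from the quoted steps.' }
```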
 

-----Original Message-----
From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 1:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SOLVED! RE: Time Sync Problem

http://www.ISAserver.org

Gather you have a working ntp now. Does it differ from mine, maybe I
should copy whatever works for you.

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 1:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] SOLVED! RE: Time Sync Problem


Problem solved. The packet filter installed by the SBS/ISA wizard at set
up is wrong. Now, to whom do I report this error at Microsoft and is
there a prize?

Amy
 
 
 

-----Original Message-----
From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 12:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem


I have a custom filter as below

Filter Type: Custom
IP Protocol: UDP, protocol number 17
Direction: Send Receive
Local Port: Dynamic
Remote Port: Fixed, port 123
Filter Applies To Local: Default IP address(s) on external interfaces
Applies To Remote: All remote computers

I do not know what the proper method is to verify that the time service
is working correctly other than by checking the event logs for failures.
At this time I am only receiving Warnings in the System Event log:
w32time, error 11, NTP server did not respond. This could be a timeout
issue or a problem. Not sure which. I have an unresolved open incident
with Microsoft on this and will post further when and if it is resolved.

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 12:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem


ISA 2000 SP2, SBS2003 (windows 2003)

The packet that gets configured by default is detailed below in the
original email. I no longer have any client with SBS2000 installed so it
will be interesting to see what you have.

Amy
 
 

-----Original Message-----
From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 11:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem


Amy, I am working my way through the same problem in SBS2000 with ISA
sp2 (standard edition). You do have to set up an allow UDP filter but how
depends very likely on whether you are using ISA 2000 or ISA 2004 and
possibly also on whether it is SBS2003 or SBS2000. Please come back with
the details and I will give you the filter that I am using that may or
may not be working at this time.

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 12:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem


Since this is SBS that is essentially what I'm trying to do. Out of the
box the usually wonderful wizards of SBS set up certain packet filters.
It has done this for time; however, the wizard set it up using TCP (see
filter details below). Either I don't fully understand how the time sync
works or the SBS wizard has it set up wrong. So is the packet filter
below wrong or is it just me? I've been looking at the problem too long
to trust myself.

Amy
 
 
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 11:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem


Hi Amy,

How about creating a packet filter on the ISA firewall for NTP and
configure it as the time server?
http://support.microsoft.com/default.aspx?scid=kb;en-us;323621

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 29, 2004 10:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Time Sync Problem




The situation is that the client has purchased time keeping software and
it will use the domain time to track when an employee punches in and
out. All client computers are sync'd with the server; that part is
working fine. The server is not able to sync with an external time
source.

On the server, I get event 38
"The time provider NtpClient cannot reach or is currently receiving
invalid time data from harbor.ecn.purdue.edu
(ntp.m|0x1|192.168.1.100:123->128.46.154.76:123)."

ISA log shows
192.168.1.100   128.46.154.76   Udp     123     123     -       BLOCKED 192.168.1.100

192.168.1.100 is the external IP address of the SBS2003 server. A DSL
router does the NAT from our static IP.

The time service is supposed to be allowed in the default SBS setup. ISA
has a packet filter for TCP 123, receive only on all local ports, remote
port is fixed 123 on the external IP address. Shouldn't this be UDP?

There is a Protocol Definition for 123 UDP Send/Receive. 

I've been hunting everywhere except in ISA for the problem, so I've
already tried various time providers, FQDN and IP, modified registry
entries and applied a hot fix. 

Amy
 
 
 



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
