1

Here is the setup: We have Windows Server 2008R2 servers at customer sites. For separation of trust reasons, those machines are not members of the Customers Domain. They are also not acting as a Domain host themselves, they are strictly stand alone instances. This setup can't be changed.

Windows Servers attached to the customer network receive NTP updates through "w32tm". These servers are also attached to a private Stub network with additional machines not on the customer network. I would like to provide NTP service to hosts on the stub to provide better log synchronization.

All of the documentation I can find online seems to assume that the Windows Servers are Domain Controllers.

I only want to provide the NTP Server service to the stub network if possible. It shouldn't be reachable from the customer network.

What is the best way to setup?

Rowan Hawkins
  • 620
  • 4
  • 18
  • Just a quick update, I haven't had a chance yet to work on this issue. As soon as I'm able to test on a system I will update. – Rowan Hawkins May 16 '17 at 22:18

3 Answers3

1

NTP Server is not a role of a Domain Controller and not even a feature of Windows Server alone.

Windows Time Service (w32time) has both client and server built-in on every Windows computer. The server side is disabled by default and automatically enabled on Windows Server during dcpromo.

The server state is controlled via registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

Just Run cmd as Administrator and use commands:

reg add HKLM\system\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer \
    /v Enabled /t REG_DWORD /d 0x1 /f
w32tm /config /update

You'll instantly have a NTPv3 compliant Time Server on your Windows machine.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • There was a second part to this question is how to limit it to the Stub network only. the host needs to be able to query out but only provide to the stub. – Rowan Hawkins May 05 '17 at 18:47
  • There is no ACL control on W32Time, so limitations must be done in a firewall or by network infrastructure. I'd say it is a bit irrelevant: there is no security concerns and certainly no possibilities for resource exhaustion as W32Time client polls very infrequently even if someone manually changes the time server used. – Esa Jokinen May 05 '17 at 18:59
  • This a management driven reason. If I am only making changes that only affect the stub network then I just need to meet our internal change control requirements. If I am making a change that opens *any* new services on the customer network then we have to have a software review with the customer and get approval. Like you say its a benign function. I'd like to avoid several hours of explaining to management at another company why this is a good idea. – Rowan Hawkins May 05 '17 at 20:53
  • It's still a component that is already installed and a service that is already provided, so I'd consider it as a minor configuration change instead of a new service / software. It's like negotiating over a single Windows Update, which actually may have more effect and may be less predictable. I'm truly sorry you have to work under those limitations. – Esa Jokinen May 05 '17 at 21:04
1

If you use a time server on the client network for time updates, you won't be able to block NTP service from being accessible from that machine as NTP is a bidirectional protocol using port 123/udp.

If you want to block any machine on the client network from accessing the NTP service on your server, you'll have to choose an external time server; e.g. uk.pool.ntp.org and configure the server firewall to block all access to port 123/udp from the client network.

(This would have been a comment on PaterSiul's answer, but my rep isn't high enough to comment!)

Pak
  • 919
  • 5
  • 10
  • This question is for windows, however you are partially incorrect. On *nix based NTP implementations you can set server to only respond to requests from specific ip's defined by a mask. NTP servers are not broadcast services. This isn't a firewall function, but a function of the NTP server itself. Where we have a *nix host on the client network I already use them for this functionality. I am looking for similar functionality for the client sites with only windows hosts on the customer network. – Rowan Hawkins Apr 11 '18 at 16:09
0

Try techrepublic or, for a bit more detail, this Microsoft blog post.

Update: Esa Jokinen has the main part of my links in his answer.

To answer the second part, which I first missed: I don't know of a way to restrict windows time service to an interface or an ip range directly. I'd solve that with a firewall rule:

netsh advfirewall firewall add rule name="NTP" dir=in action=allow protocol=UDP localport=123 remoteip=157.60.0.1,172.16.0.0/16 enable=yes

"remoteip=157.60.0.1,172.16.0.0/16" is just an example, the rest should work for what you wish, assuming you didn't change the default policy from blocking to accept.

PaterSiul
  • 246
  • 1
  • 6
  • 1
    Its preferred when linking content that you provide the link as a source and provide the content in case the link ever becomes inactive. Why didn't any of this come up before. Also how do you suggest restricting the server access to the Stub network only -- I can't have it accessible on the customer side. I still need to query the customer servers for the same. (http://support.ntp.org/bin/view/Support/WindowsTimeService) shows that it cant operate as a a high stratum, but that is fine since the stub network currently has NO time service and timing is not super critical for this need. – Rowan Hawkins May 05 '17 at 18:27
  • In the next month I'm finally getting a chance to look into this again. We are setting up another production equivalent test environment to validate some architecture changes around upgrade deployments. – Rowan Hawkins Apr 11 '18 at 16:18