Build NTP Windows Server for Network Devices (not Win32Time) - NETSEC
Tuesday, January 20, 2015

Build NTP Windows Server for Network Devices (not Win32Time)

According to Cisco document ID 108076, Troubleshoot Network Time Protocol (NTP), Cisco IOS devices cannot synchronize NTP to a Windows server that is running the built-in W32Time service:

"Windows W32Time shows that it is an SNTP implementation inside (rather claiming itself NTP). Cisco IOS-NTP, which tries to sync with W32Time, gets its own root-dispersion value that it sends to the W32Time and this proves costly for Cisco IOS-NTP to synchronize. Because the root-dispersion value of Cisco IOS-NTP goes higher than 1000 ms, it unsynchronizes itself (clock-select procedure). Since the Cisco IOS based routers run the full RFC implementation of NTP they do not sync to an SNTP server. In this case the output of the show ntp associations detail command shows that the server is flagged as insane, invalid. The root dispersion value is in excess of 1000 ms, which causes the Cisco IOS NTP implementation to reject the association. Routers that run Cisco IOS can be unable to synchronize to an NTP server if it is a Windows system that runs the W32Time service. If the server is not synchronized, the routers are not able to transmit to and receive packets from the server."

From a Windows machine, you can use the following command to check that the server is reachable and what time it reports. Note that net time reads the clock over SMB (the Windows remote time-of-day call), not over NTP on UDP/123, so a successful run only proves the server's clock is readable, not that the NTP service is answering; to confirm NTP itself, query the server with w32tm /stripchart /computer:YourServer /dataonly from a client, or check show ntp associations detail on a router.
NET TIME \\YourServer /SET /YES

C:\windows\system32>net time \\ /set /yes
Current time at \\ is 20/03/2019 2:42:45 PM

The command completed successfully.
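The Cisco text above blames root dispersion, a field carried in the header of every NTP reply, so a candidate server can be checked from any host before routers are pointed at it. The following is an added example, not code from the original post or from Meinberg: it decodes the 48-byte NTP header, applies the checks a full-NTP client such as IOS applies (server mode, leap indicator, stratum 1 to 15, root dispersion below the 1000 ms figure quoted above), and demonstrates them against two constructed replies. The 10.0.0.1 reference ID and the 10 s dispersion of the W32Time-like sample are made-up values; running the script with a hostname argument sends one real mode-3 query to UDP/123.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
ROOT_DISPERSION_LIMIT_MS = 1000.0             # figure quoted in the Cisco document above
NTP_HEADER = struct.Struct("!BBbbiIIQQQQ")    # 48-byte RFC 5905 header, no extensions


def parse_ntp_packet(data: bytes) -> dict:
    """Unpack an NTP header into named fields converted to real units."""
    if len(data) < NTP_HEADER.size:
        raise ValueError(f"NTP packet too short: {len(data)} bytes")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     _ref_ts, _orig_ts, _rx_ts, tx_ts) = NTP_HEADER.unpack_from(data)
    return {
        "leap": flags >> 6,                   # 3 = alarm: server clock unsynchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                  # 4 = server reply, 3 = client request
        "stratum": stratum,                   # 0 = kiss-o'-death, 16 = unsynchronized
        "poll": poll,
        "precision": precision,
        "root_delay_ms": root_delay / 65536 * 1000,       # signed 16.16 seconds
        "root_dispersion_ms": root_disp / 65536 * 1000,   # unsigned 16.16 seconds
        "ref_id": ref_id,
        "tx_time": tx_ts / 2 ** 32 - NTP_EPOCH_OFFSET,    # Unix seconds
    }


def ios_rejection_reasons(fields: dict) -> list:
    """List why a full-NTP client such as Cisco IOS would flag this server
    insane/invalid; an empty list means the reply looks acceptable."""
    reasons = []
    if fields["mode"] != 4:
        reasons.append(f"mode {fields['mode']} is not a server reply")
    if fields["leap"] == 3:
        reasons.append("leap indicator 3: server reports its clock unsynchronized")
    if not 1 <= fields["stratum"] <= 15:
        reasons.append(f"stratum {fields['stratum']} is outside 1..15")
    if fields["root_dispersion_ms"] >= ROOT_DISPERSION_LIMIT_MS:
        reasons.append(f"root dispersion {fields['root_dispersion_ms']:.0f} ms "
                       f"is not below {ROOT_DISPERSION_LIMIT_MS:.0f} ms")
    return reasons


def build_server_reply(stratum: int, root_disp_ms: float, leap: int = 0) -> bytes:
    """Construct a mode-4 reply with the given health, for offline testing.
    Constructed data, not a capture: 10.0.0.1 as reference ID and the other
    field values are made up."""
    now_ntp = int((time.time() + NTP_EPOCH_OFFSET) * 2 ** 32)
    flags = (leap << 6) | (4 << 3) | 4        # LI, version 4, mode 4 (server)
    return NTP_HEADER.pack(flags, stratum, 6, -20,
                           int(0.002 * 65536),                 # 2 ms root delay
                           int(root_disp_ms / 1000 * 65536),   # root dispersion
                           0x0A000001,                         # ref ID 10.0.0.1
                           now_ntp, 0, now_ntp, now_ntp)       # ref, orig, rx, tx


def query_server(host: str, timeout: float = 2.0) -> dict:
    """Send one mode-3 client request to UDP/123 and parse the reply."""
    request = bytearray(48)
    request[0] = (4 << 3) | 3                 # LI 0, version 4, mode 3 (client)
    struct.pack_into("!Q", request, 40,       # transmit timestamp
                     int((time.time() + NTP_EPOCH_OFFSET) * 2 ** 32))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(bytes(request), (host, 123))
        data, _ = sock.recvfrom(512)
    return parse_ntp_packet(data)


# Constructed samples: a healthy stratum-2 server, and a reply shaped like the
# W32Time behaviour the Cisco document describes (root dispersion far above 1 s).
HEALTHY_REPLY = build_server_reply(stratum=2, root_disp_ms=35.0)
W32TIME_LIKE_REPLY = build_server_reply(stratum=2, root_disp_ms=10000.0)

if __name__ == "__main__":
    import sys
    samples = {
        "healthy (constructed)": parse_ntp_packet(HEALTHY_REPLY),
        "W32Time-like (constructed)": parse_ntp_packet(W32TIME_LIKE_REPLY),
    }
    if len(sys.argv) > 1:                     # python ntpcheck.py <server> for a live query
        samples[sys.argv[1]] = query_server(sys.argv[1])
    for name, fields in samples.items():
        reasons = ios_rejection_reasons(fields)
        verdict = "OK" if not reasons else "REJECT: " + "; ".join(reasons)
        print(f"{name}: stratum {fields['stratum']}, "
              f"root dispersion {fields['root_dispersion_ms']:.1f} ms -> {verdict}")
```

Run it once against the Windows box before and after replacing W32Time with the Meinberg ntpd: the W32Time reply typically shows up with a dispersion of several seconds, the ntpd reply with tens of milliseconds, which is the difference the routers react to.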

Afroz Ahmad has a post on his blog showing how to set up Windows as an NTP server for Cisco devices. Basically, what you need is third-party NTP software: the Meinberg NTP package for Windows, which is a build of the reference ntpd and therefore a full NTP implementation rather than SNTP.

Download the Meinberg NTP package for Windows from Meinberg's site.

The installation procedure is quite straightforward. The installer asks which account the Network Time Protocol Daemon service should run under and offers to create a dedicated one for it.


Unfortunately, I ran into some small problems while trying to create a new account to run this service:


What I did was use an existing account in the Administrators group as the service account for the Network Time Protocol Daemon.

Another thing I want to mention is how to enable upstream time servers in the configuration file (C:\Program Files\NTP\etc\ntp.conf) after installation: remove the # sign in front of the server lines you want to use, and add one internal server from your environment, as in the following configuration. Restart the NTP service afterwards, as the file's own header says.
# NTP Network Time Protocol
# **** ATTENTION ****: *You have to restart the NTP service when you change this file to activate the changes*
# Configuration File created by Windows Binary Distribution Installer Rev.: 1.28  mbg
# please check for additional documentation and background information

# The following restrict statements prevent that someone can abuse NTP as a traffic amplification tool by
# ignoring mode 6 and mode 7 packets. Especially the monlist feature has a big potential to be abused for this.
# See for further information. 
restrict default nomodify notrap nopeer noquery
# But allow local tools like ntpq full access: 
# if you are not using IPv6 on this machine, please comment out the following line:
restrict -6 ::1

# Use drift file
driftfile "C:\Program Files\NTP\etc\ntp.drift"

# your local system clock, should be used as a backup
# (this is only useful if you need to distribute time no matter how good or bad it is)
# but it operates at a high stratum level to let the clients know and force them to
# use any other timesource they may have.
fudge stratum 12

# Use a NTP server from the ntp pool project (see
# Please note that you need at least four different servers to be at least protected against
# one falseticker. If you only rely on internet time, it is highly recommended to add
# additional servers here.
# The 'iburst' keyword speeds up initial synchronization, please check the documentation for more details!
 server iburst
 server iburst
 server iburst
 server iburst
 server iburst

# Use specific NTP servers
server iburst

# End of generated ntp.conf --- Please edit this to suit your needs
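As an added worked example (not the file from the original post or from Meinberg's installer), here is a complete ntp.conf that follows the structure above with the placeholders filled in: 127.127.1.0 is ntpd's local-clock pseudo address, the pool.ntp.org names are the public pool the comments refer to, and 192.0.2.10 and 192.0.2.0/24 are documentation addresses standing in for an internal time source and the router management subnet (change them to yours).

```conf
# C:\Program Files\NTP\etc\ntp.conf (example); restart the NTP service after editing

# Refuse control and monitoring queries (mode 6 and 7, including monlist) from
# everyone. Time service is unaffected: mode 3 client requests are still answered.
restrict default nomodify notrap nopeer noquery
# Local tools such as ntpq keep full access.
restrict 127.0.0.1
restrict -6 ::1
# Management subnet (example range) may read status with ntpq; not needed for time.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
# Also drop the MRU list that monlist reports from.
disable monitor

driftfile "C:\Program Files\NTP\etc\ntp.drift"

# Local clock as a last resort at a deliberately high stratum, so clients with
# any other source will prefer that source.
server 127.127.1.0
fudge 127.127.1.0 stratum 12

# At least four upstream sources so one falseticker can be outvoted.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Internal reference (example address), preferred while it is healthy.
server 192.0.2.10 iburst prefer
```

With this file the server still answers time requests from any address, which is what the routers need; if you want to serve only the router subnet, change the default line to restrict default ignore and add explicit restrict lines (without ignore) for that subnet and for every upstream server, otherwise the upstream replies are dropped too and the server falls back to its stratum 12 local clock.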

