Tag Archives: ntp


Configuring Windows 2008 As An NTP Server

When you’re configuring a Mac to leverage an existing Windows infrastructure, having the clocks in sync is an important task. Luckily, Windows Server has been able to act as an NTP server for a long time. In this article, we’ll look at configuring Server 2008 R2 to be an NTP server for Mac and Linux clients.

Note: Before you get started, or any time you’re hacking around in the registry, make sure to do a backup of your registry/SystemState!

To enable NTP on Windows Server, open your favorite registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer. From here, create a DWORD value called Enabled with a value of 00000001.

The NTP server should look upstream at another NTP host. To configure this, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient and create Enabled as a DWORD with a value of 00000001 and SpecialPollInterval (also a DWORD, holding the poll interval in seconds) with a value of 300 (0x12c):

"Enabled"=dword:00000001
"SpecialPollInterval"=dword:0000012c

NTP then needs a source, so let's create that in the registry as well. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters and set the Type key to contain NTP, the Period key to contain freq and the NtpServer key to contain the IP address of the upstream server followed by ,0x1 (the flag that tells w32time to poll that peer at SpecialPollInterval), as follows (assuming an IP of 10.0.0.8 for the upstream NTP server):

"NtpServer"="10.0.0.8,0x1"
"Type"="NTP"
"Period"="freq"

The W32Time service doesn't start unless your system is on a domain (and should be restarted if the system is already running as a DC). To start the service automatically whenever the network comes up (if needed), use the sc command:

sc triggerinfo w32time start/networkon stop/networkoff

Windows systems can also use this NTP server. The client side is the same set of values shown above: Enabled and SpecialPollInterval under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient, and NtpServer, Type and Period under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters, with NtpServer pointing at the server the client should sync from (followed by ,0x1).

Finally, you can use w32tm directly to query the configured peers and verify that the clock hasn't skewed:

w32tm /query /peers

Voilà, you've now achieved what could be done using a checkbox on an OS X Server. Hope you've enjoyed noodling around in the registry!


Configuring Time In OS X Mountain Lion & OS X Mountain Lion Server

Time is a very important aspect of OS X Server, as it has been since the early days. Time is so important that if you see network time server, NTP or 5 minutes as the answer on an Apple exam, you should just pick that one, as it's invariably correct. The traditional way to configure time zones and Network Time Servers is the systemsetup command. Before you set a time zone, use the -listtimezones option in systemsetup to see a list of all available time zones:

sudo systemsetup -listtimezones

To set the time zone, pick one and use the -settimezone option in systemsetup:

sudo systemsetup -settimezone "America/Chicago"

To check the current time, then run -gettime:

sudo systemsetup -gettime

The -settime option can then be used to set the time, although it's invariably better to set the time automatically from a network time protocol (NTP) server, using the -setnetworktimeserver option:

sudo systemsetup -setnetworktimeserver time.krypted.com

You then need to turn network time on, using the -setusingnetworktime option with a value of on:

sudo systemsetup -setusingnetworktime on

Now let’s look at a different way to do this. Run the following, in OS X Server:

sudo serveradmin settings info:timeZone = "America/New_York"

That shouldn’t work. Now ya’ know, OS X Server isn’t fully matured yet, so they’ll get around to it… But what does work is setting the NTP server and enabling NTP services. To enable NTP:

sudo serveradmin settings info:ntpTimeServe = yes

To set the NTP server:

sudo serveradmin settings info:ntpServerName = "time.krypted.com"

Note: The NTP server must be accessible when set.


NTP, OS X, Windows, Cisco and You

At this point, most Mac admins know how to enable ntp on a Mac OS X Server and point clients at the server. Most Mac admins also know how to use managed preferences to set ntp as well. We all know that time is pretty important and most are using ntp at this point.

Network time should, almost by definition, be continuous, which allows ntpd in Mac OS X to update clocks in small increments. Making corrections with little overhead or impact to the system is what makes ntp an inexpensive method for managing clocks. But ntp is also built to keep things running smoothly even when there are a lot of corrections. When a lot of corrections are made by ntp, these are tracked and can be seen using the ntpdc command. ntpdc is used to view and set the state of the ntp daemon and is interactive. To enter the interactive environment, simply type ntpdc at a terminal prompt:

ntpdc

Once you are in the ntpdc interactive environment you will need to use one of the many verbs provided by ntpdc. One such verb is loopinfo, used to “display loop filter information:”

ntpdc> loopinfo

offset: 0.017866 s
frequency: -499.996 ppm
poll adjust: 13
watchdog timer: 209 s

The above output has four items of interest:

  • Offset: how far the client's clock is from the server's (some drift is natural, so an offset of all zeros usually means the server is unreachable).
  • Frequency: the frequency correction, in parts per million, being applied to the kernel clock to compensate for the drift of the local oscillator.
  • Poll adjust: used to increase or decrease the polling interval. The range is -30 to 30; 13 is an increase of 13 seconds, whereas -30 would represent a decrease of 30 seconds.
  • Watchdog timer: the time since the last update to the system clock.

Note: To make it easier to parse, you can run loopinfo with the oneline option, which places the output on a single comma-separated line.

There are other verbs as well, which allow you to add servers (addserver), show peers (showpeer), set the password used for privileged requests (passwd), see various statistics (sysstats, sysinfo, stats, instates, ctlstats, clockstat, iostats) and set encryption keys (keyid, trustedkey, untrustedkey, etc). There's a pretty good bit you can do with these verbs; just run help to see a full list of supported verbs (my favorite verb other than loopinfo is fudge).

You can also check ntp information on the fly using the ntpq command. Here, ntpq -p will show you the name, IP address and other information live:

ntpq -p

Returns:

remote refid st t when poll reach delay offset jitter
==============================================================================
*time.apple.com 17.72.133.55 2 u 181m 512 376 32.169 17.084 0.315
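To turn the two outputs in this post (the ntpdc loopinfo block above and the ntpq -p listing just shown) into something a monitoring job can act on, here is an added Python example that is not from the original post. It parses both formats from constructed samples (the post's own lines plus a made-up, never-reached peer named ntp.example.net), flags a missing system peer, zero or incomplete reach, an unsynchronised stratum-16 peer and excessive offset, and checks the loop offset against the five-minute Kerberos skew limit. The 500 ms offset threshold is an assumption; pick one that suits your environment.

```python
import re

# Constructed sample of `ntpq -p` output: the first peer line is the one shown in
# the post; the second is a made-up, never-reached peer added to exercise the checks.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.apple.com  17.72.133.55     2 u  181m  512  376   32.169   17.084   0.315
 ntp.example.net .INIT.          16 u     -   64    0    0.000    0.000   0.000
"""

# The multi-line `ntpdc> loopinfo` output from the post, reused as a constructed sample.
SAMPLE_LOOPINFO = """\
offset:               0.017866 s
frequency:            -499.996 ppm
poll adjust:          13
watchdog timer:       209 s
"""


def parse_ntpq_peers(text):
    """Turn `ntpq -p` output into a list of peer dicts. The tally character in
    column one says how ntpd is using the peer; '*' marks the selected system peer."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or stripped.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # not a peer line
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": tally,
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),  # octal shift register of the last eight polls
            "delay_ms": float(delay),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def check_sync(peers, max_offset_ms=500.0):
    """Return (severity, message) findings; an empty list means the host looks synced."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append(("critical", "no system peer selected; the clock is free-running"))
    for p in peers:
        if p["reach"] == 0:
            findings.append(("warning", f"{p['remote']}: unreachable (reach 0)"))
        elif p["reach"] != 0o377:
            findings.append(("info", f"{p['remote']}: missed polls (reach {p['reach']:o})"))
        if p["stratum"] >= 16:
            findings.append(("warning", f"{p['remote']}: stratum 16, peer itself is unsynchronised"))
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(("critical", f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms"))
    return findings


def parse_loopinfo(text):
    """Parse the multi-line loopinfo form into floats keyed by field name."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?):\s*(-?\d+(?:\.\d+)?)", line)
        if m:
            info[m.group(1).strip().replace(" ", "_")] = float(m.group(2))
    return info


def within_kerberos_skew(loopinfo, limit_s=300.0):
    """Kerberos rejects tickets when clocks differ by more than its skew limit (five
    minutes by default), so the loop offset in seconds is the number that matters."""
    return abs(loopinfo["offset"]) < limit_s


if __name__ == "__main__":
    peers = parse_ntpq_peers(SAMPLE_NTPQ)
    for severity, message in check_sync(peers):
        print(f"[{severity}] {message}")
    loop = parse_loopinfo(SAMPLE_LOOPINFO)
    print("kerberos-safe offset:", within_kerberos_skew(loop))
```

In practice you would feed the functions the real output of `ntpq -p` and `ntpdc -c loopinfo` and alert on any critical finding; the reach register is the quickest tell for a server that has quietly gone away, since the offset column keeps showing the last good value.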

Windows clients in Active Directory domains automatically get time from domain controllers. If a client is instead part of an Open Directory or SMB-based domain, you can add an NTP server by clicking the clock in the system tray (bottom right corner of the Windows screen). Click Internet Time, check Automatically synchronize with an Internet time server, enter the name or IP of the ntp server and click Update Now. When finished, you'll see a note that your time has been successfully synchronized.

For clients other than Windows it makes little sense to set ntp settings with a GPO, given that systems not in Active Directory won't use them, and most environments without a directory service are pretty small. But this isn't to say that you won't want to deploy these settings en masse. Much as you can use the /etc/ntp.conf file or the systemsetup -setnetworktimeserver command to configure a time server in Mac OS X, you can use the registry to do so in Windows, and anything you can configure in the registry you can set programmatically with regedit or regedt32.

If you choose to, the keys are in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (most notably the NtpServer key), or you can use w32tm with the /config option. Once configured, force a resync against the time server to test:

w32tm /resync /rediscover

Mac OS X and Windows can use an ntp-based server, but given that ntp is so widely used, what else? Using ntp with network appliances helps authentication protocols work and makes it possible to correlate events across log files from different devices. So, how about a Cisco IOS device? SSH into one and let's get started. First, run the enable command and provide the enable password:

enable

Then, go into config mode:

config t

Now we'll use the ntp command with update-calendar to tell IOS to update the hardware clock (the calendar) from the software clock:

ntp update-calendar

Then we’ll specify our ntp server(s):

ntp server 10.0.0.88

Note: Just run the ntp server command twice if you want to specify a second ntp server.

Then exit config mode:

exit

And write your new settings into memory:

wr mem


Install ntpd in Ubuntu Server 10

I’m sure you’re getting tired of seeing me regurgitate apt-get commands, but here’s another:

apt-get install ntp

This will install ntpd. Then a quick update to /etc/ntp.conf to configure who you get your updates from (I still like time.apple.com) and you’re now an ntp server. Once changed, restart the daemon:

/etc/init.d/ntp restart

Then, use ntpq to check your time against the server:

ntpq -np

Lucky us, ntp is easy, but we’re gonna’ need it for Kerberos now aren’t we…


DHCP Leases Expanded

DHCP provides IP addresses to clients. DHCP is critical to a number of Mac OS X Server technologies, most notably NetBoot. The exchange comprises four steps: Discovery, Offer, Acceptance and Acknowledgment. In the Discovery step, a computer that needs an IP address sends a broadcast request to the local network. These broadcasts normally stay local, although most routers can be configured as a DHCP relay so that the UDP request is forwarded on to other subnets. The request also includes all of the options that the client will need, an option being anything beyond an IP address, each identified by a number per this list (defined in various RFCs).

In the second step, any DHCP servers that received the request issue an offer, which includes a number of DHCP options, such as a subnet mask (option 1), a gateway (option 3), DNS servers (option 6), the amount of time a lease is valid for (option 51) and the IP of the DHCP server making the offer (option 54). WINS, for example, is two options, 44 and 46 (server and node type respectively), that can be provided to clients, as is LDAP (option 95). Available options are determined based on any reservations that may have been defined: if an IP address has been reserved for a specific MAC address, then the IP offered will always be the reserved one.

Because environments can have multiple DHCP servers, the Transaction ID determines which offer to accept. The servers that issued an offer hold the offered IP address until they see the response that another offer is being accepted, and then return it to their pool of available addresses. In step 3, Acceptance, the DHCP client notifies the server whose lease it accepts in the form of a DHCP Request, which also tells the other servers that their offers are being passed on. The Acceptance is actually a request for the IP address being held for the MAC address in question.

Based on the Acceptance, the server sends an acknowledgement back to the client confirming that it indeed has the IP address, along with all of the pertinent options it requested. All of this typically happens in under a second, so you plug in your computer and it gets an IP address; unless you're running Wireshark to look at what's happening behind the scenes, you typically just assume that's all there is to it... The most powerful part of DHCP, though, is the options, which shows that great thought was given to the protocol when it was conceived. These extensions provide for anything from NTP servers to SMTP servers, provided that both the client and the server support the option in question.
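The four-step exchange and the option numbers above are easiest to see by decoding an options field. The following Python parser is an added example, not part of the original post: it walks the TLV option list of a constructed DHCPOFFER (made-up 10.0.0.x addresses, not a capture), decodes the option numbers named in the post plus option 42 (NTP servers) and option 53 (message type) from RFC 2132, rejects truncated or unterminated option lists, and includes an allow-list check for the NTP servers an offer hands out, since nothing in DHCP authenticates the server that answered the broadcast.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field

# Option numbers named in the post, plus 42 (NTP servers) and 53 (message type),
# which are standard RFC 2132 options not mentioned on the page.
OPTION_NAMES = {1: "subnet_mask", 3: "routers", 6: "dns_servers", 42: "ntp_servers",
                44: "wins_servers", 46: "wins_node_type", 51: "lease_time",
                53: "message_type", 54: "server_id", 95: "ldap_servers"}
IP_LIST_OPTIONS = {3, 6, 42, 44, 54}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def decode_option(code, value):
    """Decode the raw bytes of one option into a Python value."""
    if code == 1:
        return str(ipaddress.IPv4Address(value))  # raises ValueError unless 4 bytes
    if code in IP_LIST_OPTIONS:
        if len(value) % 4:
            raise ValueError(f"option {code}: length {len(value)} is not a multiple of 4")
        return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]
    if code == 51:
        if len(value) != 4:
            raise ValueError("option 51: lease time must be 4 bytes")
        return struct.unpack("!I", value)[0]  # seconds
    if code in (46, 53):
        if len(value) != 1:
            raise ValueError(f"option {code}: expected 1 byte")
        return MESSAGE_TYPES.get(value[0], value[0]) if code == 53 else value[0]
    return value  # options we do not decode stay raw


def parse_dhcp_options(payload):
    """Walk the TLV option list that follows the magic cookie; returns {code: value}.
    Bounds are checked on every step because this data arrives unauthenticated
    from whichever host answered the broadcast."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END
            return options
        if code == 0:              # PAD, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError(f"option {code}: truncated header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared {length} bytes, got {len(value)}")
        options[code] = decode_option(code, value)
        i += 2 + length
    raise ValueError("option list has no END marker")


def unexpected_ntp_servers(options, allowed):
    """Defensive check: any NTP server offered via option 42 that is not on the
    allow-list, since a rogue DHCP server could steer clients to a bad clock."""
    return [ip for ip in options.get(42, []) if ip not in allowed]


def _opt(code, value):
    return bytes([code, len(value)]) + value


def _ips(*addrs):
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


# Constructed DHCPOFFER options field (not a real capture), using the post's
# option numbers and made-up 10.0.0.x addresses.
SAMPLE_OFFER = (MAGIC_COOKIE
                + _opt(53, b"\x02")                      # message type: OFFER
                + _opt(1, _ips("255.255.255.0"))          # subnet mask
                + _opt(3, _ips("10.0.0.1"))               # gateway
                + _opt(6, _ips("10.0.0.2", "10.0.0.3"))   # DNS servers
                + _opt(42, _ips("10.0.0.8"))              # NTP server
                + _opt(51, struct.pack("!I", 86400))      # one-day lease
                + _opt(54, _ips("10.0.0.1"))              # server identifier
                + b"\x00"                                 # a PAD byte
                + b"\xff")                                # END


if __name__ == "__main__":
    for code, value in parse_dhcp_options(SAMPLE_OFFER).items():
        print(f"option {code:3d} {OPTION_NAMES.get(code, '?'):15s} {value}")
```

The parser deliberately returns raw bytes for options it does not understand rather than guessing at a type, and the allow-list check is where a client that honours option 42 should decide whether to trust what the network told it.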


Automating NTP Setup on Mac OS X

The two primary aspects of time setup are typically setting the time zone and setting the Network Time Protocol (NTP) server.  The systemsetup command can be used to set both of these date and time options for Mac OS X computers.  To see a listing of the available time zones in Mac OS X use the systemsetup with the -listtimezones option as follows:

systemsetup -listtimezones

Once you have the time zones you can then use systemsetup with the -settimezone option to configure the time zone on your system.  It is often easiest to simply paste the time zone into the command.  So to set the time zone to Detroit for example, you would use the following command:

systemsetup -settimezone America/Detroit

Once the time zone has been set, you'll need to set up the time server. Prior to setting an NTP server, first enable network time. This is done using the systemsetup command with the -setusingnetworktime option followed by on or off (according to whether it is being enabled or disabled, in this case enabled):

systemsetup -setusingnetworktime on

Next, set the actual NTP server. To set an NTP server use the -setnetworktimeserver option with systemsetup, followed by the name or IP address of the server. For example, to set the NTP server to ntp.krypted.com you would use the following command:

systemsetup -setnetworktimeserver ntp.krypted.com

Finally, verify that the time is correct. To do so you can use the date command, or you can use the systemsetup command with the -gettime option as follows:

systemsetup -gettime

If you're not using an NTP server then you'll need to use the -settime and -setdate options to set the time and date respectively with systemsetup. The fields of each are separated by a : character. The date is set using mm:dd:yy, so to set the date to July 12th, 2009 use the following command:

systemsetup -setdate 07:12:09

To then set the time to 11:30pm with no seconds, give the time as hh:mm:ss on a 24-hour clock:

systemsetup -settime 23:30:00
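Putting the steps above into a script, as an added example that is not from the original post: the Python below builds the systemsetup call sequence in the order described (zone, enable network time, set the server, verify), validates the time zone against the list from -listtimezones so that a truncated paste fails loudly instead of leaving the old zone in place, checks the mm:dd:yy and 24-hour hh:mm:ss formats for the manual path, and can render the commands as a dry run. The sample zone list is a constructed subset; running it for real needs macOS and root, and ntp.krypted.com is the post's example server.

```python
import re
import subprocess

# Constructed subset of `systemsetup -listtimezones` output; in real use feed in
# the live listing via list_time_zones().
SAMPLE_ZONES = """\
Time Zones:
 America/Chicago
 America/Detroit
 America/New_York
 Europe/London
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
DATE_RE = re.compile(r"^(0[1-9]|1[0-2]):(0[1-9]|[12][0-9]|3[01]):[0-9]{2}$")  # mm:dd:yy
TIME_RE = re.compile(r"^([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$")          # hh:mm:ss, 24-hour


def parse_time_zones(listing):
    """Set of zone names from `systemsetup -listtimezones` output (first line is a header)."""
    return {line.strip() for line in listing.splitlines()[1:] if line.strip()}


def list_time_zones():
    """Live listing; only works on macOS, run as root."""
    proc = subprocess.run(["systemsetup", "-listtimezones"], check=True,
                          capture_output=True, text=True)
    return parse_time_zones(proc.stdout)


def plan_network_time(zone, server, zones):
    """Ordered systemsetup calls for an NTP-synced machine. The zone is checked
    against the real list so a truncated paste (e.g. 'America/Detroi') fails
    here instead of silently leaving the old zone in place."""
    if zone not in zones:
        raise ValueError(f"unknown time zone {zone!r}")
    if not HOSTNAME_RE.match(server):
        raise ValueError(f"invalid NTP server name {server!r}")
    return [
        ["systemsetup", "-settimezone", zone],
        ["systemsetup", "-setusingnetworktime", "on"],   # enable before naming a server
        ["systemsetup", "-setnetworktimeserver", server],
        ["systemsetup", "-gettime"],                     # verification step
    ]


def plan_manual_time(zone, date_mmddyy, time_hhmmss, zones):
    """Same idea for a machine with no reachable NTP server: validate the
    mm:dd:yy and 24-hour hh:mm:ss formats that -setdate/-settime expect."""
    if zone not in zones:
        raise ValueError(f"unknown time zone {zone!r}")
    if not DATE_RE.match(date_mmddyy):
        raise ValueError(f"date must be mm:dd:yy, got {date_mmddyy!r}")
    if not TIME_RE.match(time_hhmmss):
        raise ValueError(f"time must be 24-hour hh:mm:ss, got {time_hhmmss!r}")
    return [
        ["systemsetup", "-settimezone", zone],
        ["systemsetup", "-setusingnetworktime", "off"],
        ["systemsetup", "-setdate", date_mmddyy],
        ["systemsetup", "-settime", time_hhmmss],
    ]


def run_plan(plan, dry_run=True):
    """Execute (or, with dry_run, just render) each command; returns one string per step."""
    results = []
    for argv in plan:
        if dry_run:
            results.append(" ".join(argv))
        else:
            proc = subprocess.run(argv, check=True, capture_output=True, text=True)
            results.append(proc.stdout.strip())
    return results


if __name__ == "__main__":
    zones = parse_time_zones(SAMPLE_ZONES)
    for line in run_plan(plan_network_time("America/Detroit", "ntp.krypted.com", zones)):
        print(line)
```

On a real machine, swap `parse_time_zones(SAMPLE_ZONES)` for `list_time_zones()` and call `run_plan(plan, dry_run=False)` as root; keeping the validation separate from execution is what makes the script safe to hand to a deployment tool.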

NetApp Failovers

Each controller of a NetApp FAS will typically have two network interfaces. Provided I have two storage controllers (and I usually do), I typically prefer to set up a NetApp in an automated failover scenario. A NetApp active/active configuration consists of two storage nodes whose controllers are connected to each other either directly or through switches. The nodes are connected through a cluster adapter or an NVRAM adapter, which allows one node to serve data from the disks of its failed partner node. Each node continually monitors its partner, and each mirrors the other's nonvolatile RAM (NVRAM).

Before configuring the filers for an active/active clustered failover, first verify that the dates are in sync between the nodes using the date command. If they are not, configure NTP using the options command. For example, the following uses time.apple.com as an NTP host and 192.168.55.98 as another, setting the timed.servers option:

options timed.servers time.apple.com,192.168.55.98

Other timed options include timed.sched, which sets the schedule for when times are updated in the case of time skews. There is also timed.proto, which allows you to use ntp or rtc.

Once verified, move on to setting up the cf engine. When configuring clustering on the filers, you use the cf command. The following command shows the configuration as well as the status of the cf engine:

cf status

Provided that cf is currently disabled, the following command will go ahead and enable it:

cf enable

In order to initiate a failover event you can use the following command (or start unplugging some cables;):

cf takeover

If you are testing by unplugging cables then it is worth mentioning that the takeover and giveback processes are initiated after 30 seconds of not hearing from the partner interface. Older releases of the firmware can require an additional 45 seconds to complete the takeover/giveback. If you see an error that an interface “cannot be configured: address does not match any partner interface” then you might have a problem with the IP configuration of one of the controllers, for example a missing partner IP address. The easiest way to remedy that is to simply rerun the setup command and zip through the wizard, defining the partner IP in the process.

Once a failover event occurs you can fail the controllers back to the original configuration using the cf command with the giveback option, as follows:

cf giveback

At some point you may choose to turn off clustering, to do so use the following command:

cf disable