Amy Babinchak’s ISA/SBS Series: How to Synchronize SBS2003 Premium with an External Time Source

Amy Babinchak’s ISA/SBS Series:
How to Synchronize SBS2003 Premium with an External Time Source
by
Amy Babinchak

 
 Harbor Computer Services
 Small Business Computer Specialists
 Office (248) 546-6056
 Mobile (248) 890-1794








Got Questions?
Discuss this article at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014031

Typically the need time synchronization is between your SBS server and the workstations. But, what happens when you need your SBS server to sync it’s time with an external time source? In this article we’ll show you how to configure SBS2003 Premium and ISA 2000 to synchronize with a public time server and provide the time for your workstations.

When working with Small Business Server we need to keep in mind all of things that SBS is. For this project we need to know that the Windows 2003 component of SBS2003 is the AD Forest Root and SBS2003 is also running ISA2000.

To begin, make sure the Windows Time service is running on your SBS server. To do this, open Server Management and in the right pane click Monitoring and Reporting. Next click the Services link. This will open up a new window called Services. Scroll down to the Windows Time service. Right click on the Windows Time service and select Properties. The Windows Time Properties dialog box will open. (fig. 1) Click the drop down Menu for Startup Type and select Automatic from the list. If the server is not already started, click the Start button to start the service. Click OK to close the Windows Time Properties dialog box. Close the Services window.

Figure 1


Now that the time service is running, the next step is to configure an ISA packet filter to allow the NTP packets through. To do this click on Start, Programs, Microsoft ISA Server and open the ISA Management console. Expand Servers and Arrays, <your server>, and Access Policy. Then click on the IP Packet Filters folder. In the right hand pane scroll down until you see the SBS NTP 123 Out CustomFilter item. Right click on this filter and choose Properties. The SBS NTP 123 Out CustomFilter Properties box will open. (fig. 2) Click on the Filter Type tab and make sure that your settings match those below in figure 2. Click OK to save your change and close the Properties box.

Figure 2:


Now we need to make sure that we have a corresponding Protocol Definition. To do this expand Policy Elements and click the Protocol Definitions folder. In the right hand pane scroll down to NTP (UDP). Right click on the NTP (UDP) protocol definition and select Properties. The NTP (UDP) Properties box will open. Check to make sure that you setting match those of Figure 3.

Figure 3:


Click OK to exit the NTP (UDP) Properties box and save your changes.

Close the ISA Server Manager console.

Your time service is now working but it doesn’t yet know where to find a public time server with which to synchronize. To determine which time server you would like to synchronize with, look on the Internet for free public time servers.

Microsoft Knowledgebase Article 262680 Titled: A List of the Simple Network Time Protocol Time Servers That Are Available on the Internet will be handy here. The KB article doesn’t explain it very well, but you will want to select a Level 1 time server because your SBS server will be providing time services for your entire domain. Selecting one close to you and notifying them that you will be synchronizing with their server is good practice. Additional information on publicly available time servers, how they operate and information on how to get permission to sync with them is available here: http://www.eecis.udel.edu/~mills/ntp/servers.html Scroll down to the bottom of the page for a listing of available Level 1 servers. When you have selected a time server make note of the IP address and name of the server (FQDN).

Now open Regedit. (usual disclaimer here – backup the registry, making mistakes in here can really mess up your server, don’t take my word for what you are about to do, be sure to verify what is written here with the Microsoft KB that it references.)

Have handy Microsoft Knowledgebase Article 816042 titled How to configure the Windows Time service on a Windows Server 2003-based forest root PDC master computer. Although the article doesn’t reference SBS in its list of products that this article applies to, it should. Scroll down to the section titled: Configuring the Windows Time service to use an external time source and follow this through item 7. Item 7 should read Quit Registry Editor. The relevant section of the article is below for your reference. Note that in step 4 that here you can enter either the IP address of the time server or the DNS name. I prefer to use the IP address because I’ve found the DNS name to be unreliable.

Configuring the Windows Time service to use an external time source

To configure an internal time server to synchronize with an external time source, follow these steps:


1. Change the server type to NTP. To do this, follow these steps:


a. Click Start, click Run, type regedit, and then click OK.

b. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

c. In the right pane, right-click Type, and then click Modify.

d. In Edit Value, type NTP in the Value data box, and then click OK.

2. Set AnnounceFlags to 5. To do this, follow these steps:


a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

b. In the right pane, right-click AnnounceFlags, and then click Modify.

c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.

3. Enable NTPServer. To do this, follow these steps:


a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled

b. In the right pane, right-click Enabled, and then click Modify.

c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.

4. Specify the time sources. To do this, follow these steps:


a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

b. In the right pane, right-click NtpServer, and then click Modify.

c. In Edit Value, type Peers in the Value data box, and then click OK.

Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.

5. Select the poll interval. To do this, follow these steps:


a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

b. In the right pane, right-click SpecialPollInterval, and then click Modify.

c. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 384. This value configures the Time Server to poll every 15 minutes.

6. Configure the time correction settings. To do this, follow these steps:


a. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

b. In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.

c. In Edit DWORD Value, select Decimal in the Base box.

d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

e. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

f. In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.

g. In Edit DWORD Value, select Decimal in the Basebox.

h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

7. Quit Registry Editor.

Almost done. The only step left is to restart the Windows Time service. Once you have restarted the Windows Time service you should see the following happy time service events in the System Event log.

And

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014031 and post a message.

If you would like us to email you when Amy Babinchak releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top