Home / server / Questions / 848520
Accepted
Rowan Hawkins
Asked: 2017-05-06 10:00:42 +0800 CST

How to Configure Server 2008r2 as a NTP server when it is neither on a domain or a DC

  • 772

Here is the setup: We have Windows Server 2008R2 servers at customer sites. For separation of trust reasons, those machines are not members of the Customers Domain. They are also not acting as a Domain host themselves, they are strictly stand alone instances. This setup can't be changed.

Windows Servers attached to the customer network receive NTP updates through "w32tm". These servers are also attached to a private Stub network with additional machines not on the customer network. I would like to provide NTP service to hosts on the stub to provide better log synchronization.

All of the documentation I can find online seems to assume that the Windows Servers are Domain Controllers.

I only want to provide the NTP Server service to the stub network if possible. It shouldn't be reachable from the customer network.

What is the best way to setup?

windows-server-2008-r2

3 Answers

  1. Best Answer

    NTP Server is not a role of a Domain Controller and not even a feature of Windows Server alone.

    Windows Time Service (w32time) has both client and server built-in on every Windows computer. The server side is disabled by default and automatically enabled on Windows Server during dcpromo.

    The server state is controlled via registry key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

    Just Run cmd as Administrator and use commands:

    reg add HKLM\system\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer \
    /v Enabled /t REG_DWORD /d 0x1 /f
w32tm /config /update

    You'll instantly have a NTPv3 compliant Time Server on your Windows machine.

    • 1

  2. If you use a time server on the client network for time updates, you won't be able to block NTP service from being accessible from that machine as NTP is a bidirectional protocol using port 123/udp.

    If you want to block any machine on the client network from accessing the NTP service on your server, you'll have to choose an external time server; e.g. uk.pool.ntp.org and configure the server firewall to block all access to port 123/udp from the client network.

    (This would have been a comment on PaterSiul's answer, but my rep isn't high enough to comment!)

    • 1

  3. Try techrepublic or, for a bit more detail, this Microsoft blog post.

    Update: Esa Jokinen has the main part of my links in his answer.

    To answer the second part, which I first missed: I don't know of a way to restrict windows time service to an interface or an ip range directly. I'd solve that with a firewall rule:

    netsh advfirewall firewall add rule name="NTP" dir=in action=allow protocol=UDP localport=123 remoteip=157.60.0.1,172.16.0.0/16 enable=yes

    "remoteip=157.60.0.1,172.16.0.0/16" is just an example, the rest should work for what you wish, assuming you didn't change the default policy from blocking to accept.

    • 0