Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FreeBSD use the packet-switched, variable-latency data networks, computer systems, clock synchronization, network time protocol (NTP). NTP uses UDP port 123. If you have a computer or a single server, then you can easily synchronize with other NTP server time. All you need is an NTP client called ntpdate This is good. It uses to set the date and time of the NTP server.

[quote="wnbv85"]hi
I have a question concerning AD Time sync. We block NTP on our firewalls so
our main DC cannot get out to a tick and tock server to grab time. At this
point we are getting some w32time warnings (Event ID: 31) in our system
logs. We are debating two options one is to open NTP on our firewalls. 2 to
use a 3rd party app to go grab time from a server over http then point our
main dc to that machine for ntp. My question is has anyone used anything
third party apps for that and if not does any one have any best practices
for time sync? I do understand how important time sync is in AD for
replication purposes so any help would be appreciated...[/quote]

Hi wnbv85,

Some firewalls can be set up to act as ntp servers for your network. For example, Juniper SRX firewalls:
[code]
user@host# set system ntp server 78.46.194.186 version 4 prefer
user@host# set system ntp server 88.198.34.114 version 4
[/code]
I'm sure Cisco supports it, too.

Or if you're using FreeBSD/PF or Linux, it's very simple to set it up on your firewall.

hi
I have a question concerning AD Time sync. We block NTP on our firewalls so
our main DC cannot get out to a tick and tock server to grab time. At this
point we are getting some w32time warnings (Event ID: 31) in our system
logs. We are debating two options one is to open NTP on our firewalls. 2 to
use a 3rd party app to go grab time from a server over http then point our
main dc to that machine for ntp. My question is has anyone used anything
third party apps for that and if not does any one have any best practices
for time sync? I do understand how important time sync is in AD for
replication purposes so any help would be appreciated...

Indication of the character to the left of the host:
[quote]<sp> discarded due to high stratum and/or failed sanity checks;
"x" designated falsticker by the intersection algorithm;
"." culled from the end of the candidate list;
"-" discarded by the clustering algorithm;
"+" included in the final selection set;
"#" selected for synchronization but distance exceeds maximum;
"*" selected for synchronization;
and
"o" selected for synchronization, PPS signal in use.[/quote]

Giving that a system has [i]ntpd[/i] up&running, [i]ntpq[/i] utility can be used to check system time synchronization:
[code]# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
+80.96.120.251 .PPS. 1 u 984 1024 377 10.723 -0.909 1.437
+80.96.120.252 .PPS. 1 u 851 1024 377 10.800 -0.503 0.476
*80.96.120.253 .PPS. 1 u 1019 1024 377 10.611 -0.698 0.669
[/code]

Man ntpq quote:
[quote]
NTPQ(8) FreeBSD System Manager's Manual NTPQ(8)

NAME
ntpq -- standard NTP query program

SYNOPSIS
ntpq [-inp] [-c command] [host] [...]

DESCRIPTION
The ntpq utility is used to monitor NTP daemon ntpd(8) operations and
determine performance. It uses the standard NTP mode 6 control message
formats defined in Appendix B of the NTPv3 specification RFC1305. The
same formats are used in NTPv4, although some of the variables have
changed and new ones added. The description on this page is for the
NTPv4 variables.
...
-n Output all host addresses in dotted-quad numeric format rather
than converting to the canonical host names.

-p Print a list of the peers known to the server as well as a sum-
mary of their state. This is equivalent to the peers interactive
command.

[/quote]