[154311] in North American Network Operators' Group


Re: [c-nsp] NTP Servers

daemon@ATHENA.MIT.EDU (PC)
Sun Jul 1 15:04:06 2012

In-Reply-To: <CAAAwwbUJVX0jY0ZOSwQTcqaZB6-ihvr13CaL0fnTwsKZdMFbxA@mail.gmail.com>
Date: Sun, 1 Jul 2012 13:03:13 -0600
From: PC <paul4004@gmail.com>
To: Jimmy Hess <mysidia@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Many folks have more than just Windows desktop PCs syncing their time.

If your application requires sub-5 second accuracy (such as end of a
banking day), then Windows NTP is unsuitable for the purpose.

If your only objective is to sync the times on a bunch of user laptops so
they can get Kerberos tickets within the 5 minute tolerance, it works fine.

For me, even a few seconds apart can be frustrating for comparing log files
between busy devices.

Your reason would be whether or not you fall inside or outside the
Microsoft guidelines below:

From Microsoft:

http://support.microsoft.com/kb/939322

We do not guarantee and we do not support the accuracy of the W32Time
service between nodes on a network. The W32Time service is not a
full-featured NTP solution that meets time-sensitive application needs. The
W32Time service is primarily designed to do the following:

   - Make the Kerberos version 5 authentication protocol work.
   - Provide loose sync time for client computers.

The W32Time service cannot reliably maintain sync time to the range of 1 to
2 seconds. Such tolerances are outside the design specification of the
W32Time service.


On Sat, Jun 30, 2012 at 5:23 PM, Jimmy Hess <mysidia@gmail.com> wrote:

> On 6/30/12, Grant Ridder <shortdudey123@gmail.com> wrote:
> > I don't understand why anyone would use Windows Server for anything that
> > needed precision like time.
>
> Probably because they realize that in a Windows domain, their domain
> controllers already provide an SNTP service with the Windows NT PDC
> Emulator providing authoritative time for Windows Time service, and
> all those Windows servers can be enabled as an NTP server with a small
> configuration change, and Windows Domain clients are required to
> be synchronized with this using the Windows Time service, as a
> condition for Kerberos authentication and domain logon, for the
> configuration to be a supported one.
>
> So, given you already have those capabilities and those constraints...
> how do you justify deploying another server for providing a separate
> time service, running a new OS, instead of just using the same one
> for all hosts?
>
> In many cases it's not "Why use a Windows time server" that has to
> be justified;
> the burden of proof is to answer the question "What can you say that
> indicates you should definitely not use a Windows time server for the
> application?"   :)
>
> --
> -JH
>
>
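
The tolerances discussed in this message, as an added example that is not part of the original thread: the standard NTP offset and delay calculation applied to one server reply, with the result checked against the 5 minute Kerberos tolerance, the sub-5 second requirement and the 1 to 2 second figure from the Microsoft text. All function names are hypothetical and the packet and timestamps are constructed so the code runs offline.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
# Tolerances named in the message above, in seconds.
KERBEROS_SKEW = 300.0   # "5 minute tolerance" for Kerberos tickets
SUB_5_SECOND = 5.0      # "sub-5 second accuracy" applications
W32TIME_LIMIT = 2.0     # upper end of the "1 to 2 seconds" W32Time cannot hold

def to_ntp(unix_ts):
    """Encode a Unix timestamp as a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_EPOCH_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_reply(t1, t2, t3, stratum=2):
    """Constructed 48-byte server reply (LI=0, VN=4, Mode=4) for the demo."""
    header = struct.pack("!BBbb", (0 << 6) | (4 << 3) | 4, stratum, 6, -20)
    header += b"\x00" * 12  # root delay, root dispersion, reference ID
    # reference, origin (echo of client T1), receive (T2), transmit (T3)
    return header + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

def measure(reply, t1, t4):
    """Return (offset, delay): server clock minus local clock, and round trip."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4 or not 1 <= reply[1] <= 15:
        raise ValueError("not a synchronized server reply")
    if reply[24:32] != to_ntp(t1):
        # Reject replies that do not echo our transmit time (stale or spoofed).
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def classify(offset):
    """Which of the tolerances from the message does this clock offset meet?"""
    skew = abs(offset)
    return {"kerberos_5min": skew < KERBEROS_SKEW,
            "sub_5_second": skew < SUB_5_SECOND,
            "within_2_seconds": skew < W32TIME_LIMIT}

if __name__ == "__main__":
    t1 = 1341169393.0                       # constructed client send time
    reply = build_reply(t1, t1 + 3.75, t1 + 3.75)
    offset, delay = measure(reply, t1, t1 + 0.5)
    print(offset, delay, classify(offset))
```

With the constructed values the local clock is 3.5 seconds behind the server: inside the Kerberos tolerance, but enough to misorder log lines from two busy devices.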
