NTPD and Microsoft AD as NTP Server (ntpq / ntpversion defaults to "2" for Linux)
First off, let me start by saying I'm a long-time Unix (recently Linux) admin, "stuck" as back-office admin in a Microsoft Windows shop (critical apps still rely on Unix / Linux, and I'm a DBA on both sides of the house...).
A few years ago, we switched our Microsoft world to Active Directory (AD). AD, as those of you who might have dealt with it know, is very "time" centric. It has its own NTP services that all of its machines need to stay in step with (or they fail if / when they fall too far out of sync).
We use Samba now for our NAS Windows shares, on Linux storage appliances (which use a RedHat 7.3 base with a 2.4.21 kernel and a SuSE 9.3 base with a 2.6.11 kernel). They need to stay in step with the AD time-stamp, but thus far that hasn't worked so well (cron jobs to restart ntpd once a day, scripts to check on it, etc...).
Don't know if the problem(s) lie on the Windows side, or on Linux config (in past, always blamed Wintel), but I think now it has to center on Linux... (for the following reason):
A while back, one of my co-admins here, who also runs the AD NTP server, had to load some Microsoft Windows-based patches / updates that fixed some issues with Microsoft and NTP. In addition to my Linux servers / appliances that have the issue with time synchronization, I have some older HP-UX Unix (version 11.0) boxes that had to be kept in step with the AD NTP servers too. Since those Windows updates, they now stay in sync with the Windows AD NTP server (but Linux still has a problem).
I recently did some more searching between the two environments (ntp on HP-UX and Linux)... Noticed that on all of my Linux boxes, if I go interactively into "ntpq", and check "ntpversion", the response in all of my Linux distros here (2.4 & 2.6 kernels) is "2". On the HP-UX, the response is "3" (where it's now working and synching).
Just for kicks, I manually altered "ntpq / ntpversion" to "3" on those Linux boxes. In the same "ntpq" session, the "as" (Associated Peers) argument suddenly returned "sys.peer" for the Microsoft AD NTP server (before, it always got rejected after initial sync, and then fell back to "LOCAL" as the "sys.peer" time source).
Posting here for help in trying to understand what "ntpversion" means to a sysadmin (there's gobs of NTP info out there..., people are writing books, and I'm just trying to authenticate to a server...), how to statically set it on the system (next time I go back into "ntpq" it reverts back to "2"), and whether this might offer a clue as to why my Linux boxes won't sync to the Windows AD NTP server (but HP-UX now will...). We have SuSE 9.3, RedHat ES 4.0, RedHat 7.3, Fedora (various versions), plus another vendor's internal Linux boxes; I had to give that vendor one of my HP-UX servers to use as their NTP server, as they too had the issue(s).
Thanks... signed "trying to stay alive on the dark side" ;-)
- Joe Pantera
Joseph F. Pantera Database, Network & Systems Administrator
Gibson Dunn & Crutcher LLP
phone: (213) 229-7673
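The post mentions cron scripts that check whether ntpd has fallen back to the LOCAL clock as sys.peer. Added here as an example (not from the original post): a POSIX shell check that parses `ntpq -pn` style output and flags that fallback. The peer table below is constructed sample output, and the 192.0.2.10 address standing in for the AD server is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ntpq -pn` output (not captured from any real host).
# The '*' tally mark flags the selected sys.peer; 127.127.1.0 is ntpd's
# LOCAL (undisciplined local clock) driver, so '*' on that line means ntpd
# has rejected every real server and is free-running.
SAMPLE_FALLBACK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001
 192.0.2.10      .LOCL.           3 u   30   64  377    0.412   45.321   2.100'

# Same layout, but here the (assumed) AD server 192.0.2.10 is the sys.peer.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001
*192.0.2.10      .LOCL.           3 u   30   64  377    0.412    0.321   0.100'

# sys_peer: print the address carrying the '*' mark, or "none" if no peer
# has been selected at all.
sys_peer() {
  printf '%s\n' "$1" | awk '
    /^\*/ { print substr($1, 2); found = 1 }
    END   { if (!found) print "none" }'
}

# check_sync: succeed (exit 0) only when the selected peer is a network
# server; fail when ntpd has no peer or is syncing to the local clock
# (any 127.127.1.x address).
check_sync() {
  peer=$(sys_peer "$1")
  case "$peer" in
    none|127.127.1.*) return 1 ;;
    *)                return 0 ;;
  esac
}

# Typical cron use on a live host (assumed command line, not run here):
#   check_sync "$(ntpq -pn)" || logger -p daemon.warning "ntpd not synced to a network peer"
```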