2 PDC + Time Sync (ntp) problem

Daniele Dario d.dario76 at gmail.com
Fri Dec 19 02:00:20 MST 2014


Hi Michał,

On Thu, 2014-12-18 at 11:38 +0100, Michał Półrolniczak wrote:
> I added reverse DNS;
> I added the broadcast for ntp
> I removed any GPO related to the Windows Time Client, because it should sync 
> with the PDC as I read on the wiki.
> Now, is there a specific command line (like w32tm /monitor) to check whether 
> the Windows client syncs with the server and, if it does, which one it uses?
> 
> Using w32tm /resync gives "The computer did not resync because no time 
> data was available"
> 
> I followed: http://support2.microsoft.com/kb/929276/ but it didn't help
> 
> Resyncing to the domain controller via:
> w32tm /config /syncfromflags:domhier /update
> net stop w32time
> net start w32time
> 
> Windows got open port UDP 123 and the server too.
> 
> Using this:
> w32tm /debug /enable /file:c:/temp/test.txt /entries:0-300 /size:10000
> I managed to capture this error:
> Logging error: NtpClient has been configured to acquire time from one or 
> more time sources, however none of the sources are currently accessible 
> and no attempt to contact a source will be made for 1 minutes. NTPCLIENT 
> HAS NO SOURCE OF ACCURATE TIME.
> 
> The NTP client is trying to sync with melanippe (backup domain controller). 
> Maybe the problem is that melanippe syncs with arne, and arne uses ntp.org 
> for sync? (which one is accurate?)
> 
> 
> On 2014-12-12 at 16:07, Daniele Dario wrote:
> > Hi Michał
> >
> > On Fri, 2014-12-12 at 14:28 +0100, Michał Półrolniczak wrote:
> >> I'm using samba 4.1.6-Ubuntu from the repo (14.04.01)
> >> arne is the PDC with SYSVOL (192.168.0.4)
> >> melanippe is the backup PDC with rsync (from the wiki) replication of SYSVOL
> >> (192.168.0.5)
> >> any modification to AD is made on arne
> >> the domain is: domain.local
> >>
> >> Windows clients don't sync time from the PDC (arne)
> >> when running: w32tm /resync I'm getting "Access Denied. (0x80070005)"
> >> with w32tm /monitor I'm getting MELANIPPE.domain.local *** PDC
> >> ***[192.168.0.5:123]:
> >> ICMP: 0ms delay
> >> NTP: error ERROR_TIMEOUT - no respond from server for 1000ms
> >> arne.domain.local *** PDC ***[192.168.0.4:123]:
> >> ICMP: 0ms delay
> >> NTP: +9.2623479s shift from MELANIPPE.domain.local
> >> RefID: (here is some strange host name with ip not from my pool)
> >> Layer: 3
> >> Warning:
> >> Reverse DNS is optimal for the solution. (sorry, I'm using a translator to
> >> give you English messages)
> >>
> >> So looking into the problem I:
> >> nslookup arne.domain.local
> >> (root) ??? unknown type 41 ???
> >> Server: Unknown
> >> Address: 192.168.0.4
> >> Name: arne.domain.local
> >> Address: 192.168.0.4
> >>
> >> nslookup 192.168.0.4
> >> (root) ??? unknown type 41 ???
> >> Server: Unknown
> >> Address: 192.168.0.4
> >> (root) ??? unknown type 41 ???
> >> *** No records available of internal type for both IPv4 and IPv6 Addresses
> >> (A+AAAA) for 192.168.0.4
> >>
> >> Same goes for 192.168.0.5
> >> I'm using the built-in DNS (not bind), ntp 4.2.6.p5+dfsg-3ubuntu2
> >> Using DNS Manager from the Windows Admin Tools I'm getting an empty reverse DNS
> >>
> >> arne: cat /etc/ntp.conf
> >> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> >> server 127.127.1.0
> >> fudge 127.127.1.0 stratum 10
> >>
> >> driftfile       /var/lib/ntp/ntp.drift
> >> logfile         /var/log/ntp
> >> ntpsigndsocket  /var/lib/ntp_signd/
> >>
> >> server 0.pl.pool.ntp.org        iburst pref
> >> restrict default kod nomodify notrap nopeer mssntp
> >>
> >> restrict 127.0.0.1
> >>
> >> restrict 0.pl.pool.ntp.org      mask 255.255.255.255    nomodify notrap nopeer noquery
> >>
> >>
> >> melanippe: cat /etc/ntp.conf
> >> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> >> server 127.127.1.0
> >> fudge 127.127.1.0 stratum 10
> >>
> >> server arne.domain.local  iburst prefer
> >>
> >> driftfile /var/lib/ntp/ntp.drift
> >> logfile /var/log/ntp
> >>
> >> restrict default kod nomodify notrap nopeer mssntp
> >>
> >> restrict 127.0.0.1
> >>
> >> restrict arne.domain.local        mask 255.255.255.255    nomodify notrap nopeer noquery
> > From what I know you have to manually create the reverse DNS zone. You
> > can do it using samba-tool dns zonecreate <server> <zone> or using DNS
> > Manager from the Windows Admin Tools. Then you need to populate the zone
> > by adding your hosts (again samba-tool dns add <server> <zone> <name> <A|
> > AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data> or using DNS Manager from the Windows
> > Admin Tools).
> >
> > About ntp: I'm not using samba from the ubuntu/debian package but I compiled
> > it myself, so paths are different. In my case ntpsigndsocket is
> > in /usr/local/samba/var/run/ntp_signd/ and I had to
> > modify /etc/apparmor.d/usr.sbin.ntpd adding
> >
> > ...
> >    # for signed ntp requests
> >    /usr/local/samba/var/run/ntp_signd/** rw,
> >    /usr/local/samba/var/run/ntp_signd/ rw,
> > ...
> >
> > and reload apparmor profiles
> >
> > Another thing (but I'm not sure if it's relevant because I can't find anything
> > to prove it) is that in the ntp.conf of the "master" DC I added the line
> > broadcast BROADCAST_ADDRESS_OF_YOUR_LAN (e.g. 192.168.0.255)
> >
> > Hope this helps,
> > Daniele.
> >
> >
> 

I'm not a developer, nor do I have deep knowledge in this field; I'm just a
user, so I hope not to create more confusion than you already have ;-)

BTW, the first step I'd suggest is to check that ntpd is working properly.
Have a look at the syslog/ntp log files to see if everything is up and running.
I had some issues with apparmor blocking access to some modules, e.g.

type=1400 audit(1418978033.974:24): apparmor="DENIED" operation="open"
parent=1 profile="/usr/sbin/ntpd"
name="/usr/local/samba/lib/libnss_winbind.so.2" pid=1086 comm="ntpd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I guess this prevents signd requests from working.

On the other hand, you can test from a Linux box whether you can sync using

ntpdate -d server_name

That won't test signd requests, but it should at least tell you that the
server side is working.

Hope this helps,
Daniele.
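Added example (not from any post in this thread, nor from the Samba or ntp projects): a small POSIX shell script that does offline what Daniele suggests above. It checks an ntp.conf for the two settings signed NTP on a Samba AD DC needs (the ntpsigndsocket line and mssntp on "restrict default"), derives from that conf the AppArmor rules for the signing-socket directory in the form Daniele added to /etc/apparmor.d/usr.sbin.ntpd, and turns AppArmor DENIED lines for the /usr/sbin/ntpd profile into candidate profile rules. The ntp.conf texts and syslog lines inside it are constructed from the thread's own examples, not captured from a real host; the function names are mine, and the second audit line (a connect denial on the signing socket) is my guess at the format, not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba/ntp. All sample input is
# constructed (modelled on what was posted above), not captured from a host.

# check_signed_ntp_conf: reads an ntp.conf on stdin and reports whether it has
# the two settings a Samba AD DC needs before domain members accept its time:
#   ntpsigndsocket <dir>          ntpd asks Samba to sign replies via this socket
#   restrict default ... mssntp   allows MS-SNTP (signed) requests from clients
# Prints one "missing:" line per absent setting; returns 0 only if both exist.
check_signed_ntp_conf() {
    conf=$(cat)
    status=0
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+[^[:space:]]+' ||
        { echo "missing: ntpsigndsocket"; status=1; }
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*restrict[[:space:]]+default([[:space:]]+[^[:space:]]+)*[[:space:]]+mssntp([[:space:]]|$)' ||
        { echo "missing: mssntp on 'restrict default'"; status=1; }
    return $status
}

# apparmor_rules_for_signd: reads ntp.conf on stdin, takes the ntpsigndsocket
# directory and prints the two AppArmor rules (the directory and everything
# under it) in the form Daniele added to /etc/apparmor.d/usr.sbin.ntpd.
apparmor_rules_for_signd() {
    dir=$(sed -n 's/^[[:space:]]*ntpsigndsocket[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' | head -n 1)
    [ -n "$dir" ] || { echo "no ntpsigndsocket line found" >&2; return 1; }
    dir=${dir%/}   # "/var/lib/ntp_signd/" and "/var/lib/ntp_signd" give the same rules
    printf '  %s/ rw,\n  %s/** rw,\n' "$dir" "$dir"
}

# apparmor_rules_for_ntpd_denials: reads syslog/audit lines on stdin and, for
# each AppArmor DENIED record against the /usr/sbin/ntpd profile, prints the
# rule that would allow exactly that access (path plus the denied mask).
# Denials for other profiles are ignored. Review the output before pasting it
# into the profile: it is the minimum ntpd was refused, nothing wider.
apparmor_rules_for_ntpd_denials() {
    awk '
        /apparmor="DENIED"/ && /profile="\/usr\/sbin\/ntpd"/ {
            name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name="/)        name = substr($i, 7, length($i) - 7)
                if ($i ~ /^denied_mask="/) mask = substr($i, 14, length($i) - 14)
            }
            if (name != "" && mask != "") print "  " name " " mask ","
        }' | sort -u
}

# Constructed sample: the DC's ntp.conf as posted (signing lines present) and
# a plain client-style conf that lacks both.
ARNE_CONF='server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/ntp_signd/
server 0.pl.pool.ntp.org iburst prefer
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1'

PLAIN_CONF='server 0.pl.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1'

# Constructed syslog lines: the ntpd denial quoted above, a second one against
# the signing socket (format is my guess for an older AppArmor), and one for a
# different profile that must be ignored.
SAMPLE_AUDIT='Dec 19 09:33:53 arne kernel: type=1400 audit(1418978033.974:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/usr/local/samba/lib/libnss_winbind.so.2" pid=1086 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 19 09:33:54 arne kernel: type=1400 audit(1418978034.101:25): apparmor="DENIED" operation="connect" parent=1 profile="/usr/sbin/ntpd" name="/usr/local/samba/var/run/ntp_signd/socket" pid=1086 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Dec 19 09:33:55 arne kernel: type=1400 audit(1418978035.300:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/printcap" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

printf '%s\n' "$ARNE_CONF"    | check_signed_ntp_conf && echo "arne: signed-NTP settings present"
printf '%s\n' "$PLAIN_CONF"   | check_signed_ntp_conf || echo "plain: not usable for signed time by domain members"
printf '%s\n' "$ARNE_CONF"    | apparmor_rules_for_signd
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_rules_for_ntpd_denials
```

On a real DC you would feed the functions live data instead of the constructed strings: `check_signed_ntp_conf < /etc/ntp.conf`, `apparmor_rules_for_signd < /etc/ntp.conf`, and `grep apparmor= /var/log/syslog | apparmor_rules_for_ntpd_denials`, then reload the profile with apparmor_parser after editing it. The denial-to-rule step deliberately emits only the path and mask ntpd was refused, so the profile grows by exactly what the log proves ntpd needs.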


