Is it possible to make a router act as an NTP server?
My requirement is to allow a Windows Domain Controller to connect to an NTP server to synchronise the time, and then all other servers will point to the Domain Controller.
Looking for the best options.
What kind of router are you using? We have our Catalyst 6513 set up as NTP server. These are some of the commands:
ntp clock-period xxxxx
ntp peer 184.108.40.206
It is certainly possible to configure your router to act as an NTP server for the devices in the Windows network. The best solution for this is to configure the router to learn NTP time from one of the available NTP servers in the Internet. If the router has learned authoritative time from an Internet NTP server then it will automatically act as an NTP server for the devices in your network.
If, for some reason, you do not configure your router to learn NTP time from an Internet NTP server, then you would use the ntp master command on your router to have it act as an NTP server for your network. Based on your description you do not need the ntp authenticate command and you should not configure the ntp clock-period command as suggested by Mohamad. The ntp peer command which he suggests is the command to have your router learn NTP time from an NTP server and the 220.127.116.11 is one of the available public NTP servers so it would be good to use this in your router.
note: if you learn time from an Internet NTP server you do not need the ntp master command. You would need the ntp master command only if your router is not learning time from any other source. I suggest that you just use this and be done with it:
ntp peer 18.104.22.168
Do I need to open any ports on the ASA firewall to allow traffic from the Windows Domain Controller to the router and vice versa?
That's the setup I have.
I agree with Rick. NTP "clock-period" is auto-generated by the appliance so I always remove this from my config documents.
You can go to the NTP website (http://support.ntp.org/bin/view/Servers/WebHome) and choose from the list of Public Pool, Primary or Secondary and drill down to your region.
Again with Rick, I'd avoid using "NTP Master" if your NTP is authoritative.
In my scenario:
The router will learn NTP time from one of the available NTP servers in the Internet.
I have only configured the router with "ntp peer 22.214.171.124"
The output is:
sh ntp associations
address ref clock st when poll reach delay offset disp
*~126.96.36.199 .ACTS. 1 10 64 175 259.0 3.67 2.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Do I need to add any security parameter to it, or is any config missing?
Do you see the "*" symbol? It means that the IP address you've provided is now the "master" time. The third column shows that this is an authoritative time; the "1" means that this is the highest.
To verify, do a "show clock". If your time does not have a "." symbol in the beginning, then it means that your appliance is synchronized to a clock source.
If you have noticed, I have just entered the basic required commands for NTP; are there any security issues with this?
Bit concerned about security, any suggestions?
What you have configured is typically enough when you learn time from one of the public Internet NTP servers. You might configure some authentication or access lists as suggested by Leo for NTP within your own network. But it is not common to do that with the public Internet NTP servers.
Most people regard the security risk in doing NTP with public Internet NTP servers as a slight risk. If you are concerned about that risk, the alternative is to purchase some device with an atomic clock and to generate your own authoritative time without using the public Internet NTP servers.
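As an added illustration of the access-list approach Rick mentions for NTP inside your own network (this is example configuration written for this thread, not a config posted by any of the participants), the fragment below keeps the router learning time from the public server already named in the thread and restricts who may use the router as a time source. It uses the client-only `ntp server` form for the upstream association, leaves out `ntp authenticate` (which would make the router refuse to synchronise to an upstream that does not carry a trusted key, which public servers do not) and leaves out `ntp master`, as both Rick and Leo advise when the router is already synchronised. The internal address 192.0.2.10 standing in for the Domain Controller and the interface name are placeholders, not values from the thread.

```cisco
! Upstream time source: the public NTP server named earlier in the thread.
! "ntp server" is the client-only association; the router takes time from it
! but never offers time back to it.
ntp server 18.104.22.168
! Source NTP from a fixed interface so the public server and the ASA see one
! consistent address (placeholder interface name).
ntp source GigabitEthernet0/0
!
! ACL 10: the only system this router may synchronise FROM (the "peer" class
! also permits control queries from it).
access-list 10 permit host 18.104.22.168
access-list 10 deny   any
!
! ACL 20: internal hosts allowed to ASK this router for time, nothing more.
! 192.0.2.10 is a placeholder for the Windows Domain Controller.
access-list 20 permit host 192.0.2.10
access-list 20 deny   any
!
ntp access-group peer 10
ntp access-group serve-only 20
```

After applying it, `show ntp associations` should still show the "*" beside 18.104.22.168 as in the output above, and the Domain Controller should be able to query the router while any other host is silently refused. NTP itself runs over UDP port 123, so if the ASA sits between the Domain Controller and the router, that port is what the firewall policy needs to permit in the direction of the router; the router's replies follow the same UDP flow.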