The Network Time Protocol
Installing the binary version of the NTP Reference Implementation on Microsoft Windows based systems
Please note:
If you want to use the NTP reference implementation included in this
software package, a number of legal terms apply. You need to read the legal section of this document
and agree to these terms, otherwise you are not allowed to use any part of this software at all.
Table of contents
- Introduction
- Before You Start
- The Installation Procedure
- Upgrading NTP
- Uninstalling NTP
- Unattended Installation (Automatic/Silent Install)
- Addendum
Introduction
About this document
This document is part of the NTP binary distribution for Windows systems provided by Meinberg Radio Clocks. It contains short step-by-step instructions on how to install this binary release of the NTP reference implementation
as well as some background and information about the legal terms that apply if you decide to use NTP and the installer.
About the Network Time Protocol (NTP)
(taken from the NTP homepage)
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to
another server or reference time source, such as a radio or satellite receiver or modem. It provides
accuracies typically within a millisecond on LANs and up to a few tens of milliseconds on WANs relative
to Coordinated Universal Time (UTC) via a Global Positioning Service (GPS) receiver, for example.
Typical NTP configurations utilize multiple redundant servers and diverse network paths in order to
achieve high accuracy and reliability.
About the NTP Project and its Reference Implementation
(taken from the ISC NTP Project homepage)
The NTP Project (R&D) produces a reference implementation of the NTP protocol,
and implementation documentation, through a largely volunteer effort. The NTP software distribution is copyrighted,
as described in the NTP copyright page.
The Meinberg binary distribution of NTP for Windows Systems
Meinberg offers time synchronization hardware
(time servers and reference time sources like radio clocks)
and is often asked for software recommendations for the clients of a network that requires
synchronized time.
We are using the reference implementation of NTP in our NTP time servers
and have tested a number of client software packages for network time
synchronization. We recommend NTP not only because it offers the
highest compatibility but also an unmatched accuracy and reliability
among all tested network time synchronization products. The NTP project
mainly produces source code releases of NTP; at the moment there is no
official Windows binary distribution available from them. Because a lot
of their customers do not have the time or resources to build their
own binary version of NTP, we decided to offer a pre-compiled,
easy-to-install software package including a current version of NTP and
all necessary third party add-ons (e.g. OpenSSL libraries).
If you need a tool for monitoring your NTP time server and/or clients, please check out our NTP Time Server Monitor
application which can be downloaded free of charge from our Website.
Before you start
System Requirements
Supported Operating Systems
This version of NTP only runs on Windows NT and its successors (e.g.
Windows 2000, Windows 2003 and Windows XP machines). Windows 95, 98 and
ME are not supported by the installer and it will show you an error
message and quit in case you do not trust us and try to run the
installer under one of those operating systems :-)
Hardware Requirements
The installed files need approx. 2-3 MB of hard disk space. NTP will run
on any hardware that meets or exceeds the minimum hardware requirements
of the underlying operating system.
Necessary user rights
In order to use this installer, you need Administrator rights. This is
only necessary during installation; the NTP software itself runs fine
without admin rights, as long as the SetSystemTime privilege has been
assigned to the account used for running the service. We strongly
recommend not running NTP (or any other system service, if possible)
under the local system account or any other account with full
administrator rights. If you want, the installer will create a
restricted account for running the NTP service.
The Installation Procedure
Getting the latest version
Meinberg tries to update the installer at least as often as a new
stable version of NTP has been released by the NTP project. If
important bug fixes or new features have proven their stability, an
updated installer may be released as a "developer version" without
waiting for an official stable NTP release. So, mostly two versions of
the installer ("latest" and "stable") will be available for download on
the Meinberg NTP download page.
Installing NTP
Please check that the target system meets the system requirements and that you are logged on with sufficient
user rights.
Step 1: Starting the Installer: License Agreement
After downloading the appropriate version, which comes as a one-file executable, double-click it to start the installation procedure.
After checking that the target operating system is supported and that sufficient
user rights are present, the first page appears, containing legal information covering the copyrights,
licenses and other legal terms. In order to proceed you need to agree to these terms by clicking the "I Agree" button.
Step 2: Choosing the Destination Folder: Where to install
You need to specify the directory the files will be installed in; the default is PROGRAMDIR\NTP. PROGRAMDIR depends on
the language and install location of your Windows version; for a standard English Windows version installed on drive C: this is
"C:\Program Files\".
During installation a number of subdirectories will be created, e.g.
bin, etc and doc. You should keep an eye (or two) on security and may
want to restrict access to the destination folder after installation.
Step 3: Choosing Components: What to install
The installer offers you a number of components that can be selected
for install. Per default, everything is selected and this should fit
most situations. Here is a list of all components and their meaning:
The NTP daemon
A "daemon" is a term widely used in the Unix world. It stands for a
service program running in the background (i.e. without a visible
interface like a window). The Windows equivalents are System Services,
which can be controlled by using the Service Control Console
(services.msc). A Windows System Service can be run automatically at
system startup and logs on in the background, without the need of an
interactive logon.
Because the NTP daemon (ntpd.exe) is needed for client (i.e. acquire time) as well as server (i.e. distribute or redistribute)
configurations, installation is mandatory and this component cannot be deselected.
At a later stage you can choose whether it should start automatically with Windows or not.
The NTP Tools
This component contains a number of command line executables which are
not needed when operating an NTP client or server, but they are very
useful and should be included in every install. At the moment ntpq.exe,
ntpdc.exe and ntp-keygen.exe are included in this section. Please refer
to the documentation of these commands in order to find out what they
do.
The NTP Documentation
The NTP Public Services Project composed a comprehensive set of HTML
pages forming the official NTP documentation. If you choose to install
this component, the documentation will be installed in the doc
subdirectory of the destination folder.
Start Menu Entries
If you select this component (it is on by default) the installer will
create entries in your start menu to allow you to start/stop/restart
the NTP service, edit your configuration file and browse the installed
documentation. Additionally you will find a few interesting links to
NTP related websites in your NTP Start Menu (which is created as
Meinberg/Network Time Protocol).
Settings
This component actually does not include any files, it just allows you
to enable/disable certain actions the installer is applying to your
system. The one and only setting that can be activated/deactivated is
expanding the PATH environment variable of your system to include the
path to the NTP binaries. If you do not want to install multiple
versions of NTP in different directories, we recommend not
disabling this setting (it is selected by default). The PATH variable
holds a list of semicolon-separated directories where the system should
look for an executable file when you do not specify its full path. That
means: You can use the command 'ntpq' anywhere without having to type
in the full path to the .exe file every time you want to use it.
OpenSSL libraries
Selecting this component will install two DLL files from the OpenSSL
software distribution into the bin subdirectory of your NTP folder. You
should leave that turned on (that's the default) and only deselect it
if you already have a copy of the OpenSSL DLLs (libeay32.dll and
ssleay32.dll) in a place where NTP can find them (e.g. the
windows\system32 directory).
Step 4: Copying files
When you have finished selecting the components you want, the installer
starts copying the necessary files. Before this happens, it checks
whether there is already an NTP service running on this machine. If yes, you
are asked if this service should be stopped before starting the copy
process. It is recommended to choose "Yes" (=stop the service) here in
order to prevent file access errors when trying to overwrite
the ntpd.exe file of an already running instance of NTP.
Step 5: Configuration File Settings
After copying of the files has been completed, the configuration file
page comes up. Here you can specify a location where the NTP daemon
looks for its configuration file (default is etc\ntp.conf in the
directory where you installed NTP), whether an initial configuration
file should be created for you and if you want to run NTP as a system
service.
You can use the "..." button to browse your files and find an already
existing ntp.conf file. Under normal circumstances we recommend not
changing the location of the config file and simply using the setting the
installer selected for you.
When you choose to create a configuration file (this should be done when
installing NTP for the first time on your computer or if you do not
want to use your old configuration file), you can select which NTP
servers you want to use for synchronization.
The installer comes with a drop down list (labelled "External Time
Reference" or "Pool Server") which includes a number of countries where
public NTP servers provided by the NTP Pool Project are
available. You should choose your country (or the nearest country) from
the list, and every time your NTP daemon starts, you are using a
different NTP server thanks to a rotation mechanism (see the Pool Project website if you are interested in the details).
If the installer detects the Meinberg Time Adjustment Service, it
allows you to choose "Follow Meinberg Time Service". The presence of
this service indicates that your system has a PCI radio clock from
Meinberg installed or uses an external reference clock connected to a
serial port. As the Meinberg Time Service already keeps the local clock
of your system synchronized to the Meinberg hardware clock, the NTP
configuration would be set up to simply use the local clock as a time
source with Stratum level 1. This configuration makes sense if you want
to use the Meinberg Time Service to get its time directly from a
Meinberg device but would like to be able to distribute the time via
NTP to your clients.
You are not able or do not want to use an entry of the drop down list
because you are sitting behind a corporate firewall and the security
policy permits no NTP connections to the outside world? Or you do not
have an internet connection or want to use a more reliable and accurate
NTP server in your local network? No problem, the next field on this
page allows you to specify up to nine NTP servers manually. Just enter
a comma-separated list of IP addresses or hostnames and there you go.
Example:
In your local network you maintain three NTP servers with which you
want to synchronize your Windows PC time. The NTP servers are called
"tick", "tack" and "tock", so all you have to do is to enter
"tick,tack,tock" into the NTP server field (the one that is labelled
"You can specify up to 9...") and that's it.
Advanced server specifications: If you want, you can add NTP specific tags/parameters to each server. So, you want to speed up
initial synchronization by using the iburst
option? And you want to prefer "tick" because you like the sound of its
name? Just enter: "tick prefer iburst,tack iburst, tock iburst" and you
are done.
Step 6: Service Settings
After configuring the config file settings, you are presented with a
dialogue where you have to specify how the service is installed.
First, you need to select the user account under which the service
runs.
Service Account
A service logs on in the background; for
this it needs a user account. You can either choose to create a new,
specially dedicated user account for the NTP daemon or you can use an
already existing account. The last option (and the worst from a
security viewpoint) is the possibility to run the service under the
local SYSTEM account, which has far too many access rights to be left
alone, therefore we strongly recommend (no, let me emphasize that)... strongly(!!) recommend to use
the default setting and create a dedicated user. You should use an
already existing user only if you are reinstalling and want to reuse
the dedicated user you created in a previous install.
This newly created user (its name and password have to be defined by you
in the next step) will only be granted the right to log on as a service
(no interactive or network logon allowed) and maintain the system time
(that's what you want from it, I suppose). Nothing else is allowed for
this user, so if anyone ever tries to attack the NTP service and
succeeds, he/she has very limited possibilities to cause any harm on
your system. You can add extra security to your installation by changing
the access rights for the NTP folder on your hard disk to let only Admin
and the NTP user account access the files in it.
Starting Options
The NTP service can be run automatically when your system starts. If
you want to start it manually (this only makes sense if you want to
test NTP in non-production environments), you can deselect the check
box "Start NTP service automatically".
NTP depends on being the only one altering the system clock, so the next option "Disable other Time Services eventually installed"
makes sure that at least a few services are deactivated (the start
option for these services is set to "deactivated"). This affects all
services named "NetworkTimeProtocol", "Network Time Protocol" and
"W32time". If you do not want to let the installer mess around with
your precious system, you can deselect this check box and the starting
options for those services are left untouched. However, this may cause
NTP not to run properly or even prevent it from running at all. You
have been warned :-) .
The next option ("Start NTP right after installation")
controls whether to start the service at the end of the installation or
not. If you think it is better to check a few things first, you may
want to deselect this option. If you chose to run NTP automatically, it
will be started during the next system boot or manually by using the
"net start NTP" command or the services.msc console.
Normally, the NTP daemon will exit immediately when it detects that
your current system time is far off (>1024 seconds). If you want NTP
to accept any time difference at startup and correct it as soon as the
correct time has been received from an NTP time source, you can leave
the checkbox "Allow big initial timestep" on. Uncheck this option if you want NTP to
stop and exit instead of stepping the time.
Note: Even when this option is enabled, NTP will only accept a big time
difference once at startup. If such a big difference occurs again
later, NTP will exit because this indicates that something is broken in
your NTP/time synchronization infrastructure.
If the NTP version included in the installer supports the automatic
enabling of the Windows multimedia timer, this can be turned off by
unchecking the corresponding checkbox "Enable Multimedia Timer at Startup". This feature, which is
enabled by default, switches the internal timing of Windows to multimedia
mode and prevents time shifts/steps when any other application using
the multimedia timer is started/stopped.
If your system comes with a
version of the Windows Firewall (e.g. on XP SP2, Windows 2003 or
Windows Vista), you can ask the installer to check if your firewall
settings allow NTP to work properly. If you select the option "Check Firewall Settings",
the installer will check that and ask you if you want it to modify the
firewall rules for you in order to allow NTP packets to pass through.
This will effectively add an exception rule for UDP packets on port 123
(the NTP port) to your firewall settings.
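A post-install check of the Step 6 choices, as an added example that is not part of the Meinberg package: it reports whether the service runs as SYSTEM, whether one of the other time services named above can still start, and who besides Administrators and the service account has access to the install folder. The service name "NTP" is taken from the "net start NTP" command above; the folder path, PowerShell 3.0 or later and treating SYSTEM as an expected ACL entry are assumptions.

```powershell
# Added example, not Meinberg code. Checks the Step 6 choices after installation.
# Assumptions: service name "NTP" (from "net start NTP" above), PowerShell 3.0+,
# and the install folder below (adjust to the folder chosen in Step 2).
$InstallDir = 'C:\Program Files\NTP'
$sidType    = [System.Security.Principal.SecurityIdentifier]

function Resolve-Sid([string]$Account) {
    # The service manager stores local accounts as ".\name"; expand to "HOST\name".
    $name = $Account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType).Value
}

$ntp = Get-CimInstance -ClassName Win32_Service -Filter "Name='NTP'"
if (-not $ntp) { throw 'Service "NTP" is not installed on this machine.' }

$report   = @()
$asSystem = $ntp.StartName -eq 'LocalSystem'

# 1. Service account: SYSTEM is the option the guide calls the worst choice.
if ($asSystem) {
    $report += 'FAIL  NTP runs as LocalSystem; use a dedicated restricted account'
} else {
    $report += "OK    NTP runs as $($ntp.StartName)"
}

# 2. The other time services named in the guide should be disabled.
foreach ($name in 'W32Time', 'NetworkTimeProtocol', 'Network Time Protocol') {
    $other = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($other -and $other.StartMode -ne 'Disabled') {
        $report += "FAIL  $name has start mode $($other.StartMode) and can fight NTP over the clock"
    }
}

# 3. Folder ACL: list every identity with access other than the expected ones.
#    SIDs are compared so the check also works on non-English Windows versions.
$expected = @('S-1-5-32-544', 'S-1-5-18')   # Administrators, SYSTEM (SYSTEM is an assumption)
if (-not $asSystem) { $expected += Resolve-Sid $ntp.StartName }

foreach ($ace in (Get-Acl -Path $InstallDir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
    catch { $sid = $ace.IdentityReference.Value }   # unresolvable identity: report as-is
    if ($expected -notcontains $sid) {
        $report += "WARN  $($ace.IdentityReference) has $($ace.FileSystemRights) on $InstallDir"
    }
}

$report
```

On a default installation under Program Files the WARN lines typically include the Users group, which is the access the guide suggests removing.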
Step 7: Specify Service Account
This step is skipped if you chose to run the NTP daemon under the
SYSTEM account, but I am sure you did not choose to do so for security
reasons.
In case you selected to create a new dedicated NTP account, you have to
enter its name (default is ntpd) and specify a password for the
account. You are not allowed to use the account name as your password
and a minimum length of five characters is required. Do not forget to
enter the password a second time in the "confirm" field.
If you chose to use an existing account, you will be asked for the
username and the password of the existing account (no confirmation
needed). Please make sure that you entered the correct password, as a
wrong input will prevent the service from running due to a login
failure.
Step 8: Finish Installation and Start the Service
If you selected that the NTP service should be started at the end of
the installation, this is done now. If an error message says that
starting the service did not succeed, you should look into your
event log (run "eventvwr" to check it) and check the reasons for the
failure in the System log and/or in the Application log.
On the last page of the installer you should now see what the installer
did during the installation process. Click "Finish" and you are done.
Congratulations!
Upgrading NTP
If the installer detects an already existing installation of NTP
(and if that installation was done using an old version of this
installer), it will ask you directly after startup how to proceed, i.e.
whether you want to simply upgrade your files or prefer a complete
reinstallation.
Automatic or Unattended Installation of NTP
Introduction
If you want to deploy NTP on a large
number of PCs you probably want to automate the installation process
in order to save time and shoeleather-costs. The Meinberg NTP Installer
supports automatic/unattended installation by specifying an INI file
which holds the settings you normally would enter via the various
dialogues during the installation.
Running Installer in Unattended Mode (UAM)
In order to tell the installer that it should run in unattended mode,
you have to specify the name of the INI file on the commandline. This
can be done with the "/USEFILE" option:
C:\> ntp_setup-win32-o.exe /USEFILE=C:\my_settings.ini
The INI-File: Configuration and Parameters for the Unattended Mode (UAM)
The INI file that is used to define all required parameters for the
installation follows standard Windows INI file format conventions.
Parameters are grouped into four sections: General Installer Parameters, Component Selection, NTP Service Parameters and
NTP Configuration File Settings. At the end of this chapter you will find a sample INI file, but first we will go through
the sections and explain each available parameter.
Automatic Template File Creation
During a regular (interactive) installation the settings specified by
the user will be collected and stored in a file install.ini in the
installation directory of NTP (e.g. C:\Program Files\NTP). The only
exception is the service password, which will not be written into this
file. You can use this automatically created install.ini file as a
template for future unattended installs of NTP, but please remember to
check the settings first and modify them to suit your needs:
- Fill in the service password; it is not written into the template for security reasons
- Change the location of the config file in order to use a prepared ntp.conf; this file path should be accessible from all PCs on which you want to run the unattended install (i.e. it should be on a network drive)
- Check whether the upgrade mode should be Reinstall or Upgrade, in case the unattended install is run more than once on a PC (it has no effect for a first-time install)
- Please modify the location of the unattended install log file
[Installer] General Installer Parameters
This section is defined with the Installer group header: [Installer]
All installer related parameters have to be defined here, e.g. the logfile and target directory.
InstallDir
One of the most important parameters, it defines in which directory NTP
should be installed. There will be subdirectories created (like bin, etc and doc).
Example:
InstallDir=C:\NTP
Logfile
Due to the nature of an unattended installation there is no real way of
finding out details about what went wrong when the installer did not
successfully install NTP on the target machine. The Logfile that is
written by the installer in unattended mode can help you in detecting
any problems with your settings or system environment. With the Logfile parameter you
specify the full path of the logfile.
Example:
Logfile=C:\TMP\NTP_UAM.LOG
UpgradeMode
If the target machine already runs a version of NTP you can use this
parameter to tell the installer what to do with such an existing
version. There are three possibilities:
UpgradeMode=Upgrade
will only upgrade the files and does not touch your service settings (like the service account or any commandline parameters)
UpgradeMode=Reinstall
will uninstall the existing version and then perform a regular unattended installation based on the settings in the INI file
UpgradeMode=None
will not do anything and simply aborts the installation at this point,
keeping the existing version intact (basically you can specify
anything but Upgrade or Reinstall in order
to achieve this behavior)
Silent
If you do not want your users to call you because of those strange
messages that flash on the screen every time you are installing/updating
NTP on their PC, you can completely disable all visual feedback (which
in UAM means disabling the banners that are normally shown during
installation) by specifying
Silent=Yes
in the Installer section of your INI file.
[Components] Components Selection
With this section you can control the scope of the installation. The
NTP service (NTPD.EXE) is always installed, but there are optional
components that can be deselected:
InstallTools=No
will skip installation of the NTP commandline tools like ntpq or ntpdc.
InstallDocs=No
will skip installation of the NTP documentation set (in docs\).
InstallOpenSSL=No
will skip installation of the OpenSSL library file(s), which are
essential for running NTP on the target machine. The only reason why
you would not want to install them here is when they are already on the
target machine (probably installed by some other application) and you
prefer to use that version instead of the one that comes with the NTP
installer.
Please note that you have a good chance to run into compatibility problems when you choose not to use the included OpenSSL version.
CreateStartMenuEntries=no
will skip creating entries in your Start Menu for
starting/stopping/restarting the NTP service, for the documentation and
for weblinks to interesting/important NTP related websites.
[Service] NTP Service Parameters
This section controls the behavior of the NTP service and its installation on the target machine.
StartAfterInstallation
If you want the installer to start the service after the installation has been completed successfully, you have to specify
StartAfterInstallation=Yes
AutoStart
Most people want the NTP service to start automatically when the target
PC is booting Windows. This can be triggered by stating AutoStart=Yes
in the INI file.
ServiceAccount
The installer can either set up your NTP service to run as SYSTEM (i.e.
with full administrative rights) or use a regular user account with
limited access rights. The latter reduces the impact of any security
issues with NTP and prevents an attacker from gaining Administrator rights
if they somehow manage to compromise NTP. We strongly recommend running
NTP under such a limited user account. If you want to use the SYSTEM
account, please specify ServiceAccount=@SYSTEM in your INI file. If you want to
use a limited rights account, please tell the installer the name of
this account (it can be automatically created using the CreateAccount parameter, see below).
Example:
ServiceAccount=NTPService
CreateAccount
If the Service section of your INI file includes a line like
CreateAccount=Yes
the installer will try to create the NTP user
account for you (you have to specify the name of the account with the ServiceAccount
parameter). It will even set up the access rights of the newly created
account and limit its privileges as far as possible. If the specified
user account already exists and CreateAccount is set to Yes, the
installer will still try to use that existing account.
ServicePassword
If you want to use an existing account or the installer should create
one, you can specify the password here. This is of course a potential
security problem, but if you let the installer create the account for
you, it will be only allowed to login as a service, which should
dramatically reduce the risk of someone abusing the account.
Example:
ServicePassword=BackToTheFuture
DisableOthers
If the target machine already runs some kind of a time synchronization
software, the installer can disable them for you when it installs NTP.
There is no point in trying to allow two programs to correct the time,
the result will be that both fight about the system clock and each one
will correct the corrections of the other software. If you want the
installer to look out for other time sync software, you can specify DisableOthers=Yes in your INI file. Of course only known
software (like W32time or older NTP installations) will be detected and
the installer will only deactivate their service entry. Nothing is
uninstalled or removed!
AllowBigInitialTimeStep
The default behavior of NTPD is
that it will exit if it detects a time offset of more than 1024
seconds. This can be a problem if the clock of the target PC is off by more than
~20 minutes at system start, therefore you can allow NTPD to correct
such a big offset once at startup by stepping the clock. This can be
achieved by specifying -g on the commandline of NTP, and
specifying
AllowBigInitialTimeStep=Yes
in your INI file will tell the installer to add -g to the commandline parameters of the NTP service.
EnableMMTimer
Windows applications can tell the system to enable the so-called
Multimedia Timer in order to change the internal timing behavior of the
Windows kernel. Altering this during normal operation can lead to a
sudden time jump of several milliseconds in one direction. When the
MMTimer is switched back to normal afterwards, the time jumps back in
the opposite direction. This will lead to NTP synchronization problems
(obviously) and therefore NTPD can be told to permanently switch the
MMTimer to the higher resolution in order to prevent those time jumps
when you open a Quicktime video or a fancy website with animation and
sound.
Example:
EnableMMTimer=Yes
It is recommended to use Yes here since there seem to be no performance problems and it prevents those millisecond time jumps as long as NTP is running.
ModifyFirewall
If the Windows Firewall is enabled and allows exceptions, the installer
would add an exception for NTP packets in order to allow them to pass
the firewall. Setting this parameter to "no" will leave your firewall
settings alone.
ModifyFirewall=No
will skip the check for correct handling of NTP packets by the Windows Firewall (if applicable on your system).
[Configuration] NTP Configuration File Settings
The NTP configuration file (usually called ntp.conf) is expected to be stored in the etc subdirectory of your installation path. The installer can copy a
prepared NTP configuration file into that etc directory and configure the service to use it. You have to specify the full path of an already existing file with
UseConfigFile=G:\ntp_client.conf
in the [Configuration] section of your INI file and it will be copied to C:\Program Files\NTP\etc\ntp_client.conf by the installer (assuming that you specified
C:\Program Files\NTP as the InstallDir).
Sample Configuration
Here is an example of an INI file that can be used for the unattended installation of NTP:
[Installer]
InstallDir=C:\NTP
UpgradeMode=Reinstall
Logfile=C:\ntp_silent.log
Silent=Yes
[Components]
InstallTools=yes
InstallDocs=no
InstallOpenSSL=yes
CreateStartMenuEntries=yes
[Service]
StartAfterInstallation=yes
AutoStart=yes
ServiceAccount=NTP
CreateAccount=yes
ServicePassword=carlosantana
DisableOthers=yes
AllowBigInitialTimestep=yes
EnableMMTimer=yes
ModifyFirewall=yes
[Configuration]
UseConfigFile=C:\ntp_test.conf
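A pre-rollout audit of an unattended-install INI file, as an added example that is not part of the Meinberg installer: it flags keys and sections that are not among the parameters documented above (a misspelled key is easy to miss in a silent install), ServiceAccount=@SYSTEM, a clear-text ServicePassword, and UpgradeMode or DisableOthers values that change what the installer does. The function names and the sample input are constructed for illustration; the password rule is the one stated for the interactive installer in Step 7.

```powershell
# Added example, not Meinberg code. Audits an unattended-install INI before rollout.
# Section and key names are the ones documented on this page.
$Documented = @{
    Installer     = @('InstallDir', 'Logfile', 'UpgradeMode', 'Silent')
    Components    = @('InstallTools', 'InstallDocs', 'InstallOpenSSL', 'CreateStartMenuEntries')
    Service       = @('StartAfterInstallation', 'AutoStart', 'ServiceAccount', 'CreateAccount',
                      'ServicePassword', 'DisableOthers', 'AllowBigInitialTimeStep',
                      'EnableMMTimer', 'ModifyFirewall')
    Configuration = @('UseConfigFile')
}

function ConvertFrom-Ini {
    param([string[]]$Lines)
    $ini = @{}            # hashtable string keys compare case-insensitively, like INI keys
    $section = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $section = $Matches[1].Trim()
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        }
        elseif ($section -and $text -match '^([^=;][^=]*)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $ini
}

function Test-NtpInstallIni {
    param([string[]]$Lines)
    $ini = ConvertFrom-Ini -Lines $Lines
    $findings = @()

    # Keys or sections the page does not document are most likely typos.
    foreach ($section in $ini.Keys) {
        if (-not $Documented.ContainsKey($section)) {
            $findings += "[$section] is not a documented section"
            continue
        }
        foreach ($key in $ini[$section].Keys) {
            if ($Documented[$section] -notcontains $key) {
                $findings += "[$section] $key is not a documented parameter (typo?)"
            }
        }
    }

    $inst = if ($ini.ContainsKey('Installer')) { $ini['Installer'] } else { @{} }
    $svc  = if ($ini.ContainsKey('Service'))   { $ini['Service'] }   else { @{} }
    $account  = $svc['ServiceAccount']
    $password = $svc['ServicePassword']

    if ($inst['UpgradeMode'] -and @('Upgrade', 'Reinstall', 'None') -notcontains $inst['UpgradeMode']) {
        $findings += "UpgradeMode=$($inst['UpgradeMode']) acts like None: an existing install aborts the setup"
    }
    if ($account -eq '@SYSTEM') {
        $findings += 'ServiceAccount=@SYSTEM: the service gets full SYSTEM rights; use a dedicated account'
    }
    if ($password) {
        $findings += 'ServicePassword is in clear text: restrict read access to this file and remove it after rollout'
        if ($password.Length -lt 5 -or $password -eq $account) {
            $findings += 'ServicePassword breaks the interactive rule (five characters minimum, not the account name)'
        }
    }
    if ($svc['DisableOthers'] -and $svc['DisableOthers'] -ne 'Yes') {
        $findings += 'DisableOthers is not Yes: W32time or an older NTP service may keep adjusting the clock'
    }
    $findings
}

# Constructed sample input with deliberate mistakes; for a real file use
#   Test-NtpInstallIni -Lines (Get-Content C:\my_settings.ini)
$sample = @'
[Installer]
InstallDir=C:\NTP
UpgradeMode=Reinstal
[Service]
ServiceAccount=ntpd
CreateAccount=yes
ServicePassword=ntpd
DisableOthers=no
ModifiyFirewall=yes
'@ -split '\r?\n'

Test-NtpInstallIni -Lines $sample | ForEach-Object { "FINDING: $_" }
```

For the constructed sample the script reports five findings: the misspelled key, the misspelled UpgradeMode value, the clear-text password, the password equal to the account name, and DisableOthers=no.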
Uninstalling NTP
Using the Software Applet of the Control Panel
It is easy to remove the installation of NTP you installed using this
installer. Just open your Windows control panel, double-click on the
Software icon and browse the list of installed software on your system
until you find an entry called "Network Time Protocol". Now press the
"Uninstall" button (this may be a little bit different on Windows NT;
if you face any difficulties, just check your operating system's
documentation for information on "Uninstalling third party software").
Running the uninstaller directly
During installation, an uninstaller executable (uninstall.exe) is
copied into the NTP target folder (e.g. "C:\Program Files\NTP"). You
can use the Windows Explorer and browse to this directory. Then start
the uninstaller with a double-click.
Addendum