Cannot synchronize with DC NTP

Elleni · January 19, 2020, 4:26pm

I have freshly setup a nethserver as pdc and also run into this problem from time to time. Is there a permanent solution for this? Can I change something somewhere in configuration, or do I have to resolve this by a gpo on my windows 10 clients? Or by a logon script?

Problem can be solved by starting command prompt as administrator and running net time \dc_hostname /set /yes and re-logon. Or could it be suricata? I am asking, because I activated all categories and edited all to block instead of alarm. That way, I created a problem with filebrowsing on my shares, even a rightclick on a file on a share made windows freeze and it took a minute to the context menu to display. I found out, that the suricata module Policy was the blocking one. I will observe if the timing problem is solved too with deactivated Policy module, and if not, report back.

Edit to add, that until now, I encountered no problems anymore. But reading the docs, I am afraid, I could have enabled too much, as apart from mentioned policy rule, all rules are activated and I read that I some could block updates. Having additionally setup Pi-Hole on a vm too, with a bunch of blocklists, I will observe if in the next some weeks, there are updates for nethserver but also for my windows 10 client, and disable if necessary some of the rules. I would appreciate if someone could point on rules that should not be activated apart from the poliy rule anyway.

Elleni · January 22, 2020, 7:57am

On a new installation with sane default settings, it run ruther stable. But around midnight, there was a temporary problem accessing shared drives and profile folder from within windows vm. A reboot of the windows client did the trick. Is there any recomanation on how to improve time synchonisation between windows clients and active directory domain controler?

dnutan · February 1, 2020, 10:40pm

To avoid problems, all hosts in LAN can be configured to use the server as NTP server.

Maybe it could be of use to check ntp status inside the DC container when you run into that problem. To access a shell in the container:

systemd-run -M nsdc -t /bin/bash

Elleni · February 2, 2020, 2:34pm

I will do so, but I think, it could have been because of IPS. Now I restarted with a fresh installation of nethserver and did not yet have this problem. But nonetheless, you are right, and I would like to configure the settings as you suggest. Do I understand you correctly? I should set:

Gateway IP -> green network nethserver ip
dns server -> ip configured for the ad container, when creating active directory domain
wins -> ip configured for the ad container, when creating active directory domain
ntp server -> green network nethserver ip

Do I need to activate ntp on nethserver, or is this automatically active?

dnutan · February 5, 2020, 11:10pm

I quoted what worked for another user but, on top of that, will do some small changes (AD networking is not a strong point of mine, so anyone correct me if you spot something wrong.)

On NethServer configured as AD (DC) and acting as DHCP and DNS server:

Gateway IP -> Green IP (or empty)
NTP servers -> nsdc AD container IP
DNS Servers -> Green IP
WINS Servers -> nothing (legacy netbios name resolution)