There have been some questions about how Novell Directory Services works with time syncing. This document will describe a basic solution set for configuring and maintaining time servers. If a discussion about NetWare 5's NTP.NLM in conjunction with timesync.nlm is wanted, see solution document 10011518.
Directory Services is so dependent upon time stamping that, if time is not in sync with servers, you cannot depend upon anything in DS to work properly; put another way, "all bets are off". Time syncing will be the very first thing checked before partitioning or merging operations occur, and each of these operations will error out if time is not in sync. Novell Technical Support will also check this area first before troubleshooting any kind of DS or syncing errors occurring with the network.
TIME SYNC OVERVIEW:
The best way to check time syncing is through DSREPAIR.NLM. After loading dsrepair, go to "time synchronization". This will give a list of every server | ds version | replica depth | time type | in sync? This list will give an immediate view of how time is operating on the network. Additionally, you can see how far off (in seconds) a server is from being synced completely. NDS allows a default +/-2 second differential and a server can still be considered fully synced. This can be changed; "set timesync synchronization radius" is the parameter and the number is taken in milliseconds (default = 2000).
Time Sync Basic Rule: You must have one (and only one) SINGLE time source in the tree OR a PRIMARY and REFERENCE server. Singles and Primary/Reference servers do not mix in the same tree. A secondary time server will get his time from either a single time server, primary, or a reference time server.
Normally in environments with 30 or fewer servers, the network will be set up with a SINGLE time server and the rest of the servers will be secondary. If there are more servers than this, most companies choose to implement a REFERENCE server with one or more PRIMARY servers - the rest of the servers become secondary. There can be only one REFERENCE server in a Novell Directory Services Tree.
Level One = REFERENCE server
Level Two = Up to 13 PRIMARY servers
Level Three = More PRIMARY servers, each one pointing to two or three LEVEL TWO Primaries for configured sources. Do not point any Level Three PRIMARY servers to a Level One REFERENCE server.
If a network does not meet these criteria (namely, one single and all secondaries, or one reference, a primary or more, and all secondaries) then, no matter what dsrepair | time synchronization says, the servers will never operate properly with time. This must be fixed.
HOW TIME IS SYNCED:
There are two ways in which time synchronization happens:
1. SAP (Service Advertising Protocol): Time can be synced through SAP 26B. To see if sap 26B is being received at the server, load IPXCON, and go to Services. Look through the list of services. 26B will show up in the right column. If it does not show up, there may be a problem with the router filtering out 26B. Obviously, if the network uses SAP to establish time syncing, this will need to be fixed.
2. Configured Sources: A configured list of servers can be defined for a server to look at for its time. This method does not rely upon SAP to receive and set time correctly. An IPX connection is actually made to the server in the configured list and that server's time is polled.
Customers often call in with a network having time sync problems where one server is a primary and the rest are secondary. Obviously, this will not work. Change the primary to a single and everything should be fine.
Customers have also called in with a network that has 5 primaries, 7 secondaries, and no reference server. This is also incorrect. Change a primary to a reference server, or a secondary to a reference server. This will complete the model and satisfy the rule and time should sync up correctly. Also, do not go "hog wild" and make more primary time servers than necessary. The vast majority of the network should be secondary time servers. Place primary/single/reference time servers at key locations.
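The basic rule and the two customer cases above can be checked mechanically. The following is an added example, not Novell code: it takes a constructed mapping of server name to time server type (the server names are made up) and reports every way the tree breaks the rule as this document states it.

```python
from collections import Counter

PROVIDERS = {"SINGLE", "REFERENCE", "PRIMARY"}

def check_time_topology(servers):
    """servers maps server name -> time server type; returns a list of findings."""
    counts = Counter(t.upper() for t in servers.values())
    unknown = set(counts) - PROVIDERS - {"SECONDARY"}
    findings = [f"unknown time server type: {t}" for t in sorted(unknown)]
    single, ref, pri = counts["SINGLE"], counts["REFERENCE"], counts["PRIMARY"]
    if single and (ref or pri):
        findings.append("SINGLE mixed with PRIMARY/REFERENCE in the same tree")
    if single > 1:
        findings.append(f"{single} SINGLE servers; only one is allowed")
    if ref > 1:
        findings.append(f"{ref} REFERENCE servers; only one is allowed per tree")
    if pri and not ref:
        findings.append(f"{pri} PRIMARY server(s) but no REFERENCE server")
    if ref and not pri:
        findings.append("REFERENCE server has no PRIMARY server to pair with")
    if not (single or ref or pri):
        findings.append("no SINGLE, PRIMARY or REFERENCE time server in the tree")
    return findings

# Constructed sample trees; the first two mirror the customer cases above.
LONE_PRIMARY = {"FS1": "PRIMARY", "FS2": "SECONDARY", "FS3": "SECONDARY"}
NO_REFERENCE = {**{f"P{i}": "PRIMARY" for i in range(1, 6)},
                **{f"S{i}": "SECONDARY" for i in range(1, 8)}}
SMALL_SITE = {"FS1": "SINGLE", "FS2": "SECONDARY", "FS3": "SECONDARY"}
LARGE_SITE = {"REF1": "REFERENCE", "P1": "PRIMARY", "P2": "PRIMARY", "S1": "SECONDARY"}

if __name__ == "__main__":
    for label, tree in [("lone primary", LONE_PRIMARY), ("no reference", NO_REFERENCE),
                        ("small site", SMALL_SITE), ("large site", LARGE_SITE)]:
        print(label, "->", check_time_topology(tree) or "OK")
```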
HOW TO CHANGE TIME SERVER TYPE:
1. Load servman. Go to SERVER PARAMETERS | TIME.
2. Change "TIMESYNC type" and "Default time server type" from whatever they are to what you want them to be; i.e., SECONDARY to SINGLE, etc.
3. Hit <ESC> twice and an "Update Options" menu will appear. It will ask you if you want to save the changes to the Autoexec.ncf/Startup.ncf file plus the Timesync.cfg file. This is necessary to do. Save first to the autoexec.ncf file, and then the program will return you to the same menu. From there, update the timesync.cfg file.
4. Exit out of servman.
5. At the console prompt you can either "unload timesync" and then "load timesync" or type "set timesync restart flag=on". This option may give you a message about how unloading timesync is dangerous - say YES to it, and load it right back up.
HOW TO SET UP CONFIGURED SOURCES:
1. Load servman. Go to server parameters | time.
2. Change "TIMESYNC Configured Sources" from off to on.
3. Hit <ENTER> on "TIMESYNC ADD Time Source". A box will pop up and allow you to type. Type in the name of a time source you want this server to poll for time. Remember, secondaries get their time from a single, primary or reference server. Primary servers get their time from a reference.
4. If the ENTIRE network is using configured sources, turn time sync SAP off. This change will cut down on traffic across the wire. Change "TIMESYNC Service Advertising" to off. If not every server is using configured sources, do not turn this parameter off on a SINGLE/PRIMARY/REFERENCE - it will cause problems with time syncing correctly.
5. Hit <ESC> until servman asks you to update files again (timesync.cfg). Do it.
6. Go out to the console prompt and unload timesync and load timesync.
After a change in the time source provider, not every server in the tree will IMMEDIATELY see it and get in sync. Over the course of the next few minutes, time will eventually begin to come in sync on every server (if it isn't already). To check the progress, use dsrepair | time synchronization. If the waiting game is not what you want, visit each server in the tree and "unload timesync" and "load timesync", or type at the console "SET TIMESYNC RESTART FLAG=ON" and press <enter>. You should see a message saying that time synchronization has been established with a server.
SOME "GOTCHAS" (AND ODDITIES):
1. A REFERENCE server needs to have a PRIMARY server as a configured source. The reason for this is that a primary server needs to talk to at least another primary server to adjust time. A reference server is a primary server that looks like 16 primary servers plus it will not adjust its time, just give it. The reference server will not get its time from the primary, but it will not sync with itself unless this is set up.
2. If you use REFERENCE/PRIMARY servers, you will probably want to use configured sources because there is a WAN link and this will cut down on traffic. SAP can still be used, but your bandwidth is important, so think about it. You will not save much with this change, but every little bit helps.
3. Editing the timesync.cfg can be helpful in adding additional configured sources, and viewing basic time configuration parameters quickly. To see what the configured sources are for a server, "load edit timesync.cfg" at the system console prompt. If edit.nlm gives a message about wanting to create timesync.cfg, this means that the time configuration parameters have not been set up. To create a timesync.cfg file, go into servman.nlm and change a time parameter (don't save), and then change it back to the correct value. Upon hitting <ESC> from the time parameters and selection menu, you will see the menu where the creation of timesync.cfg is - do it.
Timesync.cfg contains information for this specific server about how time syncing is set up. At the bottom of the file is a line that says, "# Configured time source list for <SERVER>"; where <SERVER> is the server's name. Then underneath it will be a list of the configured time sources for this server (where the server looks to find time if SAP 26B is not used). The line will read "Time Source = <SERVER>". To add another time source, just make a new line under this one that says "Time Source = <SERVER>". That will do the same thing as would editing timesync.cfg through servman. After making any changes to the timesync.cfg file, unload and load timesync.nlm. This will make the changes to the file take effect.
Multiple servers in a configured source: If a secondary server is using configured sources and has two servers (SERVERA and SERVERB) in his list, then if SERVERA goes down, this server will automatically look to SERVERB for the time. This is how fault tolerance for time services is set up; i.e., multiple servers in the timesync.cfg file.
4. Sometimes the "TIMESYNC ADD TIME Source" will not display a server that has been setup as a configured source. Don't panic. This is a bug with servman displaying the parameter. This parameter is known to the system, but servman doesn't display it sometimes.
5. DS Error -659 is a time synchronization error. This document should explain how to fix this problem.
6. A reference server is not absolutely necessary for a network, as long as there are two or more primaries in the tree. A reference server is really a primary server with the weight of 15 additional primary servers behind it. Therefore, if time becomes changed on the network, a primary will advertise his time and a reference will do the same. The primary will see that there are 16 other servers (actually the one reference server) out there with one specific time, so he will move his time to meet it accordingly. So, if a network has a reference server, it will reach a stable time synchronization level much faster than if there were only two primary servers in the tree. This is simplified a bit, but the concept is correct. Hint: Use a reference server when there are primary server(s) in the tree to allow a faster stabilization of time on the network.
7. A secondary server can serve as a time source. You can point other secondary servers to a secondary (reference, primary and single time source servers cannot point to a secondary). However, this can become dangerous as the number of levels removed from a "real" provider increases. Picture a time "tree" where there are secondary servers pointing to secondary servers pointing to secondary servers, etc., finally going to a single time source. This will create problems in the time structure. It is possible to do, but not suggested or encouraged. If at all possible do not use this method of distributing time.
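Gotchas 1 and 7 can be audited from the "Time Source = <SERVER>" lines of each server's timesync.cfg. The following is an added example, not Novell code: it reads only those lines, assumes every secondary uses configured sources rather than SAP, and runs on constructed file contents with made-up server names.

```python
import re

PROVIDERS = {"SINGLE", "REFERENCE", "PRIMARY"}
SOURCE_RE = re.compile(r"^\s*Time Source\s*=\s*(\S+)", re.IGNORECASE)

def configured_sources(cfg_text):
    """Server names from 'Time Source = <SERVER>' lines; '#' comment lines never match."""
    return [m.group(1).upper() for line in cfg_text.splitlines()
            if (m := SOURCE_RE.match(line))]

def hops_to_provider(name, types, sources, seen=()):
    """Fewest configured-source hops from name to a SINGLE/PRIMARY/REFERENCE server."""
    if types.get(name) in PROVIDERS:
        return 0
    if name in seen:
        return None  # a loop of secondaries never reaches a real provider
    hops = [h + 1 for src in sources.get(name, [])
            if (h := hops_to_provider(src, types, sources, seen + (name,))) is not None]
    return min(hops) if hops else None

def audit_sources(types, cfgs):
    """types: name -> time server type; cfgs: name -> timesync.cfg text."""
    sources = {name: configured_sources(text) for name, text in cfgs.items()}
    findings = []
    for name in sorted(sources):
        kind, srcs = types[name], sources[name]
        if kind in PROVIDERS:
            for s in srcs:
                if types.get(s) == "SECONDARY":
                    findings.append(f"{name} ({kind}) points to SECONDARY {s}")
            if kind == "REFERENCE" and not any(types.get(s) == "PRIMARY" for s in srcs):
                findings.append(f"{name} (REFERENCE) has no PRIMARY configured source")
        else:
            hops = hops_to_provider(name, types, sources)
            if hops is None:
                findings.append(f"{name} never reaches a time provider")
            elif hops > 1:
                findings.append(f"{name} is {hops} hops from a time provider")
    return findings

# Constructed sample: secondaries chained behind a single time source.
TYPES = {"FS1": "SINGLE", "FS2": "SECONDARY", "FS3": "SECONDARY", "FS4": "SECONDARY"}
CFGS = {
    "FS2": "# Configured time source list for FS2\nTime Source = FS1\n",
    "FS3": "# Configured time source list for FS3\nTime Source = FS2\n",
    "FS4": "# Configured time source list for FS4\nTime Source = FS3\nTime Source = FS1\n",
}
if __name__ == "__main__":
    print("\n".join(audit_sources(TYPES, CFGS)))
```

FS4 is not reported because its second configured source is the single time server itself; FS3 is reported because its only path to a real provider runs through another secondary.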