ESXi time synchronization test, and why an NTP server built on Windows fails to synchronize

Packet capture test of ESXi synchronizing with an NTP server

Problem: When ESXi is configured for NTP time synchronization and pointed at an NTP server built on Windows, synchronization fails. When it is pointed at an NTP server built on Linux, synchronization succeeds. To find the root cause, a dedicated test environment was set up and packet captures were analyzed to study what happens during the exchange.

Test environment:

No. | Name / IP Address | OS version | Role
1 | ESXi Server22 | ESXi5.0 | ESXi server, acting as the NTP client
2 | Router1919 | Windows 2003 | Configured with routing, with a packet capture tool installed
3 | NTP Server1 | Windows2003 | Hosts the NTP server
4 | NTP Server2 | Rhel5.5 | Hosts the NTP server

Topology diagram:

Testing ESXi against an NTP server built on Windows 2003

Following the recommendations of the VMware KB, /selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1035833&sliceId=1&docTypeID=DT_KB_1_1&dialogID=970332905&stateId=1 0 970354356

1. Configure Windows 2003 and set up the NTP client

Modify the registry as follows:

   1. Enable NTP mode:
      Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
      Set the Type value to NTP.
   2. Enable the NTP Client:
      Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
      Set the AnnounceFlags value to 5.
   3. Specify the upstream NTP servers to sync from:
      Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
      Set the NtpServer value to a list of at least 3 NTP servers.
      Example: You might set the value to:
      ,0x1 2.,0x1 3.,0x1
      Note: On a Windows 2008 Domain Controller, NtpServer is located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
   4. Specify a 15-minute update interval:
      Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
      Set the SpecialPollInterval value to 900.
   5. Restart the W32time service for the changes to take effect.

2. Configure the ESXi Server and point its NTP server setting at the NTP server built on Windows

   1. Open the /etc/ntp.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
   2. Add the tos maxdist command on its own line:
          tos maxdist 30
   3. Save and close the configuration file.
   4. Make the /etc/likewise/lsassd.conf file writable by running the command:
          chmod +w /etc/likewise/lsassd.conf
   5. Open the /etc/likewise/lsassd.conf file in a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
   6. Locate the sync-system-time option, uncomment it, and set the value to no:
          sync-system-time = no
   7. Save and close the configuration file.
   8. On ESXi, save the configuration changes to the boot bank so they persist across reboots by running the command:
          /sbin/auto-backup.sh
   9. Restart the ntpd and lsassd services for the configuration changes to take effect by running the commands:
          service lsassd restart
          service ntpd restart
      Note: To restart the ntpd and lsassd services on an ESXi host, run these commands:
          /etc/init.d/lsassd restart
          /etc/init.d/ntpd restart

3. Configure the NTP server address on ESXi

4. Monitor the packets

Only the NTP packets sent by ESXi appear; the NTP server does not reply.

5. Adjust the KB procedure: modify the registry and enable the NTP service

Registry value to change: Run - regedit, then set Enabled under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer to 1 to turn on the NTP server function (the NTP Server service is not enabled by default).
Restart the W32Time service.

6. After the NTP service is enabled, the capture shows that the NTP server replies

7. NTP packets

The NTP request packets sent by ESXi are NTP version 4.
The response packets from the NTP server built on Windows are NTP version 3.
ESXi does not complete time synchronization; the response packets sent back by the NTP server are not accepted.

Testing ESXi against an NTP server built on Linux

1. Configure Linux as the NTP server

   1. Edit ntp.conf
   2. Sample ntp.conf configuration:

    # Permit time synchronization with our time source, but do not
    # permit the source to query or modify the service on this system.
    restrict default nomodify

    # Permit all access over the loopback interface. This could
    # be tightened as well, but to do so would affect some of
    # the administrative functions.
    restrict

    # - CLIENT NETWORK -
    # Permit systems on this network to synchronize with this
    # time service. Do not permit those systems to modify the
    # configuration of this service. Also, do not use those
    # systems as peers for synchronization.
    # restrict mask nomodify notrap

    # - OUR TIMESERVERS -
    server 0.
    server 1.
    server 2.

    # - NTP MULTICASTCLIENT -
    #multicastclient    # listen on default
    # restrict mask 55 nomodify notrap
    # restrict mask nomodify notrap

    # - GENERAL CONFIGURATION -
    #
    # Undisciplined Local Clock. This is a fake driver intended for backup
    # and when no outside source of synchronized time is available. The
    # default stratum is usually 3, but in this case we elect to use stratum
    # 0. Since the server line does not have the prefer keyword, this driver
    # is never used for synchronization, unless no other
    # synchronization source is available. In case the local host is
    # controlled by some external source, such as an external oscillator or
    # another protocol, the prefer keyword would cause the local host to
    # disregard all other synchronization sources, unless the kernel
    # modifications are in use and declare an unsynchronized condition.
    #
    server    # local clock
    fudge stratum 10

    # Drift file. Put this in a directory which the daemon can write to.
    # No symbolic links allowed, either, since the daemon updates the file
    # by creating a temporary in the same directory and then rename()ing
    # it to the file.
    #
    driftfile /var/lib/ntp/drift
    broadcastdelay 0.008

    # Keys file. If you want to diddle your server at run time, make a
    # keys file (mode 600 for sure) and define the key number to be
    # used for making requests.
    # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
    # systems might be able to reset your clock at will. Note also that
    # ntpd is started with a -A flag, disabling authentication, that
    # will have to be removed as well.
    #
    keys /etc/ntp/keys

   3. Open port 123 in the Linux firewall

2. Change the NTP server on ESXi so that it points to the IP of the Linux server:

3. NTP packet contents

   1. Sent a total of
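The version and mode fields compared in the capture, and the server-advertised root distance that `tos maxdist` bounds, can be read directly from the first 12 bytes of the 48-byte NTP header. The Python sketch below is an added example, not part of the original document: the sample packets are constructed rather than taken from the author's capture, and `build`, `parse_ntp_header` and `reply_problems` are hypothetical helpers that cover only the server-advertised part of what ntpd checks.

```python
import struct

def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the NTP header fields needed to compare a request with its reply."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(pkt))
    flags, stratum, root_delay, root_disp = struct.unpack("!BB2xII", pkt[:12])
    return {
        "leap": flags >> 6,               # 3 = server clock unsynchronized
        "version": (flags >> 3) & 0x7,    # 4 in the ESXi request, 3 in the Windows reply
        "mode": flags & 0x7,              # 3 = client, 4 = server
        "stratum": stratum,
        "root_delay": root_delay / 65536.0,        # 16.16 fixed-point seconds
        "root_dispersion": root_disp / 65536.0,
    }

def reply_problems(reply: dict, maxdist: float) -> list:
    """List reasons a client would not select this reply's source.

    Only the server-advertised part of the root distance is used here;
    ntpd adds the measured peer delay and dispersion on top of it.
    """
    problems = []
    if reply["mode"] != 4:
        problems.append("mode %d is not a server reply" % reply["mode"])
    if reply["leap"] == 3:
        problems.append("leap indicator 3: server reports an unsynchronized clock")
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        problems.append("stratum %d is unusable" % reply["stratum"])
    dist = reply["root_delay"] / 2 + reply["root_dispersion"]
    if dist > maxdist:
        problems.append("root distance %.3f s exceeds maxdist %.1f s" % (dist, maxdist))
    return problems

def build(flags: int, stratum: int, root_delay: float, root_disp: float) -> bytes:
    """Build a constructed 48-byte packet; timestamps are left zeroed."""
    head = struct.pack("!BB2xII", flags, stratum,
                       int(root_delay * 65536), int(root_disp * 65536))
    return head + bytes(36)

# Constructed samples (not from the document's capture).
SAMPLE_REQUEST = build(0x23, 0, 0.0, 0.0)       # LI 0, version 4, mode 3 (client)
SAMPLE_REPLY = build(0x1C, 2, 0.03125, 10.5)    # LI 0, version 3, mode 4 (server)
SAMPLE_UNSYNCED = build(0xDC, 0, 0.0, 0.0)      # LI 3, version 3, mode 4, stratum 0

if __name__ == "__main__":
    for name, pkt in [("request", SAMPLE_REQUEST), ("reply", SAMPLE_REPLY)]:
        print(name, parse_ntp_header(pkt))
    for limit in (1.0, 30.0):   # 30 is the value from the KB's tos maxdist line
        print(limit, reply_problems(parse_ntp_header(SAMPLE_REPLY), limit))
```

Feeding it the first 48 bytes of the UDP payload from a real capture shows whether a reply that reaches the client is being discarded for an unsynchronized leap indicator, an unusable stratum, or an advertised root distance above the configured limit.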
