Albert Widjaja
asked on
Standardizing NTP source for all Windows Server joined to domain
Hi,
Can someone here please share some steps to standardize the time source in my domain-joined Windows Servers (2003 up to 2012 R2) and also the workstations (XP to 8.1)?
Because when I run the following command to check the NTP source:
2003
net time /querysntp
2008-2012 R2
w32tm /query /source
They all return different values, from internal domain controllers and also some default time.windows.com
The PDC emulator role is on a Win2003 server called PRODDC02, but somehow the other domain controller, which runs on Win2008R2, doesn't refer to this PDC role. Why is that? Is it because the Windows Server 2003 domain controller is too old?
After setting up NTP on your AD servers, use GPOs to set NTP for all the clients and member servers.
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
You can create a GPO and set the time providers, but all of the DCs already know which domain controller is the authoritative time provider based on the PDC role holder.
If you ever need to seize or transfer the PDC role for any reason, you will also need to wait for group policy to update accordingly.
I have set up and used Time Service for years without specifying it in the GPO. All of the DCs act as a time source and get their time source from the PDC in your environment. This allows for more flexibility if you ever have to transfer or seize this role; you will not be in a situation waiting on Group Policy to process. Other DCs will see that a new DC has been promoted to the PDC role, and as long as you set up an external time source via the registry, all the DCs will point to the new PDC as the time server.
Either way will work; this is just my own opinion.
Will.
ASKER
Ok, so after I transfer the FSMO role to the new Win2k8r2 VM, should I force replicate AD from this new PDC emulator?
And then after that, when I create the GPO with the WMI filter applied to the Domain Controllers OU, do I have to force replicate AD again?
Lastly, after the GPO takes effect for the PDC emulator role, I assume that I do not have to do anything on the domain-joined servers and workstations.
Is that correct?
Well done saige! I hadn't thought to use a WMI filter to identify the PDC, that's a great idea! Thanks for sharing!
ASKER
Ok, so in this case, for the PDC emulator WMI-filtered Timesynch GPO to be created, shall I put it on the root domain and as priority #2 below the default domain policy?
Is that correct?
Put it on your Domain controller OU.
ASKER
Many thanks all !
netdom query fsmo
Make sure that your PDC is correct. If all of these settings are correct from the PDC role, then having other DCs show up when you run w32tm /query /source is completely normal.
This is the hierarchy for time source.
First - External Source (internet)
Second - PDC Emulator
Third - All other DCs in your environment
Any one of the domain controllers can provide a time source to clients. The PDC is authoritative, but DCs get their time from the PDC emulator as well.
Take a look at the following link which provides you a detailed hierarchy of Time Source service.
Active Directory Time Source Hierarchy Diagram
Will.
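The hierarchy described in the thread, applied per machine role, as an added example that is not part of the original posts: the PDC emulator syncs from external peers, and every other domain member follows the domain hierarchy. It assumes PowerShell 2.0 or later in an elevated session; the peer names are placeholders.

```powershell
# Added example (not from the thread): role-aware Windows Time configuration.
# Assumption: ntp1/ntp2.example.com are placeholders for your approved NTP servers.
$ExternalPeers = 'ntp1.example.com,0x8 ntp2.example.com,0x8'   # 0x8 = client mode

# Win32_ComputerSystem.DomainRole: 5 = PDC emulator, 4 = other DC,
# 3 = member server, 1 = member workstation, 0 and 2 = not domain-joined.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole

switch ($role) {
    5 {
        # PDC emulator: the only machine that talks to the external source.
        & w32tm /config "/manualpeerlist:$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    }
    { 1, 3, 4 -contains $_ } {
        # Other DCs, member servers, workstations: follow the domain hierarchy.
        & w32tm /config /syncfromflags:domhier /update
    }
    default {
        Write-Warning "Not domain-joined (DomainRole=$role); no change made."
        return
    }
}

# Drop cached peers and resynchronize against the new configuration.
& w32tm /resync /rediscover | Out-Null

# Verify the result. 'w32tm /query' exists on Vista/2008 and later;
# on XP/2003 fall back to the command quoted in the question.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $source = ((& w32tm /query /source) | Out-String).Trim()
} else {
    $source = ((& net time /querysntp) | Out-String).Trim()
}
Write-Output "$env:COMPUTERNAME (DomainRole=$role) time source: $source"

# Flag machines outside the hierarchy: only the PDC emulator should use an
# external peer, and nothing should run on its own hardware clock.
$offHierarchy = $source -match 'time\.windows\.com|Local CMOS Clock|Free-running System Clock'
if ($role -ne 5 -and $offHierarchy) {
    Write-Warning "$env:COMPUTERNAME is not syncing from the domain hierarchy."
}
```

If a GPO also configures the Windows Time providers, its policy values take precedence over what `w32tm /config` writes, so check the applied policy when the reported source does not change.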