Albert Widjaja

Standardizing NTP source for all Windows Server joined to domain

Hi,

Can someone here please share some steps to standardize the time source on my domain-joined Windows Servers (2003 up to 2012 R2) and also the workstations (XP to 8.1)?

Because when I run the following command to check the NTP source:

2003
net time /querysntp

2008-2012 R2
w32tm /query /source

They all return different values, from an internal domain controller and also some default time.windows.com.

The PDC emulator role is on a Win2003 server called PRODDC02, but somehow the other domain controller, which runs on Win2008R2, doesn't refer to this PDC role. Why is that? Is it because the Windows Server 2003 domain controller is too old?
SOLUTION
Frank Helk
This solution is only available to members.
This is by design! If you have correctly configured your PDC role for an external time source (via registry), run the below command:

netdom query fsmo

Make sure that your PDC is correct. If all of these settings are correct from the PDC role, then having other DCs show up when you run w32tm /query /source is completely normal.

This is the hierarchy for time source.
First - External Source (internet)
Second - PDC Emulator
Third - All other DC's in your environment

Any one of the domain controllers can provide a time source to clients. The PDC is authoritative, but DCs get their time from the PDC emulator as well.

Take a look at the following link which provides you a detailed hierarchy of Time Source service.
 Active Directory Time Source Hierarchy Diagram

Will.
After setting up NTP in your AD servers, use GPOs to set NTP for all the clients and member servers.

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
You can create a GPO and set the time providers, but all of the DCs already know which domain controller is the authoritative time provider based on the PDC role holder.

If you ever need to seize or transfer the PDC role for any reason you will need to also wait for group policy to update accordingly.

I have set up and used the Time Service for years without specifying it in the GPO. All of the DCs act as a time source and get their time source from the PDC in your environment. This allows for more flexibility if you ever have to transfer or seize this role; you will not be in a situation waiting on Group Policy to process. Other DCs will see that a new DC has been promoted to the PDC role, and as long as you set up an external time source via the registry, all the DCs will point to the new PDC as the time server.

Either way will work; this is just my own opinion.

Will.
Albert Widjaja
ASKER

Ok, so after I transfer the FSMO role to the new Win2k8r2 VM, should I force replicate AD from this new PDC emulator?

And then after that, when I create the GPO with the WMI filter applied to the Domain Controllers OU, do I have to force replicate AD again?

Lastly, after the GPO takes effect for the PDC emulator role, I assume that I do not have to do anything on the domain-joined servers & workstations.

Is that correct?
Well done saige! I hadn't thought to use a WMI filter to identify the PDC, that's a great idea! Thanks for sharing!
Ok, so in this case, for the PDC emulator WMI-filtered Timesynch GPO to be created, shall I put it on the root domain and as priority #2 below the default domain policy?

Is that correct?
Put it on your Domain Controllers OU.
Many thanks all!
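
The hierarchy Will describes and the WMI-based PDC detection mentioned at the end of the thread can be checked per machine with a short script. This is an added example, not code posted by any participant. It assumes Windows PowerShell 2.0 or later in an elevated prompt, and the `$ExternalPeers` host names are placeholders for your own NTP servers.

```powershell
# Added example: audit the local Windows Time configuration against the
# hierarchy described in the thread, and optionally correct it.
# Assumptions: Windows PowerShell 2.0+, elevated prompt, and $ExternalPeers
# is a placeholder list that you replace with your own NTP servers.
param(
    [string]$ExternalPeers = 'ntp1.example.org,0x8 ntp2.example.org,0x8',
    [switch]$Fix
)

# Local (non-policy) settings; values pushed by a GPO are stored under
# HKLM:\SOFTWARE\Policies\Microsoft\W32Time and take precedence over these.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$cfg = Get-ItemProperty -Path $key

# DomainRole: 1 = member workstation, 3 = member server,
#             4 = domain controller, 5 = DC holding the PDC emulator role
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -eq 0 -or $role -eq 2) {
    Write-Warning 'Not domain joined; the domain hierarchy does not apply.'
    return
}

$isPdc    = ($role -eq 5)
$wantType = if ($isPdc) { 'NTP' } else { 'NT5DS' }   # NT5DS = sync from domain hierarchy
$ok       = ($cfg.Type -eq $wantType)
if ($isPdc -and $ok) { $ok = ($cfg.NtpServer -eq $ExternalPeers) }

New-Object PSObject -Property @{
    Computer  = $env:COMPUTERNAME
    IsPdc     = $isPdc
    Type      = $cfg.Type
    NtpServer = $cfg.NtpServer     # ignored by the service while Type is NT5DS
    Compliant = $ok
}

if ($Fix -and -not $ok) {
    if ($isPdc) {
        # Only the PDC emulator points at the external source
        $peerArg = "/manualpeerlist:$ExternalPeers"
        w32tm /config $peerArg /syncfromflags:manual /reliable:yes /update
    } else {
        # Everything else follows the domain hierarchy
        w32tm /config /syncfromflags:domhier /update
    }
    w32tm /resync /rediscover
}
```

Run it without `-Fix` first to see which machines still carry a manual peer such as time.windows.com; clock drift beyond the Kerberos skew tolerance breaks authentication, so change sources during a maintenance window.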