metazend asked:

Timeserver on DOMAIN using GPO

I've built a server to provide time on the local network, and have been using it with Xen Server pools as I don't like giving the management interface on the hypervisor access to the outside network. There are currently no VLANs set up, and the time syncs as it should for the hypervisors. This NTP server is not a domain controller, secondary or otherwise (although I can change this if required, but would like to avoid having it as Primary).

The NTP server is a Windows Server 2008 R2 Standard, with relevant services installed. I can go the Linux route, but I'm not sure if it would cause problems in providing time to Windows systems (I don't imagine it would).

In any case, I've tested the configuration, and manually synced one Windows system to it. What I want to do next is SYNC all the computers that are joined to the domain with this specific server. I have been unsuccessful so far; I'm not sure if it's what I detailed in the GPO.

I essentially have the entry configured in the GPO:

Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers -> Windows NTP Configuration

This points to the server non-pdc-server.server_on_domain.ads

Should I instead have it point to the PDC and have the PDC somehow sync with this server? Or use Windows NTP server instead of client? I'm a little confused.

Svet Paperov

In a Windows domain, the time source for all member servers and other domain controllers is the PDC-role holder DC; there is no need for GPO configuration.

I would synchronize the PDC with an NTP server on a stand-alone machine, Windows or Linux (Linux NTP is easy to set up and it is supported as a source for Windows). I would also prefer that the NTP source is a Linux physical machine, in order to eliminate possible loops with the integration services.

Local Policies can be configured on stand-alone Windows servers to synchronize the time with the PDC.

I am sorry, I cannot give more precise instructions because all my notes are in the office, but you can find all the necessary information on the Internet.

I hope this helps. If you have more questions I will be able to provide you more detailed info tomorrow.

metazend (ASKER)

Ok that's a fair suggestion.

I will rebuild the server with CentOS or FreeBSD, but what bothers me at the moment is that the member servers on the domain aren't syncing with the PDC for time.  Would I need to manually open a port (123) on the firewall for the PDC?

This implies I would not need to install additional services on the PDC to provide network time?  I can also have the computers joined on the domain to retrieve time from the PDC automatically?

SOLUTION
Svet Paperov

This solution is only available to members.

So far, the Linux system is set up, and the domain controller I manually synced with it as a test by doing a "net time /set \\linuxserverhostname".

However, I can't get member servers or workstations to synchronize.

Strangely, when I do a "net time" in the command line, from any system, it already pops up with the PDC and states the time on the PDC correctly. If I'm logged in as administrator on the system in question and do "net time /set \\PDC.domain.ads" it will sync; otherwise, as a regular domain user, it will say that the user doesn't have the required privileges.

I have a feeling that a GPO entry I have to prevent users from modifying system time is also preventing the system itself from applying the time sync.  I'll test this out this weekend, and will update.

ASKER CERTIFIED SOLUTION

This solution is only available to members.

Sorry for the delay, but yes, correcting the GPO that prevented users from changing the time on their system made the difference.
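
One way to check for the cause the asker identified, as an added example that is not part of the original thread: the script below reports a domain member's time source and whether the account the Windows Time service runs under still holds the right to set the clock. It assumes the restrictive GPO edited the "Change the system time" user right (SeSystemtimePrivilege), which the thread does not name, and that W32Time runs under its default LOCAL SERVICE account.

```powershell
# Added example, not from the thread. Run from an elevated prompt on a domain member.
# Assumption: the GPO in question changed the "Change the system time" user right
# (SeSystemtimePrivilege); the thread does not say which setting it was.

# 1. Where does this machine currently get its time, and when did it last sync?
w32tm /query /source
w32tm /query /status

# 2. Export the effective user-rights assignments (GPO settings included)
#    and pull out the line for SeSystemtimePrivilege.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege\s*=' |
         Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# secedit writes SIDs as "*S-1-5-19,*S-1-5-32-544"; strip the leading '*'.
$holders = @()
if ($entry) {
    $holders = ($entry.Line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
"Accounts allowed to change the system time: $($holders -join ', ')"

# 3. Confirm which account W32Time runs under (default: NT AUTHORITY\LocalService).
$svc = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
"W32Time runs as: $($svc.StartName) (state: $($svc.State))"

# 4. LOCAL SERVICE has the well-known SID S-1-5-19. If a policy meant to stop
#    users changing the clock removed it, the service can still read the time
#    from the PDC but is not allowed to apply it.
$localServiceSid = 'S-1-5-19'
if ($holders -contains $localServiceSid) {
    'OK: LOCAL SERVICE holds SeSystemtimePrivilege.'
} else {
    Write-Warning ('LOCAL SERVICE is missing from "Change the system time". ' +
        'Add it back in the GPO, run gpupdate /force, then re-run this check.')
}

# 5. Once the right is restored, point the member at the domain hierarchy
#    and force a sync (uncomment to apply):
# w32tm /config /syncfromflags:domhier /update
# w32tm /resync /rediscover
```

Restricting the right to Administrators and LOCAL SERVICE keeps ordinary domain users from changing the clock while leaving the time service able to sync.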