• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 179
  • Last Modified:

Best Practices for configuring Time in a multiserver domain

What is the best practice for configuring time source in a multi server domain?  (Have a mix of 2003 STD and 2012 STD and HyperV - VMs)

This is what I was thinking.......Have the DC/FSMO get external time,  Have the other DCs and member servers point to the DC/FSMO.  I believe workstations will by default point to the DC/Fsmo???

Should the other DCs and member servers point to the DC/FSMO and have a 2nd time source thats  external?
0
howmad2
Asked:
howmad2
2 Solutions
 
Kent WSr. Network / Systems AdminCommented:
You are correct, your primary DC should look externally, all other computers internally.  If they are joined to the domain, this should happen automatically.  Any machines that are not technically on the domain (linux, etc.) can be pointed to your primary DC.  Your other DCs should also be getting time from the primary.
0
 
DrDave242Commented:
Just so you know, you don't have to manually point the other machines at the PDC Emulator. Simply configure them to get time from the domain hierarchy (by setting the W32Time\Parameters\Type registry key to NT5DS or via the w32tm /config /syncfromflags:DOMHIER /update command), and they'll figure out the rest.
0
 
frankhelkCommented:
I would opt in for the "external time source for the no-dc's as backup" idea ... but that would be tricky to configure with W32time. And I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service (see my article on NTP for more info), and sync the PDC and BDC to the servers from pool.ntp.org, i.e. with
(...)
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
(...)

Open in new window

in ntp.conf. Sync the clients preferably to the PDC/BDC, but give time sources for backup, too, with
(...)
server PDCSERVER iburst prefer
server BDCSERVER iburst prefer
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
(...)

Open in new window

in ntp.conf.

The NTP service software is free. Easy to install and configure, has a low ressource footprint, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting. The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.

If securtity is an issue, you might as well place radio controlled clock appliances into your LAN who serve time very reliable and precise.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now