Solved

NTP synchronization for all servers and computers to the PDC Emulator Domain Controller running in a Virtual Machine

Posted on 2014-10-22
Last Modified: 2014-10-24
Hi Folks,

May I know what sort of things I need to know so that I can successfully set the PDC Emulator Domain Controller as the NTP synchronization authority?

Where do I set the GPO, and what other settings do I need to be aware of?

The Domain Controllers are deployed as VMware Virtual Machines, and my goal is to synchronize all workstations and servers, as well as the ESXi servers and other hardware appliances in the data center and office building.
11 Comments
 
LVL 25

Accepted Solution

by:
Mohammed Khawaja earned 250 total points
ID: 40398386
There is no GPO you need to set; however, you could create a GPO to set the time on all DCs. The PDC and all domain machines should not synchronize their time with the ESX host. The root PDC emulator should be configured to synchronize time with a reliable NTP server, and then all domain-joined machines will synchronize their time with the DCs. Refer to the links below on how to configure a DC to synchronize time with a reliable time server:

http://www.ali-inc.com/technical/192-sync-windows-time-with-external-source.html
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
http://jackstromberg.com/2013/10/configuring-external-time-source-on-your-primary-domain-controller/
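As an added example (mine, not part of the thread or of the linked articles), here is the configuration the accepted answer describes, typed on the PDC emulator in an elevated PowerShell session. It assumes the RSAT ActiveDirectory module is installed, that the four oceania pool servers the asker proposed are reachable on outbound UDP/123, and that the host name check below is enough to tell you are on the right DC; the `,0x8` peer flag and the `w32tm` verification switches are standard w32tm usage, the pool names are the asker's.

```powershell
# Added example: point the forest-root PDC emulator at external NTP sources and
# leave every other machine on the default domain hierarchy (NT5DS).
# Run elevated on the PDC emulator. Assumes RSAT's ActiveDirectory module.

# 1. Refuse to run anywhere but the PDC emulator; other DCs and members stay at defaults.
$pdc = (Get-ADDomain).PDCEmulator          # FQDN of the PDC emulator (name comes from AD)
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    throw "This host is $env:COMPUTERNAME; the PDC emulator is $pdc. Configure that one instead."
}

# 2. External peers. ",0x8" sends client-mode requests only, which is what a
#    public pool expects. Use 0x9 if you also want SpecialPollInterval honoured.
$peers = @(
    '0.oceania.pool.ntp.org,0x8'
    '1.oceania.pool.ntp.org,0x8'
    '2.oceania.pool.ntp.org,0x8'
    '3.oceania.pool.ntp.org,0x8'
) -join ' '

# 3. Sync from the manual peer list only and advertise this DC as a reliable
#    time source so the rest of the domain hierarchy prefers it.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# 4. Verify. Source must be one of the pool servers, not "Local CMOS Clock"
#    or "Free-running System Clock"; Stratum should be pool stratum + 1.
w32tm /query /source
w32tm /query /status /verbose
w32tm /query /configuration

# 5. Cross-check every DC from here: offsets should be well under a second and
#    the PDC emulator is marked *** PDC *** in the listing.
w32tm /monitor

# 6. On a workstation (not on the PDC) the source should be a DC's FQDN, and
#    /stripchart shows the member's offset against the PDC directly:
#    w32tm /query /source
#    w32tm /stripchart /computer:<pdc fqdn> /samples:5 /dataonly
```

Nothing in the block touches member machines: once the PDC emulator is reliable, members and other DCs find it through the normal domain hierarchy, which is exactly the point of the accepted answer.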
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40398401
OK, so in this case can I use the following four servers from http://www.pool.ntp.org/zone/oceania ?

   server 0.oceania.pool.ntp.org
   server 1.oceania.pool.ntp.org
   server 2.oceania.pool.ntp.org
   server 3.oceania.pool.ntp.org

LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40398405
You very well could, or you could use some of Microsoft's NTP servers.
LVL 7

Assisted Solution

by:BobintheNoc
BobintheNoc earned 250 total points
ID: 40398416
As the PDC emulator, all member systems and other DCs will automatically sync time at startup via Windows built-in services (Client for Microsoft Networks, perhaps), which isn't exactly identical to NTP (Network Time Protocol).

If you specifically want to use NTP, you can specify an NTP server as a source via the w32tm service, by using the w32tm command-line command. By specifying the NTP source, you can specifically look to an NTP server of your choice; however, for a domain-joined machine that uses Kerberos authentication, it'd be advised to leave the sync of Windows time at default. If you did change/specify an external NTP source, your machine may be accurate according to the NTP source server; however, if your DCs ever varied by more than 5 minutes (the default allowed variance for good Kerberos handling) from the NTP server, your member would fail to negotiate via Kerberos.

I do believe you can point other devices to your 2003 or better DC as an NTP server as well, just as long as Windows Time services are active.

One potential problem with the out-of-box Microsoft network time is that it's only applied/synced at boot time for the members. If you had a drifting time clock on the member, and you don't reboot often enough, the sway will eventually go beyond 5 minutes. So, for those machines that do get left on for months or years at a time, it is good to have the member sync time on a regular basis.
I usually use a registry file to apply to boxes after I've manually set up a machine to use a particular NTP source, then replicate the registry settings to other machines however you'd like, potentially even with a GPO. There may be a setting already within Group Policy templates for this, but I'm an old dog and stick with what I know to work consistently.

You can also use the NET TIME command to SET the Microsoft time, and even create a scheduled task to run the command on your schedule of choice. Clumsy, but not too bad. Otherwise, use the w32tm command line to specify sources, etc. W32tm /? will produce the syntax help. We can look up the exact syntax if you can't; it's just that I'm on my mobile device at the moment.

You could also build your own administrative template with the registry keys to craft out a policy.

If you need more info, just holler, and I'll run through it more.

For the record though, you specifically mentioned NTP; maybe a little more description of what you're trying to accomplish will lend to a more defined answer. Are you having time drift problems?
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40398421
Thanks Bob,

I'm currently decommissioning the old Win2003 physical box that is running in the server room; the replacement will be a new Windows Server 2012 R2 Domain Controller VM in a separate Data Center building.
LVL 7

Assisted Solution

by:BobintheNoc
BobintheNoc earned 250 total points
ID: 40398432
So you just want to make sure that the other members start using the new DC after the replacement is done? After the change-out, when the members reboot next, they will sync with their logon DC, and if there's only one DC, you'll know which one it is :). If you have multiple DCs, then the logon DC that the member uses is determined by your Sites and Services configuration, assuming that there is proper subnet info added to the site. If no nearest DC is discovered because the site subnet configuration is wrong or missing, the member will seek out the first DC record returned for the DNS query of the AD domain. It's all so automatic that you don't usually have to do anything at all, and it's advised to just leave the defaults alone. If you do decide to force an NTP peer source, you'll want to always keep it in mind, which is why defaults are good.

Left alone, and barring actual problems or other configurations, Microsoft has this topic nailed down nicely. Let me know if we haven't convinced you yet, and I'll supply an exact entry to type to sync to the DC on an ongoing basis. But again, keep life and your systems simple: variance from MS design means having to increase administrative burden.
LVL 26

Expert Comment

by:DrDave242
ID: 40402423
> One potential problem with the out-of-box Microsoft network time is that it's only applied/synced at boot time for the members

If the Windows Time service is functioning properly, it won't only sync at boot time. By default, it'll sync at an interval that is dynamically determined by the quality of the information it's receiving from its source. (In other words, the polling interval can change over time.) You can, however, configure the service to use a static interval (SpecialPollInterval) in the registry. I believe 3600 seconds (one hour) is the default value for SpecialPollInterval.

To see the current polling interval for a given system, along with some other potentially useful information, use the w32tm /query /status command:

[Image: output of the w32tm /query /status command]

As you can see, this machine is currently polling its time source every 2048 (2^11) seconds. (There's also a /verbose switch for that command that will show you even more info.)

The most important thing to remember is that your PDC Emulator is the only machine in the domain that should require any kind of manual tweaking to its Windows Time Service settings; everything else should sync with the domain hierarchy.
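An added example (mine, not the posters') that turns BobintheNoc's Kerberos warning and DrDave242's polling-interval point into a check you can run from a management host: for each machine it reads the W32Time type (NT5DS means domain hierarchy, NTP means a manual peer list), the configured SpecialPollInterval and the current source, then measures the machine's offset against the PDC emulator with `w32tm /stripchart` and flags anything past Kerberos' default 5-minute MaxClockSkew. The computer names are constructed sample input; the script assumes WinRM (PowerShell remoting) is enabled on the targets, that they can reach the PDC on UDP/123, and that the RSAT ActiveDirectory module is present where it runs.

```powershell
# Added example: audit how domain members keep time and how far they are from the PDC.
# Assumes WinRM on the targets and RSAT's ActiveDirectory module locally.

$pdc          = (Get-ADDomain).PDCEmulator
$pdcShortName = ($pdc -split '\.')[0]
$computers    = 'DC02', 'FS01', 'WS-SALES-07'     # constructed sample names, not from the thread
$kerberosSkew = [TimeSpan]::FromMinutes(5)        # Kerberos MaxClockSkew default

$report = foreach ($c in $computers) {
    Invoke-Command -ComputerName $c -ArgumentList $pdc -ScriptBlock {
        param($Reference)
        $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
        $ntpc   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

        # Offset of this machine relative to the PDC emulator, measured from here.
        # /dataonly prints lines like "22:14:47, +00.0012345s"; average three samples.
        $samples = w32tm /stripchart /computer:$Reference /samples:3 /dataonly 2>&1 |
            ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } }
        $offset = if ($samples) { ($samples | Measure-Object -Average).Average } else { $null }

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            Type                = $params.Type               # NT5DS = domain hierarchy, NTP = manual peers
            NtpServer           = $params.NtpServer          # only meaningful when Type is NTP
            SpecialPollInterval = $ntpc.SpecialPollInterval  # seconds; only used with the 0x1 peer flag
            Source              = (w32tm /query /source)
            OffsetSeconds       = $offset
        }
    }
}

$report | ForEach-Object {
    $flags = @()
    # Only the PDC emulator is expected to carry a manual (NTP) configuration.
    if ($_.Type -ne 'NT5DS' -and $_.Computer -ne $pdcShortName) {
        $flags += "not on domain hierarchy (Type=$($_.Type))"
    }
    if ($null -eq $_.OffsetSeconds) {
        $flags += 'offset not measured (UDP/123 to PDC blocked?)'
    } elseif ([math]::Abs($_.OffsetSeconds) -gt $kerberosSkew.TotalSeconds) {
        $flags += 'beyond Kerberos 5-minute skew: authentication will fail'
    }
    $_ | Add-Member -NotePropertyName Findings -NotePropertyValue ($flags -join '; ') -PassThru
} | Format-Table Computer, Type, Source, SpecialPollInterval, OffsetSeconds, Findings -AutoSize
```

A member that reports Type NT5DS, a DC as its source and an offset of a few milliseconds is in the state DrDave242 describes; one with Type NTP and a public server as source is the case BobintheNoc warns about, accurate on its own but at risk of drifting out of the Kerberos window relative to the DCs.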
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40403237
Cool, thanks guys for the assistance and clarification.
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40403239
So, no special needs for virtual machine domain controllers?
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 250 total points
ID: 40403443
For virtual DCs, ensure you are not synchronizing time with the host server.
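As an added example (not from the thread), the VMware side of that last point: clearing the "Synchronize guest time with host" checkbox only stops the periodic sync, while VMware Tools still pushes the ESXi host's clock into the guest on one-off events such as snapshot restore, resume, vMotion and Tools start-up, which is how a virtual DC can jump relative to its NTP source. The script assumes PowerCLI is loaded and `Connect-VIServer` has already been run, that the DC's VM is called `DC01` (an assumed name), and that a power cycle is scheduled so the .vmx keys are certain to take effect; the key names are VMware's documented `tools.syncTime` and `time.synchronize.*` settings.

```powershell
# Added example: stop a virtual DC from taking time from its ESXi host.
# Assumes PowerCLI is loaded and Connect-VIServer has already run (assumption).
$vm = Get-VM -Name 'DC01'                          # assumed VM name

# tools.syncTime=0 is the "Synchronize guest time with host" checkbox.
# The time.synchronize.* keys stop the one-off corrections Tools still applies
# on snapshot restore, resume, vMotion, disk shrink and Tools start-up.
$noHostSync = @{
    'tools.syncTime'                 = '0'
    'time.synchronize.continue'      = '0'
    'time.synchronize.restore'       = '0'
    'time.synchronize.resume.disk'   = '0'
    'time.synchronize.shrink'        = '0'
    'time.synchronize.tools.startup' = '0'
    'time.synchronize.tools.enable'  = '0'
    'time.synchronize.resume.host'   = '0'
}
foreach ($kv in $noHostSync.GetEnumerator()) {
    New-AdvancedSetting -Entity $vm -Name $kv.Key -Value $kv.Value -Confirm:$false -Force | Out-Null
}

# Read back what the VM actually carries, so the change can be audited later.
Get-AdvancedSetting -Entity $vm |
    Where-Object { $_.Name -eq 'tools.syncTime' -or $_.Name -like 'time.synchronize.*' } |
    Select-Object Name, Value

# Inside the guest, confirm Tools agrees and that W32Time is the only thing setting the clock:
#   & "$env:ProgramFiles\VMware\VMware Tools\VMwareToolboxCmd.exe" timesync status   (expect: Disabled)
#   w32tm /query /source   (expect an NTP peer on the PDC emulator, a DC everywhere else)
```

Apply the same keys to every DC VM, not only the PDC emulator: the point is that W32Time, fed by the domain hierarchy, is the sole source of truth inside the guest, and the host's clock never reaches it by a second path.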
LVL 7

Expert Comment

by:BobintheNoc
ID: 40403545
Thanks for the extra info and correction of my outdated understandings!  Great info.