NTP synchronization for all servers and computer to PDC Emulator Domain Controller in Virtual Machine

Posted on 2014-10-22
Last Modified: 2014-10-24
Hi Folks,

May I know what sort of things I need to know so that I can successfully set the PDC Emulator Domain Controller as the NTP synchronization authority?

Where do I set the GPO, and what other settings do I need to be aware of?

The Domain Controllers are deployed as VMware Virtual Machines, and my goal is to synchronize all Workstations and Servers as well as the ESXi servers and other hardware appliances in the Data Center and office building.
Accepted Solution by Mohammed Khawaja (earned 250 total points), ID: 40398386
There is no GPO you need to set; however, you could create a GPO to set the time on all DCs. The PDC and all domain machines should not synchronize their time with the ESX host. The root PDC emulator should be configured to synchronize time with a reliable NTP server, and then all domain-joined machines will synchronize their time with the DCs. Refer to the links below on how to configure a DC to synchronize time with a reliable time server:

http://www.ali-inc.com/technical/192-sync-windows-time-with-external-source.html
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
http://jackstromberg.com/2013/10/configuring-external-time-source-on-your-primary-domain-controller/
 
Author Comment by Senior IT System Engineer, ID: 40398401
OK, so in this case can I use the following four servers from http://www.pool.ntp.org/zone/oceania?

   server 0.oceania.pool.ntp.org
   server 1.oceania.pool.ntp.org
   server 2.oceania.pool.ntp.org
   server 3.oceania.pool.ntp.org

 
Expert Comment by Mohammed Khawaja, ID: 40398405
You very well could, or you could use some of Microsoft's NTP servers.
 
Assisted Solution by BobintheNoc (earned 250 total points), ID: 40398416
As the PDC emulator, all member systems and other DCs will automatically sync time, at startup, via Windows built-in services (Client for Microsoft Networks, perhaps), which isn't exactly identical to NTP (Network Time Protocol).

If you specifically want to use NTP, you can specify an NTP server as a source via the w32tm service, by using the w32tm command-line command. By specifying the NTP source, you can specifically look to an NTP server of your choice; however, for a domain-joined machine that uses Kerberos authentication, it'd be advised to leave the sync of Windows time at default. If you did change/specify an external NTP source, your machine may be accurate according to the NTP source server; however, if your DCs ever varied by more than 5 minutes (the default allowed variance for good Kerberos handling) from the NTP server, your member would fail to negotiate via Kerberos.

I do believe you can point other devices to your 2003 or better DC as an NTP server as well, just as long as Windows Time services are active.

One potential problem with the out-of-box Microsoft network time is that it's only applied/synced at boot time for the members. If you had a drifting time clock on the member, and you don't reboot often enough, the sway will eventually go beyond 5 minutes. So, for those machines that do get left on for months or years at a time, it is good to have the member sync time on a regular basis.
I usually use a registry file to apply to boxes after I've manually set up a machine to use a particular NTP source, then replicate the registry settings to other machines however you'd like, potentially even with a GPO. There may be a setting already within Group Policy templates for this, but I'm an old dog and stick with what I know to work consistently.

You can also use the NET TIME command to SET the Microsoft time, even create a scheduled task to run the command on your schedule of choice. Clumsy, but not too bad. Otherwise, use the w32tm command line to specify sources, etc. W32tm /? will produce the syntax help. We can look up the exact syntax if you can't, just that I'm on my mobile device at the moment.

You could also build your own administrative template with the registry keys to craft out a policy.  

If you need more info, just holler, and I'll run through it more.

For the record though, you had mentioned specifically NTP; maybe a little more description on what you're trying to accomplish will lend to a more defined answer. Are you having time drift problems?
 
Author Comment by Senior IT System Engineer, ID: 40398421
Thanks Bob,

I'm currently decommissioning the old Win2003 physical box that is running in the server room; the replacement will be a new Windows Server 2012 R2 Domain Controller VM in a separate Data Center building.
LVL 7

Assisted Solution

by:BobintheNoc
BobintheNoc earned 250 total points
ID: 40398432
So you just want to make sure that the other members start using the new DC after the replacement is done? After the changeout, when the members reboot next, they will sync with their logon DC, and if there's only one DC, you'll know which one it is :). If you have multiple DCs, then the logon DC that the member uses is determined by your Sites and Services configuration, assuming that there is proper subnet info added to the site. If no nearest DC is discovered because the site subnet configuration is wrong or missing, the member will seek out the first DC record returned for the DNS query of the AD domain. It's all so automatic that you don't usually have to do anything at all, and it's advised to just leave the defaults alone. If you do decide to force an NTP peer source, you'll want to always keep it in mind, which is why defaults are good.

Left alone, and barring actual problems or other configurations, Microsoft has this topic nailed down nicely. Let me know if we haven't convinced you yet, and I'll supply an exact entry to type to sync to the DC on an ongoing basis. But again, keep life and your systems simple; variance from MS design means having to increase administrative burden.
 
Expert Comment by DrDave242, ID: 40402423
Quoting BobintheNoc: "One potential problem with the out-of-box Microsoft network time is that it's only applied/synced at boot time for the members"
If the Windows Time service is functioning properly, it won't only sync at boot time. By default, it'll sync at an interval that is dynamically determined by the quality of the information it's receiving from its source. (In other words, the polling interval can change over time.) You can, however, configure the service to use a static interval (SpecialPollInterval) in the registry. I believe 3600 seconds (one hour) is the default value for SpecialPollInterval.

To see the current polling interval for a given system, along with some other potentially useful information, use the w32tm /query /status command:
[Screenshot: output of the w32tm /query /status command]
As you can see, this machine is currently polling its time source every 2048 (2^11) seconds. (There's also a /verbose switch for that command that will show you even more info.)

The most important thing to remember is that your PDC Emulator is the only machine in the domain that should require any kind of manual tweaking to its Windows Time Service settings; everything else should sync with the domain hierarchy.
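To check the polling interval and source across a whole domain rather than one screenshot, here is an added example (my code, not DrDave242's or anything from the thread) that parses w32tm /query /status output into source, stratum and poll interval and flags machines still following their local clock or a hypervisor provider. It includes a constructed sample of the output so the parser can be tried offline; the live loop assumes the Active Directory PowerShell module is installed.

```powershell
# Added example, not code from the thread: parse w32tm /query /status and flag
# machines that are not actually synchronized to the domain hierarchy or an NTP peer.
function ConvertFrom-W32tmStatus {
    param([string[]]$Lines)
    $r = @{ Source = ''; Stratum = $null; PollSeconds = $null; LastSync = '' }
    foreach ($l in $Lines) {
        if     ($l -match '^\s*Source:\s*(.+)$')                    { $r.Source = $Matches[1].Trim() }
        elseif ($l -match '^\s*Stratum:\s*(\d+)')                   { $r.Stratum = [int]$Matches[1] }
        elseif ($l -match '^\s*Poll Interval:\s*\d+\s*\((\d+)s\)')  { $r.PollSeconds = [int]$Matches[1] }
        elseif ($l -match '^\s*Last Successful Sync Time:\s*(.+)$') { $r.LastSync = $Matches[1].Trim() }
    }
    # These sources mean the box is free-running or following the hypervisor, not the hierarchy.
    $r.Suspect = [bool]($r.Source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider')
    [pscustomobject]$r
}

# Constructed sample in the Server 2012 R2 output format, so the parser can be tried offline.
$Sample = @(
    'Leap Indicator: 0(no warning)',
    'Stratum: 3 (secondary reference - syncd by (S)NTP)',
    'Precision: -6 (15.625ms per tick)',
    'Root Delay: 0.0312500s',
    'Root Dispersion: 7.7758789s',
    'ReferenceId: 0xC0A80101 (source IP:  192.168.1.1)',
    'Last Successful Sync Time: 10/22/2014 9:15:02 AM',
    'Source: 0.oceania.pool.ntp.org,0x9',
    'Poll Interval: 11 (2048s)'
)
ConvertFrom-W32tmStatus $Sample | Format-List

# Live audit of every DC (assumes the Active Directory module; w32tm /query accepts /computer:).
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $out = [string[]](w32tm /query /computer:$dc /status 2>&1)
    ConvertFrom-W32tmStatus $out |
        Add-Member -NotePropertyName Computer -NotePropertyValue $dc -PassThru |
        Select-Object Computer, Source, Stratum, PollSeconds, LastSync, Suspect
}
```

Any DC other than the PDC emulator whose Source is not another DC, or any machine with Suspect set, is worth a closer look before assuming the hierarchy is healthy.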
 
Author Comment by Senior IT System Engineer, ID: 40403237
Cool, thanks guys for the assistance and clarification.
 
Author Comment by Senior IT System Engineer, ID: 40403239
So there are no special needs for virtual machine domain controllers?
 
Assisted Solution by Mohammed Khawaja (earned 250 total points), ID: 40403443
For virtual DCs, ensure you are not synchronizing time with the host server.
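Putting the accepted solution, BobintheNoc's w32tm notes and the advice above on virtual DCs into one script, as an added example that is not code from any of the posters: it configures the PDC emulator against the four Oceania pool servers quoted in the thread, points every other DC and member at the domain hierarchy, and turns off VMware Tools host time sync on a guest. Assumptions: the Active Directory PowerShell module is installed, and VMware Tools sits at its default install path.

```powershell
# Added example, not code from the thread: apply the accepted advice on one box.
# Run elevated. Assumes the Active Directory PowerShell module is installed.

# w32tm peer syntax is "host,flags"; 0x8 = client mode, 0x1 = use SpecialPollInterval.
$Peers = '0.oceania.pool.ntp.org,0x9 1.oceania.pool.ntp.org,0x9 2.oceania.pool.ntp.org,0x9 3.oceania.pool.ntp.org,0x9'

$PdcFqdn = (Get-ADDomain).PDCEmulator
$IsPdc   = $env:COMPUTERNAME -ieq ($PdcFqdn -split '\.')[0]

if ($IsPdc) {
    # Only the PDC emulator takes an external source, and it advertises itself as reliable
    # so the rest of the domain hierarchy will choose it.
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC and member follows the domain hierarchy; no manual peer list.
    w32tm /config /syncfromflags:domhier /update
}

# On a VMware guest, stop VMware Tools from pushing host time into the guest
# (assumption: default VMware Tools install path).
$Toolbox = "$env:ProgramFiles\VMware\VMware Tools\VMwareToolboxCmd.exe"
if (Test-Path $Toolbox) { & $Toolbox timesync disable }

Restart-Service w32time
w32tm /resync /nowait

# Expected: Source shows a pool server on the PDC emulator and a DC name everywhere else.
w32tm /query /source
w32tm /query /status
```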
 
Expert Comment by BobintheNoc, ID: 40403545
Thanks for the extra info and correction of my outdated understandings!  Great info.