Solved

NTP synchronization for all servers and computer to PDC Emulator Domain Controller in Virtual Machine

Posted on 2014-10-22 | 908 Views | Last Modified: 2014-10-24
Hi Folks,

May I know what sort of things that I need to know so that I can successfully set the PDC Emulator Domain Controller as the NTP Synchronization authority ?

Where to set the GPO and what other settings do I need to be aware of.

The Domain Controllers are deployed as VMware Virtual Machine and my goal is to synchronize all Workstations and Servers as well as the ESXi servers & other hardware appliances in the Data Center & office building.
0
11 Comments
 
LVL 25

Accepted Solution

by:
Mohammed Khawaja earned 250 total points
ID: 40398386
There is no GPO you need to set; however, you could create a GPO to set the time on all DCs.  The PDC and all domain machines should not synchronize their time with the ESX host.  The root PDC emulator should be configured to synchronize time with a reliable NTP server, and then all domain-joined machines will synchronize their time with the DCs.  Refer to the links below on how to configure a DC to synchronize time with a reliable time server:

http://www.ali-inc.com/technical/192-sync-windows-time-with-external-source.html
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
http://jackstromberg.com/2013/10/configuring-external-time-source-on-your-primary-domain-controller/
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40398401
OK, so in this case can I use the following four servers from http://www.pool.ntp.org/zone/oceania ?

    server 0.oceania.pool.ntp.org
    server 1.oceania.pool.ntp.org
    server 2.oceania.pool.ntp.org
    server 3.oceania.pool.ntp.org

0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40398405
You very well could, or you could use some of Microsoft's NTP servers.
0
 
LVL 7

Assisted Solution

by:BobintheNoc
BobintheNoc earned 250 total points
ID: 40398416
As the PDC emulator, all member systems and other DCs will automatically sync time, at startup, via Windows built-in services (client for MS networks, perhaps), which isn't exactly identical to NTP (Network Time Protocol).

If you specifically want to use NTP, you can specify an NTP server as a source via the w32tm service, by using the w32tm command-line command.  By spec'ing the NTP source, you can specifically look to an NTP server of your choice; however, for a domain-joined machine that uses Kerberos authentication, it'd be advised to leave the sync of Windows time at default.  If you did change/specify an external NTP source, your machine may be accurate according to the NTP source server; however, if your DCs ever varied by more than 5 minutes (the default allowed variance for good Kerberos handling) from the NTP server, your member would fail to negotiate via Kerberos.

I do believe you can point other devices to your 2003 or better DC as an NTP server as well, just as long as Windows Time services are active.

One potential problem with the out-of-box Microsoft network time is that it's only applied/synced at boot time for the members. If you had a drifting time clock on the member, and you don't reboot often enough, the sway will eventually go beyond 5 minutes.  So, for those machines that do get left on for months or years at a time, it is good to have the member sync time on a regular basis.
I usually use a registry file to apply to boxes after I've manually set up a machine to use a particular NTP source, then replicate the registry settings to other machines however you'd like, potentially even with a GPO.  There may be a setting already within Group Policy templates for this, but I'm an old dog and stick with what I know to work consistently.

You can also use the NET TIME command to SET the Microsoft time, and even create a scheduled task to run the command on your schedule of choice.  Clumsy, but not too bad.  Otherwise, use the w32tm command line to specify sources, etc.  W32tm /? will produce the syntax help.  We can look up the exact syntax if you can't; it's just that I'm on my mobile device at the moment.

You could also build your own administrative template with the registry keys to craft out a policy.

If you need more info, just holler, and I'll run through it more.

For the record though, you had mentioned NTP specifically. Maybe a little more description of what you're trying to accomplish will lend itself to a more defined answer.  Are you having time drift problems?
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40398421
Thanks Bob,

I'm currently decommissioning the old Win2003 physical box that is running in the server room; the replacement will be a new Windows Server 2012 R2 Domain Controller VM in a separate Data Center building.
0
 
LVL 7

Assisted Solution

by:BobintheNoc
BobintheNoc earned 250 total points
ID: 40398432
So you just want to make sure that the other members start using the new DC after the replacement is done?  After the change-out, when the members reboot next, they will sync with their logon DC, and if there's only one DC, you'll know which one it is :).  If you have multiple DCs, then the logon DC that the member uses is determined by your Sites and Services configuration, assuming that there is proper subnet info added to the site.  If no nearest DC is discovered because the site subnet configuration is wrong or missing, the member will seek out the first DC record returned for the DNS query of the AD domain.  It's all so automatic that you don't usually have to do anything at all, and it's advised to just leave the defaults alone.  If you do decide to force an NTP peer source, you'll want to always keep it in mind, which is why defaults are good.

Left alone, and barring actual problems or other configurations, Microsoft has this topic nailed down nicely.  Let me know if we haven't convinced you yet, and I'll supply an exact entry to type to sync to the DC on an ongoing basis.  But again, keep life and your systems simple: variance from MS design means having to increase administrative burden.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 40402423
"One potential problem with the out-of-box Microsoft network time is that it's only applied/synced at boot time for the members"
If the Windows Time service is functioning properly, it won't only sync at boot time. By default, it'll sync at an interval that is dynamically determined by the quality of the information it's receiving from its source. (In other words, the polling interval can change over time.) You can, however, configure the service to use a static interval (SpecialPollInterval) in the registry. I believe 3600 seconds (one hour) is the default value for SpecialPollInterval.

To see the current polling interval for a given system, along with some other potentially useful information, use the w32tm /query /status command:
[Image: output of the w32tm /query /status command]

As you can see, this machine is currently polling its time source every 2048 (2^11) seconds. (There's also a /verbose switch for that command that will show you even more info.)

The most important thing to remember is that your PDC Emulator is the only machine in the domain that should require any kind of manual tweaking to its Windows Time Service settings; everything else should sync with the domain hierarchy.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40403237
Cool, thanks guys for the assistance and clarification.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40403239
So there are no special needs for virtual machine domain controllers?
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 250 total points
ID: 40403443
For virtual DCs, ensure you are not synchronizing time with the host server.
0
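The advice in this thread (the accepted solution, DrDave242's notes on SpecialPollInterval and w32tm /query /status, and the point about not syncing a virtual DC with its host) put together as one script. This is an added example, not code from any of the posters; it assumes an elevated PowerShell prompt on the PDC emulator with the ActiveDirectory module installed, and it uses the four oceania.pool.ntp.org servers the asker proposed.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell prompt on the
# PDC emulator with the ActiveDirectory module available; the pool servers are the
# four oceania.pool.ntp.org hosts proposed in the question.
$Peers = '0.oceania.pool.ntp.org,0x8 1.oceania.pool.ntp.org,0x8 ' +
         '2.oceania.pool.ntp.org,0x8 3.oceania.pool.ntp.org,0x8'   # 0x8 = client mode

# Guard: only the PDC emulator should be hand-configured; every other domain member
# stays on the default domain-hierarchy sync, as the thread recommends.
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    throw "Run this on the PDC emulator ($pdc), not on $env:COMPUTERNAME."
}

# Virtual DC: make sure VMware Tools is not also pushing host time into the guest.
$toolbox = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) {
    & $toolbox timesync disable | Out-Null
    "VMware Tools timesync: $(& $toolbox timesync status)"
}

# Point the PDC at the external peers, advertise it as a reliable source, and reload.
w32tm.exe /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update | Out-Null
Restart-Service -Name w32time
w32tm.exe /resync /nowait | Out-Null

# Verify from the registry: Type should be NTP, AnnounceFlags 5 (reliable time server),
# and SpecialPollInterval is the static interval (seconds) DrDave242 mentioned.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty "$base\Parameters"
$config = Get-ItemProperty "$base\Config"
$client = Get-ItemProperty "$base\TimeProviders\NtpClient"
[pscustomobject]@{
    Type                = $params.Type
    NtpServer           = $params.NtpServer
    AnnounceFlags       = $config.AnnounceFlags
    SpecialPollInterval = $client.SpecialPollInterval
    Source              = (w32tm.exe /query /source)
    PollInterval        = (w32tm.exe /query /status | Select-String 'Poll Interval').Line.Trim()
}
```

Run the same verification block (without the /config step) on a member server or a second DC: Type should read NT5DS and Source should name a domain controller, which confirms the member is following the domain hierarchy rather than an external peer.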
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 40403545
Thanks for the extra info and correction of my outdated understandings!  Great info.
0
