
Entering the NTP external source in PDC Emulator DC role

What is the best practice for entering the external time source for the PDC emulator, which serves as the NTP server for all the workstations & servers in the Active Directory domain?

Since all of my users are spread across different timezones and all of my servers are in Australia, I wonder if I should select the following list of NTP:

server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org

over the following random list of NTP below:
Name:    host-24-56-178-140.beyondbb.com
Address:  24.56.178.140

Name:    64.147.116.229.static.nyinternet.net
Address:  64.147.116.229

Name:    nist1-lv.ustiming.org
Address:  64.250.229.100

and lastly how am I supposed to type in the value in the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\
Type: NTP
NtpServer:.....

shall I type in the FQDN of the NTP pool above or the first line of the IP address returned from the:
nslookup 0.au.pool.ntp.org
nslookup 1.au.pool.ntp.org
nslookup 2.au.pool.ntp.org
nslookup 3.au.pool.ntp.org

above?
Asked by: Senior IT System Engineer

VB ITS (Specialist Consultant) commented:
It's good practice to use time sources that are geographically local to your servers as this will reduce the network latency as well as avoid the likelihood of disruptions if an international network outage occurs (not uncommon for us Aussies).

As for the NTPServer registry key, you can use both the IP address or the DNS name of the time source as long as you separate the entries with a space between them.

e.g. 0.au.pool.ntp.org 1.au.pool.ntp.org 3.au.pool.ntp.org 4.au.pool.ntp.org

You should also look at using the 0x1 and 0x2 flags with each time source. Have a read of this article for more info on what these flags do: http://blogs.msdn.com/b/w32time/archive/2008/02/26/configuring-the-time-service-ntpserver-and-specialpollinterval.aspx
0
 
Senior IT System Engineer (IT Professional, Author) commented:
Thanks VB, that does make sense after all.

as for the flag, can I just specify like below:

0.au.pool.ntp.org,0x1 1.au.pool.ntp.org,0x1 3.au.pool.ntp.org,0x2 4.au.pool.ntp.org,0x2

would that be acceptable ?
0
 
Mahesh (Architect) commented:
You could use the command if you wanted to:

The command:
w32tm /config /manualpeerlist:peers  /syncfromflags:manual /reliable:yes /update

Replace peers with NTP server name, if multiple NTP servers, replace peers as shown below
w32tm /config /manualpeerlist:"contoso.com clock.adatum.com" /syncfromflags:manual /reliable:yes /update

Replace peers with FQDN you have
http://technet.microsoft.com/en-us/library/cc786897(v=ws.10).aspx
0
 
Senior IT System Engineer (IT Professional, Author) commented:
Mahesh,

So in this case I can just use the w32tm command line without worrying about or confusing myself with typing the hex flag values into the registry key?

w32tm /config /manualpeerlist:"0.au.pool.ntp.org 1.au.pool.ntp.org 3.au.pool.ntp.org 4.au.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

Would that be good enough ?

do I have to do the following registry entry changes as well ?
Registry screenshot
0
 
VB ITS (Specialist Consultant) commented:
> Thanks VB, that does make sense after all.
>
> as for the flag, can I just specify like below:
>
> 0.au.pool.ntp.org,0x1 1.au.pool.ntp.org,0x1 3.au.pool.ntp.org,0x2 4.au.pool.ntp.org,0x2
>
> would that be acceptable ?

Yep that will work perfectly fine. Just realised I forgot 2.au.pool.ntp.org in that list though :)
0
 
Senior IT System Engineer (IT Professional, Author) commented:
ah yes, the more the merrier :-)

are there any caveats or drawbacks if I put the NTP Pool FQDN rather than the IP Address ?
I'm still wondering which format to choose for the best performance.
0
 
Mahesh (Architect) commented:
No need to do further registry changes,
You are telling command that they are reliable time sources with /reliable:yes switch
Command will take care of that and no need to specify 0x1 values
After you run command, do not forget to restart w32tm (time) service

After that Just check in system log event ID 37 and 35
Also you can verify time source from cmd
w32tm /query /source
w32tm /query /status
0
 
VB ITS (Specialist Consultant) commented:
Use the FQDN as I believe the pool.ntp.org servers are set up in round-robin DNS, which means the IP address can vary each time you resolve it. This is mainly done for redundancy purposes.

Whilst the 0x1, 0x2, etc. flags aren't compulsory, they are good to have as they determine how your NTP server should react if one of the time sources is unreachable. The flags can also be used to dictate how often it should poll the time source. For instance, if you have a Special Poll Interval set but don't append the time source with 0x1 then the Special Poll Interval doesn't take effect.

They are there to give you more fine-grained control over your NTP server.
0
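
To make the flag and FQDN-versus-IP discussion above concrete, here is an added example (not part of any post in this thread, and not Microsoft's code) that parses an NtpServer value and reports what each peer entry means. The function name `ConvertFrom-NtpServerValue` and the sample string are hypothetical; the flag names come from Microsoft's W32Time documentation rather than from the thread, and the `enum` syntax assumes PowerShell 5.0 or later.

```powershell
# Added example, not from the thread. Requires PowerShell 5.0+ for 'enum'.
# Flag names follow Microsoft's W32Time documentation.
[Flags()] enum NtpPeerFlag {
    SpecialInterval   = 0x1   # honour SpecialPollInterval for this peer
    UseAsFallbackOnly = 0x2   # use this peer only when the others are unavailable
    SymmetricActive   = 0x4
    Client            = 0x8
}

function ConvertFrom-NtpServerValue {
    # Hypothetical helper: split a space-delimited NtpServer string into peer objects.
    param([Parameter(Mandatory)][string]$Value)

    foreach ($entry in ($Value -split '\s+' | Where-Object { $_ })) {
        # "host,0x1" -> host and flag text; the flag part is optional
        $peer, $flagText = $entry -split ',', 2
        $flags = 0
        if ($flagText) { $flags = [Convert]::ToInt32($flagText, 16) }  # accepts "0x1"

        $notes = @()
        if ($peer -as [ipaddress]) {
            # An address literal bypasses the pool's round-robin DNS
            $notes += 'IP literal: pinned to one host, no round-robin DNS'
        }
        if (-not ($flags -band 0x1)) {
            $notes += 'no 0x1: SpecialPollInterval is ignored for this peer'
        }

        [pscustomobject]@{
            Peer  = $peer
            Flags = [NtpPeerFlag]$flags
            Notes = $notes -join '; '
        }
    }
}

# Constructed sample value built from names that appear in the thread.
$sample = '0.au.pool.ntp.org,0x1 1.au.pool.ntp.org,0x9 2.au.pool.ntp.org,0x2 24.56.178.140'
ConvertFrom-NtpServerValue -Value $sample | Format-Table -AutoSize -Wrap

# On the PDC emulator itself, feed in the live value instead:
# $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
# ConvertFrom-NtpServerValue -Value (Get-ItemProperty -Path $key).NtpServer
```

Running it against the value currently stored on a PDC emulator shows at a glance which peers are pinned to a single address and which ones will not follow a configured Special Poll Interval.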
 
Senior IT System Engineer (IT Professional, Author) commented:
ok, so I have executed the command:

w32tm /query /source
w32tm /query /status


in the new domain controller VM, but somehow the result is not showing on the PDC emulator role ?
where and how to check the setting which overrides the default PDC emulator role as the definitive NTP ?
0
 
VB ITS (Specialist Consultant) commented:
How did you configure the NTP server settings? Group Policy or via the registry on your PDC?
0
 
Senior IT System Engineer (IT Professional, Author) commented:
This is the thing that I don't know yet.

I have newly joined this company and all of the servers seem to get their time sync from various different sources and I need to standardize it.
0
 
Senior IT System Engineer (IT Professional, Author) commented:
This is the only entry that I can find so far on the Windows Server 2003 which is currently running the PDC Emulator role:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"type"="NTP"
"ServiceMain"="SvchostEntry_W32Time"
"ServiceDll"=C:\WINNT\system32\w32time.dll
"NtpServer"="24.56.178.140 64.147.116.229 64.250.229.100"


why is it that the servers in the domain are not getting their time synched from this one server consistently ?

The domain is one single domain in the forest.
Windows Server 2003 Functionality and Domain level.
0
 
Mahesh (Architect) commented:
1st check if PDC server is able to get time updates from set sources
Check for event ID 35 and 37 under system logs

After that you can enforce GPO on client computers to take time settings from domain DC server only

In GPO you can setup startup script under computer configuration
Create .bat file like below

w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

http://technet.microsoft.com/en-us/library/cc758905(v=ws.10).aspx

You also need to ensure that the Windows Time service is set to start automatically on client computers; for that, in the same GPO, set the time service to automatic under computer configuration\windows settings\security settings\system services

If you are moving FSMO from old 2003 to new 2008 DC, 1st run below commands on 2003 server
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time
http://technet.microsoft.com/en-us/library/cc738042(v=ws.10).aspx

Then run commands in earlier post on new PDC server to specify new NTP server
0
 
VB ITS (Specialist Consultant) commented:
> This is the only entry that I can found so far from the Windows Server 2003 which currently running as the PDC Emulator role:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
> "type"="NTP"
> "ServiceMain"="SvchostEntry_W32Time"
> "ServiceDll"=C:\WINNT\system32\w32time.dll
> "NtpServer"="24.56.178.140 64.147.116.229 64.250.229.100"
>
> why is that the server in the domain not getting the time synched from this one server consistently ?
>
> The domain is one single domain in the forest.
> Windows Server 2003 Functionality and Domain level.

I can see you've opened a new EE question for this. Do you want to close this question since your original query has been answered and we pick it up in your other EE question?
0
 
Senior IT System Engineer (IT Professional, Author) commented:
Thanks Guys.
0
