Solved

Standardizing NTP source for all Windows Server joined to domain

Posted on 2015-01-15
12
488 Views
Last Modified: 2015-03-23
Hi,

Can someone here please share some steps to standardize the time source on my domain-joined Windows Servers (2003 up to 2012 R2) and also the workstations (XP to 8.1)?

Because when I run the following command to check the NTP source:

2003
net time /querysntp

2008-2012 R2
w32tm /query /source


They all return different values: some return an internal domain controller, and some the default time.windows.com.

The PDC emulator role holder is a Win2003 server called PRODDC02, but somehow the other domain controller, which runs on Win2008 R2, doesn't refer to this PDC. Why is that? Is it because the Windows Server 2003 domain controller is too old?
12 Comments
 
LVL 13

Assisted Solution

by:frankhelk
frankhelk earned 125 total points
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service, sync a master (or two, three) with an external source (i.e. from pool.ntp.org) and sync the clients and DCs to the master. The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See this article for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VMs like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 125 total points
First off, I would identify (properly) what DCs are running what FSMO roles.  Running the following command from an elevated (as Domain Administrator) command prompt will tell you:

netdom query /domain:YourDomainName.extension fsmo

The output should look like this:

Schema master           servername.domainname.ext
Domain naming master    servername.domainname.ext
PDC                     servername.domainname.ext
RID pool manager        servername.domainname.ext
Infrastructure master   servername.domainname.ext
The command completed successfully.

Also, how many DCs are 2003 and how many are 2008+?

I would move any role that may be running on the 2003 DC off to your newest DCs, leaving the 2003 DC with no roles.

Next, you have to configure the DC with the PDC Emulator role as an authoritative time server.  Here are a couple of links to time sync best practices and a how-to article:

1.  https://social.technet.microsoft.com/Forums/windowsserver/en-US/043b1ebe-e7bc-40ca-91e0-174a6854808e/time-sync-best-practices?forum=winserverDS
2. http://blogs.msmvps.com/mweber/2010/06/27/time-configuration-in-a-windows-domain/

After this is complete and your PDC Emulator role holder is properly syncing time from a reliable source, you should deploy a GPO to configure the time service on your workstations.  The only server or workstation that should use something other than NT5DS is the PDC Emulator, which should use NTP.

Reference link:

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

What all this will do, is allow only the PDC DC to sync its time to an external reliable/trusted time source.  All other DCs, non-DC member servers and workstations will sync to any one of the DCs in your domain.

As an external time source, I recommend (and use) the time servers available in the ntp.org pool that is local to you:

Link:  http://www.pool.ntp.org/en/

If you have your own NTP appliance, then use that as the primary external time source, and an ntp.org pool server as a secondary.

Dan
0
 
LVL 53

Expert Comment

by:Will Szymkowski
This is by design! If you have correctly configured your PDC role for an external time source (via registry) and you run the below command.

netdom query fsmo

Make sure that your PDC is correct. If all of these settings are correct on the PDC role holder, then having another DC show up when you run w32tm /query /source is completely normal.

This is the hierarchy for time source.
First - External Source (internet)
Second - PDC Emulator
Third - All other DC's in your environment

Any one of the domain controllers can provide a time source to clients. The PDC is authoritative, but DCs get their time from the PDC emulator as well.

Take a look at the following link which provides you a detailed hierarchy of Time Source service.
 Active Directory Time Source Hierarchy Diagram

Will.
0
 
LVL 13

Expert Comment

by:Greg Hejl
After setting up NTP on your AD servers, use GPOs to set NTP for all the clients and member servers.

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
0
 
LVL 53

Expert Comment

by:Will Szymkowski
You can create a GPO and set the time providers, but all of the DCs already know which domain controller is the authoritative time provider based on the PDC role holder.

If you ever need to seize or transfer the PDC role for any reason you will need to also wait for group policy to update accordingly.

I have set up and used the Time Service for years without specifying it in the GPO. All of the DCs act as a time source and get their time from the PDC in your environment. This allows for more flexibility if you ever have to transfer or seize this role: you will not be in a situation waiting on Group Policy to process. Other DCs will see that a new DC has been promoted to the PDC role, and as long as you set up an external time source via the registry, all the DCs will point to the new PDC as the time server.

Either way will work; this is just my own opinion.

Will.
0
 
LVL 32

Assisted Solution

by:it_saige
it_saige earned 250 total points
Here is how I view time services in Windows.  It's easy as pie.  As others have stated, ensure that the PDCe FSMO Holder is configured (either via Registry or via Group Policy using a WMI Filter) to obtain its time from an external source (or even from an internal source [it should be implied that the internal source is not another DC] that gets its time from an external source; e.g. - your router or a *nix based proxy).

Don't change anything else, don't fiddle with the clients, servers or other DCs (save to reset their time service to default settings).  Don't set any policies directing clients, servers or other DCs where to get their time from.  By default; *BY DEFAULT* the Windows time service is configured to get its time from:
In a domain - the DC that contains the PDCe FSMO role.
In a workgroup - time.windows.com (which Microsoft admits is not a reliable time source).

The only other consideration has to deal with virtual DC instances: you want to make sure that you disable the Time Synchronization Integration Service for the guest operating system in the hypervisor configuration (I ran into this issue where a PDCe was configured as a VM and because of this, the time was off by exactly 5 minutes on all of the domain computers).

My current configuration is based on a WMI filter and uses the default time service registry entries coupled with the following GPO settings:

In Group Policy Management -> Linked to the Domain Controllers OU is the Authoritative Time Server Policy.

The Authoritative Time Server policy uses a WMI Filter called PDCe Role.

Here are the settings of the PDCe Role WMI Filter.

And here are the settings for the Authoritative Time Server Policy.

With these in place, the only thing you should need to do is reset the time service settings on all of the DCs (with the exception of the PDCe holder) to their default values and everything will fall into place.

Configuring the Windows Time Service for Windows Server
Configuring an Authoritative Time Server with Group Policy Using WMI Filtering
Hyper-V Time Sync

-saige-
1
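As an added example (not code from it_saige's post or from the linked articles), here is a PowerShell check that evaluates, on the machine it runs on, the same condition a PDCe WMI filter tests and compares the effective W32Time settings with the hierarchy described above. It assumes the filter is the usual Win32_ComputerSystem query on DomainRole = 5 (the value Windows reports for the PDC emulator), that the RSAT ActiveDirectory module is installed, and that the expected values are the standard ones for an authoritative time server (Type NTP with AnnounceFlags 5 on the PDCe, Type NT5DS everywhere else); none of those values are taken from the thread.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a DC.
# Assumed WMI filter for the Authoritative Time Server policy:
#   Root\CIMv2:  SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5
# (DomainRole 5 = "Primary Domain Controller", i.e. the PDC emulator.)

Import-Module ActiveDirectory

$w32Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$w32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$vmicKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

# 1. Evaluate the same condition the WMI filter evaluates.
$cs          = Get-CimInstance -ClassName Win32_ComputerSystem
$filterMatch = ($cs.DomainRole -eq 5)

# 2. Cross-check against what AD says the PDC emulator is (same as "netdom query fsmo").
$localFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
$pdce      = (Get-ADDomain).PDCEmulator
$isPdce    = ($localFqdn -ieq $pdce)

# 3. Read the effective W32Time settings (the policy writes to these same keys).
$params = Get-ItemProperty -Path $w32Params
$config = Get-ItemProperty -Path $w32Config
$type   = $params.Type          # NT5DS = domain hierarchy, NTP = manual peer list
$ntp    = $params.NtpServer     # only meaningful when Type is NTP
$flags  = $config.AnnounceFlags # 5 = announce as reliable time server

$findings = @()
if ($filterMatch -ne $isPdce) {
    $findings += "WMI filter result ($filterMatch) disagrees with AD PDC emulator ($pdce)"
}
if ($isPdce) {
    if ($type -ne 'NTP')                  { $findings += "PDCe Type is '$type', expected 'NTP'" }
    if (-not $ntp)                        { $findings += 'PDCe has no NtpServer configured' }
    if ($ntp -match 'time\.windows\.com') { $findings += 'PDCe still points at time.windows.com' }
    if ($flags -ne 5)                     { $findings += "PDCe AnnounceFlags is $flags, expected 5" }
} else {
    if ($type -ne 'NT5DS') { $findings += "Non-PDCe DC Type is '$type', expected 'NT5DS' (domain hierarchy)" }
}

# 4. Hyper-V guests: the VMIC time provider should be disabled on the PDCe,
#    otherwise the host clock overrides the NTP peers configured above.
if ($cs.Model -match 'Virtual Machine' -and (Test-Path $vmicKey)) {
    $vmic = (Get-ItemProperty -Path $vmicKey).Enabled
    if ($isPdce -and $vmic -eq 1) {
        $findings += 'PDCe is a Hyper-V guest and VMICTimeProvider is still enabled'
    }
}

[pscustomobject]@{
    Computer      = $localFqdn
    DomainRole    = $cs.DomainRole
    WmiFilterHit  = $filterMatch
    IsPdcEmulator = $isPdce
    Type          = $type
    NtpServer     = $ntp
    AnnounceFlags = $flags
    Findings      = if ($findings) { $findings -join '; ' } else { 'OK' }
}
```

Running this on each DC before and after the policy is linked shows whether the WMI filter selects exactly the PDCe and whether the registry values it should set have actually arrived; the VMIC check covers the Hyper-V case mentioned above.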
 
LVL 7

Author Comment

by:Senior IT System Engineer
Ok, so after I transfer the FSMO role to the new Win2k8r2 VM, should I force replicate AD from this new PDC emulator?

And then after that, when I create the GPO with the WMI Filter applied to the Domain Controllers OU, do I have to force replicate AD again?

Lastly, after the GPO takes effect for the PDC emulator role, I assume that I do not have to do anything on the domain-joined servers & workstations.

Is that correct?
0
 
LVL 32

Accepted Solution

by:it_saige
it_saige earned 250 total points
It won't hurt anything to do a replication.  Really the only thing you would probably force is a group policy update so that the time policies take effect immediately.  Other than that, I would only recommend doing a reset of the time services on all of the servers (starting with the PDCe) just to ensure a clean slate.

Personally I would do the steps in this order.

1. Reset the time service to default values on the server you are transferring the PDCe FSMO role to.

Run the following from an elevated command prompt to reset the time service:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

2. Transfer the PDCe FSMO role to the server you want.

3. Setup the group policy with the WMI filter.

4. Force a group policy update on the PDCe FSMO holder.

5. Reset the time service on each additional DC and set it to use the Domain Hierarchy for completeness.

Run the following from an elevated command prompt to reset the time service:
net stop w32time
w32tm /unregister
w32tm /register
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net start w32time

Other than that, the domain joined computers and servers should just fall in line so long as they have no special registry settings that override the defaults.

Also, make sure that you heed the advice concerning Hyper-V time synchronization.

-saige-
0
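As an added example (not code from the accepted solution), here is a PowerShell audit that, once the steps above have been carried out, collects the actual time source and W32Time type from every enabled server in the domain and flags the machines that did not "fall in line". It assumes the RSAT ActiveDirectory module and WinRM (Invoke-Command) access to the targets, and that the expected configuration is Type NTP on the PDCe and Type NT5DS on everything else; the strings it matches in the w32tm output (Local CMOS Clock, Free-running System Clock, VM IC Time Synchronization Provider) are the texts w32tm prints for those states. Windows 2003 hosts have no "w32tm /query" and will show up with Type "unknown", which is itself worth a look.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell as a domain admin.

Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator
$dcs  = (Get-ADDomainController -Filter *).HostName

# Enabled servers only; widen the OperatingSystem filter to audit workstations as well.
$targets = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq "True"' |
           Select-Object -ExpandProperty DNSHostName

# Collect the raw w32tm answers remotely; hosts that are offline or lack WinRM are skipped.
$results = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    $source   = ((w32tm /query /source) -join ' ').Trim()
    $typeLine = (w32tm /query /configuration) | Where-Object { $_ -match '^\s*Type:' } | Select-Object -First 1
    $type     = if ($typeLine -match 'Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Type = $type; Source = $source }
}

$report = foreach ($r in $results) {
    $name     = $r.PSComputerName
    $isPdce   = ($name -ieq $pdce)
    # PDCe syncs externally (NTP); every other machine follows the domain hierarchy (NT5DS).
    $expected = if ($isPdce) { 'NTP' } else { 'NT5DS' }
    $problem  = switch -Regex ($r.Source) {
        'Local CMOS Clock|Free-running System Clock' { 'not synchronised (local clock)'; break }
        'VM IC Time Synchronization Provider'        { 'Hyper-V integration service is the time source'; break }
        'time\.windows\.com'                          { 'still on the workgroup default time.windows.com'; break }
        default                                       { $null }
    }
    if (-not $problem -and $r.Type -ne $expected) { $problem = "Type is $($r.Type), expected $expected" }
    [pscustomobject]@{
        Computer = $name
        Role     = if ($isPdce) { 'PDCe' } elseif ($dcs -contains $name) { 'DC' } else { 'member' }
        Type     = $r.Type
        Source   = $r.Source
        Status   = if ($problem) { "CHECK: $problem" } else { 'OK' }
    }
}

$report | Sort-Object Role, Computer | Format-Table -AutoSize

# Anything not answered is not audited, not "OK"; list it so it is not forgotten.
$unreachable = $targets | Where-Object { $_ -notin $results.PSComputerName }
if ($unreachable) { Write-Warning ('Not audited (unreachable): ' + ($unreachable -join ', ')) }
```

A clean result is one row with Role PDCe, Type NTP and an external source, and every other row with Type NT5DS and a DC's name as the source; a "VM IC Time Synchronization Provider" row on a DC is the Hyper-V problem described earlier in the thread.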
 
LVL 13

Expert Comment

by:Greg Hejl
Well done saige!  I hadn't thought to use a WMI filter to identify the PDC, that's a great idea!  Thanks for sharing!
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
Ok, so in this case, for the PDC emulator WMI-filtered Timesync GPO to be created, shall I put it on the root domain as priority #2 below the Default Domain Policy?

Is that correct?
0
 
LVL 13

Expert Comment

by:Greg Hejl
Put it on your Domain controller OU.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
Many thanks all !
0
