How to Migrate NTP server source settings from old PDCE to new PDCE?

Hello all.  

I am wanting to double check that the NTP server source settings that the previous PDCE was using were terminated and transferred over to the new PDCE with the FSMO change.  I assumed incorrectly that this was part of the process of transferring FSMO roles.  Also, part of me is worried that a mistake in manually doing this could cause issues effecting Kerberos authentication.

I ran the following command on my computer w32tm /query /source and the results show one of the older non PDCEs.  Then I log into the new server 2012 PDCE and run the same command and it points to the previous 2003 PDCE, that has since had this role transferred.  I then run the following command on it net time /querysntp and it has a list of 4 ntp servers.

How do I enter in these ntp servers into the new 2012 PDCE and then shut them off on the old 2003 previous PDCE (so that it can be demoted and removed from active directory and shut down...without risking time drift and blowing up active directory Kerberos authentication)?  I want the new PDCE to have the 4 NTP servers and be considered the new authoritative time source for all computers on the domain.

Thanks a lot for the help.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Your best bet to reset and reconfigure the time services is to use the following EE PAQs:

Resetting the Time Services:  http:/Q_28597899.html#a40554687

Configuring a GPO with a WMI filter for Time Services: http:/Q_28597899.html#a40553961

By using a Group Policy with a WMI filter to configure your time services, you will essentially get the automatic migration of time services if you ever need to transfer the PDCe FSMO role again.

CnicNVAuthor Commented:
Ok thanks, since I have already transferred the PDC role to another DC and it is pulling its time from the older DC that used to hold that role, I have two additional questions.

1.  By default, what are the 2012 PDC's NTP settings?   What is the DNS of the public time servers that Microsoft has configured them to pull from?

2.  On the old PDC, it has four manually configured NTP servers.  Once I go through all of the steps outlined in that article, will this old DC then pull from the new PDC or will these manual settings over-ride them?

Thanks again.
By default depends on the initial setup of your server/workstation:
A.  Domain Member/Domain Controller - Time service is configured to pull from the Domain Hierarchy; e.g. - w32tm /config /syncfromflags:DOMHIER /update.
B.  Workgroup Member - Time service is configured to pull from; e.g. - w32tim /config /manualpeerlist:",0x9" /syncfromflags:manual /reliable:yes /update.

However, people have found that is *not* a reliable time source.

In answer to your second question, the old DC, should pull it's time from the new PDC (so long as it's time service has been reset to default and reconfigured to pull from the domain hierarchy).

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

CnicNVAuthor Commented:
Ok thanks, but regarding the first question, in a vacuum or blank slate domain.  You have 3 theoretical domain controllers, two standard, and one PDC.  I get that the two standard ones pull from the PDC, but where does the PDC pull from by default (if anywhere outside of its self)?  Does it pull from or  Or does it simply use its own hardware, CMOS battery to keep accurate time?
In a vacuum or blank state domain, the first domain controller promoted is configured to be an authoritative time server using it's own CMOS clock (this happens because the first domain controller promoted by default receives all of the FSMO roles).

After this, if you move or seize the PDCe FSMO role, you have to manually configure the time service on the new PDCe and reset the time service on the old PDCe.  Hence the reason for using a GPO with a WMI filter.

Essentially you configure all of your DC's (regardless of the current FSMO responsibility) so that they will sync from the Domain Hierarchy.  The GPO is then applied to the PDCe FSMO holder.  No muss, no fuss.  Change the FSMO role and the policy follows the role.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
CnicNVAuthor Commented:
Ok perfect, thanks for all of the information.  This is what I was after.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.