NTP setting for PDCE in child domain

Posted on 2016-09-20
Medium Priority
Last Modified: 2016-09-21
I have a question for other experts out there.

Guidance states a PDCE in a child domain should point to any DC in the forest root to maintain domhier (preferably the PDCe in the forest root).

The GPO value format in the NTP server setting is "(FQDN | IP),server-flag"

If I want to automate this as much as possible for _my_ PDC's time policy, I *should* be able to use the _pdc SRV record for the forest root's PDC emulator in place of the A record FQDN, allowing the child domain's PDCe to find the PDCe role holder in the forest root...

Has anyone tried it?
Question by:sAMAccountName

Expert Comment

by:Adam Brown
ID: 41807741
I haven't tried it myself, but you would need to make sure the NTP Server Service is enabled on the Root domain's PDC Emulator using the Enable Windows NTP Server policy. You would then use the following setting for the NTPServer value: <PDC for root domain's FQDN>,0x01

Author Comment

ID: 41807754
Would the forest root PDCe need the actual NTP service installed and running, or would w32time itself suffice? It's operating as the time authority already in domhier and is the highest-stratum time server in the forest; member servers participate in NT5DS time services with it, so it's already offering the capability to synchronize.

I'm simply wondering if I can point to the SRV record for the PDC in the forest root instead of its A record. If possible, it would be more tolerant of changes to the forest root's unary role holders (PDCe specifically). I've done similar with the _kerberos SRV record, aliasing it to krbmaster.domain.com for Unices requiring a master of operations in the realm... It dawned on me that might work for domain time services in this case.

Unfortunately, I don't have a lab with a child domain, so I can't easily test this without a bunch of other work.

Expert Comment

by:Felicia King
ID: 41808601
Edit the Default Domain Controllers Policy for the child domain. Edit the Windows Time area.
Set the following settings. Just poke around in there, you will find them.

Announce flags: 5
NtpServer: fqdnPDC,0x9 fqdn2ndDC,0x2
Cross site sync flags: 2
Event log flags: 2

Then:

gpupdate /force
w32tm /resync /nowait /rediscover
w32tm /query /status
net stop w32time
net start w32time
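The same configuration applied without the GPO, as an added example that is not part of the original post or the expert's answer. It runs elevated on the child domain's PDCe and sets the equivalents of the four policy values directly with w32tm and the registry, checks that the root PDCe actually answers NTP before switching to it, and then verifies what w32time is using. The two hostnames are placeholders (assumed): root-pdc.corp.example.com is the forest-root PDC emulator and root-dc2.corp.example.com a second root-domain DC used only as a fallback. If the values are also delivered by GPO, the GPO will overwrite these at the next refresh.

```powershell
# Added example, not from the thread. Hostnames below are assumed placeholders.
$RootPdc = 'root-pdc.corp.example.com'   # forest-root PDC emulator (assumed)
$RootDc2 = 'root-dc2.corp.example.com'   # second root DC, fallback only (assumed)
$W32     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Peer flags: 0x1 = use SpecialPollInterval, 0x2 = fallback only, 0x8 = client mode.
# "0x9" therefore means client mode on the special poll interval; "0x2" means
# only use this peer if the first one is unreachable.
$PeerList = "$RootPdc,0x9 $RootDc2,0x2"

function Test-NtpReachable {
    # Ask the candidate for a few NTP samples before we depend on it.
    param([string]$Computer)
    $null = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Set-ChildPdceTimeSource {
    if (-not (Test-NtpReachable $RootPdc)) {
        throw "$RootPdc did not answer NTP; on the root PDCe make sure the " +
              "NtpServer provider is enabled (Enable Windows NTP Server policy)."
    }

    # Manual peer list + NT5DS off for this host. /reliable:YES sets
    # AnnounceFlags to 5 (Timeserv_Announce_Yes | Reliable_Timeserv_Announce_Yes),
    # which is the "Announce flags = 5" setting above.
    & w32tm /config /manualpeerlist:$PeerList /syncfromflags:MANUAL /reliable:YES /update | Out-Null

    # "Event log flags = 2": log time-source changes.
    Set-ItemProperty -Path "$W32\Config" -Name EventLogFlags -Value 2 -Type DWord
    # "Cross site sync flags = 2": allow sync from any DC, not only the local site.
    Set-ItemProperty -Path "$W32\TimeProviders\NtpClient" -Name CrossSiteSyncFlags -Value 2 -Type DWord

    Restart-Service -Name w32time
    & w32tm /resync /nowait /rediscover | Out-Null
}

function Get-TimeSourceReport {
    # What w32time is actually using after the change.
    [pscustomobject]@{
        Source = (& w32tm /query /source)
        Peers  = (& w32tm /query /peers)
        Status = (& w32tm /query /status)
    }
}

Set-ChildPdceTimeSource
Get-TimeSourceReport | Format-List
```

If `w32tm /query /source` still reports `Local CMOS Clock` or `Free-running System Clock` after the restart, the peer list was not accepted or the root PDCe is not serving NTP; the stripchart check above is the quickest way to tell which. On the root PDCe itself the corresponding change is to enable the NtpServer provider (`$W32\TimeProviders\NtpServer`, `Enabled = 1`) and to point it at an external source rather than at a DC.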

Accepted Solution

Adam Brown earned 2000 total points
ID: 41808844
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?

I'm not 100% sure that the NTP Server service has to be running, but I also don't know if being part of a child domain grants the permissions required to sync using the nt5ds time service. Remote access to W32TM is controlled through a hidden (and pretty much unchangeable) ACL. I haven't really worked with child domains in a while, but I seem to remember having issues until the NTP Server service was enabled.

As to using SRV record VS A record...SRV records are requested by applications to determine which A record should be used during configuration to find information for whatever service they need to request from the server. It works like this:

1. An SRV record exists for _pdc._msdcs.domain.com and is configured to point to the PDCE in the domain.
2. W32TM on client machines is configured to sync using the DOMHIER flag.
3. When W32TM performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder.
4. W32TM resolves the host name stored in _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.
5. W32TM updates its time to match the value returned by the PDC for that domain.

This type of functionality is hard coded into the W32TM service, so if a computer is configured to use DOMHIER for the Syncfromflags setting, it will do the above actions every time it tries to sync time. You can certainly create a DNS CNAME record that points to _pdc._msdcs.domain.com in the child domain, but you would still need to configure the Child PDCE to use that as a manual sync source, which is no different than using the root domain PDCE's A record, so it's basically a superfluous effort. W32TM will only ever query _pdc._msdcs.child.domain.com if the systems are set to use the DOMHIER flag.

Now, you could change the _pdc._msdcs.child.domain.com SRV record to point to the root PDCE, but you'll end up breaking the child domain's clients' ability to query the child domain's PDCE for account lockout and password expiration data. PDCE does more than just time control.

For a child domain, the SRV query will go to _pdc._msdcs.child.domain.com, and nowhere else, so it can't query the root domain for time. When a server has the PDCE role, it is simply configured as an "Authoritative" time source that other systems can use to sync from. W32TM *will not* sync from a system that isn't flagged as Authoritative.

When configuring a PDCE server in a root domain or child domain, unless you are certain the time in the CMOS clock is always going to be accurate, you'll want to use a known accurate time source like time.windows.com or pool.ntp.org (I use this one, since time.windows.com has been flaky in my experience).

In order for a Child domain's PDCE to have the exact same time as the PDCE in the root directory, you have to configure the Child PDCE to either sync with the same source as the root PDCE or sync directly from the root PDCE. There is no way around this requirement, and you can't change the way W32TM queries SRV records when using the DOMHIER flags, so you can't make a Child Domain PDCE request the _pdc._msdcs.domain.com SRV record to get the root domain's address. You may be able to hack the system to work this way, but such a solution is not supported by MS and we cannot provide you with instructions on how to do so (per the E-E ToS).

Does that all make more sense?
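The accepted answer's point is that w32time only ever looks up its own domain's PDC record under DOMHIER, so the child PDCe has to be given the root PDCe as a manual peer. What the asker wanted, tolerance to the root PDCe role moving, can still be had by doing the SRV lookup outside w32time. The script below is an added example, not part of the original thread: run from a scheduled task on the child PDCe, it resolves the forest root's PDC SRV record, compares the result with the manual peer currently configured, and re-points w32time only when the role holder has changed. Note that the record Active Directory actually registers for the PDC role is `_ldap._tcp.pdc._msdcs.<forest root DNS name>`; the shorter `_pdc._msdcs.<domain>` used in the answer is the `_msdcs` subtree, not the SRV record itself. No hostnames are assumed: the forest root name and the local role ownership come from the directory at run time. The `,0x9` peer flags are the same as in the GPO example earlier in the thread.

```powershell
# Added example, not from the thread. Intended for a scheduled task on the
# child domain's PDC emulator; it does the SRV lookup that w32time itself
# will not do for a parent domain.

function Get-ForestRootPdcFromSrv {
    # The SRV record AD registers for the PDC role holder of the forest root.
    $root = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
    $rec  = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$root" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |            # drop the additional A records
            Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
            Select-Object -First 1
    if (-not $rec) { throw "No PDC SRV record found for forest root '$root'" }
    return $rec.NameTarget.TrimEnd('.')
}

function Test-LocalHostIsChildPdce {
    # Only the PDCe of a non-root domain should follow the forest-root PDCe.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($domain.Name -ieq $forest.RootDomain.Name) {
        Write-Output 'This is the forest root; its PDCe should sync from an external source, not a DC.'
        return $false
    }
    return ($domain.PdcRoleOwner.Name -ieq $me)
}

function Get-ConfiguredManualPeer {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' `
                          -Name NtpServer -ErrorAction SilentlyContinue
    return $p.NtpServer
}

function Sync-ChildPdceToForestRoot {
    if (-not (Test-LocalHostIsChildPdce)) { return 'Not the child-domain PDCe; nothing to do.' }

    $rootPdc = Get-ForestRootPdcFromSrv
    $desired = "$rootPdc,0x9"                       # client mode on SpecialPollInterval
    $current = Get-ConfiguredManualPeer
    if ($current -eq $desired) { return "Already configured for $rootPdc" }

    # Refuse to switch to a role holder that does not answer NTP (NtpServer
    # provider disabled on the root PDCe is the usual cause).
    $null = & w32tm /stripchart /computer:$rootPdc /samples:3 /dataonly 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$rootPdc holds the PDC role but is not serving NTP; leaving '$current' in place." }

    & w32tm /config /manualpeerlist:$desired /syncfromflags:MANUAL /reliable:YES /update | Out-Null
    & w32tm /resync /nowait | Out-Null
    return "Time source changed from '$current' to '$desired'; w32tm /query /source reports: $(& w32tm /query /source)"
}

Sync-ChildPdceToForestRoot
```

The script is idempotent, so it is safe to run hourly. Its failure mode is the one the accepted answer describes: if the root PDCe does not have the NTP server provider enabled, the stripchart check fails and the previous peer is kept rather than leaving the child PDCe with no usable source.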

Expert Comment

by:Todd Nelson
ID: 41809329
The child domain is a red herring in this question because NTP uses domain hierarchy by default.  However, I like to set domain hierarchy because I honestly don't trust the default settings--even though it works out of the box.

The PDCe in the child domain will get its time from a domain controller based on a scoring method (the scores are additive; the DC with the highest total wins):

Domain Controller Status                             Score
----------------------------------------------       -----
Domain controller located in same site                 8
Domain controller marked as a reliable time source     4
Domain controller located in the parent domain         2
Domain controller that is a PDC emulator               1

Here are some references...

Author Comment

ID: 41809342

3. When W32TM performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder.
4. W32TM resolves the host name stored in _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.

This is precisely why I was wondering if I could use the root PDC's record.

Thanks for your feedback. Similarly, it's been a long time since I've been in a position to work with child domains.
