

NTP setting for PDCE in child domain

Posted on 2016-09-20
Medium Priority
Last Modified: 2016-09-21
I have a question for other experts out there.

Guidance states a PDCE in a child domain should point to any DC in the forest root to maintain domhier (preferably the PDCe in the forest root).

The GPO value format in the NTP server setting is "(FQDN | IP),server-flag"

If I want to automate this as much as possible for _my_ PDC's time policy, I *should* be able to use the _pdc SRV record for the Forest root's PDC emulator in place of the A record FQDN, allowing the child domain's PDCe to find the PDCe role holder in the forest root...

Has anyone tried it?
Question by:sAMAccountName
LVL 43

Expert Comment

by:Adam Brown
ID: 41807741
I haven't tried it myself, but you would need to make sure the NTP Server Service is enabled on the Root domain's PDC Emulator using the Enable Windows NTP Server policy. You would then use the following setting for the NTPServer value: <PDC for root domain's FQDN>,0x01

Author Comment

ID: 41807754
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?  It's operating as the time authority already in domhier and is the highest stratum time server in the forest - member servers participate in nt5ds time services with it so it's already offering the capability to synchronize.

I'm simply wondering if I can point to the SRV record for the PDC in the forest root instead of its A record.  If possible, it would be more tolerant of changes to the forest root unary role holders (PDCe specifically).  I've done similar with the _kerberos SRV record, aliasing it to krbmaster.domain.com for unices requiring a master of operations in the realm...  It dawned on me that might work for domain time services in this case.

Unfortunately, I don't have a lab with a child domain so I can't easily test this without a bunch of other work.

Expert Comment

by:Felicia King
ID: 41808601
Edit the default domain controllers policy for the child domain. Edit the Windows Time area.
Set the following settings. Just poke around in there you will find them.
Announce flags = 5
NTPserver: fqdnPDC,0x9 fqdn2ndDC,0x2
Cross site sync flags 2
Event log flags 2

gpupdate /force
w32tm /resync /nowait /rediscover
w32tm /query /status
Net stop w32time
Net start w32time

LVL 43

Accepted Solution

Adam Brown earned 2000 total points
ID: 41808844
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?

I'm not 100% sure that the NTP Server service has to be running, but I also don't know if being part of a child domain grants the permissions required to sync using the nt5ds time service. Remote access to W32TM is controlled through a hidden (and pretty much unchangeable) ACL. I haven't really worked with child domains in a while, but I seem to remember having issues until the NTP Server service was enabled.

As to using SRV record VS A record...SRV records are requested by applications to determine which A record should be used during configuration to find information for whatever service they need to request from the server. It works like this:

1. SRV record exists for _pdc._msdcs.domain.com is configured to point to the PDCE in the Domain.
2. W32TM on client machines is configured to sync using DOMHIER flag
3. When W32TM performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in the _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.
5. W32TM updates its time to match the value returned by the PDC for that domain.

This type of functionality is hard coded into the W32TM service, so if a computer is configured to use DOMHIER for the Syncfromflags setting, it will do the above actions every time it tries to sync time. You can certainly create a DNS CNAME record that points to _pdc._msdcs.domain.com in the child domain, but you would still need to configure the Child PDCE to use that as a manual sync source, which is no different than using the root domain PDCE's A record, so it's basically a superfluous effort. W32TM will only ever query _pdc._msdcs.child.domain.com if the systems are set to use the DOMHIER flag.

Now, you could change the _pdc._msdcs.child.domain.com SRV record to point to the root PDCE, but you'll end up breaking the child domain's clients' ability to query the child domain's PDCE for account lockout and password expiration data. PDCE does more than just time control.

For a child domain, the SRV query will go to _pdc._msdcs.child.domain.com, and nowhere else, so it can't query the root domain for time. When a server has the PDCE role, it is simply configured as an "Authoritative" time source that other systems can use to sync from. W32TM *will not* sync from a system that isn't flagged as Authoritative.

When configuring a PDCE server in a root domain or child domain, unless you are certain the time in the CMOS clock is always going to be accurate, you'll want to use a known accurate time source like time.windows.com or pool.ntp.org (I use this one, since time.windows.com has been flaky in my experience).

In order for a Child domain's PDCE to have the exact same time as the PDCE in the root directory, you have to configure the Child PDCE to either sync with the same source as the root PDCE or sync directly from the root PDCE. There is no way around this requirement, and you can't change the way W32TM queries SRV records when using the DOMHIER flags, so you can't make a Child Domain PDCE request the _pdc._msdcs.domain.com SRV record to get the root domain's address. You may be able to hack the system to work this way, but such a solution is not supported by MS and we cannot provide you with instructions on how to do so (per the E-E ToS).

Does that all make more sense?
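Added example, not from any post on this page: since W32TM under DOMHIER will only ever query the child domain's own _pdc record, the SRV lookup the asker wanted can instead be done at configuration time, resolving the forest root's PDC SRV record and handing the resulting host to w32tm as a manual peer. It assumes it is run elevated on the child domain's PDCe with the RSAT ActiveDirectory and DnsClient modules available; the full record name `_ldap._tcp.pdc._msdcs.<domain>` is the record the posts abbreviate as `_pdc._msdcs.<domain>`.

```powershell
# Added example (not from the posts above): resolve the forest-root PDCe via its SRV record
# at configuration time and, with -Apply, point this child-domain PDCe at it as a manual peer.
# Assumes: run elevated on the child PDCe; RSAT ActiveDirectory + DnsClient modules present.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports; with it, it reconfigures w32tm
)
Import-Module ActiveDirectory -ErrorAction Stop

# Forest root DNS name, then the PDC SRV record beneath its _msdcs zone
# (written as _pdc._msdcs.<domain> in the posts; the actual record is _ldap._tcp.pdc._msdcs.<domain>).
$rootDomain = (Get-ADForest).RootDomain
$srvName    = "_ldap._tcp.pdc._msdcs.$rootDomain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
if (-not $srv) { throw "No SRV record found for $srvName" }
$rootPdc = $srv.NameTarget.TrimEnd('.')
Write-Host "Forest root PDCe per SRV lookup  : $rootPdc"

# Sanity check: the SRV answer should agree with what AD reports for the FSMO role holder.
$fsmoPdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator
if ($fsmoPdc -ne $rootPdc) { Write-Warning "SRV ($rootPdc) and FSMO ($fsmoPdc) disagree; check DNS" }

# What this host syncs from today, and its offset from the root PDCe. If the root PDCe
# does not answer NTP (NTP Server not enabled, as noted above), stripchart shows errors here.
Write-Host "Current time source on this host : $(w32tm /query /source)"
w32tm /stripchart /computer:$rootPdc /samples:3 /dataonly

if ($Apply) {
    # Client mode (0x8) + special poll interval (0x1) = 0x9, matching the GPO value quoted above;
    # /reliable:yes marks this PDCe as an authoritative source for its own domain (AnnounceFlags 5).
    w32tm /config /manualpeerlist:"$rootPdc,0x9" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
    w32tm /query /status
}
```

Run it without -Apply first: the stripchart offset tells you whether the child PDCe is already within tolerance of the root before you change its peer list.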
LVL 16

Expert Comment

by:Todd Nelson
ID: 41809329
The child domain is a red herring in this question because NTP uses domain hierarchy by default.  However, I like to set domain hierarchy because I honestly don't trust the default settings--even though it works out of the box.

The PDCe in the child domain will get its time from a domain based on a scoring method.

Domain Controller Status                              Score 
-----                                                 -----
Domain controller located in same site                  8
Domain controller marked as a reliable time source      4
Domain controller located in the parent domain          2
Domain controller that is a PDC emulator                1


Here are some references...

Author Comment

ID: 41809342

3. When W32TM performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in the _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.

this is precisely why I was wondering if I could use the root PDC's record.

Thanks for your feedback.  Similarly, its been a long time since I've been in a position to work with child domains.
