NTP setting for PDCE in child domain

Posted on 2016-09-20
Last Modified: 2016-09-21
I have a question for other experts out there.

Guidance states a PDCE in a child domain should point to any DC in the forest root to maintain domhier (preferably the PDCe in the forest root).

The GPO value format in the NTP server setting is "(FQDN | IP),server-flag"

If I want to automate this as much as possible for _my_ PDC's time policy, I *should* be able to use the _pdc SRV record for the forest root's PDC emulator in place of the A record FQDN, allowing the child domain's PDCe to find the PDCe role holder in the forest root...

Has anyone tried it?
Question by:sAMAccountName
LVL 39

Expert Comment

by:Adam Brown
ID: 41807741
I haven't tried it myself, but you would need to make sure the NTP Server Service is enabled on the Root domain's PDC Emulator using the Enable Windows NTP Server policy. You would then use the following setting for the NTPServer value: <PDC for root domain's FQDN>,0x01

Author Comment

ID: 41807754
Would the forest root PDCe need the actual NTP service installed and running, or would w32time itself suffice?  It's operating as the time authority already in domhier and is the highest stratum time server in the forest - member servers participate in nt5ds time services with it, so it's already offering the capability to synchronize.

I'm simply wondering if I can point to the SRV record for the PDC in the forest root instead of its A record.  If possible, it would be more tolerant of changes to the forest root unary role holders (PDCe specifically).  I've done similar with the _kerberos SRV record, aliasing it to for unices requiring a master of operations in the realm...  It dawned on me that might work for domain time services in this case.

Unfortunately, I don't have a lab with a child domain, so I can't easily test this without a bunch of other work.

Expert Comment

by:Felicia King
ID: 41808601
Edit the default domain controllers policy for the child domain. Edit the Windows Time area.
Set the following settings. Just poke around in there; you will find them.
Announce flags = 5
NTPserver: fqdnPDC,0x9 fqdn2ndDC,0x2
Cross site sync flags 2
Event log flags 2

gpupdate /force
w32tm /resync /nowait /rediscover
w32tm /query /status
net stop w32time
net start w32time

LVL 39

Accepted Solution

Adam Brown earned 500 total points
ID: 41808844
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?

I'm not 100% sure that the NTP Server service has to be running, but I also don't know if being part of a child domain grants the permissions required to sync using the nt5ds time service. Remote access to W32TM is controlled through a hidden (and pretty much unchangeable) ACL. I haven't really worked with child domains in a while, but I seem to remember having issues until the NTP Server service was enabled.

As to using an SRV record vs. an A record... SRV records are requested by applications to determine which A record should be used during configuration to find information for whatever service they need to request from the server. It works like this:

1. SRV record exists for is configured to point to the PDCE in the Domain.
2. W32TM on client machines is configured to sync using DOMHIER flag
3. When W32TM performs a sync action, it queries to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in the and connects to the W32TM service of the PDC.
5. W32TM updates its time to match the value returned by the PDC for that domain.

This type of functionality is hard coded into the W32TM service, so if a computer is configured to use DOMHIER for the Syncfromflags setting, it will do the above actions every time it tries to sync time. You can certainly create a DNS CNAME record that points to in the child domain, but you would still need to configure the Child PDCE to use that as a manual sync source, which is no different than using the root domain PDCE's A record, so it's basically a superfluous effort. W32TM will only ever query if the systems are set to use the DOMHIER flag.

Now, you could change the SRV record to point to the root PDCE, but you'll end up breaking the child domain's clients' ability to query the child domain's PDCE for account lockout and password expiration data. PDCE does more than just time control.

For a child domain, the SRV query will go to, and nowhere else, so it can't query the root domain for time. When a server has the PDCE role, it is simply configured as an "Authoritative" time source that other systems can use to sync from. W32TM *will not* sync from a system that isn't flagged as Authoritative.

When configuring a PDCE server in a root domain or child domain, unless you are certain the time in the CMOS clock is always going to be accurate, you'll want to use a known accurate time source like or (I use this one, since has been flaky in my experience).

In order for a Child domain's PDCE to have the exact same time as the PDCE in the root directory, you have to configure the Child PDCE to either sync with the same source as the root PDCE or sync directly from the root PDCE. There is no way around this requirement, and you can't change the way W32TM queries SRV records when using the DOMHIER flags, so you can't make a Child Domain PDCE request the SRV record to get the root domain's address. You may be able to hack the system to work this way, but such a solution is not supported by MS and we cannot provide you with instructions on how to do so (per the E-E ToS).

Does that all make more sense?
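The two pieces of advice above, the manual peer list with server flags from Felicia's post and the SRV-to-A lookup described in the accepted answer, combined into an added PowerShell example that is not code from the thread. It does not try to change how w32time itself resolves SRV records (the answer explains that is not possible); instead a script that runs on the child domain's PDC emulator, for example from a scheduled task, resolves the standard _ldap._tcp.pdc._msdcs SRV record of the forest root, confirms the named host has an A record, and writes that host into the manual peer list, so a PDCe role transfer in the root is picked up on the next run. The second root DC used as fallback and the 15-minute poll interval are placeholders, not values from the thread; the forest root name is read from the machine's own domain object.

```powershell
# Added example, not code from the thread. Run elevated on the child domain's
# PDC emulator. Follows the accepted answer: w32time will not chase the forest
# root's SRV record by itself, so this script resolves the standard
# _ldap._tcp.pdc._msdcs.<forest root> record and puts the resulting host name
# into the manual peer list, using the flag values from the GPO-based answer.

# ---- assumptions (placeholders, not from the thread) ----
$FallbackDc         = 'dc2.corp.example.com'   # a second forest root DC, fallback only
$SpecialPollSeconds = 900                      # poll interval used when the 0x1 flag is set

# Server-flag bits accepted after the comma in "fqdn,flags":
#   0x1 SpecialInterval    poll every SpecialPollInterval seconds
#   0x2 UseAsFallbackOnly  use only when the other peers are unreachable
#   0x4 SymmetricActive    peer mode, not needed here
#   0x8 Client             ordinary NTP client request
$SpecialInterval = 0x1; $FallbackOnly = 0x2; $Client = 0x8

# Guard: only the child PDCe gets a manual peer list; every other DC and member
# keeps the default DOMHIER behaviour and finds this machine on its own.
$childDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$thisHost    = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
if ($childDomain.PdcRoleOwner.Name -ne $thisHost) {
    throw "Run only on the PDC emulator of $($childDomain.Name) ($($childDomain.PdcRoleOwner.Name))."
}
$forestRoot = $childDomain.Forest.Name

# 1. SRV lookup for the forest root PDCe: lowest priority first, then highest weight.
$srv = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$forestRoot" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
       Select-Object -First 1
$rootPdc = $srv.NameTarget.TrimEnd('.')

# 2. The SRV record only names a host; w32time needs that host's A record, so
#    confirm it resolves before pointing the time service at it.
$null = Resolve-DnsName -Name $rootPdc -Type A -ErrorAction Stop

# 3. Peer list: root PDCe as primary, second root DC as fallback only (space separated).
$peerList = ('{0},0x{1:X}' -f $rootPdc,    ($Client -bor $SpecialInterval)),
            ('{0},0x{1:X}' -f $FallbackDc, ($Client -bor $FallbackOnly)) -join ' '

# 4. Apply only when the role holder (or fallback) changed, so a scheduled run
#    does not restart w32time needlessly.
$w32     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$current = (Get-ItemProperty "$w32\Parameters" -ErrorAction SilentlyContinue).NtpServer
if ($current -eq $peerList) {
    Write-Host "NtpServer already set to '$peerList'; nothing to do."
} else {
    # /reliable:YES sets AnnounceFlags to 5 (Timeserv_Announce_Yes + Reliable_Announce_Yes)
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:MANUAL /reliable:YES /update | Out-Null
    Set-ItemProperty "$w32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value $SpecialPollSeconds -Type DWord
    Set-ItemProperty "$w32\Config" -Name EventLogFlags -Value 2 -Type DWord   # log time source changes
    Restart-Service w32time
    w32tm /resync /rediscover /nowait | Out-Null
    Write-Host "NtpServer changed from '$current' to '$peerList'."
}

# 5. Verify: the reported source must be the root PDCe and the offset to it should be small.
w32tm /query /source
w32tm /query /status
w32tm /stripchart /computer:$rootPdc /samples:3 /dataonly
```

The comparison against the current NtpServer value is what makes the script safe to schedule: it only reconfigures and restarts w32time when the resolved role holder differs from what is already set, and the /stripchart call at the end gives an immediate offset reading against the root PDCe so a wrong or unreachable peer shows up right away rather than on the next Kerberos failure.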
LVL 15

Expert Comment

by:Todd Nelson
ID: 41809329
The child domain is a red herring in this question because NTP uses domain hierarchy by default.  However, I like to set domain hierarchy because I honestly don't trust the default settings--even though it works out of the box.

The PDCe in the child domain gets its time from a domain based on a scoring method.

Domain Controller Status                              Score 
-----                                                 -----
Domain controller located in same site                  8
Domain controller marked as a reliable time source      4
Domain controller located in the parent domain          2
Domain controller that is a PDC emulator                1


Here are some references...

Author Comment

ID: 41809342

3. When W32TM performs a sync action, it queries to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in the and connects to the W32TM service of the PDC.

This is precisely why I was wondering if I could use the root PDC's record.

Thanks for your feedback.  Similarly, it's been a long time since I've been in a position to work with child domains.
