Solved

NTP setting for PDCE in child domain

Posted on 2016-09-20
Last Modified: 2016-09-21
I have a question for other experts out there.

Guidance states a PDCE in a child domain should point to any DC in the forest root to maintain DOMHIER (preferably the PDCe in the forest root).

The GPO value format in the NTP server setting is "(FQDN | IP),server-flag"

If I want to automate this as much as possible for _my_ PDC's time policy, I *should* be able to use the _pdc SRV record for the Forest root's PDC emulator in place of the A record FQDN, allowing the child domain's PDCe to find the PDCe role holder in the forest root...

Has anyone tried it?
Question by:sAMAccountName
6 Comments
LVL 38

Expert Comment

by:Adam Brown
ID: 41807741
I haven't tried it myself, but you would need to make sure the NTP Server Service is enabled on the Root domain's PDC Emulator using the Enable Windows NTP Server policy. You would then use the following setting for the NTPServer value: <PDC for root domain's FQDN>,0x01
LVL 5

Author Comment

by:sAMAccountName
ID: 41807754
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice? It's operating as the time authority already in DOMHIER and is the highest stratum time server in the forest - member servers participate in nt5ds time services with it so it's already offering the capability to synchronize.

I'm simply wondering if I can point to the SRV record for the PDC in the forest root instead of its A record. If possible, it would be more tolerant of changes to the forest root unary role holders (PDCe specifically). I've done similar with the _kerberos SRV record, aliasing it to krbmaster.domain.com for unices requiring a master of operations in the realm... It dawned on me that might work for domain time services in this case.

Unfortunately, I don't have a lab with a child domain so I can't easily test this without a bunch of other work.
LVL 4

Expert Comment

by:Felicia King
ID: 41808601
Edit the default domain controllers policy for the child domain. Edit the Windows Time area.
Set the following settings. Just poke around in there you will find them.
Announce flags = 5
NTPserver: fqdnPDC,0x9 fqdn2ndDC,0x2
Cross site sync flags 2
Event log flags 2

gpupdate /force
w32tm /resync /nowait /rediscover
w32tm /query /status
Net stop w32time
Net start w32time
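The comment above sets the Windows Time values through the Default Domain Controllers Policy and then verifies with w32tm. The following script is an added example, not part of the thread and not Microsoft's code: it reads the W32Time values from the documented policy and service registry locations (policy values win when a GPO has been applied), decodes the `host,0xN` flag syntax of the NtpServer setting, and checks the result against the values the comment recommends (AnnounceFlags 5, a primary peer with the client bit, a second peer marked fallback-only). The flag-bit meanings are the documented W32Time peer flags; the expected hostnames are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Decodes the effective W32Time configuration on a DC
# and checks it against the values recommended in the comment above.
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'      # values pushed by GPO
$ServiceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time' # local service values

# Documented NtpServer peer flag bits
$FlagNames = @{ 0x1 = 'SpecialInterval'; 0x2 = 'UseAsFallbackOnly'; 0x4 = 'SymmetricActive'; 0x8 = 'Client' }

function ConvertFrom-NtpServerString {
    param([Parameter(Mandatory)][string]$Value)
    # "host1,0x9 host2,0x2" -> one object per peer with its flags decoded
    foreach ($entry in ($Value -split '\s+' | Where-Object { $_ })) {
        $peer, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [int]$flagText } else { 0 }   # PowerShell parses "0x9" as hex
        [pscustomobject]@{
            Peer    = $peer
            Flags   = ('0x{0:X}' -f $flags)
            Meaning = (($FlagNames.Keys | Where-Object { $flags -band $_ } |
                        ForEach-Object { $FlagNames[$_] }) -join '|')
        }
    }
}

function Get-W32TimeEffectiveSetting {
    param([Parameter(Mandatory)][string]$SubKey, [Parameter(Mandatory)][string]$Name)
    # A policy value, when present, overrides the service's own value
    $policy = Get-ItemProperty -Path "$PolicyRoot\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($policy) { return [pscustomobject]@{ Name = $Name; Source = 'Policy';  Value = $policy.$Name } }
    $local  = Get-ItemProperty -Path "$ServiceRoot\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($local)  { return [pscustomobject]@{ Name = $Name; Source = 'Service'; Value = $local.$Name } }
}

function Test-DcTimeConfig {
    # Placeholder hostnames: replace with the PDCe and a second DC of the domain
    param([string]$ExpectedPrimary = 'pdc.child.domain.com', [string]$ExpectedFallback = 'dc2.child.domain.com')
    $type     = Get-W32TimeEffectiveSetting -SubKey 'Parameters' -Name 'Type'
    $servers  = Get-W32TimeEffectiveSetting -SubKey 'Parameters' -Name 'NtpServer'
    $announce = Get-W32TimeEffectiveSetting -SubKey 'Config'     -Name 'AnnounceFlags'
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $servers)                         { $findings.Add('NtpServer is not set at all') }
    if ($type -and $type.Value -ne 'NTP')      { $findings.Add("Type is '$($type.Value)', manual peers are only used with Type=NTP") }
    if (-not $announce -or $announce.Value -ne 5) { $findings.Add("AnnounceFlags is '$($announce.Value)', expected 5 (reliable time source)") }

    $peers = if ($servers) { @(ConvertFrom-NtpServerString -Value $servers.Value) } else { @() }
    $primary  = $peers | Where-Object { $_.Peer -ieq $ExpectedPrimary }
    $fallback = $peers | Where-Object { $_.Peer -ieq $ExpectedFallback }
    if (-not $primary)  { $findings.Add("Expected primary peer '$ExpectedPrimary' is missing") }
    elseif (([int]$primary.Flags -band 0x8) -eq 0) { $findings.Add("Primary peer '$ExpectedPrimary' lacks the Client (0x8) flag") }
    if (-not $fallback) { $findings.Add("Expected fallback peer '$ExpectedFallback' is missing") }
    elseif (([int]$fallback.Flags -band 0x2) -eq 0) { $findings.Add("Fallback peer '$ExpectedFallback' lacks UseAsFallbackOnly (0x2)") }

    [pscustomobject]@{
        Settings = @($type, $servers, $announce) | Where-Object { $_ }
        Peers    = $peers
        Findings = $findings
    }
}

$report = Test-DcTimeConfig
$report.Settings | Format-Table -AutoSize
$report.Peers    | Format-Table -AutoSize
if ($report.Findings.Count) { $report.Findings | ForEach-Object { Write-Warning $_ } } else { 'W32Time configuration matches the expected values' }
```

Run it after `gpupdate /force` on the child domain's DCs; if a finding reports a value coming from `Service` rather than `Policy`, the GPO has not applied to that machine and `w32tm /query /configuration` will confirm which source is in effect.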
LVL 38

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 41808844
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?

I'm not 100% sure that the NTP Server service has to be running, but I also don't know if being part of a child domain grants the permissions required to sync using the nt5ds time service. Remote access to W32TM is controlled through a hidden (and pretty much unchangeable) ACL. I haven't really worked with child domains in a while, but I seem to remember having issues until the NTP Server service was enabled.

As to using SRV record VS A record...SRV records are requested by applications to determine which A record should be used during configuration to find information for whatever service they need to request from the server. It works like this:

1. An SRV record for _pdc._msdcs.domain.com exists and is configured to point to the PDCE in the Domain.
2. W32TM on client machines is configured to sync using DOMHIER flag
3. When W32TM performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.
5. W32TM updates its time to match the value returned by the PDC for that domain.

This type of functionality is hard coded into the W32TM service, so if a computer is configured to use DOMHIER for the Syncfromflags setting, it will do the above actions every time it tries to sync time. You can certainly create a DNS CNAME record that points to _pdc._msdcs.domain.com in the child domain, but you would still need to configure the Child PDCE to use that as a manual sync source, which is no different than using the root domain PDCE's A record, so it's basically a superfluous effort. W32TM will only ever query _pdc._msdcs.child.domain.com if the systems are set to use the DOMHIER flag.

Now, you could change the _pdc._msdcs.child.domain.com SRV record to point to the root PDCE, but you'll end up breaking the child domain's clients' ability to query the child domain's PDCE for account lockout and password expiration data. PDCE does more than just time control.

For a child domain, the SRV query will go to _pdc._msdcs.child.domain.com, and nowhere else, so it can't query the root domain for time. When a server has the PDCE role, it is simply configured as an "Authoritative" time source that other systems can use to sync from. W32TM *will not* sync from a system that isn't flagged as Authoritative.

When configuring a PDCE server in a root domain or child domain, unless you are certain the time in the CMOS clock is always going to be accurate, you'll want to use a known accurate time source like time.windows.com or pool.ntp.org (I use this one, since time.windows.com has been flaky in my experience).

In order for a Child domain's PDCE to have the exact same time as the PDCE in the root directory, you have to configure the Child PDCE to either sync with the same source as the root PDCE or sync directly from the root PDCE. There is no way around this requirement, and you can't change the way W32TM queries SRV records when using the DOMHIER flags, so you can't make a Child Domain PDCE request the _pdc._msdcs.domain.com SRV record to get the root domain's address. You may be able to hack the system to work this way, but such a solution is not supported by MS and we cannot provide you with instructions on how to do so (per the E-E ToS).

Does that all make more sense?
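The accepted answer lays out the lookup chain behind DOMHIER: the domain's own _pdc._msdcs SRV record names the PDC emulator, that name is resolved to an address, and only that domain's record is ever consulted. The script below is an added example (not from the thread, not Microsoft's code) that walks the same chain for both the child and the root domain with the built-in Resolve-DnsName cmdlet, then reads the peer the local W32Time service is actually using with `w32tm /query /source` and classifies the result. It is meant to be run on the child domain's PDCe; the two domain names are placeholders.

```powershell
# Added example (not from the thread). Follows the _pdc._msdcs SRV -> host -> address chain
# for the child and root domains and reports which host this machine is syncing time from.
param(
    [string]$ChildDomain = 'child.domain.com',   # placeholder
    [string]$RootDomain  = 'domain.com'          # placeholder
)

function Get-PdcEmulatorFromSrv {
    param([Parameter(Mandatory)][string]$Domain)
    # Steps 3 and 4 of the answer: the SRV record names the PDCE, then the name is resolved
    $srv = Resolve-DnsName -Name "_pdc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
    $a   = Resolve-DnsName -Name $srv.NameTarget -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Domain    = $Domain
        SrvRecord = "_pdc._msdcs.$Domain"
        PdcHost   = $srv.NameTarget.TrimEnd('.')
        Addresses = @($a.IPAddress)
    }
}

function Get-CurrentTimeSource {
    # w32tm prints the peer name; a manual peer carries a ",0x..." flag suffix, which is stripped
    $raw = (& w32tm /query /source) -join ''
    ($raw.Trim()) -replace ',0x[0-9A-Fa-f]+$', ''
}

function Test-ChildPdceTimeChain {
    param([Parameter(Mandatory)][string]$ChildDomain, [Parameter(Mandatory)][string]$RootDomain)
    $child  = Get-PdcEmulatorFromSrv -Domain $ChildDomain
    $root   = Get-PdcEmulatorFromSrv -Domain $RootDomain
    $source = Get-CurrentTimeSource

    # Classify the current source against the two resolved PDC emulators
    $verdict = switch -Regex ($source) {
        '^Local CMOS Clock$'                      { 'Free-running on the local clock: not synced from any peer'; break }
        "^$([regex]::Escape($root.PdcHost))$"     { 'Syncing directly from the root PDCe'; break }
        "^$([regex]::Escape($child.PdcHost))$"    { 'Source is this domain''s own PDCe: the child PDCe is pointing at itself'; break }
        default                                   { "Syncing from '$source' (external or other manual peer)" }
    }

    [pscustomobject]@{
        ChildPdc      = $child.PdcHost
        ChildPdcAddrs = ($child.Addresses -join ', ')
        RootPdc       = $root.PdcHost
        RootPdcAddrs  = ($root.Addresses -join ', ')
        CurrentSource = $source
        Verdict       = $verdict
    }
}

Test-ChildPdceTimeChain -ChildDomain $ChildDomain -RootDomain $RootDomain | Format-List
```

The two SRV lookups make the answer's point visible: `_pdc._msdcs.child.domain.com` and `_pdc._msdcs.domain.com` resolve to different hosts, and nothing in the child record leads to the root PDCe, so the root host has to be given to the child PDCe as a manual peer (or both must share an external source). A "Local CMOS Clock" verdict on a PDCe is the condition worth alerting on, since every clock beneath it in the hierarchy then follows an unsynchronised source.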
LVL 14

Expert Comment

by:Todd Nelson
ID: 41809329
The child domain is a red herring in this question because NTP uses domain hierarchy by default. However, I like to set domain hierarchy because I honestly don't trust the default settings--even though it works out of the box.

The PDCe in the child domain will get its time from a domain based on a scoring method.


Domain Controller Status                              Score
----------------------------------------------------  -----
Domain controller located in same site                    8
Domain controller marked as a reliable time source        4
Domain controller located in the parent domain            2
Domain controller that is a PDC emulator                  1

Here are some references...
LVL 5

Author Comment

by:sAMAccountName
ID: 41809342
Adam:

3. When W32TM performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.

this is precisely why I was wondering if I could use the root PDCs record.

Thanks for your feedback. Similarly, it's been a long time since I've been in a position to work with child domains.