• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 434
  • Last Modified:

NTP setting for PDCE in child domain

I have a question for other experts out there.

Guidance states a PDCE in a child domain should point to any DC in the forest root to maintain domheir  (preferably the PDCe in the forest root).  

The GPO value format in the NTP server setting is "(FQDN | IP),server-flag"

If I want to automate this as much as possible for _my_ PDC's time policy, I *should* be able to use the _pdc SRV record for the Forest root's PDC emulator in place of the A record FQDN, allowing the child domains PDCe to find the PDCe role holder in the forest root...

Has anyone tried it?
1 Solution
Adam BrownSr Solutions ArchitectCommented:
I haven't tried it myself, but you would need to make sure the NTP Server Service is enabled on the Root domain's PDC Emulator using the Enable Windows NTP Server policy. You would then use the following setting for the NTPServer value: <PDC for root domain's FQDN>,0x01
sAMAccountNameSr. Systems EngineerAuthor Commented:
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?  Its operating as the time authority already in domheir and is the highest stratum time server in the forest - member servers participate in nt5ds time services with it so its already offering the capability to synchronize.

Im simply wondering if I can point to the SRV record for the PDC in the forest root instead of its A record.  If possible, it would be more tolerant of changes to the forest root unary role holders (PDCe specifically).  Ive done similar with the _kerberos SRV record, aliasing it to krbmaster.domain.com for unices requiring a master of operations in the realm...  It dawned on me that might work for domain time services in this case.

Unfortunately, I dont have a lab with a child domain so I cant easily test this without a bunch of other work.
Felicia KingCommented:
Edit the default domain controllers policy for the child domain. Edit the Windows Time area.
Set the following settings. Just poke around in there you will find them.
Announce flags = 5
NTPserver: fqdnPDC,0x9 fqdn2ndDC,0x2
Cross site sync flags 2
Event log flags 2

gpupdate /force
w32tm /resync /nowait /rediscover
w32tm /query /status
Net stop w32time
Net start w32time
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Adam BrownSr Solutions ArchitectCommented:
Would the forest root PDCe need the actual NTP service installed and running or would w32time itself suffice?

I'm not 100% sure that the NTP Server service has to be running, but I also don't know if being part of a child domain grants the permissions required to sync using the nt5ds time service. Remote access to W32TM is controlled through a hidden (and pretty much unchangeable) ACL. I haven't really worked with child domains in a while, but I seem to remember having issues until the NTP Server service was enabled.

As to using SRV record VS A record...SRV records are requested by applications to determine which A record should be used during configuration to find information for whatever service they need to request from the server. It works like this:

1. SRV record exists for _pdc._msdcs.domain.com is configured to point to the PDCE in the Domain.
2. W32TM on client machines is configured to sync using DOMHIER flag
3. When W32TM is performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in the _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.
5. W32TM updates its time to match the value returned by the PDC for that domain.

This type of functionality is hard coded into the W32TM service, so if a computer is configured to use DOMHIER for the Syncfromflags setting, it will do the above actions every time it tries to sync time. You can certainly create a DNS CNAME record that points to _pdc._msdcs.domain.com in the child domain, but you would still need to configure the Child PDCE to use that as a manual sync source, which is no different than using the root domain PDCE's A record, so it's basically a superfluous effort. W32TM will only ever query _pdc._msdcs.child.domain.com if the systems are set to use the DOMHIER flag.

Now, you could change the _pdc._msdcs.child.domain.com SRV record to point to the root PDCE, but you'll end up breaking the child domain's clients' ability to query the child domain's PDCE for account lockout and password expiration data. PDCE does more than just time control.

For a child domain, the SRV query will go to _pdc._msdcs.child.domain.com, and nowhere else, so it can't query the root domain for time. When a server has the PDCE role, it is simply configured as an "Authoritative" time source that other systems can use to sync from. W32TM *will not* sync from a system that isn't flagged as Authoritative.

When configuring a PDCE server in a root domain or child domain, unless you are certain the time in the CMOS clock is always going to be accurate, you'll want to use a  known accurate time source like time.windows.com or pool.ntp.org (I use this one, since time.windows.com has been flaky in my experience).

In order for a Child domain's PDCE to have the exact same time as the PDCE in the root directory, you have to configure the Child PDCE to either sync with the same source as the root PDCE or sync directly from the root PDCE. There is no way around this requirement, and you can't change the way W32TM queries SRV records when using the DOMHIER flags, so you can't make a Child Domain PDCE request the _pdc._msdcs.domain.com SRV record to get the root domain's address. You may be able to hack the system to work this way, but such a solution is not supported by MS and we cannot provide you with instructions on how to do so (per the E-E ToS).

Does that all make more sense?
Todd NelsonSystems EngineerCommented:
The child domain is a red herring in this question because NTP uses domain hierarchy by default.  However, I like to set domain hierarchy because I honestly don't trust the default settings--even though it works out of the box.

The PDCe in the child domain will get it's time from a domain based on a scoring method.

Domain Controller Status                              Score 
-----                                                 -----
Domain controller located in same site                  8
Domain controller marked as a reliable time source      4
Domain controller located in the parent domain          2
Domain controller that is a PDC emulator                1

Open in new window

Here are some references...
sAMAccountNameSr. Systems EngineerAuthor Commented:

3. When W32TM is performs a sync action, it queries _pdc._msdcs.domain.com to retrieve the FQDN of the PDCE role holder
4. W32TM resolves the Host Name stored in the _pdc._msdcs.domain.com and connects to the W32TM service of the PDC.

this is precisely why I was wondering if I could use the root PDCs record.

Thanks for your feedback.  Similarly, its been a long time since I've been in a position to work with child domains.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now