Albert Widjaja
asked on
Best practice for configuring the NTP server for all AD domains with multiple AD sites & DCs?
Hi All,
I've got about 6 different AD sites under two AD domains in the forest.
What's the best practice for configuring the Active Directory NTP service so that all servers & network appliances sync to a single time source only, the NTP Pool Server?
My understanding is that the NTP server must be on the physical machine holding the PDC Emulator FSMO role.
Unless you have a very good reason, the only server you'd change is the PDCe in each domain, and it does *not* need to be a physical machine.
ASKER
Yes, that's what I thought.
So if I run the commands w32tm /query /computer:$Server /configuration and w32tm /query /source on all of my domain-joined servers and each domain controller, should they return the PDC emulator FSMO role holder?
But when I run it on a random server in each different AD site, it returns a random Domain Controller instead of the PDC emulator role holder.
How do I fix this, using Group Policy perhaps?
DCs should sync from the PDC emulator, member servers (and client machines) from the nearest DC.
ASKER
OK, so in this case, where can I check on the PDC emulator that it is syncing to the pool of NTP servers from http://www.pool.ntp.org ?
I assume that any domain controller in the forest which is healthy according to the script https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd should get the NTP configuration from the PDC emulator?
At a command prompt, W32TM /query /source.
Well, you are mashing terminology. The PDCe rule is per domain, not per forest, so saying that others in the "entire forest" is just wrong. But no, domain controllers don't get the *configuration* from the PDCe. They sync their *time* from the PDCe. Their default *configuration* is unchanged and uses "domain hierarchy" unless someone manually overwrites it. This allows for dynamic changes in the domain, without requiring changes or updates. You can query the PDCe settings with w32time just like any other server.
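The answers above describe the expected shape of the hierarchy (Type NT5DS on every DC except the PDCe, time source of the non-PDCe DCs being the PDCe) and say that the PDCe can be queried with w32tm like any other server. The script below, an added example that is not from this thread or from Microsoft, audits one domain against that shape. It assumes the ActiveDirectory RSAT module is installed, that the account running it can reach each DC over RPC for w32tm /query, and that the PDCe is meant to use a manual peer list (Type NTP); run it once per domain, since the PDCe rule is per domain.

```powershell
# Added example: audit W32Time on every DC of the current domain against the expected hierarchy.
# Assumptions: ActiveDirectory module present; w32tm /query /computer works over RPC to each DC.
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator   # FQDN of the domain's PDC emulator

function Get-W32TimeState {
    param([string]$Computer)
    # /configuration prints lines such as "Type: NT5DS (Local)" and "NtpServer: host,0x8 (Local)"
    $config = w32tm /query /computer:$Computer /configuration 2>&1
    $type   = ($config | Select-String '^\s*Type:\s*(\S+)').Matches.Groups[1].Value
    $peers  = ($config | Select-String '^\s*NtpServer:\s*(.+?)\s*\(').Matches.Groups[1].Value
    # /source prints the peer the service is currently syncing from (or "Local CMOS Clock", "Free-running System Clock")
    $source = (w32tm /query /computer:$Computer /source 2>&1) -join ''
    [pscustomobject]@{ Computer = $Computer; Type = $type; NtpServer = $peers; Source = $source.Trim() }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $state  = Get-W32TimeState -Computer $dc.HostName
    $isPdce = $dc.HostName -ieq $pdce
    $problems = @()

    if ($isPdce) {
        # The PDCe should use a manual peer list and be syncing from an external host, not from another DC.
        if ($state.Type -ne 'NTP')            { $problems += "Type is $($state.Type), expected NTP" }
        if ($state.Source -match 'Clock')     { $problems += "not syncing from any peer ($($state.Source))" }
    }
    else {
        # Every other DC should use domain hierarchy and, as the answers state, end up syncing from the PDCe.
        if ($state.Type -ne 'NT5DS')          { $problems += "Type is $($state.Type), expected NT5DS" }
        if ($state.Source -notmatch [regex]::Escape($pdce)) { $problems += "source is $($state.Source), expected $pdce" }
    }

    [pscustomobject]@{
        Computer  = $dc.HostName
        Site      = $dc.Site
        IsPDCe    = $isPdce
        Type      = $state.Type
        NtpServer = $state.NtpServer
        Source    = $state.Source
        Status    = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}

$report | Sort-Object IsPDCe -Descending | Format-Table -AutoSize
```

A DC reporting Type NT5DS but a source of "Local CMOS Clock" is the case worth investigating first: the service has the right configuration but has not found a time source, which is usually a connectivity or advertising problem rather than a configuration one. Member servers are not audited here because, per the answer below, they are expected to sync from the nearest DC rather than from the PDCe.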
ASKER
Josh,
If I set it as NTP, I assume the PDC emulator will be synchronising with the NTP pool server externally and the other DCs will sync to the PDC emulator role holder?
For that case I just need to open TCP or UDP port 123?
Yes you would need to allow tcp and udp port 123 bi-directional into your forest root DC from the pool.ntp.org set of IP addresses:
Non-authoritative answer:
Name: pool.ntp.org
Addresses: 216.229.4.69
195.21.152.161
69.195.159.158
216.6.2.70
ASKER
OK, just the PDC emulator role Domain Controller only, right?
The rest of the DC will be synching to that role above.
Sorry yes, the rest of the DCs are configured to sync internally, not always the PDCe but definitely not to external ntp servers as long as the registry setting is NT5DS and not NTP.
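The exchange above settles on one configuration: the PDCe uses a manual peer list (registry Type NTP) pointing at the pool, every other DC stays on domain hierarchy (Type NT5DS), and port 123 is opened for the PDCe. The commands below, an added example that is not part of the thread and not Microsoft's reference procedure, are one way to apply that with w32tm. They assume an elevated prompt on the DC being configured and that the public pool.ntp.org hostnames are acceptable; substitute a regional pool or an internal appliance if that is your policy.

```powershell
# Added example: apply the configuration agreed in the thread. Run the first section on the PDCe
# only and the second section on every other DC. Assumes an elevated PowerShell session.

# --- Section 1: PDC emulator only ---
# ,0x8 marks each peer as a client-mode association, the right mode for pool servers.
# /syncfromflags:manual switches the registry Type to NTP; /reliable:yes advertises this DC
# as a reliable time source so the other DCs pick it through domain hierarchy.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verification: the source should be a pool host, never another DC or "Local CMOS Clock".
w32tm /query /source
# Stratum should be one above the pool server's; Last Successful Sync Time should be recent.
w32tm /query /status /verbose

# Firewall: the PDCe initiates the NTP request over UDP 123; a stateful firewall admits the reply.
# Restrict -RemoteAddress further only if your edge firewall resolves the pool names itself,
# because the addresses behind pool.ntp.org rotate.
New-NetFirewallRule -DisplayName 'W32Time client to NTP pool' -Direction Outbound -Protocol UDP -RemotePort 123 -Action Allow

# --- Section 2: every other DC ---
# Return to domain hierarchy (Type NT5DS) and clear any manual peer list and reliable flag
# left by earlier experiments, so these DCs never reach out to external NTP servers.
w32tm /config /syncfromflags:domhier /reliable:no /update
Restart-Service w32time
w32tm /resync /rediscover

# Verification: the source should be the PDCe's FQDN.
w32tm /query /source
```

If a non-PDCe DC still reports an external source after Section 2, check whether its NtpServer value is being set by a Group Policy under Computer Configuration > Administrative Templates > System > Windows Time Service; a policy-delivered value overrides the local registry on every refresh, which is the usual reason the asker's servers returned a different DC than expected.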
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- Josh Wicks (https:#a42068150)
-- Mal Osborne (https:#a42067382)
-- Cliff Galiher (https:#a42067394)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer