<div>
Unless you have a very good reason, the only server you'd change is the PDCe in each domain, and it does *not* need to be a physical machine.
</div>


<div>
Yes, that's what I thought so.<br />
<br />
So if I run the command <b>w32tm /query /computer:$Server /configuration</b> and <b>w32tm /query /source</b> in all of my domain joined server and each domain controller, it should return the <b>PDC emulator FSMO role </b> ?<br />
<br />
But when I run it in each random server in each different AD sites, it returns random Domain Controller instead of the PDC emulator role.<br />
<br />
How to fix this using the Group Policy perhaps?
</div>


<div>
DCs should sync from the PDC emulator, member servers (and client machines) from the nearest DC.
</div>


<div>
OK, so in this case, where can I check in the PDC emulator that it is synching to the Pool of NTP servers from <a href="http://www.pool.ntp.org" rel="ugc">http://www.pool.ntp.org</a>&nbsp;?<br />
<br />
I assume that any domain controllers in the forest which is healthy according to the script <a href="https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd" rel="ugc nofollow">https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd</a>&nbsp;should get the NTP configuration from PDC emulator ?
</div>


<div>
At a command prompt, <b>W32TM /query /source</b>.
</div>


<div>
Well, you are mashing terminology. The PDCe rule is per domain, not per forest, so saying that others in the &quot;entire forest&quot; is just wrong.but jo, domain controllers don't get the *configuration* from the PDCe. They sync their *time* from the PDCe. Their default *configuration* is unchanged and uses &quot;domain hierarchy&quot; unless someone manually overwrites it. This allows for dynamic changes in the domain, without requiring changes or updates. &nbsp;Gou can query the PDCe settings with w32time just like any other server.
</div>


<div>
Josh,<br />
<br />
if I set as NTP, I assume the PDC emulator will be synchronising with NTP pool server externally and the other DC will synch to the PDCemulator role ?<br />
<br />
For that case I just need to open TCP or UDP port 123 ?
</div>


<div>
Yes you would need to allow tcp and udp port 123 bi-directional into your forest root DC from the pool.ntp.org set of IP addresses:<br />
Non-authoritative answer:<br />
Name: &nbsp; &nbsp;pool.ntp.org<br />
Addresses: &nbsp;216.229.4.69<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 195.21.152.161<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 69.195.159.158<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 216.6.2.70
</div>


<div>
OK, just the the PDC emulator role Domain controller only right ?<br />
<br />
The rest of the DC will be synching to that role above.
</div>


<div>
Sorry yes, the rest of the DCs are configured to sync internally, not always the PDCe but definitely not to external ntp servers as long as the registry setting is NT5DS and not NTP.
</div>


<div>
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.<br />
<br />
I have recommended this question be closed as follows:<br />
<br />
Split: <br />
-- Josh Wicks (<a href="https:#a42068150" rel="ugc">https:#a42068150</a>)<br />
-- Mal Osborne (<a href="https:#a42067382" rel="ugc">https:#a42067382</a>)<br />
-- Cliff Galiher (<a href="https:#a42067394" rel="ugc">https:#a42067394</a>)<br />
<br />
<br />
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.<br />
<br />
Pber<br />
Experts-Exchange Cleanup Volunteer
</div>


<div>
<div class="content wysiwyg-content">
Hi All,<br />
<br />
I've got about 6 different AD sites under two AD domain in the forest.<br />
<br />
What's the best practice in configuring the Active Directory NTP service so that all servers &amp;&nbsp;network appliances can synch to single time source only to the <b>NTP Pool Server</b> ?<br />
<br />
My understanding is that the NTP server must be on the Physical Machine and the FSMO role <b>PDC Emulator</b>.
</div>
</div>


Hi All,

I've got about 6 different AD sites under two AD domain in the forest.

What's the best practice in configuring the Active Directory NTP service so that all servers & network appliances can synch to single time source only to the NTP Pool Server ?

My understanding is that the NTP server must be on the Physical Machine and the FSMO role PDC Emulator.

The best practice in configuring NTP server for all AD domain with multiple AD sites &amp; DCs ?

Best Practice

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

VMware, a software company founded in 1998,  was one of the first commercially successful companies to offer x86 virtualization. The storage company EMC purchased VMware in 1994. Dell Technologies acquired EMC in 2016. VMware’s parent company is now Dell Technologies.

VMware has many software products that run on desktops, Microsoft Windows, Linux, and macOS, which allows the virtualizing of the x86 architecture.  Its enterprise software hypervisor for servers, VMware vSphere Hypervisor (ESXi), is a bare-metal hypervisor that runs directly on the server hardware and does not require an additional underlying operating system.

VMware

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.

The best practice in configuring NTP server for all AD domain with multiple AD sites &amp; DCs ?

The best practice in configuring NTP server for all AD domain with multiple AD sites & DCs ?