NTP not propagating across domain

I am trying to get a single internal NTP source setup on my domain, but what I have tried is not working.

PDC has been updated to have HKLM\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlag set to 'a'.
PDC has been updated to have HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\Ntpserver\Enabled set to '1'.
GPO has been created pointing to the PDC as the NTP Server.

When I check with 'w32tm /query /peers', some computers do not list the PDC as the peer.

How do I get this fixed and working?
Asked by: jjwolven

Cliff Galiher commented:
Don't use GPO.  The *only* place you need to set peers is on the PDCe. And since there can only be one PDCe in a domain, that means you'd only ever change this one place.  Group Policies are for *groups*, and setting a GPO risks the possibility of the setting going to unintended servers *AND* makes deciphering the environment for "the next guy" harder.  Just don't use GPO.  Don't don't don't.

-Cliff

Cliff Galiher commented:
Undo everything you did.  By default everything "just works" and some of the changes you made could actually be breaking things.

Time services in a domain use a hierarchical approach. The group policy could be interfering. Setting flags manually could be interfering.  Just give the PDCe-role server a good time source and the rest will fall into place.

jjwolven (author) commented:
Before I made the changes, the PDC was not being used as a peer.

ferrarista commented:
Cliff is right. Double check that the PDCE of your root domain has configured the NTP source(s) correctly. Also check UDP 123 is allowed.

You can of course use GPO to configure NTP, but it is not compulsory. A few links that discuss this approach:

http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo

https://theitbros.com/configure-ntp-time-sync-group-policy/

jjwolven (author) commented:
If it was configured correctly by default, would it not have showed the PDCe as the Peer?

There was a System Admin previous to me that has made several mistakes - is there a setting list I can refer to so that I can confirm it is set where it should be?

ferrarista commented:
Hopefully this will help you

https://support.microsoft.com/en-us/help/223184/registry-entries-for-the-w32time-service

The time source for replication type should be set to NT5DS (synchronize to domain hierarchy [default])

Cliff Galiher commented:
No, domain members will not show the PDCe as a peer by default.  Nor would you want it to.

Keep in mind that Active Directory was designed to be *VERY* scalable and very geographically dispersed.  If all machines in a 100,000 device domain needed to talk to the PDCe, that wouldn't be WAN friendly, nor very nice to the PDCe.  As I said, Active Directory uses a hierarchical approach by default.

The PDCe will be an authoritative source for the domain (as long as it has a source so it knows it is authoritative), then other domain controllers will sync from it (or from a domain controller that is syncing with it, depending on WAN links, costs, etc.) and then member servers and clients will sync with their nearest domain controller, or another one if it is down.

That actually means a couple of things. It means that listing peers would actually be counter-productive as it wouldn't allow the network to dynamically adjust as needed. It also means that static peers would be single points of failure.  In a default configuration, domain joined machines simply have an internal flag that sets the machine to sync time using DOMHIER (domain hierarchy) and then the Windows time code knows to use AD to find the "best" peer in that moment.  And the next time it syncs, it may indeed poll a different peer if that changes.  With laptops roaming from site to site, that is *exactly* what you want, and Windows does it very well.

It does have the side effect though that you won't see hard-coded peers when you query the list.  That is normal and expected. You don't want peers to be showing in such a scenario.

jjwolven (author) commented:
Understood.
I am working on this for a security audit that requires we show evidence that it is using a time source.
How would this be shown?

Also, when I looked at the other DCs, they showed an external as the NTP Server (time.windows)

ferrarista commented:
It would be shown on your PDC Emulator, which should be pointing to your NTP source. When this happens, you will also see evidence in your servers' event logs. They will record NTP events, such as when your servers are realigning time or reconnecting to an NTP source, such as after a service restart or a W32Time service restart.

Cliff Galiher commented:
It depends on who is doing the audit and what they are looking for.  Active Directory has been around nearly 20 years and the basic functionality for time syncing was there out of the gate.  For most, the first few lines from w32tm /query /configuration show the flags and that's plenty, since a security audit would also, unrelated to time, be verifying the domain and Kerberos itself, making the domain hierarchy flags sufficient, and dependent on the health of the domain.  If they need you to prove beyond that, that really goes beyond just an NTP question and becomes a much bigger lift.
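As an added example (not part of the original thread, and not code from any of the participants), the following script collects the evidence the audit question above asks for from every domain controller in one pass: the Type and NtpServer values the service is using, whether a Group Policy is overriding them, what w32tm reports as the current source, and the last successful sync. It assumes the ActiveDirectory module, WinRM access to each DC, and rights to read the registry remotely; the function names are this example's own. The check it applies is the default described in the thread: only the PDCe should have a manual peer list (Type=NTP), everything else should be NT5DS. The policy key it looks at (HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters) is where the Windows Time GPO writes, and a value there wins over the service key, which is why a GPO can leave w32tm reporting something other than what is in Services\W32Time\Parameters.

```powershell
# Added example: gather W32Time audit evidence from every DC and flag deviations
# from the default domain hierarchy. Not from the original thread.
# Assumes: ActiveDirectory module, WinRM to each DC, rights to read HKLM remotely.

Import-Module ActiveDirectory

function Get-W32TimeEvidence {
    param([string[]]$ComputerName)

    # The PDC emulator is the only machine that should hold a manual peer list.
    $pdce = (Get-ADDomain).PDCEmulator

    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ArgumentList $pdce -ScriptBlock {
            param($pdce)
            $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
            # Values written by the Windows Time GPO land here and override $svc.
            $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'

            $p      = Get-ItemProperty -Path $svc
            $policy = if (Test-Path $pol) { Get-ItemProperty -Path $pol } else { $null }

            # w32tm shows what the running service is actually doing right now,
            # regardless of which registry key the setting came from.
            $source   = (w32tm /query /source) -join ''
            $status   = w32tm /query /status
            $lastSync = ($status | Where-Object { $_ -like 'Last Successful Sync Time:*' }) -replace '^[^:]+:\s*', ''

            $isPdce = $env:COMPUTERNAME -ieq $pdce.Split('.')[0]
            # Default expectation: PDCe = NTP (manual peers), everything else = NT5DS (DOMHIER).
            $expectedType = if ($isPdce) { 'NTP' } else { 'NT5DS' }

            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                IsPdce        = $isPdce
                Type          = $p.Type
                NtpServer     = $p.NtpServer
                PolicyType    = if ($policy) { $policy.Type } else { $null }   # non-null = GPO override
                PolicyNtp     = if ($policy) { $policy.NtpServer } else { $null }
                CurrentSource = $source
                LastSync      = $lastSync
                Deviation     = ($p.Type -ne $expectedType) -or ($null -ne $policy)
            }
        }
    }
}

# Usage: every DC in the domain; pipe to Export-Csv for the audit package.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-W32TimeEvidence -ComputerName $dcs | Format-Table -AutoSize
```

A row with Deviation = True and a non-null PolicyType is the "GPO is interfering" case described earlier in the thread; a non-PDCe DC with Type = NTP and NtpServer = time.windows.com is the case the author found on the other DCs. The same function works against member servers if you pass their names instead of the DC list.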

jjwolven (author) commented:
What about the DCs that are not PDCe showing time.windows as the NTP Server?

Cliff Galiher commented:
And w32tm /query /status is a useful command.

Cliff Galiher commented:
It isn't default, if that is what you are asking.  There are a million ways to change these configurations (probably quite literally since it grows exponentially) and I don't think anyone here could guess at every eventuality or every possible place they may have decided to try doing their own thing. Too many possibilities. Fix what you find, and all the more reason to leave things at default or get back to them wherever possible.

ferrarista commented:
That should be wrong. They should show NT5DS, meaning they follow domain hierarchy.

Time.Windows is the default value for standalone workstations and servers.

jjwolven (author) commented:
It looks like they are set to Type=AllSync

Should that be set to NT5DS for all servers and DCs (including PDCe)?

ferrarista commented:
Yes, excluding PDCE, which should point to the NTP Source.

jjwolven (author) commented:
For the PDCe,
Type = NT5DS
NtpServer = <ntp pool>

is that correct?
Will it hurt if I use GPO to set those two settings? That way, if I have to change the PDCe, I won't have to change GPO or the registry.

ferrarista commented:
Yes, you can enter multiple NTP sources there for redundancy. I would first set it manually on a couple of sample servers, to make sure it is flowing correctly.

jjwolven (author) commented:
Confirming the format for GPO:
Example (not actual NTP server names):
0.ntpserver.org,0x1 1.ntpserver.org,0x1 2.ntpserver.org,0x1

NTP server name <comma> 0x1 <space> NTP server 2 name <comma> 0x1 <space> etc.

jjwolven (author) commented:
What about using GPO to set them to NT5DS?

As I said, the servers and some workstations show as AllSync

ferrarista commented:
All member servers and workstations should use NT5DS.

At this point, it may make sense to use GPO if you have many objects to modify. But, again, test FIRST to make sure your new settings are working correctly.

Cliff Galiher commented:
I'd recommend scripting it to fix once instead of relying on group policies. Too easy for things to go wrong. That's making two non-standard changes instead of reverting to standard. Two wrongs don't make a right and all that.

jjwolven (author) commented:
When using the GPO, if I leave the NTPServer field blank, will it remove that registry entry or leave it alone?

Or would it be best to set each server manually?

[Attachment: NTPGPO.JPG]

jjwolven (author) commented:
Cliff, if I use the script would the following be correct:

$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"   # hive is HKLM (HKEY_LOCAL_MACHINE), not HKLC
$Name = "Type"
$value = "NT5DS"
# Type is a REG_SZ value, so the property type must be String; writing it as a DWORD would break the service's parsing of it
New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType String -Force | Out-Null

EDIT:
Hmm...may have overcomplicated that.
would the PropertyType and Force be needed?
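As an added example (not part of the original thread and not the author's script), the following does the "script it once" fix suggested above with w32tm rather than raw registry writes, which is the supported route: w32tm /config writes the same W32Time\Parameters values and tells the service to re-read them, so the result shows up immediately in w32tm /query /configuration. It decides what to apply by comparing the local host to the PDCe reported by Get-ADDomain, so the same script can be pushed to every machine. Two facts a practitioner needs here: /syncfromflags:manual sets Type to NTP (a manual peer list is ignored when Type is NT5DS), and in the peer-list flags the thread discusses, 0x1 means SpecialInterval (honour SpecialPollInterval) while 0x8 means client mode, so 0x9 is the combination of both. The function names and the pool.ntp.org hostnames are placeholders chosen for this example. A Group Policy that sets the same values will still override whatever this script writes, so unlink or empty that GPO first.

```powershell
# Added example: reset a machine to the default W32Time configuration for its role,
# using w32tm so the service is notified. Not from the original thread.
# Assumes: local admin rights, ActiveDirectory module, an external peer list
# of your choosing (the pool.ntp.org names below are placeholders).

Import-Module ActiveDirectory

function Reset-W32TimeToDomainHierarchy {
    # Members and non-PDCe DCs: sync from the domain hierarchy, no manual peers.
    # This sets Type=NT5DS, which is what w32tm /query /configuration will then show.
    w32tm /config /syncfromflags:domhier /update | Out-Null
    w32tm /resync /nowait | Out-Null
}

function Set-PdceTimeSource {
    param([string[]]$Peer)   # e.g. '0.pool.ntp.org','1.pool.ntp.org' (placeholders)
    # Each entry is "host,flags", entries separated by spaces.
    # 0x1 = SpecialInterval, 0x8 = client mode; 0x9 combines both.
    $list = ($Peer | ForEach-Object { "$_,0x9" }) -join ' '
    # /syncfromflags:manual sets Type=NTP; with NT5DS the peer list would be ignored.
    # /reliable:yes marks this DC as a reliable source for the rest of the hierarchy.
    w32tm /config /manualpeerlist:"$list" /syncfromflags:manual /reliable:yes /update | Out-Null
    w32tm /resync /nowait | Out-Null
}

function Repair-W32Time {
    $pdce = (Get-ADDomain).PDCEmulator
    $me   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($me -ieq $pdce) {
        Set-PdceTimeSource -Peer '0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org'
    } else {
        Reset-W32TimeToDomainHierarchy
    }
    # Evidence lines for the audit: each setting is tagged (Local) or (Policy),
    # so a surviving GPO override is visible here as well.
    w32tm /query /configuration | Select-String 'Type:|NtpServer:|Enabled:'
    w32tm /query /source
}

Repair-W32Time
```

Run it on a couple of sample machines first, as suggested earlier in the thread, and confirm that w32tm /query /source on a member returns a domain controller's name rather than time.windows.com or "Local CMOS Clock" before rolling it out everywhere.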

it_saige (Developer) commented:
*NO POINTS*

I agree with Cliff.

The only time a GPO is beneficial is when configuring the time settings for the PDCe.  The benefit lies in the fact that NTP settings are not migrated when the PDCe role is transferred from one server to another, which makes it a manual step that is often forgotten about, given that servers are generally replaced about 5 - 7 years after they are originally purchased.

Here is a previous EE_PAQ that has instructions on how to configure a GPO for just the PDCe: https:/Q_28597899.html/#a40553961

And this previous EE_PAQ has a good discussion concerning Time Synchronization in AD: https:/Q_28646908.html

The discussion thread also includes a post that describes how to clean the NTP slate, as it were: https:/Q_28646908.html#a40698381

-saige-

jjwolven (author) commented:
Does the script I put up look correct?

EDIT: I will reset NTP on server per the last link and update

jjwolven (author) commented:
Going back to default was best.