
NTP in domain

Hadzicki asked
Last Modified: 2020-01-27
We have a setup where we have a main site and a warm DR site. Both sites are connected via a site-to-site VPN and both sites have 2 domain controllers.

All DCs are 2016 and we are a VMware shop.

Recently, we started to notice major time drifts. We thought this was due to time.nist.a being deprecated.

We updated the peers on all the DCs to go to new time servers.


I feel the problem is we have peers set on all the domain controllers and that we need to do the following:

PDC - set primary and secondary NIST server

All other DCs: set primary as the PDC with time.nist.gov as a fallback in case the server is down.


Please let me know your feedback or if you have a similar setup.


Thanks!
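The hierarchy proposed in the question (external peers only on the PDC emulator, every other DC following the domain hierarchy), written out with w32tm as an added example; it is not from the thread and none of the posters supplied it. The NTP hostnames, the VMware Tools path and the use of the ActiveDirectory module are assumptions for illustration; substitute the sources you actually intend to use.

```powershell
# Added example (not from the original thread): configure the time hierarchy the
# question proposes on Windows Server 2016 DCs. Run in an elevated PowerShell
# session on each DC. Hostnames below are assumptions.

# Identify the PDC emulator; it is the only DC that should carry external peers.
$pdc = (Get-ADDomain).PDCEmulator                                # ActiveDirectory module (assumed present)
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $pdc) {
    # PDC emulator: two external sources. The 0x8 flag puts the peer in client
    # mode; /reliable:yes advertises this DC as a good time source to the domain.
    $peers = 'time.nist.gov,0x8 time-a-g.nist.gov,0x8'            # assumed sources; pick your own
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
}
else {
    # Every other DC: follow the domain hierarchy (which resolves to the PDC
    # emulator) and drop the per-DC peer list the question identifies as the problem.
    w32tm /config /syncfromflags:domhier /reliable:no /update

    # The fallback the question asks for can be expressed by listing both source
    # types. Note that W32time then treats them as a pool of candidates and picks
    # the best one itself; it is not a strict primary-then-fallback order.
    # w32tm /config /manualpeerlist:"time.nist.gov,0x8" /syncfromflags:manual,domhier /reliable:no /update
}

Restart-Service w32time
w32tm /resync /rediscover

# Per Sean's point about not taking time from the host: check that VMware Tools
# is not also steering the guest clock (path assumed; disable if it reports enabled).
$toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) { & $toolbox timesync status }
# & $toolbox timesync disable

# Verify what the service is actually doing on this DC.
w32tm /query /source          # should name the external peer on the PDC, the PDC on the others
w32tm /query /status
w32tm /query /configuration   # shows the effective Type (NTP vs NT5DS) and phase-correction limits
```

The `/query` calls at the end are the check worth keeping: if a non-PDC DC still reports `Type: NTP` or an external source, a Group Policy or a leftover manual peer is overriding the configuration you just applied.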
Sean BravenerSenior Information Technology Consultant
CERTIFIED EXPERT
Awarded 2019
Distinguished Expert 2019

Commented:
Configurations I have used in the past use one NTP server as the authoritative and have everything sync to that. Do not use the host as the time server, as you WILL start to see drift, as server clocks tend to drift no matter what you do.
For VMware, set your vCenter to sync to an NTP server and have all your VMs sync to that.
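A way to see the drift Sean describes before it bites, as an added example that is not part of the thread: measure each DC's offset against one reference NTP source with `w32tm /stripchart` and flag anything beyond a threshold. The reference hostname, the DC names and the 1-second threshold are assumptions for illustration.

```powershell
# Added example (not from the original thread): compare DC clocks against one
# reference NTP source using w32tm /stripchart. Names and threshold are assumptions.

function Get-NtpOffsetSeconds {
    param(
        [Parameter(Mandatory)][string]$Computer,   # NTP server to query
        [int]$Samples = 5
    )
    # /dataonly prints a short header followed by one "HH:MM:SS, +00.0123456s" line
    # per sample; error lines (for example "error: 0x800705B4") carry no offset.
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }            # no NTP reply: treat as unknown, not zero
    ($offsets | Measure-Object -Average).Average
}

function Test-DcTimeDrift {
    param(
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [string]$Reference = 'time.nist.gov',      # assumed reference source
        [double]$ThresholdSeconds = 1.0            # assumed alert threshold
    )
    foreach ($dc in $DomainControllers) {
        $dcOff  = Get-NtpOffsetSeconds -Computer $dc
        $refOff = Get-NtpOffsetSeconds -Computer $Reference
        # Each value is "remote minus local", so their difference is the DC's
        # offset relative to the reference, independent of this machine's own clock.
        $drift = if ($null -ne $dcOff -and $null -ne $refOff) { $dcOff - $refOff } else { $null }
        [pscustomobject]@{
            DomainController = $dc
            DriftSeconds     = $drift
            Status           = if ($null -eq $drift) { 'NO-REPLY' }
                               elseif ([math]::Abs($drift) -gt $ThresholdSeconds) { 'DRIFT' }
                               else { 'OK' }
        }
    }
}

# Constructed run; the DC names are placeholders, not hosts from the thread.
Test-DcTimeDrift -DomainControllers 'dc1.main.example', 'dc2.dr.example' |
    Format-Table -AutoSize
```

Running this from a workstation at each site, rather than on a DC, keeps the measurement independent of the clock under suspicion; a `NO-REPLY` row usually means UDP/123 is blocked on the VPN path rather than a time problem.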

Author

Commented:
Hi Sean.

I see something similar to this mentioned when it came to Hyper-V in the MS documentation.

So to clarify, your child DCs have their peer lists pointing to the PDC > the PDC has its peer list pointing to the vCenter appliance > and the vCenter appliance gets time from NIST?
Sean BravenerSenior Information Technology Consultant

Commented:
That is correct.

Author

Commented:
Ahhh. OK. Thank you for that! Do you still use your domain group policy for the timeout and other settings (minus the peers, of course)?
Sean BravenerSenior Information Technology Consultant

Commented:
Yes, you would if the default settings are not to your liking.

Author

Commented:
Awesome. Thank you for the info!
CERTIFIED EXPERT

Commented:
First, I'd recommend a peek into my article on NTP basics.

Second, I support the tip to sync all machines to the same NTP source. That might be, for example,

- all machines set to get their time from pool.ntp.org servers (see the article for details), or
- one (or better, two, or maybe more) dedicated machines (RasPis would do fine) which sync to servers from pool.ntp.org, or
- one (or better: two) time server appliances like, e.g., this one, which sync to e.g. radio signals like DCF77, or GPS, or other sources.

Third, I'd recommend throwing out W32time, the Windows native timekeeper service (from my experience a lousy piece of crap, at least when it comes to coping with NTP). Use some Windows port of the classic *ux NTP client instead, e.g. the distribution available from Meinberg, which has a pretty nice installer and works well whenever I need it.
