Proper NTP server usage?
-
@dave247 said in Proper NTP server usage?:
As a pretty green sysadmin, there have been times where I've needed to point things to an NTP server and I've been kind of fuzzy about the best way to go about this, despite reading various resources online... If my memory is correct, I think I've heard that best-practice is to point all your internal devices to the same internal NTP server and then have that single internal NTP server sync with an external server. So like I would have all my equipment point to the DC and then have the DC sync with a trustworthy external time server. That being said, I'm a little unclear on the best way to do this.
I just ran w32tm /query /peers on my DC and it looks like it's pointed to pool.ntp.org. I have been checking various other servers and some things point to the DC where other things point to a list of time servers, usually, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org and 3.pool.ntp.org. Sometimes it's a mixture of both.
I guess my question is this: Should I set up my domain controller to use a better time server than what it's configured for, or is there a better NTP server I should be using? And then should I just point all servers and appliances in my environment to my domain controller for time synchronization?
By default Windows Servers point to time.windows.com so you have had something changed already. If you have a Domain you can configure a GPO or registry that points all the computers to a DC for the source of time and then set up a GPO or registry to set up the NTP servers that apply to all the DCs.
-
In an AD environment, all AD joined computers automatically get their time from the closest DC. Each DC gets its time from the PDCe if you have more than one DC in your environment.
You don't need to do a thing there.
That said, I have seen issues using the default time.windows.com or whatever it is by default. So on the PDCE, I am using ntp.org I think. Been a while since I set it up, but think that's the one.
It's actually very simple, don't let anyone complicate it. You don't need to install the NTP role or whatever, or change or add anything else.
-
@obsolesce said in Proper NTP server usage?:
In an AD environment, all AD joined computers automatically get their time from the closest DC. Each DC gets its time from the PDCe if you have more than one DC in your environment.
You don't need to do a thing there.
That said, I have seen issues using the default time.windows.com or whatever it is by default. So on the PDCE, I am using ntp.org I think. Been a while since I set it up, but think that's the one.
It's actually very simple, don't let anyone complicate it. You don't need to install the NTP role or whatever, or change or add anything else.
2016 changes that. No NTP servers set up by default on the primary FSMO role holder that all computers get their time from. Microsoft's recommendation is to use a USB GPS for the primary time provider. You have to use w32tm if you want to sync with an NTP source now. I've had good results using pool.ntp.org servers.
-
-
@obsolesce said in Proper NTP server usage?:
@travisdh1 said in Proper NTP server usage?:
2016 changes that.
Changes what?
Did you misread?
I did not. I got to deal with a client's domain that was implementing only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.
-
@travisdh1 said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
@travisdh1 said in Proper NTP server usage?:
2016 changes that.
Changes what?
Did you misread?
I did not. I got to deal with a client's domain that was implementing only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.
So where was the PDCE getting the time from?
-
@obsolesce said in Proper NTP server usage?:
@travisdh1 said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
@travisdh1 said in Proper NTP server usage?:
2016 changes that.
Changes what?
Did you misread?
I did not. I got to deal with a client's domain that was implementing only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.
So where was the PDCE getting the time from?
Hardware by default.
-
I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source. I haven't had a need to stand up a 2016 PDCE, just regular DCs.
I'm going to stand one up in a lab to see what the source is by default.
I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.
-
@obsolesce said in Proper NTP server usage?:
I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source. I haven't had a need to stand up a 2016 PDCE, just regular DCs.
I'm going to stand one up in a lab to see what the source is by default.
I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.
It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless of whether or not they have Guest Services enabled, get the time from the Host BIOS.
-
@dbeato said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source. I haven't had a need to stand up a 2016 PDCE, just regular DCs.
I'm going to stand one up in a lab to see what the source is by default.
I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.
It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless of whether or not they have Guest Services enabled, get the time from the Host BIOS.
That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.
-
@obsolesce said in Proper NTP server usage?:
@dbeato said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source. I haven't had a need to stand up a 2016 PDCE, just regular DCs.
I'm going to stand one up in a lab to see what the source is by default.
I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.
It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless of whether or not they have Guest Services enabled, get the time from the Host BIOS.
That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.
Yes, in a domain all computers get the time from a DC.
-
@dbeato said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
@dbeato said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source. I haven't had a need to stand up a 2016 PDCE, just regular DCs.
I'm going to stand one up in a lab to see what the source is by default.
I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.
It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless of whether or not they have Guest Services enabled, get the time from the Host BIOS.
That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.
Yes, in a domain all computers get the time from a DC.
They SHOULD anyway.
-
@scottalanmiller said in Proper NTP server usage?:
@dbeato said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
@dbeato said in Proper NTP server usage?:
@obsolesce said in Proper NTP server usage?:
I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source. I haven't had a need to stand up a 2016 PDCE, just regular DCs.
I'm going to stand one up in a lab to see what the source is by default.
I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.
It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless of whether or not they have Guest Services enabled, get the time from the Host BIOS.
That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.
Yes, in a domain all computers get the time from a DC.
They SHOULD anyway.
Yeah, that's important to note, should is the keyword.
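-
Added example, not part of any post in this thread: a PowerShell audit of the situation discussed above, listing the w32tm /query /source result for every DC and flagging a PDCe that is running on its hardware clock. It assumes the ActiveDirectory (RSAT) module and admin rights on the DCs; the `$Fix` switch is hypothetical and the peer names are the pool.ntp.org hosts mentioned in the thread.

```powershell
# Added example: report each DC's time source and flag clocks with no upstream.
# Assumes the ActiveDirectory (RSAT) module and admin rights on the DCs.
Import-Module ActiveDirectory

$Fix   = $false   # hypothetical switch: set to $true to reconfigure the PDCe
$Peers = '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org'  # from the thread
# What w32tm reports when the clock is not following any time provider.
$LocalSources = 'Local CMOS Clock', 'Free-running System Clock'

function Get-DcTimeSource {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Same query used in the thread, run against a remote DC.
    $out = & w32tm /query /source "/computer:$ComputerName" 2>&1
    "$($out | Select-Object -First 1)".Trim()
}

$pdce = (Get-ADDomain).PDCEmulator
$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $source = Get-DcTimeSource -ComputerName $dc.HostName
    $isPdce = $dc.HostName -eq $pdce
    $finding = if ($LocalSources -contains $source) {
        if ($isPdce) { 'PDCe has no upstream; the whole domain follows its hardware clock' }
        else         { 'DC is not following the domain hierarchy' }
    } else { 'ok' }
    [pscustomobject]@{ DC = $dc.HostName; IsPdce = $isPdce; Source = $source; Finding = $finding }
}
$report | Format-Table -AutoSize

$pdceBad = $report | Where-Object { $_.IsPdce -and $_.Finding -ne 'ok' }
if ($Fix -and $pdceBad) {
    # Only the PDCe gets external peers; other DCs and members keep following the domain.
    & w32tm /config "/computer:$pdce" "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:yes /update
    & w32tm /resync "/computer:$pdce" /rediscover
    "PDCe source is now: $(Get-DcTimeSource -ComputerName $pdce)"
}
```

With `$Fix` left at `$false` the script only reads state, so it can be run as a periodic check; Kerberos rejects authentication when clocks drift past its skew tolerance (5 minutes by default), which is why a free-running PDCe is worth alerting on.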