Proper NTP server usage?



  • As a pretty green sysadmin, there have been times where I've needed to point things to an NTP server and I've been kind of fuzzy about the best way to go about this, despite reading various resources online... If my memory is correct, I think I've heard that best practice is to point all your internal devices to the same internal NTP server and then have that single internal NTP server sync with an external server. So like I would have all my equipment point to the DC and then have the DC sync with a trustworthy external time server. That being said, I'm a little unclear on the best way to do this.

    I just ran w32tm /query /peers on my DC and it looks like it's pointed to pool.ntp.org. I have been checking various other servers and some things point to the DC where other things point to a list of time servers, usually, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org and 3.pool.ntp.org. Sometimes it's a mixture of both.

    I guess my question is this: Should I set up my domain controller to use a better time server than what it's configured for, or is there a better NTP server I should be using? And then should I just point all servers and appliances in my environment to my domain controller for time synchronization?



  • There isn't any real 'issue' with every end point pulling from NTP - But, I want to say, point your end points to your local first, and if that doesn't respond, go direct.

    Like DNS, you would have a primary, but also a secondary should the primary be down (reboot) or unreachable.


  • Service Provider

    It's not quite that simple. Using internal NTP is for consolidating the traffic, a bit of a proxy so to speak. For small environments that doesn't make sense.

    You are likely dealing with SNTP in an AD environment, though. In which case nothing you read about NTP applies. You have AD needs and need to use AD as AD requires, which is your AD as your time source.



  • @scottalanmiller said in Proper NTP server usage?:

    It's not quite that simple. Using internal NTP is for consolidating the traffic, a bit of a proxy so to speak. For small environments that doesn't make sense.

    You are likely dealing with SNTP in an AD environment, though. In which case nothing you read about NTP applies. You have AD needs and need to use AD as AD requires, which is your AD as your time source.

    Yeah I get the consolidating/proxy thing and yes, if the proxy goes down, then nothing will sync.

    The main reason I'm asking this is because we have a VMware environment (with a SAN) and I was re-visiting the time synchronization across the hosts and vCenter and I realized things were a little bit messed up. I was going to point them all to the pool.ntp.org servers but I wasn't sure if I should just point them all to my DC or not.

    Additionally, I don't even know how trustworthy the pool.ntp.org time servers are. I'm sure they are fine, but I didn't just want to point everything to NTP servers without knowing much about them other than that I googled them and it seemed good to me.


  • Service Provider

    @dave247 said in Proper NTP server usage?:

    Additionally, I don't even know how trustworthy the pool.ntp.org time servers are. I'm sure they are fine, but I didn't just want to point everything to NTP servers without knowing much about them other than that I googled them and it seemed good to me.

    First, they are the most trustworthy, like crazy trustworthy. They are the global standard for time.

    Second, it doesn't matter if they are trustworthy; it only matters that your systems all share a master source. If the master isn't all that accurate, that is of basically zero concern. The issue is keeping your environment in sync with itself. The one thing you can't let happen is your own machines having different times.



  • If you want to you can set up a small Linux NTP server VM. Add a list of your preferred time servers and then have all your servers/devices NTP client point to that Linux NTP server.

    https://www.tecmint.com/install-ntp-server-in-centos/



  • @black3dynamite said in Proper NTP server usage?:

    If you want to you can set up a small Linux NTP server VM. Add a list of your preferred time servers and then have all your servers/devices NTP client point to that Linux NTP server.

    https://www.tecmint.com/install-ntp-server-in-centos/

    Yeah I actually thought of doing that but I think I'm just going to point everything to pool.ntp.org



  • @scottalanmiller said in Proper NTP server usage?:

    @dave247 said in Proper NTP server usage?:

    Additionally, I don't even know how trustworthy the pool.ntp.org time servers are. I'm sure they are fine, but I didn't just want to point everything to NTP servers without knowing much about them other than that I googled them and it seemed good to me.

    First, they are the most trustworthy, like crazy trustworthy. They are the global standard for time.

    Second, it doesn't matter if they are trustworthy; it only matters that your systems all share a master source. If the master isn't all that accurate, that is of basically zero concern. The issue is keeping your environment in sync with itself. The one thing you can't let happen is your own machines having different times.

    Ah, this makes sense.


  • Service Provider

    @dave247 said in Proper NTP server usage?:

    @black3dynamite said in Proper NTP server usage?:

    If you want to you can set up a small Linux NTP server VM. Add a list of your preferred time servers and then have all your servers/devices NTP client point to that Linux NTP server.

    https://www.tecmint.com/install-ntp-server-in-centos/

    Yeah I actually thought of doing that but I think I'm just going to point everything to pool.ntp.org

    If you have AD, don't do that. Only for non-AD environments.



  • @dave247

    There are a couple of different things to think about when it comes to NTP.

    First, for every server that picks the time from another server, the time will become less and less accurate. This is called stratum in NTP lingo. The most accurate NTP server is stratum-1. An NTP server that picks the time from stratum-1 servers becomes a stratum-2 server, etc.

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    Next best would be to have a dedicated non-Windows, non-virtual NTP server that gets the time from NTP pool servers or other NTP servers that are stratum-1. It could also be something that does other work, for instance a firewall.

    Windows doesn't run real NTP and cannot work as an accurate NTP server out of the box. But you might not need accuracy, in which case you should sync the DC to the NTP time server and let the Windows clients automatically get their time from the DC. This is the easiest to manage.

    The most accurate time sync on windows will be if you install NTP (compiled for windows) on it. This will replace the w32time service.

    So a typical scenario without a real stratum-1 server would be:
    Pool NTP servers -> local NTP server -> DC -> windows client
    Pool NTP servers -> local NTP server -> linux and appliances
    Pool NTP servers -> local NTP server -> windows OS running NTP

    Local NTP server could be your firewall if you don't have better options.

    Or if you only have windows:
    Pool NTP servers -> DC -> windows client

    or a little better:
    Pool NTP servers -> NTP server installed on DC -> windows client

    NTP servers should preferably be non-virtualized and preferably non-windows as linux and bsd are much better at this.


  • Service Provider

    @pete-s said in Proper NTP server usage?:

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.



  • @scottalanmiller said in Proper NTP server usage?:

    @pete-s said in Proper NTP server usage?:

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

    Best practice depends on your needs. Your assumption about which companies need NTP servers is incorrect. Many companies have local NTP servers - maybe not in the SMB sector though.



  • Windows Server 2016 has a better NTP server than earlier versions.

    Here is some more info (and with hyper-v).
    https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time



  • @scottalanmiller said in Proper NTP server usage?:

    @pete-s said in Proper NTP server usage?:

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

    I had to shake my head at Microsoft's new "best practice" for Server 2016, which is using a USB GPS to sync the NTP clock that the network uses. They basically admitted that they don't know how to keep proper time, even with NTP.


  • Service Provider

    @pete-s said in Proper NTP server usage?:

    @scottalanmiller said in Proper NTP server usage?:

    @pete-s said in Proper NTP server usage?:

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

    Best practice depends on your needs. Your assumption about which companies need NTP servers is incorrect. Many companies have local NTP servers - maybe not in the SMB sector though.

    I know many have their own NTP, I'm including those. It's not that common, even in the enterprise space. Many have it that shouldn't most likely.

    Best Practices are best practices, if following a best practice depends on your needs that means, by definition, it can't be a best practice.

    That's like saying "Best Practice is not to take backups". Then someone points out that basically everyone needs to take backups. You don't say "well it depends on your needs."

    A true best practice is always or essentially always true. Not "just a very unlikely good option".


  • Service Provider

    @travisdh1 said in Proper NTP server usage?:

    @scottalanmiller said in Proper NTP server usage?:

    @pete-s said in Proper NTP server usage?:

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

    I had to shake my head at Microsoft's new "best practice" for Server 2016, which is using a USB GPS to sync the NTP clock that the network uses. They basically admitted that they don't know how to keep proper time, even with NTP.

    They use SNTP, or have traditionally.



  • @pete-s said in Proper NTP server usage?:

    @dave247

    There are a couple of different things to think about when it comes to NTP.

    First, for every server that picks the time from another server, the time will become less and less accurate. This is called stratum in NTP lingo. The most accurate NTP server is stratum-1. An NTP server that picks the time from stratum-1 servers becomes a stratum-2 server, etc.

    Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

    Next best would be to have a dedicated non-Windows, non-virtual NTP server that gets the time from NTP pool servers or other NTP servers that are stratum-1. It could also be something that does other work, for instance a firewall.

    Windows doesn't run real NTP and cannot work as an accurate NTP server out of the box. But you might not need accuracy, in which case you should sync the DC to the NTP time server and let the Windows clients automatically get their time from the DC. This is the easiest to manage.

    The most accurate time sync on windows will be if you install NTP (compiled for windows) on it. This will replace the w32time service.

    So a typical scenario without a real stratum-1 server would be:
    Pool NTP servers -> local NTP server -> DC -> windows client
    Pool NTP servers -> local NTP server -> linux and appliances
    Pool NTP servers -> local NTP server -> windows OS running NTP

    Local NTP server could be your firewall if you don't have better options.

    Or if you only have windows:
    Pool NTP servers -> DC -> windows client

    or a little better:
    Pool NTP servers -> NTP server installed on DC -> windows client

    NTP servers should preferably be non-virtualized and preferably non-windows as linux and bsd are much better at this.

    That seems over-complicated as shit.



  • @dave247 said in Proper NTP server usage?:

    As a pretty green sysadmin, there have been times where I've needed to point things to an NTP server and I've been kind of fuzzy about the best way to go about this, despite reading various resources online... If my memory is correct, I think I've heard that best practice is to point all your internal devices to the same internal NTP server and then have that single internal NTP server sync with an external server. So like I would have all my equipment point to the DC and then have the DC sync with a trustworthy external time server. That being said, I'm a little unclear on the best way to do this.

    I just ran w32tm /query /peers on my DC and it looks like it's pointed to pool.ntp.org. I have been checking various other servers and some things point to the DC where other things point to a list of time servers, usually, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org and 3.pool.ntp.org. Sometimes it's a mixture of both.

    I guess my question is this: Should I set up my domain controller to use a better time server than what it's configured for, or is there a better NTP server I should be using? And then should I just point all servers and appliances in my environment to my domain controller for time synchronization?

    By default Windows Servers point to time.windows.com, so you have had something changed already. If you have a domain you can configure a GPO or registry setting that points all the computers to a DC for the source of time, and then set up a GPO or registry setting that configures the NTP servers that apply to all the DCs.

    https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
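
The topology described in this thread (pool.ntp.org as the external source, the PDC emulator as the only box that talks to it, every other DC and member following the domain hierarchy) can be set up and audited with w32tm from PowerShell. The script below is an added example, not code from the thread or from Microsoft; the computer names pdc01, dc02 and fileserver01 are placeholders, and the w32tm switches and the "Local CMOS Clock" / "Free-running System Clock" source strings it checks for are the ones w32tm itself uses. The audit function turns `w32tm /query /status` into objects so you can spot the failure mode discussed later in the thread: a PDCe with no time provider configured, so the whole domain is chasing a free-running hardware clock.

```powershell
# Added example (not from the thread): configure and audit Windows Time (w32tm)
# for the chain  pool.ntp.org -> PDC emulator -> other DCs -> domain members.
# Run in an elevated session; hostnames used at the bottom are placeholders.

# 0x8 = client mode (one-way sync), which is the w32tm manualpeerlist flag syntax.
$PoolServers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8'

function Set-PdcTimeSource {
    # Only the PDC emulator should point at an external source; /reliable:yes
    # advertises it as a good time source to the rest of the domain.
    param([string]$Peers = $PoolServers)
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /nowait
}

function Set-DomainMemberTimeSource {
    # Every other DC and every member picks a DC through the domain hierarchy.
    # This is the default for joined machines; re-applying it undoes a stray
    # manual peer list that someone pointed at pool.ntp.org directly.
    w32tm /config /syncfromflags:domhier /update
    Restart-Service w32time
    w32tm /resync /nowait
}

function Get-TimeSyncStatus {
    # Parse `w32tm /query /status` for one host into an object for fleet auditing.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $raw = w32tm /query /status /computer:$ComputerName 2>&1 | Out-String

    $stratum   = if ($raw -match 'Stratum:\s*(\d+)')               { [int]$Matches[1] }    else { $null }
    $source    = if ($raw -match 'Source:\s*(.+)')                 { $Matches[1].Trim() }  else { $null }
    $offsetSec = if ($raw -match 'Phase Offset:\s*([-\d.]+)s')     { [double]$Matches[1] } else { $null }

    # "Local CMOS Clock" or "Free-running System Clock" means the host is not
    # synchronised to anything; stratum 0 or 16 means the same in NTP terms.
    $unsynced = ($null -eq $stratum) -or ($stratum -in 0, 16) -or
                ($source -like 'Local CMOS Clock*') -or ($source -like 'Free-running*')

    [pscustomobject]@{
        Computer           = $ComputerName
        Stratum            = $stratum
        Source             = $source
        PhaseOffsetSeconds = $offsetSec
        Unsynchronised     = $unsynced
    }
}

# Audit run: each hop should be exactly one stratum above its upstream
# (pool server 2 -> PDCe 3 -> other DCs 4 -> members 5 is typical), and no
# host should show Unsynchronised = True. Placeholder hostnames below.
'pdc01', 'dc02', 'fileserver01' |
    ForEach-Object { Get-TimeSyncStatus -ComputerName $_ } |
    Format-Table -AutoSize
```

Run Set-PdcTimeSource once on the PDC emulator and Set-DomainMemberTimeSource on anything that has drifted to a manual peer list; the equivalent of the second function as policy is the "Configure Windows NTP Client" setting under Computer Configuration > Administrative Templates > System > Windows Time Service, scoped so that the PDCe gets the external peer list and everyone else gets the domain hierarchy. If the audit shows a member at stratum 4 or 5 with a small phase offset, the chain is working; a member at stratum 16 or with a CMOS source is the symptom the 2016 PDCe discussion below describes.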



  • In an AD environment, all AD joined computers automatically get their time from the closest DC. Each DC gets its time from the PDCe if you have more than one DC in your environment.

    You don't need to do a thing there.

    That said, I have seen issues using the default time.windows.com or whatever it is by default. So on the PDCE, I am using ntp.org I think. Been a while since I set it up, but think that's the one.

    It's actually very simple, don't let anyone complicate it. You don't need to install the NTP role or whatever, or change or add anything else.



  • @obsolesce said in Proper NTP server usage?:

    In an AD environment, all AD joined computers automatically get their time from the closest DC. Each DC gets its time from the PDCe if you have more than one DC in your environment.

    You don't need to do a thing there.

    That said, I have seen issues using the default time.windows.com or whatever it is by default. So on the PDCE, I am using ntp.org I think. Been a while since I set it up, but think that's the one.

    It's actually very simple, don't let anyone complicate it. You don't need to install the NTP role or whatever, or change or add anything else.

    2016 changes that. No NTP servers setup by default on the primary FSMO role holder that all computers get their time from. Microsoft's recommendation is to use a USB GPS for the primary time provider. You have to use w32tm if you want to sync with an NTP source now. I've had good results using pool.ntp.org servers.



  • @travisdh1 said in Proper NTP server usage?:

    2016 changes that.

    Changes what?

    Did you misread?



  • @obsolesce said in Proper NTP server usage?:

    @travisdh1 said in Proper NTP server usage?:

    2016 changes that.

    Changes what?

    Did you misread?

    I did not. I got to deal with a client's domain that was implemented only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.



  • @travisdh1 said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    @travisdh1 said in Proper NTP server usage?:

    2016 changes that.

    Changes what?

    Did you misread?

    I did not. I got to deal with a client's domain that was implemented only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.

    So where was the PDCE getting the time from?


  • Service Provider

    @obsolesce said in Proper NTP server usage?:

    @travisdh1 said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    @travisdh1 said in Proper NTP server usage?:

    2016 changes that.

    Changes what?

    Did you misread?

    I did not. I got to deal with a client's domain that was implemented only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.

    So where was the PDCE getting the time from?

    Hardware by default.



  • I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

    I'm going to stand one up in a lab to see what the source is by default.

    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.



  • @obsolesce said in Proper NTP server usage?:

    I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

    I'm going to stand one up in a lab to see what the source is by default.

    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

    It has always been CMOS first; that's why all the systems that lose their time over time do so. Also, any VM, prior to booting to the OS and regardless of whether or not it has Guest Services enabled, gets the time from the host BIOS.



  • @dbeato said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

    I'm going to stand one up in a lab to see what the source is by default.

    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

    It has always been CMOS first; that's why all the systems that lose their time over time do so. Also, any VM, prior to booting to the OS and regardless of whether or not it has Guest Services enabled, gets the time from the host BIOS.

    That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a PC or server to the domain, it automatically is set to use the PDCE as the time source.



  • @obsolesce said in Proper NTP server usage?:

    @dbeato said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

    I'm going to stand one up in a lab to see what the source is by default.

    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

    It has always been CMOS first; that's why all the systems that lose their time over time do so. Also, any VM, prior to booting to the OS and regardless of whether or not it has Guest Services enabled, gets the time from the host BIOS.

    That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a PC or server to the domain, it automatically is set to use the PDCE as the time source.

    Yes, in a domain all computers get the time from a DC.


  • Service Provider

    @dbeato said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    @dbeato said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

    I'm going to stand one up in a lab to see what the source is by default.

    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

    It has always been CMOS first; that's why all the systems that lose their time over time do so. Also, any VM, prior to booting to the OS and regardless of whether or not it has Guest Services enabled, gets the time from the host BIOS.

    That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a PC or server to the domain, it automatically is set to use the PDCE as the time source.

    Yes, in a domain all computers get the time from a DC.

    They SHOULD anyway.



  • @scottalanmiller said in Proper NTP server usage?:

    @dbeato said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    @dbeato said in Proper NTP server usage?:

    @obsolesce said in Proper NTP server usage?:

    I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

    I'm going to stand one up in a lab to see what the source is by default.

    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

    It has always been CMOS first; that's why all the systems that lose their time over time do so. Also, any VM, prior to booting to the OS and regardless of whether or not it has Guest Services enabled, gets the time from the host BIOS.

    That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a PC or server to the domain, it automatically is set to use the PDCE as the time source.

    Yes, in a domain all computers get the time from a DC.

    They SHOULD anyway.

    Yeah, that's important to note, should is the keyword.