    Proper NTP server usage?

    • travisdh1T
      travisdh1 @scottalanmiller
      last edited by

      @scottalanmiller said in Proper NTP server usage?:

      @pete-s said in Proper NTP server usage?:

      Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

      That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

      I had to shake my head at Microsoft's new "best practice" for Server 2016 is using a USB GPS to sync the NTP clock that the network uses. They basically admitted that they don't know how to keep proper time, even with NTP.

      scottalanmillerS 1 Reply Last reply Reply Quote 1
      • scottalanmillerS
        scottalanmiller @1337
        last edited by

        @pete-s said in Proper NTP server usage?:

        @scottalanmiller said in Proper NTP server usage?:

        @pete-s said in Proper NTP server usage?:

        Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

        That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

        Best practice depends on your needs. Your assumption about which companies need NTP servers is incorrect. Many companies have local NTP servers - maybe not in the SMB sector though.

        I know many have their own NTP, I'm including those. It's not that common, even in the enterprise space. Many have it that shouldn't most likely.

        Best Practices are best practices, if following a best practice depends on your needs that means, by definition, it can't be a best practice.

        That's like saying "Best Practice is not to take backups". Then someone points out that basically everyone needs to take backups. You don't say "well it depends on your needs."

        A true best practice is always or essentially always true. Not "just a very unlikely good option".

        1 Reply Last reply Reply Quote 1
        • scottalanmillerS
          scottalanmiller @travisdh1
          last edited by

          @travisdh1 said in Proper NTP server usage?:

          @scottalanmiller said in Proper NTP server usage?:

          @pete-s said in Proper NTP server usage?:

          Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

          That's not a best practice then. That's an "optimum way to get super accurate time", which also includes having your own cesium clock. If it were a true best practice, everyone should do it without considering anything else. But 99.99% of companies shouldn't have one, even if they could afford one. Generally only companies like Wall St trading firms need millisecond accuracy, or see even a penny's worth of value from it.

          I had to shake my head at Microsoft's new "best practice" for Server 2016 is using a USB GPS to sync the NTP clock that the network uses. They basically admitted that they don't know how to keep proper time, even with NTP.

          They use SNTP, or have traditionally.

          1 Reply Last reply Reply Quote 0
          • dave247D
            dave247 @1337
            last edited by

            @pete-s said in Proper NTP server usage?:

            @dave247

            There are a couple of different things to think about when it comes to NTP.

            First, for every server that picks the time from another server, the time will become less and less accurate. This is called stratum in NTP lingo. The most accurate NTP server is stratum-1. An NTP server that picks the time from stratum-1 servers becomes a stratum-2 server, etc etc.

            Best practice is to actually have a real NTP stratum-1 NTP server on site (or two). But not everyone has that need.

            Next best would be to have a dedicated non-Windows, non-virtual NTP server that gets the time from NTP pool servers or other NTP servers that are stratum-1. It could also be something that does other work, for instance a firewall.

            Windows doesn't run real NTP and cannot work as an accurate NTP server out of the box. But you might not need accuracy, in which case you should sync the DC to the NTP time server and let the Windows clients automatically get their time from the DC. This is the easiest to manage.

            The most accurate time sync on Windows will be if you install NTP (compiled for Windows) on it. This will replace the w32time service.

            So a typical scenario without a real stratum-1 server would be:
            Pool NTP servers -> local NTP server -> DC -> windows client
            Pool NTP servers -> local NTP server -> linux and appliances
            Pool NTP servers -> local NTP server -> windows OS running NTP

            Local NTP server could be your firewall if you don't have better options.

            Or if you only have windows:
            Pool NTP servers -> DC -> windows client

            or a little better:
            Pool NTP servers -> NTP server installed on DC -> windows client

            NTP servers should preferably be non-virtualized and preferably non-Windows, as Linux and BSD are much better at this.

            That seems over-complicated as shit.

            1 Reply Last reply Reply Quote 0
            • dbeatoD
              dbeato @dave247
              last edited by

              @dave247 said in Proper NTP server usage?:

              As a pretty green sysadmin, there have been times where I've needed to point things to an NTP server and I've been kind of fuzzy about the best way to go about this, despite reading various resources online... If my memory is correct, I think I've heard that best-practice is to point all your internal devices to the same internal NTP server and then have that single internal NTP server sync with an external server. So like I would have all my equipment point to the DC and then have the DC sync with a trustworthy external time server. That being said, I'm a little unclear on the best way to do this.

              I just ran w32tm /query /peers on my DC and it looks like it's pointed to pool.ntp.org. I have been checking various other servers and some things point to the DC where other things point to a list of time servers, usually, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org and 3.pool.ntp.org. Sometimes it's a mixture of both.

              I guess my question is this: Should I set up my domain controller to use a better time server than what it's configured for, or is there a better NTP server I should be using? And then should I just point all servers and appliances in my environment to my domain controller for time synchronization?

              By default Windows Servers point to time.windows.com so you have had something changed already. If you have a Domain you can configure a GPO or registry that points all the computers to a DC for the source of time and then set up a GPO or registry to set up the NTP servers that apply to all the DCs.

              https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

              1 Reply Last reply Reply Quote 0
              • ObsolesceO
                Obsolesce
                last edited by Obsolesce

                In an AD environment, all AD joined computers automatically get their time from the closest DC. Each DC gets its time from the PDCe if you have more than one DC in your environment.

                You don't need to do a thing there.

                That said, I have seen issues using the default time.windows.com or whatever it is by default. So on the PDCE, I am using ntp.org I think. Been a while since I set it up, but think that's the one.

                It's actually very simple, don't let anyone complicate it. You don't need to install the NTP role or whatever, or change or add anything else.

                travisdh1T 1 Reply Last reply Reply Quote 1
                • travisdh1T
                  travisdh1 @Obsolesce
                  last edited by

                  @obsolesce said in Proper NTP server usage?:

                  In an AD environment, all AD joined computers automatically get their time from the closest DC. Each DC gets its time from the PDCe if you have more than one DC in your environment.

                  You don't need to do a thing there.

                  That said, I have seen issues using the default time.windows.com or whatever it is by default. So on the PDCE, I am using ntp.org I think. Been a while since I set it up, but think that's the one.

                  It's actually very simple, don't let anyone complicate it. You don't need to install the NTP role or whatever, or change or add anything else.

                  2016 changes that. No NTP servers set up by default on the primary FSMO role holder that all computers get their time from. Microsoft's recommendation is to use a USB GPS for the primary time provider. You have to use w32tm if you want to sync with an NTP source now. I've had good results using pool.ntp.org servers.

                  ObsolesceO 1 Reply Last reply Reply Quote 0
                  • ObsolesceO
                    Obsolesce @travisdh1
                    last edited by

                    @travisdh1 said in Proper NTP server usage?:

                    2016 changes that.

                    Changes what?

                    Did you misread?

                    travisdh1T 1 Reply Last reply Reply Quote 0
                    • travisdh1T
                      travisdh1 @Obsolesce
                      last edited by

                      @obsolesce said in Proper NTP server usage?:

                      @travisdh1 said in Proper NTP server usage?:

                      2016 changes that.

                      Changes what?

                      Did you misread?

                      I did not. I got to deal with a client's domain that was implementing only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.

                      ObsolesceO 1 Reply Last reply Reply Quote 0
                      • ObsolesceO
                        Obsolesce @travisdh1
                        last edited by

                        @travisdh1 said in Proper NTP server usage?:

                        @obsolesce said in Proper NTP server usage?:

                        @travisdh1 said in Proper NTP server usage?:

                        2016 changes that.

                        Changes what?

                        Did you misread?

                        I did not. I got to deal with a client's domain that was implementing only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.

                        So where was the PDCE getting the time from?

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @Obsolesce
                          last edited by

                          @obsolesce said in Proper NTP server usage?:

                          @travisdh1 said in Proper NTP server usage?:

                          @obsolesce said in Proper NTP server usage?:

                          @travisdh1 said in Proper NTP server usage?:

                          2016 changes that.

                          Changes what?

                          Did you misread?

                          I did not. I got to deal with a client's domain that was implementing only after 2016 became standard. The primary role holder had no time server configured by default. Their entire network was having the clocks sync to a server without ANY time provider.

                          So where was the PDCE getting the time from?

                          Hardware by default.

                          1 Reply Last reply Reply Quote 2
                          • ObsolesceO
                            Obsolesce
                            last edited by

                            I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

                            I haven't had a need to stand up a 2016 PDCE, just regular DCs.

                            I'm going to stand one up in a lab to see what the source is by default.

                            I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

                            dbeatoD 1 Reply Last reply Reply Quote 0
                            • dbeatoD
                              dbeato @Obsolesce
                              last edited by

                              @obsolesce said in Proper NTP server usage?:

                              I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

                              I haven't had a need to stand up a 2016 PDCE, just regular DCs.

                              I'm going to stand one up in a lab to see what the source is by default.

                              I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

                              It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless or not they have Guest Services enabled, get the time from the Host BIOS.

                              ObsolesceO 1 Reply Last reply Reply Quote 1
                              • ObsolesceO
                                Obsolesce @dbeato
                                last edited by

                                @dbeato said in Proper NTP server usage?:

                                @obsolesce said in Proper NTP server usage?:

                                I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

                                I haven't had a need to stand up a 2016 PDCE, just regular DCs.

                                I'm going to stand one up in a lab to see what the source is by default.

                                I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

                                It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless or not they have Guest Services enabled, get the time from the Host BIOS.

                                That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.

                                dbeatoD 1 Reply Last reply Reply Quote 1
                                • dbeatoD
                                  dbeato @Obsolesce
                                  last edited by

                                  @obsolesce said in Proper NTP server usage?:

                                  @dbeato said in Proper NTP server usage?:

                                  @obsolesce said in Proper NTP server usage?:

                                  I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

                                  I haven't had a need to stand up a 2016 PDCE, just regular DCs.

                                  I'm going to stand one up in a lab to see what the source is by default.

                                  I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

                                  It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless or not they have Guest Services enabled, get the time from the Host BIOS.

                                  That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.

                                  Yes, in a domain all computers get the time from a DC.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller @dbeato
                                    last edited by

                                    @dbeato said in Proper NTP server usage?:

                                    @obsolesce said in Proper NTP server usage?:

                                    @dbeato said in Proper NTP server usage?:

                                    @obsolesce said in Proper NTP server usage?:

                                    I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

                                    I haven't had a need to stand up a 2016 PDCE, just regular DCs.

                                    I'm going to stand one up in a lab to see what the source is by default.

                                    I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

                                    It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless or not they have Guest Services enabled, get the time from the Host BIOS.

                                    That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.

                                    Yes, in a domain all computers get the time from a DC.

                                    They SHOULD anyway.

                                    dbeatoD 1 Reply Last reply Reply Quote 1
                                    • dbeatoD
                                      dbeato @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Proper NTP server usage?:

                                      @dbeato said in Proper NTP server usage?:

                                      @obsolesce said in Proper NTP server usage?:

                                      @dbeato said in Proper NTP server usage?:

                                      @obsolesce said in Proper NTP server usage?:

                                      I just stood up a 2016 DC. I did nothing at all to it, and by default it uses the PDCE as the w32tm /query /source.

                                      I haven't had a need to stand up a 2016 PDCE, just regular DCs.

                                      I'm going to stand one up in a lab to see what the source is by default.

                                      I could have sworn it was time.windows.com and not CMOS. That was 2012 R2 though, I'm curious now.

                                      It has always been CMOS first, that's why all the systems that lose their time over time are due to that. Also any VM prior to booting to the OS regardless or not they have Guest Services enabled, get the time from the Host BIOS.

                                      That makes sense. The PDCE I set to use ntp.org very well may have said CMOS before I changed it. But regardless, when you join a pc or server to the domain, it automatically is set to use the PDCE as the time source.

                                      Yes, in a domain all computers get the time from a DC.

                                      They SHOULD anyway.

                                      Yeah, that's important to note, should is the keyword.

                                      1 Reply Last reply Reply Quote 0
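
The failure mode described in the thread (a PDCe with no time provider, so every domain member follows its hardware clock) can be checked for directly. The following is an added example, not code posted by any participant; it assumes the ActiveDirectory RSAT module, rights to query w32time on each DC remotely, and English-language `w32tm` output.

```powershell
# Added example: report where every domain controller gets its time and flag
# the cases discussed in the thread. Variable names are illustrative.
Import-Module ActiveDirectory

# Sources w32tm reports when no peer is disciplining the clock.
$undisciplined = 'Local CMOS Clock', 'Free-running System Clock'
# Source reported when a guest follows the hypervisor's clock.
$hypervisor    = 'VM IC Time Synchronization Provider'

$pdce = (Get-ADDomain).PDCEmulator    # FQDN of the PDC emulator role holder
$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # "w32tm /query /source" prints the current source on one line.
    $source = (w32tm /query /source "/computer:$dc" 2>&1 | Out-String).Trim()
    $failed = $LASTEXITCODE -ne 0
    $isPdce = $dc -ieq $pdce
    # A configured peer is shown with its flags, e.g. "0.pool.ntp.org,0x8".
    $peer   = ($source -split ',')[0].Trim()

    $finding = if ($failed) {
        'query failed'
    } elseif ($source -in $undisciplined) {
        if ($isPdce) { 'PDCe has no time provider (hardware clock only)' }
        else         { 'DC is not syncing from the domain hierarchy' }
    } elseif ($source -eq $hypervisor) {
        'clock follows the hypervisor host'
    } elseif (-not $isPdce -and $dcs -notcontains $peer) {
        'DC syncs from a source outside the domain hierarchy'
    } else {
        'ok'
    }

    [pscustomobject]@{
        DC      = $dc
        IsPDCe  = $isPdce
        Source  = $source
        Finding = $finding
    }
}

$report | Format-Table -AutoSize

# If the PDCe is flagged, point it at external NTP servers (run on the PDCe),
# here using the pool.ntp.org names mentioned in the thread:
#   w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
#   w32tm /resync /rediscover
#   w32tm /query /status
```

Domain members need no per-host change after this; they keep following the domain hierarchy, and `w32tm /query /source` on a member should show a DC.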