@pete-s said in Proper NTP server usage?:
There are a couple of different things to think about when it comes to NTP.
First, for every server that picks the time from another server, the time will become less and less accurate. This is called stratum in NTP lingo. The most accurate NTP server is stratum-1. An NTP server that picks the time from stratum-1 servers becomes a stratum-2 server, etc.
Best practice is to actually have a real stratum-1 NTP server on site (or two). But not everyone has that need.
Next best would be to have a dedicated non-Windows, non-virtual NTP server that gets the time from NTP pool servers or other NTP servers that are stratum-1. It could also be something that does other work, for instance a firewall.
Windows doesn't run real NTP and cannot work as an accurate NTP server out of the box. But you might not need accuracy, in which case you should sync the DC to the NTP time server and let the Windows clients automatically get their time from the DC. This is the easiest to manage.
The most accurate time sync on Windows will be if you install NTP (compiled for Windows) on it. This will replace the w32time service.
So a typical scenario without a real stratum-1 server would be:
Pool NTP servers -> local NTP server -> DC -> Windows client
Pool NTP servers -> local NTP server -> Linux and appliances
Pool NTP servers -> local NTP server -> Windows OS running NTP
Local NTP server could be your firewall if you don't have better options.
Or if you only have Windows:
Pool NTP servers -> DC -> Windows client
or a little better:
Pool NTP servers -> NTP server installed on DC -> Windows client
NTP servers should preferably be non-virtualized and preferably non-Windows, as Linux and BSD are much better at this.
That seems over-complicated as shit.
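As an added illustration of the stratum and reply fields the chain above depends on (example code written for this thread, not something either poster shared): a small Python decoder for the 48-byte NTP header that reads the stratum and reference ID a client sees from its upstream, applies the basic usability checks, and computes clock offset and round-trip delay. The stratum-2 reply it decodes is constructed inline; the 192.0.2.1 upstream address and all timestamps are assumed values, not captured traffic.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix epoch)
NTP_FMT = "!BBBb11I"              # 48-byte header: flags, stratum, poll, precision, 11 x uint32

def unix_to_ntp(t):
    secs = int(t)  # Unix float seconds -> (NTP seconds, 32-bit fraction)
    return secs + NTP_EPOCH_OFFSET, int(round((t - secs) * 2**32))

def ntp_to_unix(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def parse_ntp_packet(data):
    # Decode the fixed 48-byte NTP header (RFC 5905); too-short input raises struct.error
    f = struct.unpack(NTP_FMT, data[:48])
    return {
        "leap": f[0] >> 6,               # 3 = clock unsynchronized: reply must not be used
        "mode": f[0] & 7,                # 4 = server reply
        "stratum": f[1],                 # 1 = reference clock, 2 = synced to a stratum-1, ...
        "root_delay": f[4] / 2**16,      # seconds, 16.16 fixed point
        "refid": data[12:16],
        "originate": ntp_to_unix(f[9], f[10]),   # t1: client transmit
        "receive": ntp_to_unix(f[11], f[12]),    # t2: server receive
        "transmit": ntp_to_unix(f[13], f[14]),   # t3: server transmit
    }

def describe_refid(stratum, refid):
    # Stratum 0/1 carry an ASCII source tag ("GPS", "PPS"); higher strata carry the upstream's IPv4
    if stratum <= 1:
        return refid.rstrip(b"\0").decode("ascii", "replace")
    return ".".join(str(b) for b in refid)

def is_usable_reply(pkt):
    # Sanity checks a client applies before trusting a reply
    return pkt["mode"] == 4 and 1 <= pkt["stratum"] <= 15 and pkt["leap"] != 3

def offset_and_delay(pkt, t4):
    # Standard NTP clock offset and round-trip delay from the four timestamps (t4 = client receive)
    t1, t2, t3 = pkt["originate"], pkt["receive"], pkt["transmit"]
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def build_server_reply(stratum, refid, t_ref, t_orig, t_recv, t_tx):
    # Constructed server reply for offline testing (not captured traffic); LI=0, NTPv4, mode 4
    return struct.pack(NTP_FMT, (4 << 3) | 4, stratum, 6, -20, int(0.002 * 2**16), int(0.01 * 2**16),
                       int.from_bytes(refid, "big"), *unix_to_ntp(t_ref), *unix_to_ntp(t_orig),
                       *unix_to_ntp(t_recv), *unix_to_ntp(t_tx))

# Constructed: local stratum-2 server synced to 192.0.2.1 (documentation address) answering a client 0.4375 s behind
T = 1_700_000_000.0
REPLY = build_server_reply(2, bytes([192, 0, 2, 1]), T - 30, T, T + 0.5, T + 0.75)
```

Feeding a real reply (48 bytes read from a UDP socket on port 123) into `parse_ntp_packet` shows the stratum each hop in the chain advertises, so a DC that reports stratum 3 or 4 is one or two servers further from the reference clock than the local NTP server it syncs from.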