
NTP Server

brad- Member Posts: 1,218
Got a question...

We just brought a new backup DC online and want to use it to give time to the rest of the domain. I found the group policy settings for it under:
computer acct --> admin templates --> system --> windows time server

The settings there are self-explanatory enough.

What I would like for it to do is use its own time to push out to the rest of the domain. When I read about how to do this on the MS website they have all kinds of regedit stuff to do.

I wish I had a couple of test machines, which I don't...but is it enough to just set the group policy and be done with it?

Thanks

Comments

    royal Member Posts: 3,352
    1. You need to use win32tm to change it on the root PDC.
    2. You ONLY need the group policy to ensure registry settings on all the systems use the domain hierarchy and not their own custom settings to ensure time is synchronized.

    The way the domain hierarchy works is:
    Root PDC does manual time synchronization. All DCs in root domain synchronize with Root PDC.
    Child Domain PDCs and Tree PDCs synchronize with the Root PDC.
    All DCs synchronize with the PDCs in their own domain.
    All clients/workstations will synchronize with any DCs in their own Domain at specific intervals. I believe it's every 30 minutes and after 3 successful attempts it goes up to 8 hours. I read the time intervals months ago, so I "think" those are the time intervals.

    So as you can see, you really want to ensure that GPO is set to make sure this hierarchy stays as there's no real enforcement other than the Group Policy settings. If you modify 1 DC within the hierarchy and it modifies all the clients that got time from it, you can have some kerberos issues.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
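Added example, not part of royal's post or of any Microsoft documentation: the commands that actually build the hierarchy he describes, run as an elevated PowerShell session on the DC holding the PDC emulator role. The tool is w32tm.exe; the upstream hostnames are placeholders, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example, not from the thread. Run elevated on the PDC emulator.
# Assumes the ActiveDirectory module is present; ntp1/ntp2.example.internal
# are placeholder upstream servers.

# 1. Only the PDC emulator takes a manual (external) time source; refuse to run elsewhere.
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -notlike "$env:COMPUTERNAME.*") {
    throw "This host is $env:COMPUTERNAME; the PDC emulator is $pdc. Run this there."
}

# 2. Point the PDC at upstream peers and announce it as a reliable source.
#    ",0x8" requests client mode; /reliable:yes sets AnnounceFlags so the other
#    DCs and the domain members accept this DC as the top of the hierarchy.
$peers = 'ntp1.example.internal,0x8 ntp2.example.internal,0x8'
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update

# If there is no upstream source and the PDC is to serve its own clock (what the
# original poster asked for), use this instead of the line above:
#   w32tm /config /syncfromflags:NO /reliable:yes /update
# The domain then stays consistent with itself, but nothing keeps it correct
# against real time, so certificate validity, log correlation and any
# Kerberos trust with an outside forest drift with it.

# 3. Apply now instead of waiting for the next poll.
Restart-Service w32time
w32tm /resync /rediscover

# 4. Verify the PDC's own view: Type should be NTP, AnnounceFlags 5,
#    and /source the manual peer (or "Local CMOS Clock" for the free-running variant).
w32tm /query /source
w32tm /query /configuration | Select-String 'Type|NtpServer|AnnounceFlags'

# 5. Check every DC in the domain from here: /monitor lists each DC's
#    stratum and its offset relative to this host, so a DC that is not
#    following the PDC stands out immediately.
w32tm /monitor

# 6. Kerberos tolerates 5 minutes of skew by default; measure a member's
#    offset against the PDC directly if tickets start failing.
w32tm /stripchart /computer:$pdc /samples:3 /dataonly

# 7. On every other DC, and on any client that was ever given a manual peer
#    by hand, put it back on the domain hierarchy:
#   w32tm /config /syncfromflags:domhier /update ; w32tm /resync /rediscover
```

The /monitor output is the quickest way to confirm royal's "all DCs synchronize with the PDC": each non-PDC DC should show a stratum one higher than the PDC and an offset of a few milliseconds.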
    sprkymrk Member Posts: 4,884
    Here is a nice display explaining how Time Synch works in a domain:

    GetOpenContent.aspx?assetID=4d3b9294-477c-49eb-a06a-7a330ae0cf58&DocumentSet=en-US&RenderKey=XML

    And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.
    All things are possible, only believe.
    paintb4707 Member Posts: 420
    sprkymrk wrote:
    And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

    I actually had a question about that. If you query the sntp server on a client and they're still pointing to time.microsoft.com, does that necessarily mean they aren't syncing with the PDC? Should it query no SNTP server at all?
    sprkymrk Member Posts: 4,884
    paintb4707 wrote:
    sprkymrk wrote:
    And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

    I actually had a question about that. If you query the sntp server on a client and they're still pointing to time.microsoft.com, does that necessarily mean they aren't syncing with the PDC? Should it query no SNTP server at all?

    The MS documentation and what I've seen on my network don't jibe. I had to watch my firewall logs and see what workstations were going out port 123 to see which ones weren't using a DC for whatever reason. It was really random, I couldn't explain why. I had to force the GPO down their throats and in some cases edit the registry to keep everything internal. Weird.
    All things are possible, only believe.
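Added example, not from sprkymrk's post: the firewall-log check he describes, as a PowerShell script over constructed log lines. The key=value format, the addresses (TEST-NET ranges for the "external" servers) and the DC addresses are all made up for the example; the regex has to be adapted to what your firewall really emits. The rule it applies is his: a domain member sending UDP/123 to anything other than a DC is not on the domain hierarchy, and a denied attempt proves the misconfiguration just as well as an allowed one.

```powershell
# Added example, not from the thread. Log lines, DC addresses and server
# addresses are constructed; adjust $fieldPattern to your firewall's format.

$dcAddresses = @('10.0.0.10', '10.0.0.11')          # assumed DC addresses

$logLines = @'
2024-05-01T08:00:01 action=allow proto=udp src=10.0.1.25 sport=123 dst=10.0.0.10 dport=123
2024-05-01T08:00:02 action=allow proto=udp src=10.0.1.31 sport=123 dst=203.0.113.5 dport=123
2024-05-01T08:00:03 action=allow proto=udp src=10.0.0.10 sport=123 dst=198.51.100.7 dport=123
2024-05-01T08:00:04 action=allow proto=tcp src=10.0.1.31 sport=51000 dst=203.0.113.5 dport=443
2024-05-01T08:00:05 action=deny proto=udp src=10.0.1.40 sport=123 dst=203.0.113.9 dport=123
2024-05-01T08:00:06 action=allow proto=udp src=10.0.1.31 sport=123 dst=203.0.113.6 dport=123
'@ -split '\r?\n' | Where-Object { $_.Trim() }

# Named groups for the fields the check needs; everything else is ignored.
$fieldPattern = 'action=(?<action>\w+)\s+proto=(?<proto>\w+)\s+src=(?<src>[\d.]+)\s+sport=\d+\s+dst=(?<dst>[\d.]+)\s+dport=(?<dport>\d+)'

function Find-StrayNtpClients {
    param([string[]]$Lines, [string[]]$DomainControllers)
    foreach ($line in $Lines) {
        if (-not ($line -match $fieldPattern)) { continue }
        $isNtp   = ($Matches.proto -eq 'udp') -and ($Matches.dport -eq '123')
        $srcIsDc = $DomainControllers -contains $Matches.src   # the PDC may legitimately go upstream
        $dstIsDc = $DomainControllers -contains $Matches.dst   # a member talking to a DC is correct
        if ($isNtp -and -not $srcIsDc -and -not $dstIsDc) {
            [pscustomobject]@{
                Client = $Matches.src
                Server = $Matches.dst
                Action = $Matches.action        # "deny" still means the client is misconfigured
                Time   = ($line -split '\s+')[0]
            }
        }
    }
}

# One row per offending client, listing every external server it reached for.
Find-StrayNtpClients -Lines $logLines -DomainControllers $dcAddresses |
    Group-Object Client |
    ForEach-Object {
        [pscustomobject]@{
            Client          = $_.Name
            Attempts        = $_.Count
            ExternalServers = ($_.Group.Server | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

With the constructed lines the report names 10.0.1.31 (two external servers) and 10.0.1.40 (one denied attempt); 10.0.1.25 is talking to a DC and 10.0.0.10 is a DC, so neither appears. On a real log, the clients it names are the ones to inspect with w32tm /query /source before pushing the GPO.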
    darkuser Member Posts: 620
    sprkymrk wrote:
    Here is a nice display explaining how Time Synch works in a domain:

    GetOpenContent.aspx?assetID=4d3b9294-477c-49eb-a06a-7a330ae0cf58&DocumentSet=en-US&RenderKey=XML

    And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

    what the heck is this ??????
    whatever happened to a good old-fashioned NTP client and server????

    http://www.faqs.org/rfcs/rfc1305.html

    may I offer the possum as assistance?


    Does anyone know if there's a bug ID for this problem? We're running
    IOS 12.2(44)SE.

    The problem is best visualised.

    See: http://i25.tinypic.com/309lesx.jpg
    rm -rf /
    brad- Member Posts: 1,218
    Thanks for the replies guys.

    So I think it may not be as difficult as the registry entries on the MS site. There is a GP right above the one I was looking at that was not enabled. If what I'm reading on the GP explanations is correct, just enabling and configuring these GPs should do the job... just thought I would run it by you guys.

    This is what I'm thinking (and I have been hesitant to do this because of any authentication issues that might arise)

    First - Configure this policy:
    ntp1oh1.th.jpg

    Second - Configure these policies:
    ntp2qa1.th.jpg

    We're a single domain, a PDC and 1 BDC.

    Would my assumption be correct that these policies could replace using the win32tm and updating the registry values?
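Added example, not from brad-'s or sprkymrk's posts, serving both brad-'s question (is the GPO enough, or is w32tm and the registry still needed?) and sprkymrk's finding that joined clients do not always end up on the domain hierarchy. It audits every domain member for the three things that matter: what the GPO wrote, what the service is actually configured with, and what it is syncing from right now. It assumes the ActiveDirectory module on the admin workstation and PowerShell remoting enabled on the members.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# WinRM/PowerShell remoting to the members (an assumption about your environment).
#
# The "Configure Windows NTP Client" GPO writes to the Policies key below; the
# service applies that over its own Parameters key. Type=NT5DS means "domain
# hierarchy", Type=NTP means "use the NtpServer value". With NT5DS the old
# NtpServer string is still present but ignored, so a leftover
# time.windows.com entry on its own does not prove a client is off the
# hierarchy; w32tm /query /source is the live answer, so all three are collected.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

$audit = {
    param($policyKey, $serviceKey)
    $pol = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $svc = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PolicyType    = $pol.Type        # $null when no time-client GPO applies here
        EffectiveType = $svc.Type        # NT5DS or NTP
        NtpServer     = $svc.NtpServer   # only meaningful when EffectiveType is NTP
        LiveSource    = (w32tm /query /source 2>&1 | Select-Object -First 1)
    }
}

# The PDC emulator is supposed to be Type=NTP with a manual peer, so leave it out.
$pdcShort = ((Get-ADDomain).PDCEmulator -split '\.')[0]
$targets  = (Get-ADComputer -Filter 'Enabled -eq $true').Name |
            Where-Object { $_ -ne $pdcShort }

$results = Invoke-Command -ComputerName $targets -ScriptBlock $audit `
           -ArgumentList $policyKey, $serviceKey -ErrorAction SilentlyContinue

# A member is a stray if it is not on the domain hierarchy, or if its live
# source is not one of our DCs (it still reports an external server, or
# "Local CMOS Clock" because it never managed to sync at all).
$dcNames = (Get-ADDomainController -Filter *).HostName
$stray = foreach ($r in $results) {
    $fromDc = $false
    foreach ($dc in $dcNames) { if ($r.LiveSource -like "*$dc*") { $fromDc = $true } }
    if ($r.EffectiveType -ne 'NT5DS' -or -not $fromDc) { $r }
}
$stray | Sort-Object Computer |
    Format-Table Computer, PolicyType, EffectiveType, NtpServer, LiveSource -AutoSize

# Reading the result:
#  - PolicyType empty          -> the GPO never reached this host; check gpresult /r there.
#  - PolicyType NT5DS, LiveSource not a DC -> policy applied but no resync yet:
#                                 w32tm /resync /rediscover on that host.
#  - EffectiveType NTP on a member -> someone set a manual peer by hand and the
#                                 GPO is not overriding it; that is the case to fix.
```

On the DC side the GPOs in the screenshots cover the clients and turn the NTP server on, but they do not make the new DC the PDC emulator or give it a manual upstream source; that part is still w32tm on whichever DC holds the role, which is what royal meant by "change it on the root PDC".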
    paintb4707 Member Posts: 420
    sprkymrk wrote:
    paintb4707 wrote:
    sprkymrk wrote:
    And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

    I actually had a question about that. If you query the sntp server on a client and they're still pointing to time.microsoft.com, does that necessarily mean they aren't syncing with the PDC? Should it query no SNTP server at all?

    The MS documentation and what Ive seen on my network don't jive. I had to watch my firewall logs and see what workstations were going out port 123 to see which ones weren't using a DC for whatever reason. It was really random, I couldn't explain why. I had to force the GPO down their throats and in some cases edit the reigstry to keep everything internal. Weird.

    Please tell us how you did this. I'd like to set it via group policy as well.