NTP Server

Got a question...

We just brought a new backup DC online and want to use it to give time to the rest of the domain. I found the group policy settings for it under:
computer acct --> admin templates --> system --> windows time server

The settings there are self explanitory enough.

What I would like for it to do is use its own time to push out to the rest of the domain. When I read about how to do this on the MS website they have all kinds of regedit stuff to do.

I wish I had a couple of test machines, which I don't...but is it enough to just set the group policy and be done with it?

Thanks

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

royal

1. You need to use win32tm to change it on the root PDC.
2. You ONLY need to group policy to ensure registry settings on all the systems use the domain hierarchy and not their own custom settings to ensure time is synchronized.

The way the domain hierarchy works is:
Root PDC does manual time synchronization. All DCs in root domain synchronize with Root PDC.
Child Domain PDCs and Tree PDCs synchronize with the Root PDC.
All DCs synchronize with the PDCs in their own domain.
All clients/workstations will synchronize with any DCs in their own Domain at specific intervals. I believe it's every 30 minutes and after 3 successful attempts it goes up to 8 hours. I read the time intervals months ago, so I "think" those are the time intervals.

So as you can see, you really want to ensure that GPO is set to make sure this hierarchy stays as there's no real enforcement other than the Group Policy settings. If you modify 1 DC within the hierarchy and it modifies all the clients that got time from it, you can have some kerberos issues.

sprkymrk

Here is a nice display explaining how Time Synch works in a domain:

GetOpenContent.aspx?assetID=4d3b9294-477c-49eb-a06a-7a330ae0cf58&DocumentSet=en-US&RenderKey=XML

GetOpenContent.aspx?assetID=4d3b9294-477c-49eb-a06a-7a330ae0cf58&DocumentSet=en-US&RenderKey=XML

And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

paintb4707

sprkymrk wrote:

And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

I actually had a question about that. If you query the sntp server on a client and they're still pointing to time.microsoft.com, does that necessarily mean they aren't syncing with the PDC? Should it query no SNTP server at all?

sprkymrk

paintb4707 wrote:

sprkymrk wrote:

And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

I actually had a question about that. If you query the sntp server on a client and they're still pointing to time.microsoft.com, does that necessarily mean they aren't syncing with the PDC? Should it query no SNTP server at all?

The MS documentation and what Ive seen on my network don't jive. I had to watch my firewall logs and see what workstations were going out port 123 to see which ones weren't using a DC for whatever reason. It was really random, I couldn't explain why. I had to force the GPO down their throats and in some cases edit the reigstry to keep everything internal. Weird.

darkuser

sprkymrk wrote:

Here is a nice display explaining how Time Synch works in a domain:

And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

what the heck is this ??????
whatever happened to a good old fashioned ntp client and server ????

http://www.faqs.org/rfcs/rfc1305.html

may i offer the possum as assistance ?

Does anyone know if there's a bug ID for this problem? We're running
IOS 12.2(44)SE.

The problem is best visualised.

See: http://i25.tinypic.com/309lesx.jpg

brad-

Thanks for the replies guys.

So I think it may not be as difficult as the registry entries on the MS site. There is a GP right above the one I was looking at that was not enabled. If what I'm reading on the GP explanations is correct, just enabling and configuring these GP's should do the job...just thought I would run it by you guys.

This is what I'm thinking (and I have been hesitant to do this because of any authentication issues that might arise)

First - Configure this policy:

Second - Configure these policies:

We're a single domain, a PDC and 1 BDC.

Would my assumption be correct that these policies could replace using the win32tm and updating the registry values?

paintb4707

sprkymrk wrote:

paintb4707 wrote:

sprkymrk wrote:

And like royal stated, the only thing you need to do in Group Policy is force clients to use the domain policy for time, which by the way is supposed to be the default when you join a domain. I have found that this is not always the case though. I had several clients still using NTP out to time.microsoft.com servers until I used a GPO to enforce the domain policy.

I actually had a question about that. If you query the sntp server on a client and they're still pointing to time.microsoft.com, does that necessarily mean they aren't syncing with the PDC? Should it query no SNTP server at all?

The MS documentation and what Ive seen on my network don't jive. I had to watch my firewall logs and see what workstations were going out port 123 to see which ones weren't using a DC for whatever reason. It was really random, I couldn't explain why. I had to force the GPO down their throats and in some cases edit the reigstry to keep everything internal. Weird.

Please tell us how you did this. I'd like to set it via group policy as well.