
I inherited an environment with a Windows 2012R2 Domain Controller (serverA) set as the NTP server. This server is going to be retired shortly for a new (separate) 2019 instance. The domain controller does not have the PDC Emulator role assigned to it.

The NTP server points at a separate NTP server outside of our immediate network. This NTP server it points at is not a public NTP server accessible over the internet. It's internal to the organization but not part of the network my environment resides in.

If I run w32tm /query /source on any of the other servers in our environment (app, database, domain controllers) they reference our NTP server or one of the other domain controllers in our environment.

Where I'm getting confused or need clarification is that the registry setting for domain member servers references `time.windows.com,0x8` or `time.windows.com,0x9` here: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters` - `NtpServer`

Only one domain controller has the registry value above set as the NTP server in our environment (serverA). Should this registry value for the domain member servers be set to the IP/host name of our domain controller (serverA)?

Before I perform any kind of migration I want to make sure I understand the current configuration so I can fix/resolve any issues. I'd appreciate any help or clarification!

jrd1989
    You should confirm how domain members are synchronizing. You may not see that with w32tm /query /source, that is what the /status /verbose switches are for. Also it sounds like there isn't a coherent synchronization strategy now. Most organizations do not synchronize domain members using NTP, they synchronize using Active Directory (NT5DS). – Greg Askew Mar 07 '22 at 17:32
  • I appreciate the response. If I run ```w32tm /query /status /verbose``` on the member servers in the domain the "Source" value is either our domain controller running NTP services or one of the other domain controllers in our environment. – jrd1989 Mar 07 '22 at 19:29
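The comment thread above hinges on checking what each host is actually doing rather than what its `NtpServer` value says. The following PowerShell audit is an added example, not something posted by anyone in this thread; it assumes WinRM is reachable on the targets, that the ActiveDirectory RSAT module is installed on the workstation running it, and that the host names in `$computers` are placeholders for your own servers. For each host it reads `Type` and `NtpServer` from the registry, pulls the real peer out of `w32tm /query /status /verbose`, and flags any host whose `Type` does not match the default design (static NTP only on the PDC emulator, NT5DS everywhere else).

```powershell
# Added example: audit how each Windows host is really getting its time.
# Assumptions: WinRM enabled on targets, ActiveDirectory module available
# locally, and the names in $computers are placeholders for your own hosts.

$computers = @('serverA', 'serverB', 'app01', 'db01')   # placeholder host names

# The PDC emulator of the forest root is the one host that should use static NTP.
$pdc = (Get-ADDomain).PDCEmulator   # returns the FQDN, e.g. serverX.ad.example.net

$report = Invoke-Command -ComputerName $computers -ScriptBlock {
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    # /status /verbose reports the peer actually in use; /source alone can mislead
    # when a host has a stale NtpServer value but is really using NT5DS discovery.
    $status  = w32tm /query /status /verbose
    $source  = ($status | Where-Object { $_ -match '^Source:' })  -replace '^Source:\s*', ''
    $stratum = ($status | Where-Object { $_ -match '^Stratum:' }) -replace '^Stratum:\s*', ''

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Type      = $params.Type        # NT5DS = domain hierarchy, NTP = static peer list
        NtpServer = $params.NtpServer   # ignored entirely while Type is NT5DS
        Source    = $source
        Stratum   = $stratum
    }
}

foreach ($r in $report) {
    # Match the short name returned by the remote host against the PDC's FQDN.
    $isPdc    = $pdc -like "$($r.Computer).*"
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    $r | Add-Member -NotePropertyName Expected -NotePropertyValue $expected
    $r | Add-Member -NotePropertyName Mismatch -NotePropertyValue ($r.Type -ne $expected)
}

# Mismatches first: these are the hosts to fix before the old DC is retired.
$report | Sort-Object Mismatch -Descending |
    Format-Table Computer, Type, Expected, Mismatch, NtpServer, Source, Stratum -AutoSize
```

A member that shows `Type = NT5DS` and `Source = <some DC>` is healthy no matter what `NtpServer` contains; the rows to worry about are a non-PDC host with `Type = NTP`, or the PDC emulator itself showing a DC as its source, which means the hierarchy has no external anchor.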

1 Answer


AD DS joined computers by default discover time from the domain hierarchy. In `HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\`, `Type` is `NT5DS` and `NtpServer` does not matter. The one computer where `Type` should be static `NTP` is the PDC of the forest root. In terms of NTP stratum, this would be:

  1. NTP servers
  2. PDC emulator
  3. Other domain controllers
  4. Other member computers

Consider group policy to enforce the time settings on DCs, in case the PDC changes. Now that you know which registry settings, you can search for example policy, like this one in PowerShell. Substitute your NTP server, of course.

Determine whether you intend to use this default design, or something else. And apply it consistently to every device, which you do not appear to have now. All computers could be set to a static NTP. But as you found out, any given host will not last forever, especially DCs.

Note that DCs are running an NTP service, which can also be used by non-domain or non-Windows devices. The domain name makes for a good service address: `pool ad.example.net iburst`


John Mahowald
  • I appreciate this information. The NTP server does not have the PDC Emulator role assigned to it. It has other DC roles but not PDC Emulator. I want to migrate NTP services to a new 2019 DC with the PDC emulator role though. Just so I understand, are you saying the ```NtpServer``` registry value setting on domain members should be set to our NTP server instead of time.windows.com,0x8 which is the current setting? I agree GPO would be much easier from a config/maintenance standpoint and will look to do that once I understand how everything should be configured, thanks! – jrd1989 Mar 07 '22 at 19:49
  • Yes, use your NTP server as `NtpServer` everywhere, and not `time.windows.com` (which is probably overloaded anyway). But configured static NTP servers are not used when member computers discover via `NT5DS` – John Mahowald Mar 07 '22 at 20:01
  • I think this is where my confusion lies. Currently the domain member servers and all DC's except the DC hosting NTP services have the registry setting for ```Type``` set as ```NT5DS``` and ```NtpServer``` is set to ```time.windows.com```. Since the domain members are set as NT5DS though the ```NtpServer``` value doesn't matter since they're pulling from the domain/domain controllers and technically don't need to be updated then, correct? By updated I mean switching out the time.windows.com URL for our NTP host name. – jrd1989 Mar 07 '22 at 20:19
  • Both of these can be true: 1) NtpServer does not matter with NT5DS discovery 2) time.windows.com is garbage relative to a local NTP server, so no need to be selective in a GPO that updates NtpServer – John Mahowald Mar 08 '22 at 21:48
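The answer and its comments describe one design: the PDC emulator syncs statically from the internal NTP server, every other DC and member discovers time through the domain hierarchy, and `NtpServer` is still pointed at the internal server rather than `time.windows.com` so that nothing silently falls back to it. The script below is an added example of applying that design with `w32tm`, not code from the answer's author; it assumes WinRM access, the ActiveDirectory module, an internal upstream named `ntp.corp.example.net` (placeholder), and placeholder host names in `$others`.

```powershell
# Added example: apply the default design from the answer above.
# Assumptions: WinRM reachable, ActiveDirectory module installed locally,
# $upstream and the names in $others are placeholders for your environment.

$upstream = 'ntp.corp.example.net'        # assumed internal NTP server (not public)
$pdc      = (Get-ADDomain).PDCEmulator    # the new 2019 DC once the role has moved
$others   = @('serverB', 'app01', 'db01') # placeholder: every other DC and member

# 1. PDC emulator: static NTP toward the internal source, advertised as reliable.
#    Flag 0x8 = client mode (symmetric-active is not used against the peer);
#    0x9 adds SpecialInterval, so the host polls at SpecialPollInterval
#    instead of the adaptive interval. Either is fine for a single upstream.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    w32tm /config /manualpeerlist:"$using:upstream,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /nowait
}

# 2. Everyone else: domain hierarchy discovery. /syncfromflags:domhier sets
#    Type back to NT5DS, after which NtpServer is ignored. It is still replaced
#    here so that any host later switched to static NTP has a sane fallback
#    instead of time.windows.com.
Invoke-Command -ComputerName $others -ScriptBlock {
    w32tm /config /syncfromflags:domhier /update
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' `
        -Name NtpServer -Value "$using:upstream,0x8"
    Restart-Service w32time
    w32tm /resync /nowait
}

# 3. Verify: members should report a DC as Source, the PDC should report $upstream.
Invoke-Command -ComputerName ($others + $pdc) -ScriptBlock {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Type     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
        Source   = (w32tm /query /source)
    }
} | Format-Table Computer, Type, Source -AutoSize
```

To make step 1 survive a future transfer of the PDC emulator role, as the answer suggests, put the same settings in a GPO linked to the Domain Controllers OU and scope it with a WMI filter of `SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5` (DomainRole 5 is "primary domain controller"); the policy then follows the role rather than a named host.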