
I know the best practice would be to have the PDC Emulator sync against an external NTP time source, and have all other domain controllers sync against the PDC Emulator.

However, my network layout is... 'interesting', to say the least.

My company is a multinational company. For reasons unknown to mere mortals, the group headquarters (located in another country) demands that all country branch offices connect directly to the group headquarters instead of the country head office. The PDC Emulator is located in the country head office.

But the domain is country-wide, not global.

In other words, it's a "hub and spoke" arrangement... but with the PDC Emulator located in one spoke instead of in the hub.

Now, group HQ is 'kind enough' to provide a time reference server; let's call it ntp.bigcompany.com. I already had my PDC Emulator sync against that time reference.

The million dollar question: In your opinion, should I keep doing it the 'recommended' way (i.e., have branch DCs sync to the PDC Emulator), or should I force all DCs to sync to ntp.bigcompany.com?

Edited to add: Just to make things clearer, all offices (branch or head) in my country have NO direct Internet connectivity; all offices are connected to HQ via VPN. There's a proxy farm in the HQ to serve the web browsers in branch/head offices. NTP traffic to public Internet NTP servers is blocked.

pepoluan
  • Why not run your own NTP server and have it downstream from ntp.bigcompany.com ? Then connect your DCs to this? Maybe I'm missing something, question is interesting to say the least. – gparent Apr 27 '12 at 15:26
  • @gparent you mean, adding an NTP server on each branch office? Why not have the DCs sync directly to ntp.bigcompany.com, then? – pepoluan Apr 27 '12 at 15:31
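The two layouts the question weighs, written out as the w32tm configuration for each, plus a skew check against the Kerberos tolerance. This is an added example, not something posted in the question or answers. It assumes the HQ source ntp.bigcompany.com from the question; host names are hypothetical, and the commands are run in an elevated PowerShell session on the DC being configured (the check needs the RSAT ActiveDirectory module).

```powershell
# Added example, not from the original post. ntp.bigcompany.com is the HQ time
# source named in the question; DC host names below are hypothetical.

# --- Option A: the "recommended" hierarchy -----------------------------------
# On the PDC Emulator only: take time from the HQ source and advertise as a
# reliable time source for the domain. 0x8 = NTP client mode for that peer.
w32tm /config /manualpeerlist:"ntp.bigcompany.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# On every other DC (writable DCs and RODCs alike): follow the domain hierarchy,
# which leads back to the PDC Emulator. An RODC cannot serve as the domain's
# time source, so domhier on an RODC means "ask a writable DC".
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Option B: every DC straight to ntp.bigcompany.com ------------------------
# Run on each branch DC. Keeping domhier in the list means the DC falls back to
# the domain hierarchy if the VPN to HQ (the only path to the source) is down.
w32tm /config /manualpeerlist:"ntp.bigcompany.com,0x8" /syncfromflags:manual,domhier /update
Restart-Service w32time
w32tm /resync /rediscover

# Either way, confirm what the service actually picked:
w32tm /query /source
w32tm /query /status

# --- Check: is every DC within Kerberos tolerance of the PDC Emulator? -------
# Run this on the PDC Emulator, so the offsets are relative to the top of the
# hierarchy. Kerberos rejects tickets when clocks differ by more than
# MaxClockSkew, which defaults to 5 minutes.
Import-Module ActiveDirectory
$pdce    = (Get-ADDomain).PDCEmulator
$maxSkew = 300   # seconds; Kerberos MaxClockSkew default

foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.HostName -eq $pdce) { continue }
    # /dataonly prints one "hh:mm:ss, +00.0012345s" line per sample
    $out  = w32tm /stripchart /computer:$dc.HostName /samples:3 /dataonly 2>&1
    $last = $out | Select-String -Pattern '([+-]\d+[.,]\d+)s' | Select-Object -Last 1
    if (-not $last) {
        Write-Warning "$($dc.HostName): no NTP response (link down or UDP/123 blocked?)"
        continue
    }
    # Some locales print a comma as the decimal separator; normalise before casting
    $offset = [double]($last.Matches[0].Groups[1].Value -replace ',', '.')
    $state  = if ([math]::Abs($offset) -gt $maxSkew) { 'OUT OF KERBEROS TOLERANCE' } else { 'ok' }
    '{0,-35} {1,12:N3}s  {2}' -f $dc.HostName, $offset, $state
}
```

One caveat worth checking before trusting any of the above: if the Windows Time Service settings under Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers are configured in a GPO that applies to the DCs (the Default Domain Controllers Policy is the usual suspect), that policy overrides whatever `w32tm /config` wrote, and `w32tm /query /configuration` will show the policy values instead.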

3 Answers


I would personally sync to a local NTP server at every DC site that is GPS satellite-synced; that way, even when links are down (God forbid), your systems are all still in perfect time sync, and no worries with time and AD when you replicate after the network failure.

dc5553
  • Sounds nice, but I don't think there's a budget to deploy 80+ GPS time synchronizers ;_; (yes, we have almost 90 branch offices). – pepoluan Apr 27 '12 at 15:32
  • How many offices have domain controllers? those are the ones im talking about. – dc5553 Apr 27 '12 at 15:34
  • Each branch office has at least one RODC. The head office alone has 3 writable DCs. – pepoluan Apr 27 '12 at 15:35
  • 1k per server location; with a network of this size, timing is crucial not just for AD replication but for security incidents. I think it's worth the money if they can swing it. – dc5553 Apr 27 '12 at 15:38
  • dc5553 - I'm going to disagree with you. Satellite clocks aren't necessary to keep AD's NTP working well. You can do just fine working with all your upstream sources being reliable NTP as well. Unless you're doing something that requires legally-admissible timestamps (911 calls) or other very-high accuracy applications. OOTB, AD allows 5 or 10 minutes skew IIRC. With that kind of tolerance, why would you need to buy 90 GPS clocks? – mfinni Apr 27 '12 at 16:04
  • Everyone has an opinion, I guess; it just so happens I work in a field that does require that type of fidelity, so take all my advice with that in mind. I certainly would not advocate 80 GPS-enabled time servers, but where there is a writable DC, go with it. – dc5553 Apr 27 '12 at 17:20
  • @mfinni And in my defense, there was no mention of 80 different sites in the question. Multinational tells me a spread-out footprint with the possibility of broken links; this is why I recommend it. Anyone who reads this question, please know that and use my recommendation only for a smaller number of sites and with multinational/multi-timezone WAN links. – dc5553 Apr 27 '12 at 17:28

However you do it, you should make sure that everything in the domain is no more than 5 minutes apart from anything else. Honestly, it sounds like you might have needed child domains for this if there are management issues resolving this problem.

Normally child domains aren't needed much except in the case of management boundaries, but it seems like you are clearly running into a management issue. Separate child domains would allow there to be a separate PDC Emulator at each site.

MDMarra
  • Problem is, due to "need to press down costs", the branch offices have no dedicated IT staff, so we can't put a PDC Emulator in each branch office; we're practically required to use RODCs. – pepoluan Apr 27 '12 at 15:34

Why not just move the PDC Emulator role to the "HUB" office?

HostBits
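What moving the role actually involves, as an added example that is not part of this answer: the FSMO transfer itself is one cmdlet, but the time hierarchy does not follow the role on its own, so the new holder has to be pointed at the HQ source and the old holder demoted back to the domain hierarchy. It assumes a writable DC already exists in the hub office (HUB-DC01, hypothetical), WinRM to both DCs, the RSAT ActiveDirectory module, and ntp.bigcompany.com from the question.

```powershell
# Added example, not from the original answer. HUB-DC01 is a hypothetical
# writable DC in the hub office; ntp.bigcompany.com is the HQ source from the question.
Import-Module ActiveDirectory

$oldPdce = (Get-ADDomain).PDCEmulator      # capture before the move
$newPdce = 'HUB-DC01.corp.example'         # hypothetical FQDN

# 1. Transfer the role. The target must be a writable DC; RODCs cannot hold FSMO roles.
Move-ADDirectoryServerOperationMasterRole -Identity $newPdce `
    -OperationMasterRole PDCEmulator -Confirm:$false

# 2. Re-point the time hierarchy. The new PDCe takes time from HQ and announces
#    itself as reliable; the old one goes back to following the domain hierarchy
#    and stops claiming to be a reliable source.
Invoke-Command -ComputerName $newPdce -ScriptBlock {
    w32tm /config /manualpeerlist:"ntp.bigcompany.com,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}
Invoke-Command -ComputerName $oldPdce -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# 3. Confirm the role moved and that every DC's time source now leads back to it.
(Get-ADDomain).PDCEmulator
foreach ($dc in Get-ADDomainController -Filter *) {
    '{0,-35} source: {1}' -f $dc.HostName, (w32tm /query /source /computer:$dc.HostName)
}
```

Branch DCs configured with `/syncfromflags:domhier` pick up the new PDC Emulator on their next rediscovery; a `w32tm /resync /rediscover` on each of them speeds that up. If the old head-office DC had been flagged reliable by Group Policy rather than by `w32tm /config`, step 2 will not take effect there until the policy is changed.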