
I am working on a plan towards overhauling how time synchronization is handled on our network. Currently our network is predominantly Windows-based, in a fairly standard AD domain broken up into various sites. However we are starting to utilize Linux-based servers in our environment as well, with the thought that this balance will continue to shift towards that direction.

In such a mixed environment I am trying to figure out where NT5DS is used, if at all. Is it a better idea to have the Windows infrastructure respect the domain hierarchy for time synchronization and have the Linux servers pull time from the domain, or should an NTP server be spun up and have everything (Windows or Linux) pull its time from it?

I see both avenues as being functional, but am concerned that I am overlooking obvious gotchas down the road. On one hand, it seems silly to have a (proposed) fleet of Linux servers getting their time from a Windows domain. On the other hand, having every host on the network pull from one NTP server on the local network feels like a comparatively flat solution.

Tony Mitera

1 Answer


NT5DS is the client protocol for Windows systems to retrieve time from a DC. Using this on your Windows machines does not prevent you from also enabling the NTP server on your Windows DCs, and configuring your Linux clients to use your DCs as a source of time using the NTP protocol. I configure my DCs using group policy to enable NTP so I can point my Linux systems at them. Enabling NTP on the Windows servers also allows me to use check_ntp from my Nagios box to monitor time.

Your PDC emulator really should be pointed at good sources of time. For the best results it should be configured to use at least 3 low-stratum servers.

Is there any difference (in terms of functionality and reliability) between using the Windows NTP server as opposed to a Linux-based one? If they're essentially the same, it does seem like it's a lot less headache going the Windows route.

It partly depends on your Windows DC. If you aren't running at least 2008 R2 on all your DCs I wouldn't trust them to keep time accurate at all. Earlier versions of the Windows time service did SNTP only. Many people will swear by the reference implementation of NTP and say it is the only true NTP, but recent versions of Windows seem to do a relatively good job at keeping the time accurate enough.

I monitor time on all my servers (Linux & Windows) using Nagios, and the Windows boxes are usually within ~2-6ms with respect to the monitoring system, which is certainly accurate enough for my usage. If you have higher accuracy requirements you may need to set up internal NTP servers running on Linux. You could set up a Linux box as an NTP server and use that in addition to your Windows DCs.

Honestly, I would just start with the Windows DCs, and set up time monitoring. If your time isn't kept accurate enough, then add additional NTP servers or make changes as required.

Zoredache
  • Is there any difference (in terms of functionality and reliability) between using the Windows NTP server as opposed to a Linux-based one? If they're essentially the same, it does seem like it's a lot less headache going the Windows route. – Tony Mitera Apr 21 '15 at 18:23
  • Updated with an answer. – Zoredache Apr 21 '15 at 18:38
  • Thank you for the clarification. As a final point of clarification (and one I've long been trying to find an answer to) is there any rhyme or reason as to what server responds to an NTP request that is sent to the domain (say domain.local)? Do such requests just get sent to whatever DC has the PDC Emulator role, or does it get handled by any of the available DCs? – Tony Mitera Apr 21 '15 at 18:52
  • I believe clients (member computers) can sync with any DC, and DCs sync with the PDC Emulator. The PDC emulator should be configured to be an NTP client and sync with good external sources of time. But like you, I don't really have a good link to the supporting documentation for that. – Zoredache Apr 21 '15 at 18:55
  • One point that I didn't see mentioned here, was that many devices such as Cisco switches, just as an example, will refuse to sync with a Windows Server, even a 2008R2 or 2012 Windows Server, because they still don't use a reference NTP implementation. But I totally agree with everything you said. – Ryan Ries Apr 21 '15 at 20:31
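The setup the answer describes (PDC emulator chasing several low-stratum sources, every other DC staying on the NT5DS domain hierarchy, and the NTP server provider switched on so Linux hosts and Nagios can query the DCs) as an added PowerShell example; this is not code from the answer or its author, and the peer hostnames and DC name are placeholders. It sets the local registry value that the "Enable Windows NTP Server" group policy would otherwise set, so it assumes you are running it elevated on each DC rather than through a GPO.

```powershell
# Added example: configure one DC's time service for a mixed Windows/Linux network.
# Placeholder peers: replace with at least three low-stratum sources you trust.
$ExternalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

# Only the PDC emulator should chase external sources; all other DCs keep the
# default NT5DS behaviour (domhier) and sync from it.
$roles = (Get-ADDomainController -Identity $env:COMPUTERNAME).OperationMasterRoles
$isPdc = $roles -contains 'PDCEmulator'

if ($isPdc) {
    # ",0x8" = client mode; /reliable:yes advertises this DC as a reliable source
    # so the rest of the hierarchy prefers it.
    w32tm.exe /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm.exe /config /syncfromflags:domhier /reliable:no /update
}

# Turn on the NTP server provider so non-domain clients (Linux, switches, the
# Nagios box) can ask this DC for time over plain NTP. This is the same registry
# value the "Enable Windows NTP Server" GPO setting controls.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

Restart-Service w32time
w32tm.exe /resync /nowait

# Verify: which source the DC follows, its stratum, and the state of each peer.
w32tm.exe /query /status
w32tm.exe /query /peers

# From any other Windows host, measure the offset against this DC (the same
# check Nagios check_ntp performs); dc01.example.local is a placeholder.
# w32tm.exe /stripchart /computer:dc01.example.local /samples:5 /dataonly
```

On the Linux side the matching step is simply listing the DCs as `server` lines in ntp.conf or chrony.conf; the stripchart offset is the number to alarm on if it drifts well beyond the 2-6 ms the answer reports.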