NTP - MS Domain offerings? 2

[Hammertime]

Hi there,

Where having a little trouble with configuring NTP for our domain and would be grateful if anyone could offer any advice/information!

We run a 2003 network with 2 x OU's. We are running a SUN system that is setup for the NTP with static IP. The NTP service works for our hubs and routers as they use unicast polling however for devices such as printers and PC's adding the IP of the NTP service makes no difference (tried this on HP printers and XP Pro desktops). It's been suggested that using MS Domain offerings would resolve this however I find NTP difficult to understand as it is!

Clarification and advice would be great,

Hammertime

 

[xmsre]

You would sync the PDC emulator of the root domain in your forest the the external NTP time source. Use the command "net time /setsntp:10.10.1.1" where 10.10.1.1 is the IP address of your NTP time source. Domain members [2000 or later] get the time from the PDC emulator in their domain, and domains in a forest get time from the root domain without any additional configuration.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;224799

 

[mlichstein]

Make sure after running the net time /setsntp command you run w32tm /config /update

"Domain members [2000 or later] get the time from the PDC emulator in their domain"

Not necessarily. Domain clients and member servers sync their time with the DC that authenticates them. Domain controllers will sync their time either with the PDC of their own domain or any DC in the parent domain.

 

[Hammertime]

Hi guys,

Thanks for the info, we now have our two PDC's synchronising with our NTP source and they
reset their clocks by about every minute. Will the domain members including those in the OU's now start to sync as well? Is there anything else we need to do? Do I now add the IP address of the PDC to printers etc to sync?

Hammertime

 

[mlichstein]

Yeah, you'll probably need to manually add the PDCe's IP to the printers if you want to sync them.

But you should make sure that none of the other DCs are configured with an external time source.

net time /querysntp should return nothing on the other DCs and member servers.

 

[Hammertime]

The printers are synced, added IP and all fine.

The members servers in the OU's though are not synced, I tried changing the time and left it for 10 minutes and they didn't correct. Is there something we need to do to the members servers, PC's etc?

 

[xmsre]

The initial default period is 45 minutes. If the local time is behind less than 3 minutes, then the local clock is skewed until the times converge. You may want to wait just a bit longer.

Mlichstein is correct that domain members get their time from the authenticating server as returned in the DSGetDCName() call. Member servers follow the same process as clients. Domain controllers make three queries, the parent domain, the current domain, then the PDCE of the current domain. The PDCE of the root domain is authoritative. Which exact one of the three a domain controller will use is not specified in the referenced article, so I'm unsure of the algorithm used. Mlichstein may be able to share that with you.