Another topic that seems to confuse people even though it's a simple process. I'll blog soon about NTP in general when it comes to stratums and design, but I want to focus on the Windows AD side in this post.
#Windows Default options:
NTP – Use on computers that are not joined to a domain.
NT5DS – Use on computers that are joined to a domain.
Pretty straightforward. Windows has two default options. Computers NOT joined to the DOMAIN will use NTP, and computers joined to the DOMAIN will use NT5DS, NOT NTP. NT5DS is what every domain device uses; it's the default. It's a time service that synchronizes the entire domain hierarchy.
#HOW NT5DS WORKS:
In a Windows forest, the Primary Domain Controller (PDC) emulator holds the master role. This server is the authoritative time source for the domain unless another reliable time source has been configured. This PDC is usually synced to external time sources or, like in some of my other environments, internal GPS NTP appliances.
Next we’ll look at the Flexible Single Master Operation (FSMO) roles to find who that PDC server is.
#LOOK AT FSMO ROLES TO FIND PDC:
I won't go into each role, but there are 5 FSMO roles:
Schema Master – 1 per forest
Domain Naming Master – 1 per forest
Primary Domain Controller (PDC) Emulator – 1 per domain
Relative ID (RID) Master – 1 per domain
Infrastructure Master – 1 per domain
#PDC ON NETWORK WITH EXTERNAL SETTINGS:
You can use the same command to look at a remote computer. Below we are looking at our DC that happens to be the PDC. You can see that the server is configured to get its time from external sources and the type is NTP.
#CONFIGURING NTP SETTINGS MANUALLY:
So how do you configure the external time sources on the PDC? Below is the command you would use, or something like it. You want the PDC to use reliable NTP sources.
Below we are prioritizing pool.ntp.org over time.nist.gov:
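As an added example (not code from the original post), here is a PowerShell walk-through of the steps above: find the PDC emulator, query what it is syncing from, set the external peer list, and verify the hierarchy. It assumes the RSAT ActiveDirectory module, an elevated domain-admin session, and that the 0x2 (use as fallback only) flag on time.nist.gov is how pool.ntp.org is prioritized.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module
# and an elevated domain-admin session; peer flags are an assumption (see below).
Import-Module ActiveDirectory

# 1. The PDC emulator is the top of the NT5DS hierarchy, so external sources go there.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# 2. Inspect the current time configuration and source on the PDC (remote query).
w32tm /query /computer:$pdc /status
w32tm /query /computer:$pdc /source

# 3. Apply the manual peer list on the PDC.
#    0x8 = client mode; 0x2 = use as fallback only. Combining them (0xa) on
#    time.nist.gov means pool.ntp.org is preferred and time.nist.gov is used only
#    if pool.ntp.org is unreachable. /reliable:yes marks this DC as a reliable
#    time source for the rest of the domain hierarchy.
$peers = 'pool.ntp.org,0x8 time.nist.gov,0xa'
Invoke-Command -ComputerName $pdc -ScriptBlock {
    param($peerList)
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
} -ArgumentList $peers

# 4. Verify: the PDC should now report one of the external peers as its source,
#    and every other DC should report a domain controller as its source (NT5DS),
#    not an external host. A DC pointing at an outside server is a misconfiguration.
"PDC source: " + (w32tm /query /computer:$pdc /source)
Get-ADDomainController -Filter * |
    Where-Object { $_.HostName -ne $pdc } |
    ForEach-Object {
        "{0}: {1}" -f $_.HostName, (w32tm /query /computer:$_.HostName /source)
    }
```

Run step 4 again after a few minutes if the source still shows "Local CMOS Clock"; w32time needs a successful poll before it reports the new peer.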