[BBLISA] AD as NTP source?

Edward Ned Harvey bblisa4 at nedharvey.com
Fri Jul 13 07:57:13 EDT 2012


> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Rudie, Tony
> 
> I have to decommission the Solaris servers that currently provide the
> stratum-2 layer for my division of the company.  Would it be sheer madness
> to try to use the existing AD domain controllers  (which serve up AD for all
> servers, Windows and Unix/Linux, as well as all desktops) as the stratum-2
> servers for NTP?

IMHO, AD is the preferred NTP server to use, because it's required and
enabled by default on all your AD servers whether you like it or not.  Also,
it generally doesn't matter if your clients have the *correct* time; it only
matters if they have the *same* time as the AD servers.  (+/- 5 minutes.)
If your AD clients differ by more than 5 minutes, they will refuse to
authenticate.

Here are my notes on configuring NTP on AD (windows server 2003 R2):

(Now that I'm reading below, I have some notes for you about my notes.)  
1)  By default, any windows computer joined to domain will already be using
the AD servers for time sync.
2)  But you need all your AD servers to be in sync with each other.  How to
do it?  In my case, I make all my AD servers sync up to the North America
pool from ntp.org, as described below.  That is really what my notes below
are about.  Choosing the source that AD servers will follow.  
3)  You don't actually need to do anything, necessarily.  If you want to
make your linux/unix machines sync to the AD server, you can simply tell
them to start now.  They will get whatever time the windows AD clients are
getting.


------------------------------------------
Simple Commands

w32tm /stripchart /computer:north-america.pool.ntp.org /samples:1 /dataonly
This compares the local time against server's time.

w32tm /resync /rediscover
This tells the system to sync its time to whatever time source is currently
configured.  Probably won't do much of anything, unless you just changed the
peerlist, as described below...
------------------------------------------
The best and easiest and most powerful way to configure time sync is via
domain policy.  This will override any registry settings.

Domain Policy

Go to the "Domain Controllers" OU.
Create a new group policy, as follows:
  Computer Configuration
    Administrative Templates
      System
        Windows Time Service
          Time Providers
            Enable Windows NTP Client:   Enabled
            Configure Windows NTP Client:
              NtpServer:                  bonehed.lcs.mit.edu,0x1 time.keneli.org,0x1 north-america.pool.ntp.org,0x1
              Type:                       NTP
              CrossSiteSyncFlags:         2
              ResolvePeerBackoffMinutes:  15
              ResolvePeerBackoffMaxTimes: 7
              SpecialPollInterval:        3600
              EventLogFlags:              0
            Enable Windows NTP Server:    Enabled

Typically it takes about an hour for a clock skew to reach the final,
correct time.
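The check a defender would want after setting this up, as an added example that is not part of the original post: it runs the same w32tm /stripchart command against a reference source and each domain controller and flags any DC drifting toward the 5-minute Kerberos limit. The computer names are placeholders, and it assumes w32tm.exe is on the PATH and UDP/123 reaches every host.

```powershell
# Added example, not from the original post: check that each domain controller
# agrees with a reference NTP source and with the other DCs, using the same
# w32tm /stripchart command described above.  Assumptions: w32tm.exe is on the
# PATH, UDP/123 reaches every host, and the computer names are placeholders.
param(
    [string]   $Reference   = 'north-america.pool.ntp.org',
    [string[]] $Computers   = @('dc1.example.local', 'dc2.example.local'),
    [double]   $WarnSeconds = 60   # warn well before the 300 s Kerberos tolerance
)

function Get-NtpOffsetSeconds {
    # One /stripchart sample against $Target; returns the signed offset between
    # this machine's clock and $Target in seconds, or $null if no sample came back
    # (unreachable host, or an "error: 0x..." row instead of a reading).
    param([string] $Target)
    $output = & w32tm.exe /stripchart "/computer:$Target" /samples:1 /dataonly 2>&1
    foreach ($line in $output) {
        # /dataonly rows look like "07:57:13, +00.0123456s"
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { return [double] $Matches[1] }
    }
    return $null
}

$refOffset = Get-NtpOffsetSeconds -Target $Reference
if ($null -eq $refOffset) { throw "No time sample from reference $Reference" }

$rows = foreach ($dc in $Computers) {
    $dcOffset = Get-NtpOffsetSeconds -Target $dc
    if ($null -eq $dcOffset) {
        $skew = $null; $status = 'NO SAMPLE'
    } else {
        # Both offsets were measured from this host, so their difference is the
        # DC's skew relative to the reference source.
        $skew = [math]::Round($dcOffset - $refOffset, 3)
        if ([math]::Abs($skew) -gt $WarnSeconds) { $status = 'WARN' } else { $status = 'OK' }
    }
    New-Object PSObject -Property @{ Computer = $dc; SkewFromRefSec = $skew; Status = $status }
}
$rows | Select-Object Computer, SkewFromRefSec, Status | Format-Table -AutoSize

# The real requirement from the post: DCs must agree with *each other*.  Report
# the spread across the reachable DCs; Kerberos stops authenticating past 300 s.
$measured = @($rows | Where-Object { $null -ne $_.SkewFromRefSec } |
              Select-Object -ExpandProperty SkewFromRefSec)
if ($measured.Count -gt 1) {
    $stats = $measured | Measure-Object -Maximum -Minimum
    '{0:N3} s spread between DCs' -f ($stats.Maximum - $stats.Minimum)
}
```

Run it from any domain-joined machine; a WARN row or a large spread means the GPO above has not taken effect on that DC yet, or that DC is following a different source.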
