External NTP-servers on PDC, how does failover work?

    Question

  • Hi!

    I have 10 DCs in total and 2 DCs (Server 2016) in the main site which are NTP-servers for all my clients and servers (including *nix). I'm not really sure how I'm supposed to set up my external NTP-servers with redundancy. As I understand it, all DCs must synchronize the time with the PDC.

    Example where DC1 is PDC:

    DC1 NTP: - some.ntp.external.com

    DC2 NTP: - DC1

    What will happen in a disaster if DC1 is removed and the PDC role is transferred to DC2? I guess that the external NTP server will not be transferred to DC2 and the local BIOS clock will take over? Then it is a manual operation to add the external NTP-servers again in case of a disaster.

    Scenario nr 2 is this:

    DC1 NTP: - some.ntp.external.com

    DC2 NTP: - some.ntp.external.com

    Does this work? Can you set up external NTP-servers on a DC that is not the PDC? This seems like the best option.

    Not sure why I created this thread, I guess I just want to know how you guys are doing it with Windows and NTP :)

    Thanks!

    Wednesday, April 26, 2017 2:47 PM

Answers

  • You want only the PDC to sync externally, all other domain members (including other DCs) should be set to NT5DS. Create a GPO that sets the NTP server settings and tie it to a WMI targeting the PDC; at that point if the PDC role moves, the new PDC will sync with the external NTP server, the previous PDC will go back to NT5DS.

    https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

    • Marked as answer by Samus-Aran Friday, April 28, 2017 6:48 AM
    Wednesday, April 26, 2017 4:13 PM
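
A way to verify the layout this answer describes, as an added example that is not part of the original thread: the WMI filter query for the PDC-only GPO, plus an audit that the PDC emulator is the only DC using an external source. It assumes the ActiveDirectory RSAT module, remote `w32tm` access to every DC, and the peer name from the question; `Get-DcTimeConfig` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run from an admin workstation or a DC.
Import-Module ActiveDirectory

# WMI filter to link to the GPO that enables "Configure Windows NTP Client".
# Win32_ComputerSystem.DomainRole 5 = primary domain controller (PDC emulator),
# so the GPO follows the role when it is transferred or seized.
$PdcWmiFilter = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'

# Assumption: the external peer used in the question's example.
$ExternalPeer = 'some.ntp.external.com'

function Get-DcTimeConfig {
    # Hypothetical helper: reads the w32time client type and current source of one DC.
    param([Parameter(Mandatory)][string]$ComputerName)
    $config = & w32tm /query /computer:$ComputerName /configuration 2>&1 | Out-String
    $source = (& w32tm /query /computer:$ComputerName /source 2>&1 | Out-String).Trim()
    # The configuration dump contains a line such as "Type: NT5DS (Local)".
    $type = if ($config -match '(?m)^\s*Type:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Type = $type; Source = $source }
}

$pdc = (Get-ADDomain).PDCEmulator

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $isPdc = $dc.HostName -eq $pdc
    $time  = Get-DcTimeConfig -ComputerName $dc.HostName
    # PDC: manual NTP peer. Every other DC: domain hierarchy (NT5DS).
    $ok = if ($isPdc) {
        $time.Type -eq 'NTP' -and $time.Source -like "*$ExternalPeer*"
    } else {
        $time.Type -eq 'NT5DS'
    }
    [pscustomobject]@{
        DC         = $dc.HostName
        IsPdc      = $isPdc
        Type       = $time.Type
        Source     = $time.Source
        AsExpected = $ok
    }
}

"WMI filter for the PDC-only GPO: $PdcWmiFilter"
$report | Sort-Object IsPdc -Descending | Format-Table -AutoSize
```

A source of "Local CMOS Clock" on the PDC row, or any `AsExpected = False` after a role move, means the GPO has not applied yet or the WMI filter is not linked.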
  • Hi

     If you configure DC1 with an external time source, then DC1 is your NTP server and all other DCs sync from that DC.

    DC1 NTP: - some.ntp.external.com

    DC2 NTP: - some.ntp.external.com

    Does this work ? Can you set up external NTP-servers on DC that is not PDC ? This seems like the best option.>>>

     If there is a disaster situation on your PDC (also NTP), you should seize the FSMO roles to another available DC, then configure this new PDC with the external time source again.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Marked as answer by Samus-Aran Friday, April 28, 2017 6:48 AM
    Wednesday, April 26, 2017 8:23 PM
