NT5DS on Domain Controllers VS All Domain Controllers NTP

    Question

  • I have been all over the TechNet articles and I have learned just about every facet of NT5DS and the domain hierarchy, from the commands that need to be run to the registry entries that need to be changed and the GPOs that need to be created, and I am solid on that front.

    The question I'm having a difficult time trying to determine is why...

    What are the pros and cons of using the hierarchy for our DCs as opposed to just configuring all DCs to utilize NTP and point to highly reliable NTP servers? Currently, we have all of our domain controllers pointed directly at three very highly reliable time servers via a GPO affecting all domain controllers, while leaving all clients on NT5DS to get their time from their authenticating domain controllers. What's the difference between these two setups? Is my current deployment not technically more reliable and redundant? And if so, why is it not best practice?


    • Edited by KPetersonMC Tuesday, April 11, 2017 7:15 PM
    Tuesday, April 11, 2017 7:14 PM

All replies

  • Hi,
    In my experience, I have some personal opinions as below, you could take a look and refer to:
    In a domain, the DC holding the PDC Emulator FSMO role is the time source and should be configured to an external time source. By default, without specific requirements, that is the only configuration you have to make. For me, it is the first advantage.
    Two, if your domain controllers point directly at three time servers, no matter how reliable these time servers are, they still need to be monitored or configured for each DC, which might cost more resources than one time source.
    Regarding cons, as far as I know, the Windows Time Service is NOT built to be a high-accuracy NTP solution; if you have the need for highly accurate time, you have to use a "Stratum One" device, which is capable of this.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 12, 2017 8:05 AM
    Moderator
  • If you have a forest with multiple domains, the forest PDC is the one which would be pointed to the NTP device. The other PDC emulators in child domains will receive the time from the hierarchy.

    But I agree with Wendy, Windows Time Service is NOT for high accuracy. But take a look at Windows Server 2016; they have a lot of new features for time accuracy for domain controllers... pretty interesting stuff to read.

    Wednesday, April 12, 2017 9:06 PM
  • Thank you very much for your response and I appreciate your feedback.

    Here is a logical scenario... Our domain is all located in a central office; however, we have a small handful of remote offices. If the connectivity between our remote office and our primary office is lost for some reason, would it not be a more stable environment in relation to time if the DC at the remote office was being directed at an external NTP server?

    I'm not really concerned when it comes to our client machines. NT5DS is sufficient to keep all of our systems up to date. I'm speaking specifically of the domain controllers' time, of which we have approx. 8 DCs. Trying to explain this to our CIO, who is very interested in the "why", first posed the question that got me thinking, and after giving it thought I can't come up with a reason why, for DCs and up, NTP is not a better alternative than allowing the hierarchy to centralize at the PDCe. Even if we lose the PDCe and have to move the FSMO roles, we have another manual step to get this new DC off the hierarchy and connected to external NTP as it begins to take the time server role. With all DCs pointing at external NTP, some of the complications of the NT5DS hierarchy don't seem to exist. It's hard to make a case as to why we should use the hierarchy any higher than the DC level.

    Tuesday, April 18, 2017 1:20 PM
  • The best case I have found is pointing all the forest root DCs to NTP. This can be done through a GPO. The point is, in case of PDC transfer/seizure, any new PDC will have the NTP configuration and can still enforce the domain hierarchy.
    Tuesday, April 18, 2017 7:39 PM
  • Here is an interesting thought... What about pointing all DCs, via NTP, to the PDCe with a 0x8 tag... and then supplying the two external NTP servers with 0x2 tags...

    Would that not be the best of both worlds? Centralized timing on the PDCe with failover redundancy of external NTP sources?

    Wednesday, April 19, 2017 3:54 PM
  • That would be 0xa on the tag for the failovers though... right?

    Thursday, April 20, 2017 5:29 PM
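    The flag arithmetic from the last two posts, as an added example that is not from the thread: a small Python helper that decodes a W32Time manual peer list, flags a fallback peer tagged 0x2 without the Client bit (the 0xa correction above), and builds the matching w32tm command line. Hostnames are constructed placeholders; the flag bit meanings are the documented NtpServer peer flags.

```python
# Decode and validate a W32Time manual peer list such as
#   "pdce.corp.example,0x8 ntp1.example.net,0xa ntp2.example.net,0xa"
# Flag bits (documented W32Time NtpServer peer flags):
#   0x1 UseSpecialPollInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client
# Hostnames below are constructed placeholders, not real servers.
from dataclasses import dataclass

FLAG_NAMES = {0x1: "UseSpecialPollInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}
FALLBACK, CLIENT = 0x2, 0x8


@dataclass
class Peer:
    host: str
    flags: int

    def names(self):
        """Human-readable list of the flag bits set on this peer."""
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]


def parse_peer_list(peer_list: str):
    """Split the space-separated 'host,0xN' list that w32tm expects."""
    peers = []
    for item in peer_list.split():
        host, _, flag = item.partition(",")
        flags = int(flag, 16) if flag else 0          # int() accepts the 0x prefix
        if flags & ~0xF:
            raise ValueError(f"unknown flag bits in {item!r}")
        peers.append(Peer(host, flags))
    return peers


def check_peer_list(peers):
    """Warn about the tagging mistakes the thread discusses."""
    warnings = []
    for p in peers:
        if p.flags & FALLBACK and not p.flags & CLIENT:
            warnings.append(f"{p.host}: 0x2 alone lacks the Client bit; fallback peers should be 0xa")
    if not any(p.flags & CLIENT and not p.flags & FALLBACK for p in peers):
        warnings.append("no primary (non-fallback) client peer: every source is fallback-only")
    return warnings


def build_config_command(peers, reliable=False):
    """Render the w32tm /config line for this peer list (reliable=True for the PDCe)."""
    peer_str = " ".join(f"{p.host},0x{p.flags:x}" for p in peers)
    cmd = f'w32tm /config /manualpeerlist:"{peer_str}" /syncfromflags:manual'
    if reliable:
        cmd += " /reliable:yes"
    return cmd + " /update"
```

    Run `check_peer_list` on the proposed "0x8 + 0x2" list and it reports the two 0x2 peers; retag them 0xa and it returns no warnings.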
  • I have seen both setups in place. Both will work as they should. The most important thing, no matter which sync topology you use, is to keep the time sync working, as if there is a gap of 5 mins or higher, you will experience Kerberos failures.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Sunday, April 23, 2017 12:31 AM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy



    Thursday, May 4, 2017 9:16 AM
    Moderator