Hello, If i have 3 Domain Controller (DC), is all three DC will act as NTP server? Is the DC will act as NTP client also to sync the time to NTP pool, or the DC will sync the time from RTC from the mainboard?

Hello Handian Sudianto , Thank you for posting in Q&A forum. In a typical Active Directory environment, the time synchronization hierarchy works as follows: Primary Domain Controller Emulator (PDC Emulator) FSMO Role: One of your Domain Controllers (DCs) will hold the Primary Domain Controller (PDC) Emulator Flexible Single Master Operations (FSMO) role. By default, this DC will act as the authoritative time server for the entire domain. This DC should be configured to synchronize time with an external NTP server, such as those available in the NTP pool. Other Domain Controllers: The other DCs will synchronize their time with the PDC Emulator. Clients and Member Servers: All other machines in the domain will synchronize their time with any available DC, typically the one they authenticate against. So, to answer your questions: Will all three DCs act as NTP servers? Yes, all Domain Controllers in an Active Directory domain can act as NTP servers for the domain clients. Will the DC also act as an NTP client to sync time with an NTP pool, or will it sync time from the RTC of the mainboard? The DC holding the PDC Emulator role should be configured to sync time with an external NTP server from an NTP pool. Other DCs will sync their time from the PDC Emulator, which prevents relying solely on the less accurate Real-Time Clock (RTC) of the mainboard. I hope the information above is helpful. Best Regards, Yanhong Liu ============================================ If the Answer is helpful, please click " Accept Answer " and upvote it.

Active Directory NTP - Microsoft Q&A

Accepted answer

Yanhong Liu 11,320 Reputation points Microsoft Vendor

2024-08-22T03:14:01.6333333+00:00
Hello Handian Sudianto ,

Thank you for posting in Q&A forum.

In a typical Active Directory environment, the time synchronization hierarchy works as follows:

Primary Domain Controller Emulator (PDC Emulator) FSMO Role: One of your Domain Controllers (DCs) will hold the Primary Domain Controller (PDC) Emulator Flexible Single Master Operations (FSMO) role. By default, this DC will act as the authoritative time server for the entire domain. This DC should be configured to synchronize time with an external NTP server, such as those available in the NTP pool.

Other Domain Controllers: The other DCs will synchronize their time with the PDC Emulator.

Clients and Member Servers: All other machines in the domain will synchronize their time with any available DC, typically the one they authenticate against.

So, to answer your questions:

Will all three DCs act as NTP servers?

Yes, all Domain Controllers in an Active Directory domain can act as NTP servers for the domain clients.

Will the DC also act as an NTP client to sync time with an NTP pool, or will it sync time from the RTC of the mainboard?

The DC holding the PDC Emulator role should be configured to sync time with an external NTP server from an NTP pool. Other DCs will sync their time from the PDC Emulator, which prevents relying solely on the less accurate Real-Time Clock (RTC) of the mainboard.

I hope the information above is helpful.

Best Regards,

Yanhong Liu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Please sign in to rate this answer.

1 person found this answer helpful.
Handian Sudianto 5,121 Reputation points

2024-08-22T03:29:07.3566667+00:00

Hi

All right, so all DC will act as NTP server and PDC have additional role as Time authoritative. Am i right?

What default external NTP pool for PDC and also how we can change this?

Yanhong Liu 11,320 Reputation points Microsoft Vendor

2024-08-22T06:20:03.2966667+00:00

Hi,

Yes, in a Windows domain environment, every Domain Controller (DC) function as an NTP server for its clients within the domain. The Primary Domain Controller (PDC) Emulator has an additional responsibility of being the authoritative time source for the domain.

By default, the PDC emulator is not configured to synchronize with an external NTP source. You need to manually configure it to use an external NTP server or pool.

Here’s how you can change the NTP settings on your PDC Emulator:

Open Command Prompt with Administrative Privileges:

Click Start, type cmd, right-click Command Prompt, and select "Run as administrator."

Configure the NTP Settings:

Use the w32tm command to configure the time service. The following command sets the external NTP servers:

w32tm.exe /config /syncfromflags：manual /manualpeerlist：131.107.13.100,0x8 /reliable：yes /update

w32tm.exe /config /update

Note:The IP address in the example is a National Institute of Standards and Technology (NIST) time server at Microsoft in Redmond, Washington. Replace this IP address with the time service of your choice.

Restart the Windows Time Service:

To apply the changes, restart the Windows Time service with the following commands:

net stop w32time net start w32time

Confirm the Configuration:

You can verify the configuration and current status with the following command:

w32tm /query /configuration

For more details, please refer to: https://learn.microsoft.com/en-us/services-hub/unified/health/remediation-steps-ad/configure-the-root-pdc-with-an-authoritative-time-source-and-avoid-widespread-time-skew

If the Answer is helpful, please click "Accept Answer" and upvote it.

Handian Sudianto 5,121 Reputation points

2024-08-22T06:24:10.0766667+00:00

Hi..

By default, the PDC emulator is not configured to synchronize with an external NTP source. You need to manually configure it to use an external NTP server or pool.

That mean the PDC by default will get the time from local server it's self?

Yanhong Liu 11,320 Reputation points Microsoft Vendor

2024-08-22T06:29:55.3466667+00:00

Hi,

Yes, if the DC in the PDC Emulator role is not configured to synchronize time from an external NTP server, it will use its own clock as the time source.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Active Directory NTP

0 additional answers

Your answer