NTP server migration to new DC

Question

I have stood up a Windows Server 2012 R2 server to act as a replacement Domain Controller for an old Windows 2008 server in an enclave domain I support. I'm taking my sweet time in demoting the old one because I want to minimize anything I might have missed, and one of the things I was asked about was whether the new server was ready to take over as the NTP server. Logging in to a couple of production servers in this domain and running "w32tm /query /source", sure enough they're still spitting back the old DC server name.

I figured it would be a quick and easy process to see where they're getting this information from and update it, but for the life of me I cannot find where they are getting their NTP source information from! I assumed it would be something in DNS, or a Role/Feature I needed to install, or maybe Group Policy, but everywhere I look I can't find where this setting is and I can't imagine it'd be as complicated to update as having to log in to every server and make a registry change?

I'm going to keep poking around on Google to see if I can suss this out, but in the meantime I figured I'd ask the smart kids in the class... how do I roll out a new NTP server for my domain and have all the clients recognize it as the new Source?

Answer 1

checked 3 different servers in our enclave domain, and each of them was pointing to a different DC

Assuming member servers that shouldn't be a problem.

Some general info

• All domain members should use NT5DS domain time.
• Desktops and member servers sync with any domain controller.
• Domain controllers sync with PDC emulator (one per domain)
• PDC emulator in child domain can sync with any domain controller in parent domain.
• PDC emulator in parent domain syncs with either a hardware clock or possibly an external source.
  https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 2

You can follow along here to transfer the PDC emulator
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds
https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-addirectoryserveroperationmasterrole?view=windowsserver2019-ps#example-1--move-a-pdc-emulator-to-a-domain-controller

then to configure the time source.

w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /manualpeerlist:<ntp ip address> /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
then check
w32tm /query /source
w32tm /query /configuration
https://tf.nist.gov/tf-cgi/servers.cgi

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 3

I have to update; I have randomly checked 3 different servers in our enclave domain, and each of them was pointing to a different DC as it's Source when I ran the command "w32tm /query /source". I logged out of each server and logged back in 3 times, and in all three cases each one consistently gave me the same Source it gave me the previous time... but each different from each other.

Basically in this domain we currently have 3 DC's up and running... DC01, DC02, and DC11. DC01 and DC02 are Win2008 servers and DC11 is a 2012 R2 server. For the three servers I checked, this is what they responded with for their time Source:
Server1 = DC11
Server2 = DC01
Server3 = DC02

I am just confused as to how each server determines what to use as a time Source and how that can be changed, or if it's even necessary to change it? If I just demote and remove DC01 like I want, will any server using that as a Source simply pivot over and start using one of the other DC's? I'm also confused that when I run "w32tm /query /configuration", it shows everything as being "Local", even the "NtpClient" value. I expected to at least see the Source listed in there somewhere.