Recommended NTP sources for DCs


Mike Leone
Sep 29, 2025, 9:55:01 AM
to NTSysAdmin
Here's a question. We have a root-subdomain structure here. For the sub-domain, the DCs will get their time from the root PDC, right?

What is the recommendation for where the root PDC gets its time from? I thought it used to be us.pool.ntp.org, but there's some disagreement about that here. Some think we have to explicitly list a specific server (i.e., 0.us.pool.ntp.org).

Where do you set your DCs to get their time from?

Oh, and do you do it via a GPO specific setting? If so, how do you limit it to the PDC? Since that role can be moved around? Or am I just missing something blindingly simple?

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Kurt Buff
Sep 29, 2025, 10:15:00 AM
to ntsys...@googlegroups.com
If you have the option, use a GPS-based network time clock. The biggest obstacle for that is placement of an antenna, and a cheap and reliable node can be built using spare hardware or a Raspberry PI, though there are commercial units available with more features.

If that's not feasible, time.microsoft.com or USNO are both good sources, and there's nothing wrong with using us.pool.ntp.org.

"In most cases it's best to use pool.ntp.org to find an NTP server (or 0.pool.ntp.org, 1.pool.ntp.org, etc if you need multiple server names). The system will try finding the closest available servers for you."

But, as a caution, roughly 20 years ago, I ran into a bad server in the pool, which was emitting incorrect time, and it threw the clocks on the DC off by hours, which led to a very fun few hours while I figured it out, so that's always a risk when using a tier 2 (internet-based) time source.

Kurt


James Iversen
Sep 29, 2025, 10:16:49 AM
to ntsys...@googlegroups.com
Create some pointers in DNS (ntp1.your.domain.prv) and you can use your core switch as a time source. Other devices can also use it, as not all devices are getting matching orders from domhier. Set the source on your roots; trusted DCs should get their orders from the roots, passing on good time to clients.
Sent from my iPhone

On Sep 29, 2025, at 9:55 AM, Mike Leone <tur...@mike-leone.com> wrote:



Kurt Buff
Sep 29, 2025, 10:28:30 AM
to ntsys...@googlegroups.com
Where does the core switch get its time?

Kurt

Mike Leone
Sep 29, 2025, 10:36:24 AM
to ntsys...@googlegroups.com
On Mon, Sep 29, 2025 at 10:28 AM Kurt Buff <kurt...@gmail.com> wrote:
> Where does the core switch get its time?

Beats me, I ain't the network guy for that. LOL I'll ask ...

We're in the process of replacing DCs, so I plan on setting the root PDC NTP to


I'm just not sure how to know (be alerted to remember) to set the same, if the PDC moves from its current home to the other DC (we will have 2 - 1 for each site).

The rest of the domain(s) can get it from the root PDC.

 

Kurt Buff
Sep 29, 2025, 10:42:38 AM
to ntsys...@googlegroups.com

Mike Leone
Sep 29, 2025, 10:45:24 AM
to ntsys...@googlegroups.com
On Mon, Sep 29, 2025 at 10:42 AM Kurt Buff <kurt...@gmail.com> wrote:
> Use a GPO with a WMI filter to ensure the PDCe gets set up correctly:

AH HA! That's the part I didn't know you could do:

WMI query in the root\CIMv2 namespace: Select * from Win32_ComputerSystem where DomainRole = 5

So if I do that, and link it specifically to my Domain controller container, then it should get set as needed ....
 

Kurt Buff
Sep 29, 2025, 10:48:15 AM
to ntsys...@googlegroups.com
Yes - that's exactly what I have done.

Kurt
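As an added example that nobody in this thread posted, here is a PowerShell version of the same DomainRole = 5 test, so the PDCe-only w32tm configuration follows the role if it moves between the two DCs, plus a per-peer offset check for the bad-pool-server case Kurt describes above. The peer names are the pool hosts from the thread; the w32tm flag choices, the 1-second alert threshold and the decision to reset non-PDCe DCs to domhier are my assumptions, not anything the posters recommended.

```powershell
# Added example, not code from the thread. Applies the same test the GPO WMI
# filter uses (Win32_ComputerSystem.DomainRole = 5 means PDC emulator) from a
# script, so the right w32tm configuration follows the role wherever it moves.
# Run elevated on a domain controller. Peer hosts are the pool names discussed
# in the thread; the 1.0 s alert threshold is an assumed value.
$ExternalPeers    = @('0.us.pool.ntp.org', '1.us.pool.ntp.org', '2.us.pool.ntp.org', '3.us.pool.ntp.org')
$MaxOffsetSeconds = 1.0

function Get-DomainRole {
    # 4 = backup domain controller, 5 = primary domain controller (PDC emulator)
    (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
}

function Set-PdceTimeSource {
    param([string[]]$Peers)
    # ',0x8' marks each peer as client mode; several independent peers let w32tm
    # outvote a single server that is handing out wrong time.
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update | Out-Null
    Restart-Service -Name w32time
    w32tm /resync /nowait | Out-Null
}

function Set-DomainHierarchyTimeSource {
    # Any DC that is not the PDCe follows the domain hierarchy, which ends at the
    # PDCe. This also undoes a stale manual/reliable setting after a role transfer.
    w32tm /config /syncfromflags:domhier /reliable:no /update | Out-Null
    Restart-Service -Name w32time
    w32tm /resync /nowait | Out-Null
}

function Test-PeerOffsets {
    param([string[]]$Peers, [double]$Threshold)
    # Measure the offset to each peer separately with w32tm /stripchart. A peer
    # whose offset disagrees with the rest by more than the threshold is the
    # 'bad server in the pool' case from the thread and is worth alerting on
    # before the service is pointed at it.
    foreach ($peer in $Peers) {
        $lines = w32tm /stripchart /computer:$peer /samples:3 /dataonly 2>&1
        # /dataonly rows look like "10:15:00, +00.0123456s"
        $offsets = foreach ($line in $lines) {
            if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
        }
        $avg = if ($offsets) { ($offsets | Measure-Object -Average).Average } else { $null }
        if ($null -eq $avg) {
            Write-Warning "${peer}: no reply (unreachable, or UDP/123 blocked)"
        } elseif ([math]::Abs($avg) -gt $Threshold) {
            Write-Warning "${peer}: offset ${avg}s exceeds ${Threshold}s, do not trust it blindly"
        }
        [pscustomobject]@{ Peer = $peer; OffsetSeconds = $avg }
    }
}

if ((Get-DomainRole) -eq 5) {
    Test-PeerOffsets -Peers $ExternalPeers -Threshold $MaxOffsetSeconds | Format-Table -AutoSize
    Set-PdceTimeSource -Peers $ExternalPeers
} else {
    Set-DomainHierarchyTimeSource
}

# Verify what the service actually picked up.
w32tm /query /source
w32tm /query /status
```

A GPO with the WMI filter linked to the Domain Controllers OU, as Kurt describes, remains the hands-off way to do this; the script is useful as a scheduled task on both DCs (each run re-evaluates the role) or as a one-off check that the PDCe is really polling the peers you think it is.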

Philip Elder
Sep 29, 2025, 11:56:27 AM
to ntsys...@googlegroups.com

We use all of the geographically located NTP.Org servers for the PDCe to poll.

This is the method we use for all managed domains:

https://blog.mpecsinc.ca/2014/09/hyper-v-vm-set-up-pdce-ntp-time-server.html

No Group Policy required.

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

James Iversen
Sep 29, 2025, 12:08:41 PM
to ntsys...@googlegroups.com
Our network team says they point the core switch to the HSRP, which in turn gets it from time2.google.com. A lot of hoops to jump through, but it's all sorted after several years of finagling.
Sent from my iPhone

On Sep 29, 2025, at 11:56 AM, Philip Elder <Phili...@mpecsinc.ca> wrote:

