ntp wiki page


ntp wiki page

Samba - General mailing list
Hi,

Further to the time sync wiki page:
  https://wiki.samba.org/index.php/Time_Synchronisation
I have some questions/remarks.

What I gather from the page above: without any configuration, the
windows domain members will use the DC with the PDC Emulator fsmo role
as a time source.

So, as a minimum, you *have* to configure the DC with the PDC Emulator
role as a time source (config according to the wiki page) and your
clients will sync with it.

Doing this is mandatory.

And your other two options are:

1) configure (and enable) the default settings with a GPO, in which case
windows will sync with time.windows.com,0x9

or

2) use your own DCs as time source, in which case some DCs (or all of
them) have to be configured according to the aforementioned page.

If you choose this option 2, it might be a good idea to include in the
wiki page that it is possible to use MULTIPLE DCs as time source, and
you need to space-separate them.

Alternatively, perhaps it is clever to use the samba domain dns name, as
that should also give you all DCs, and thus redundancy..?

(and these last details are not on the page, so if they are good ideas,
perhaps they can be added?)

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
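The GPO value the post describes is a single string: one entry per time source, each entry a host name followed by a comma and a hex flag word (the post's `time.windows.com,0x9`), with several DCs separated by spaces. Below is a small parser and builder for that format, added here as an example; it is not code from the Samba wiki page or from the poster. It assumes Microsoft's documented NtpServer syntax and flag bits (0x1 SpecialInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client), and the host names in it are constructed for the example.

```python
"""Parse and build the w32time NtpServer value that the GPO sets.

Assumed format (Microsoft's documented NtpServer syntax): '<host>,0x<flags>',
one entry per time source, entries separated by spaces. Host names used
below are constructed for this example.
"""
from dataclasses import dataclass

# Per-peer flag bits carried in the ',0x..' suffix of each entry.
FLAG_SPECIAL_INTERVAL = 0x1   # poll at the fixed SpecialPollInterval
FLAG_FALLBACK_ONLY = 0x2      # use this source only when no other source answers
FLAG_SYMMETRIC_ACTIVE = 0x4   # symmetric-active association instead of client mode
FLAG_CLIENT = 0x8             # ordinary client mode (the usual choice)

FLAG_NAMES = {
    FLAG_SPECIAL_INTERVAL: "SpecialInterval",
    FLAG_FALLBACK_ONLY: "UseAsFallbackOnly",
    FLAG_SYMMETRIC_ACTIVE: "SymmetricActive",
    FLAG_CLIENT: "Client",
}
KNOWN_FLAGS = sum(FLAG_NAMES)   # 0xF: every bit w32time understands


@dataclass(frozen=True)
class NtpPeer:
    host: str
    flags: int

    def flag_names(self) -> list[str]:
        return [name for bit, name in sorted(FLAG_NAMES.items()) if self.flags & bit]


def parse_ntp_server_value(value: str) -> list[NtpPeer]:
    """Split a space-separated NtpServer value into peers with decoded flags.

    Raises ValueError for an empty host, a dangling comma, or flag bits that
    w32time does not define: a typo such as 0x10 would otherwise be pushed
    out by the GPO and silently misconfigure every client.
    """
    peers = []
    for entry in value.split():
        host, sep, flag_text = entry.partition(",")
        if not host:
            raise ValueError(f"missing host name in entry {entry!r}")
        if sep and not flag_text:
            raise ValueError(f"dangling comma in entry {entry!r}")
        flags = int(flag_text, 16) if sep else 0
        unknown = flags & ~KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown flag bits 0x{unknown:x} in entry {entry!r}")
        peers.append(NtpPeer(host, flags))
    return peers


def build_ntp_server_value(hosts, flags: int = FLAG_CLIENT | FLAG_SPECIAL_INTERVAL) -> str:
    """Join several DCs into one value; each DC is its own entry with the same flags."""
    hosts = list(hosts)
    if not hosts:
        raise ValueError("at least one time source is required")
    return " ".join(f"{host},0x{flags:x}" for host in hosts)


def split_by_priority(peers):
    """Separate the sources w32time uses normally from the fallback-only ones."""
    primary = [p for p in peers if not p.flags & FLAG_FALLBACK_ONLY]
    fallback = [p for p in peers if p.flags & FLAG_FALLBACK_ONLY]
    return primary, fallback


if __name__ == "__main__":
    # Two DCs as regular sources, a public server only as fallback (constructed names).
    value = build_ntp_server_value(
        ["dc1.samdom.example.com", "dc2.samdom.example.com"]
    ) + " time.windows.com,0xa"
    for peer in parse_ntp_server_value(value):
        print(peer.host, peer.flag_names())
```

Rejecting unknown flag bits at build time is the useful part: the GPO is applied to every domain member, so a malformed entry is a fleet-wide misconfiguration rather than a one-host mistake.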

Re: ntp wiki page

Samba - General mailing list
Hi,

On 02.11.2017 at 15:21, mj via samba wrote:
> So, as a minimum, you *have* to configure the DC with the PDC Emulator
> role as a time source (config according to the wiki page) and your
> clients will sync with it.
>
> Doing this is mandatory.

The domain works without a time source. However, it is recommended that
all DCs and domain members synchronize their time. If the time of your
DCs/servers/clients differs by more than 5 minutes, access is denied. For
details, search for Kerberos + replay attack.



> And your other two options are:
>
> 1) configure (and enable) the default settings with a GPO, in which case
> windows will sync with time.windows.com,0x9
> or
>
> 2) use your own DCs as time source, in which case some DCs (or all of
> them) have to be configured according to the aforementioned page.

You can use any NTP server even without signing. You just need to append
the right flags to the NTP server name in the GPO.



> If you choose this option 2, it might be a good idea to include in the
> wiki page that it is possible to use MULTIPLE DCs as time source, and
> you need to space-separate them.

I added the information.



> Alternatively, perhaps it is clever to use the samba domain dns name, as
> that should also give you all DCs, and thus redundancy..?

I think this should not be recommended. Not all DCs may have an NTP
service configured.

If I am correct, then Windows tries the first entry of the list, then
the second, ... However, if you set the domain name, then this is only
one entry. Windows clients would only try the first IP that is returned.
If this fails, the NTP client won't try others in this round, because
there is only one entry (even if it resolves to multiple IPs).

Anyway, this is an advanced usage and users who are interested in more
details should look at the MS documentation. In our docs, we should
focus on our software, and not document other companies' software in
detail. :-)


Regards,
Marc

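The 5-minute limit Marc refers to is the Kerberos clock-skew tolerance: a client whose clock is further than that from the DC has its tickets rejected. The example below, added here and not code from the Samba project or the wiki, shows how an NTP client derives its offset from a server reply and how that offset compares with the tolerance. It assumes the SNTP offset formula from RFC 4330 and the usual 300 s default; the reply packet is constructed in the code rather than captured from a real DC, so the whole thing runs offline.

```python
"""Compute an NTP clock offset from a server reply and check it against the
Kerberos clock-skew tolerance (assumed 5 minutes, the common default)."""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds between 1900-01-01 (NTP era 0) and 1970-01-01
KERBEROS_MAX_SKEW = 300.0          # assumed default Kerberos tolerance: 5 minutes


def unix_to_ntp(t: float) -> tuple[int, int]:
    """Unix time (float) -> (NTP seconds, 32-bit fraction)."""
    seconds = int(t)
    return seconds + NTP_EPOCH_OFFSET, int((t - seconds) * 2**32)


def ntp_to_unix(seconds: int, fraction: int) -> float:
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def make_sample_response(originate: float, receive: float, transmit: float) -> bytes:
    """Constructed 48-byte SNTP server reply (mode 4, stratum 2) standing in for a
    real DC answer; the timestamps are whatever the caller passes in."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4           # LI=0, version 4, mode 4 = server
    header = bytes([li_vn_mode, 2, 6, 0xEC])        # stratum 2, poll 2^6 s, precision -20
    body = struct.pack("!3I", 0, 0, 0)              # root delay, root dispersion, reference id (zeroed)
    reference = struct.pack("!2I", *unix_to_ntp(receive - 30.0))   # last clock update
    stamps = b"".join(struct.pack("!2I", *unix_to_ntp(t))
                      for t in (originate, receive, transmit))
    return header + body + reference + stamps


def parse_ntp_response(packet: bytes) -> dict:
    """Decode the fields a client needs: stratum, receive (T2) and transmit (T3) time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    stratum = packet[1]
    if stratum == 0:
        # Kiss-o'-Death: the server is unsynchronised or refusing; never take its time
        raise ValueError("stratum 0 reply; server is unsynchronised")
    words = struct.unpack("!12I", packet[:48])
    return {
        "stratum": stratum,
        "receive": ntp_to_unix(words[8], words[9]),     # T2: server got the request
        "transmit": ntp_to_unix(words[10], words[11]),  # T3: server sent the reply
    }


def clock_offset(t1, t2, t3, t4) -> float:
    """RFC 4330 offset: positive means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2


def round_trip_delay(t1, t2, t3, t4) -> float:
    return (t4 - t1) - (t3 - t2)


def kerberos_skew_ok(offset_seconds: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    return abs(offset_seconds) <= max_skew


def evaluate_exchange(t1: float, packet: bytes, t4: float) -> dict:
    """t1/t4 are the client's send/receive times; T2/T3 come from the reply packet."""
    reply = parse_ntp_response(packet)
    t2, t3 = reply["receive"], reply["transmit"]
    offset = clock_offset(t1, t2, t3, t4)
    return {
        "stratum": reply["stratum"],
        "offset": offset,
        "delay": round_trip_delay(t1, t2, t3, t4),
        "kerberos_ok": kerberos_skew_ok(offset),
    }


def demo() -> dict:
    # Constructed scenario: the DC's clock is 400 s ahead of this client, the
    # one-way network delay is 50 ms and the server spends 10 ms on the request.
    t1 = 1_509_632_460.0                    # client sends its request
    skew = 400.0
    packet = make_sample_response(t1, t1 + skew + 0.05, t1 + skew + 0.06)
    t4 = t1 + 0.11                          # client receives the reply
    return evaluate_exchange(t1, packet, t4)


if __name__ == "__main__":
    result = demo()
    print(f"offset {result['offset']:+.3f} s, delay {result['delay']:.3f} s, "
          f"within Kerberos tolerance: {result['kerberos_ok']}")
```

The offset formula cancels a symmetric network delay, which is why the constructed 50 ms each way disappears and only the 400 s skew remains; that skew is what Kerberos sees, and it is well outside the tolerance, so a client in this state would be refused service until it resyncs.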