I like having a centralized time source for my clients. In a Windows-based domain, 99.9999999% of the time you will configure your domain controller(s) as the NTP server.
In other words, your time source for everything in your network/domain.
And this is how you do it...
First, you need to enable the server to act as the NTP server. By default this is disabled, for good reason.
- Start up PowerShell as an administrator
- Enter the following commands in order:
- Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer" -Name "Enabled" -Value 1
- Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Config" -Name "AnnounceFlags" -Value 5
- Restart-Service w32Time
The second command sets the registry key so that the server will receive its time source externally; by default this is time.windows.com.
If you prefer to use a different time source, this is possible by using the following command:
w32tm /config /manualpeerlist:"0.nl.pool.ntp.org,0x1 1.nl.pool.ntp.org,0x1 2.nl.pool.ntp.org,0x1 3.nl.pool.ntp.org,0x1"
The example uses the pool from https://www.pool.ntp.org but feel free to use anything.
Your server is now an NTP server. Do this for every server that needs to be an NTP server.
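To confirm that the steps above took effect, here is a verification script. It is an added example, not part of the original post, and the function name Test-NtpServerConfig is hypothetical. It assumes an elevated session on the server, Windows PowerShell 5 or later, and the NetTCPIP module that ships with current Windows Server versions.

```powershell
# Added verification example (not from the original post).
# Run in an elevated PowerShell session on the server configured above.
function Test-NtpServerConfig {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

    # Values written by the two Set-ItemProperty commands
    $enabled  = Get-ItemPropertyValue -Path "$base\TimeProviders\NtpServer" -Name 'Enabled'
    $announce = Get-ItemPropertyValue -Path "$base\Config" -Name 'AnnounceFlags'

    # The service must be running for the registry changes to matter
    $service = Get-Service -Name 'W32Time'

    # An NTP server listens on UDP 123; no endpoint means nothing answers clients
    $listener = Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NtpServerEnabled = ($enabled -eq 1)
        AnnounceFlags    = $announce
        AnnounceFlagsOk  = ($announce -eq 5)
        ServiceRunning   = ($service.Status -eq 'Running')
        ListeningUdp123  = [bool]$listener
    }
}

$result = Test-NtpServerConfig
$result | Format-List

# Show where this server gets its own time and how the last sync went
w32tm /query /source
w32tm /query /status

# Ask the local NTP server for three samples, the way a client would
w32tm /stripchart /computer:localhost /samples:3 /dataonly

if (-not ($result.NtpServerEnabled -and $result.ServiceRunning -and $result.ListeningUdp123)) {
    Write-Warning 'NTP server is not fully enabled; re-check the registry values and restart W32Time.'
}
```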
Now for the next part, how do you make sure clients use your NTP server as the centralized time server?
There are several ways to do this depending on the hardware/software.
Windows Clients:
By default, clients already get the time from Active Directory servers within the domain.
However, you can override this if needed by using a GPO.
You can find the setting under Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers > Configure Windows NTP Client
Make sure the settings are set as follows:
- NtpServer = (name of your time server),0x9 (for example AD01.mydomain.com,0x9)
- Type = NT5DS
You want it at NT5DS because this setting makes sure Windows clients sync the time according to the domain hierarchy.
Setting this to NTP allows you to bypass the domain controllers and use external sources.
AllSync is just that: it uses ALL available options.
NoSync doesn't mean it will never get the time at all from anywhere; it means the time will be synchronized with the CMOS clock.
Non-Windows clients:
For things like mobile devices, you probably depend on DHCP to give out IP addresses.
Using a DHCP server, you can leverage option 042 NTP Server to make sure even non-Windows clients that can't use GPOs get the time from your domain controllers!
Static IP non-Windows clients:
In my case these are mostly Linux-based servers. To check if NTP is enabled on the server, use the command:
timedatectl status
To configure the NTP server sync, use the following command:
sudo nano /etc/systemd/timesyncd.conf
In the text file, append the following line under [Time]:
NTP=AD01.mydomain.com AD02.mydomain.com
If NTP was not enabled, enable it using:
timedatectl set-ntp true
Check the status again to see if everything is running correctly.