Primary Domain Controller as NTP server with no connection to external WAN

Question
Here's the background: Creating a new sandbox environment that is HIGHLY SECURE (No connection whatsoever to the outside network)
Windows Server (GUI) 2012 R2 virtual machine (VMware, not Hyper-V, don't think it matters though?)
Small environment, so domain controller, DNS and DHCP all in one..
So the issue at hand is, this primary DC needs to also act as the NTP server for the entire environment..
Now, since there is no connection to the outside world, I cannot sync the time with a time server such as time.windows.com or pool.ntp.org so I need to manually configure the time on DC1 and then let all other member computers sync their time with mine so we have consistent time throughout the network even though it might be off in respect to real-time.
Sounds easy enough, but as my username suggests, I'm a total noob, so how do I do it??
Some Microsoft articles (like this one: https://support.microsoft.com/en-us/kb/816042 ) suggest that in order to configure the internal clock as the source for our NTP server on the domain controller requires changes to the registry. I would honestly hope that a server as advanced as 2012 R2 should be able to make something like this happen without needing to get into regedit.
Also, in the article above, will it work if my DC is a VM or is it only regarding physical machines?
And once I accomplish this task, the question of domain member client computers pops up... the following thoughts come to mind:
- Will I need to go into every single member computer and manually point it to my DC to tell it that it's also the NTP?
- What about new servers that I join to the domain?
- Is there perhaps a GPO I can create in order to do this for me? And if so, how? (GPO Noob too =P )
Thank you so much for helping out a young Windows apprentice be able to perform his job and not get fired! =)
Regards,
knowNoob
- Moved by Just Karl Monday, August 29, 2016 4:56 PM Looking for the correct forum.
Friday, August 26, 2016 2:21 PM
Answers
Here is a great article on the Windows time service architecture
If your DC (the DC that holds the PDC FSMO role) cannot synchronize its time with an external source, you will have to follow the steps provided in the article you mentioned (https://support.microsoft.com/en-us/kb/816042), under the section "To configure the PDC master without using an external time source".
But, if the DC cannot sync its time with an external time source, the DC will log warning and error events in the system event log.
For other domain members, there will be no issue and you don't have to modify anything.
In the registry of the computer, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters, there is a REG_SZ entry called Type.
When you join a domain, the value should be set to NT5DS, which means that the computer will contact any DC in the domain (see KB816042 under Domain Hierarchy-Based Synchronization).
hth
This posting is provided AS IS without warranty of any kind
- Proposed as answer by Just Karl Monday, August 29, 2016 4:57 PM
- Marked as answer by Dave PatrickMVP Monday, September 5, 2016 2:04 AM
Friday, August 26, 2016 2:43 PM
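A quick way to check the state described in the answer above, as an added example (PowerShell, not code from the thread): it reads the W32Time registry values the answer names, asks w32tm for the current source, and flags the two cases that matter in an isolated network, the PDC emulator serving time from its own clock (expected here) and a member that is not following the domain hierarchy. It assumes it runs elevated on a Windows Server 2012 R2 domain member or DC.

```powershell
# Added verification script, not part of the original thread.
# Assumes an elevated session on a domain-joined Windows machine with w32tm.exe available.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$config = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
# Win32_ComputerSystem.DomainRole: 1 = member workstation, 3 = member server,
# 4 = backup DC, 5 = DC holding the PDC emulator role
$role   = (Get-CimInstance Win32_ComputerSystem).DomainRole

$source = (w32tm.exe /query /source) -join ''
$status = w32tm.exe /query /status

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    DomainRole    = $role
    Type          = $params.Type          # NT5DS = domain hierarchy, NTP = manual peer list, NoSync
    NtpServer     = $params.NtpServer     # only consulted when Type is NTP
    AnnounceFlags = $config.AnnounceFlags # controls whether this host advertises itself as a time server
    Source        = $source
} | Format-List

# Interpret the result for the air-gapped scenario in the question.
if ($role -eq 5) {
    if ($source -match 'Local CMOS Clock') {
        Write-Output 'PDC emulator is serving time from its own clock, as expected with no external source.'
    } else {
        Write-Warning "PDC emulator source is '$source'; in an isolated network this should be the local clock."
    }
} else {
    if ($params.Type -ne 'NT5DS') {
        Write-Warning "Type is '$($params.Type)'; domain members normally use NT5DS to follow the domain hierarchy."
    }
    if ($source -match 'Local CMOS Clock|Free-running') {
        Write-Warning 'This member is not syncing from a DC; check the System event log for W32Time events.'
    }
}

# The lines of w32tm /query /status worth keeping in a report
$status | Where-Object { $_ -match 'Source|Stratum|Last Successful Sync' }
```

Run it on the PDC emulator and on one member to confirm the member reports a DC as its source and a stratum one level below the PDC.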
Hello,
I'd ask in one of the Windows Server forums.
Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})
- Marked as answer by Dave PatrickMVP Monday, September 5, 2016 2:04 AM
Monday, August 29, 2016 4:57 PM
All replies
Hello,
The TechNet Sandbox forum is designed for users to try out the new forums functionality. Please be respectful of others, and do not expect replies to questions asked here. As it's off-topic here, I am moving the question to the Where is the forum for... forum.
Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book: Windows PowerShell 2.0 Bible
My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})
Monday, August 29, 2016 4:56 PM