
I've read this nice article from Gareth Hooper regarding Domain Controller syncing to external time sources. In essence, he wrote that although Microsoft don't actually condone the practice, it's a good idea to pre-configure all DCs (especially the ones that are most likely to get the PDC Emulator FSMO Role transferred to) to sync with an external time source and be marked as "Reliable".

Now, my question is:

We have one RODC in each branch location. If a locally reliable (external) time source is available for a branch, should I configure the RODC to sync to that time source? Or should I just cross my fingers and hope that time sync -- even if the WAN link to Head Office gets interrupted for a significant amount of time -- will somehow be maintained and/or restored with the DCs in Head Office?

pepoluan
  • I just read that article three times. Where does the author recommend having all of the DCs sync from an external time source? – MDMarra Apr 03 '14 at 04:16
  • @MDMarra it is implied in the paragraph beginning with "Yes you should.", and also implied by his answers on the question regarding DCs syncing to different time sources. He did not explicitly _recommend_ the practice, it's just my interpretation. He did, though, refer to other authors actually recommending such practice. – pepoluan Apr 03 '14 at 05:17
  • Sorry, I'm not seeing it. I think you're reading into something that isn't there. He even explicitly states that Microsoft doesn't recommend it. I'm not sure why you'd want to configure your environment in a way that Microsoft doesn't recommend/support, but to each their own. The "yes you should" line is in reference to whether or not you should configure a new PDCe for external time sync prior to transferring the role. That's very different than the main office/branch office scenario you're describing. – MDMarra Apr 03 '14 at 11:15
  • In fact, he even says `"3) Revert the original PDC Emulator back to using domain hierarchy for time synchronization using the following commands."` and he provides the w32tm command to reset the old PDCe so that it no longer uses the external time source. – MDMarra Apr 03 '14 at 11:20
  • @MDMarra perhaps you're right. But anyways, the author also doesn't see any problems having more than one Reliable Time Source, as long as they are synced to time sources that differ no more than 5 minutes. – pepoluan Apr 04 '14 at 11:05

1 Answer


My attitude would be that if you do decide, based on your own research and knowledge about your WAN link reliability, etc., to sync those RODCs with a reliable external time source, you would sync them to the SAME external NTP source that the PDC Emulator is currently using. This would help ensure that there aren't any discrepancies based on any external NTP issues since they'll be syncing from the same source.

TheCleaner
  • Hmm... after mulling over your answer, I think I'll just let the RODCs sync with the DCs at Head Office... just in case the time source at the branch offices goes haywire. Because the branch offices have no Internet connection of their own; all traffic must go through the Head Office. Thanks! Marking yours as the answer. – pepoluan Apr 01 '14 at 03:25
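
Whichever topology is chosen, it helps to measure how far each DC and RODC has drifted from the PDC Emulator and which time source each one is actually using. The script below is an added example, not part of the original question or answer; the 60-second warning threshold is an assumption, and it assumes the ActiveDirectory module is installed and that NTP (UDP/123) and remote `w32tm /query` access to every DC are available from the machine running it.

```powershell
# Added example: audit time source and clock offset of every DC/RODC against the PDC Emulator.
Import-Module ActiveDirectory

$WarnSeconds = 60    # assumed alert threshold, well inside the tolerance
$MaxSeconds  = 300   # the 5-minute limit mentioned in the comments above

function Get-ClockOffset([string]$Computer) {
    # "w32tm /stripchart /dataonly" prints sample lines such as "12:00:01, +00.0123456s".
    # The offset is relative to the machine running this script.
    $samples = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1 |
        ForEach-Object { if ("$_" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } }
    if ($null -eq $samples) { return $null }   # unreachable, or NTP blocked on the path
    ($samples | Measure-Object -Average).Average
}

function Get-TimeSource([string]$Computer) {
    # Returns the source the Windows Time service on $Computer is currently using.
    "$(& w32tm /query /source /computer:$Computer 2>&1 | Select-Object -First 1)".Trim()
}

$pdc       = (Get-ADDomain).PDCEmulator
$pdcOffset = Get-ClockOffset $pdc
$pdcSource = Get-TimeSource  $pdc

Get-ADDomainController -Filter * | ForEach-Object {
    $offset = Get-ClockOffset $_.HostName
    $source = Get-TimeSource  $_.HostName

    # Subtracting the PDCe's offset cancels out the local machine's own clock error.
    $delta = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Abs($offset - $pdcOffset) }

    $status = if ($null -eq $delta) { 'UNREACHABLE' }
        elseif ($delta -ge $MaxSeconds)  { 'CRITICAL' }
        elseif ($delta -ge $WarnSeconds) { 'WARN' }
        else { 'OK' }

    [pscustomobject]@{
        DC               = $_.HostName
        ReadOnly         = $_.IsReadOnly
        Source           = $source
        SameSourceAsPDCe = ($source -eq $pdcSource)
        OffsetVsPDCeSec  = if ($null -ne $delta) { [math]::Round($delta, 3) }
        Status           = $status
    }
} | Format-Table -AutoSize
```

A DC that follows the domain hierarchy will list another DC as its source, so `SameSourceAsPDCe` is only expected to be true for DCs deliberately pointed at the PDC Emulator's external source.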