
Are there any methods I could use to provide auto-discovery for NTP? I recently moved to a new job that has a parent company that recently started providing Active Directory. I've been implementing SSSD & other stuff authenticating against AD and setting up NTP. However, they have a large number of Active Directory servers (I have to point directly at the servers) and they can sometimes change.

Is there any method such as LDAP discovery or multicast, like ActiveMQ and other applications have, that I can set up? If not, any suggestions besides trying to get the parent company to maintain a better list of servers and what domains they function for?

Thanks!

  • I don't understand this question. Are you asking how to make all domain member servers able to discover and use the same NTP server as AD? That is built in. If your AD environment wasn't customized in this regard, all member servers by default sync time from one of the DCs, which in turn sync from the domain PDC -> forest PDC -> external NTP. You only need to set up manual NTP once on the root domain PDC, and all others will follow in the hierarchy. No DHCP options required. – strongline Nov 17 '17 at 19:24
  • The recommended solution by Premier Field Engineering is to use Group Policy. You can read about how to do it here. I'd note that you need to validate it before you simply trust that it's working. Ensure communication of NTP from your root pdce and so on as suggested above. https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/ – Kyp Nov 18 '17 at 05:55
  • sssd and ntpd imply Linux or other non-Windows NTP clients. The operating system of the clients should be added to the question. – John Mahowald Nov 18 '17 at 14:47
  • Just the AD FQDN as the NTP-Server. Every DC is a (S)NTP, usually. – bjoster Dec 01 '17 at 13:50

1 Answer


You can specify an NTP server via DHCP, or Group Policy, or DNS SRV records.

DHCP: [screenshot: dhcp]

GPO: [screenshot: gpo]

SRV Record: [screenshot: srv record]

If your client is unable to leverage any of those mechanisms... you can also pretty safely assume that all Active Directory domain controllers are also NTP servers. Which means that you should be able to find one simply by resolving the name of the domain itself, e.g. company.com or ad.company.com and you'll likely hit an NTP server, without the need to specify individual hostnames.

Ryan Ries
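As an added illustration of the answer's DNS-based options (not code from the original answer or its author), the script below turns `_ntp._udp.<domain>` SRV answers into an ordered server list and renders chrony `server` directives from it, falling back to the bare domain name when no SRV records exist, since the domain name resolves to the DCs and each DC serves NTP. The SRV input format (the `priority weight port target.` lines that `dig +short SRV` prints) and the sample records are assumptions of this example; the hostnames are constructed.

```python
"""Build an NTP client configuration from AD DNS discovery.

Added example, not part of the original Server Fault answer. Assumes SRV
answers arrive as `dig +short SRV _ntp._udp.<domain>` prints them:
    priority weight port target.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class NtpServer:
    host: str
    port: int
    priority: int
    weight: int


def parse_srv_answers(lines):
    """Parse dig-style SRV lines into NtpServer records, ordered the way a
    client should try them: lowest priority first, then highest weight first
    within the same priority (RFC 2782 ordering, simplified to a sort)."""
    servers = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than failing
        prio, weight, port, target = parts
        servers.append(NtpServer(target.rstrip("."), int(port), int(prio), int(weight)))
    return sorted(servers, key=lambda s: (s.priority, -s.weight))


def query_srv_with_dig(domain):
    """Live lookup through the dig CLI; not used by the offline demo below."""
    result = subprocess.run(
        ["dig", "+short", "SRV", f"_ntp._udp.{domain}"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.splitlines()


def discover_ntp_servers(domain, srv_lines):
    """Return the ordered NTP server list for the domain.

    With no SRV answers, fall back to the domain name itself as the answer
    suggests: it resolves to the domain controllers, which all serve NTP."""
    servers = parse_srv_answers(srv_lines)
    if not servers:
        servers = [NtpServer(domain, 123, 0, 0)]
    return servers


def render_chrony_conf(servers):
    """Emit one chrony `server` directive per discovered host. `iburst`
    speeds the initial sync; a non-default port is passed with `port`."""
    lines = []
    for s in servers:
        directive = f"server {s.host} iburst"
        if s.port != 123:
            directive += f" port {s.port}"
        lines.append(directive)
    return "\n".join(lines) + "\n"


# Constructed sample SRV answers for a hypothetical domain ad.example.com.
SAMPLE_SRV = [
    "10 60 123 dc2.ad.example.com.",
    "10 40 123 dc1.ad.example.com.",
    "20 0 123 dc3.ad.example.com.",
]

if __name__ == "__main__":
    found = discover_ntp_servers("ad.example.com", SAMPLE_SRV)
    print(render_chrony_conf(found), end="")
    # With no SRV records the fallback is the domain name itself:
    print(render_chrony_conf(discover_ntp_servers("ad.example.com", [])), end="")
```

Whatever mechanism hands out the servers, confirm the client actually synchronised afterwards (for example with `chronyc sources`) rather than trusting the configuration alone, as the comments above recommend.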