We have a Linux server that we would like to sync with our domain controllers.

When it syncs with our Primary Domain Controller everything works fine; however, if we set the Linux box to sync time with our 2nd Domain Controller, then it doesn’t resolve the time.

Are we doing something wrong?

3 Spice ups

Time server not configured properly on the second DC?

Short answer: you should not sync time with different time servers.

Your servers should all have the same time (check and make sure). If you have servers A and B running a time service, they must both use the same time authority so that their time is the same. You would only use the secondary time server when the primary server is not available. That said, check these things first:

  1. time service running on DC 2

  2. time is the same between DC1 and DC2

  3. network connectivity between Linux server and DC2 time service.

I guess what I’m thinking is that we should be able to set the IPs of both DCs on the Linux server to sync time to, so that if either of the DCs went down, the Linux server would sync with the other DC.

You describe failover; this should work by design. BUT you must ensure that the time on DC1 and DC2 is the same. Linux ntpd will not update/sync time if the time slew is too far apart, e.g. a minute or so.

The 2 DCs should be in time sync though, as that’s integral to the Kerberos authentication in AD. So time skew shouldn’t be an issue.

Maybe I’m wording this completely wrong or asking the wrong questions.

As far as I know, the two DCs are in sync/the same right now. From what I understand, one of those DCs will act as the main source for NTP throughout the domain, correct?

On the Linux box, if I set the NTP to the non-PDC then the Linux box is not able to sync using NTP to that DC. If I change to the other DC then it does work.

How can I have it set up on the Linux box so that it will sync to either, and they will both work?

Did you check the ntp server on the second DC? Maybe it’s not running or something.

1 Spice up

What Alex said: make sure everything is running and there is no ACL blocking the time protocol port 123.

Alex, all I’m checking is to see that Windows Time is running, correct?

If not, what should I be checking?

time service

There is no service listed in Windows Services as “time service”.

Well, I think the full name is “Windows Time service”; here is a quick reference: Configure an authoritative time - Windows Server | Microsoft Learn

1 Spice up

Running the following in PowerShell on DC2 will show you if the NTP port is open, and by the right process.

netstat -ano -p udp | Select-String 123

That should output:

UDP    0.0.0.0:123            *:*                                    380

The last column is the PID. Feed that into tasklist to get process:

tasklist /FI "PID eq 380"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    380 Services                   0     12,316 K

If everything is as above, then make sure UDP 123 is open in Windows Firewall.

The rule is called “Active Directory Domain Controller - W32Time (NTP-UDP-In)” and is in the “Active Directory Domain Services” group.
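The checks in the post above (service running, UDP 123 bound by the W32Time svchost, firewall rule present) can be rolled into one script. The following is an added example, not code posted in the thread; it goes a little beyond the netstat/tasklist pair by also reading the NtpServer provider's Enabled flag in the registry and this DC's own sync status from w32tm, because a DC that is not itself synchronised, or whose NTP server provider is disabled, will not be accepted by a Linux ntpd client even though port 123 is open. It assumes Windows Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets), an elevated PowerShell session on DC2, and the firewall rule display name quoted above; the function name Test-DcNtpServer is the example's own.

```powershell
# Added example: consolidated health check for the NTP server role on a domain
# controller. Run in an elevated PowerShell on the DC you are troubleshooting.
# Assumes Windows Server 2012+ (Get-NetUDPEndpoint / Get-NetFirewallRule exist).

function Test-DcNtpServer {
    [CmdletBinding()]
    param(
        # Display name of the built-in inbound rule, as given in the thread.
        [string]$FirewallRuleName = 'Active Directory Domain Controller - W32Time (NTP-UDP-In)'
    )

    $result = [ordered]@{}

    # 1. Windows Time service state (the service is named W32Time, not "time service").
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }

    # 2. NtpServer provider flag: W32Time only answers NTP clients when this is 1.
    $ntpServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
    $enabled = (Get-ItemProperty -Path $ntpServerKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $result.NtpServerEnabled = ($enabled -eq 1)

    # 3. Is UDP 123 bound, and by which process? Same information as
    #    "netstat -ano -p udp | Select-String 123" followed by tasklist on the PID.
    $ep = Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($ep) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $result.Udp123Listener = '{0} (PID {1}) bound to {2}' -f $proc.ProcessName, $ep.OwningProcess, $ep.LocalAddress
    } else {
        $result.Udp123Listener = 'nothing listening on UDP 123'
    }

    # 4. Firewall rule state. A disabled or missing rule blocks clients even
    #    though the socket is bound locally.
    $rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    $result.FirewallRule = if ($rule) {
        'Enabled={0} Action={1}' -f $rule.Enabled, $rule.Action
    } else {
        'rule not found'
    }

    # 5. Is this DC itself synchronised? Clients reject a server that reports
    #    itself as unsynchronised, so check the source and stratum w32tm reports.
    $status = w32tm /query /status 2>&1
    $result.TimeSource = ($status | Select-String '^Source:').Line
    $result.Stratum    = ($status | Select-String '^Stratum:').Line

    [pscustomobject]$result
}

# Usage: run locally on DC2 and read the table. Every line should be healthy:
# Running / True / svchost.exe bound to 0.0.0.0 / Enabled=True Action=Allow /
# a Source other than "Local CMOS Clock" or "Free-running System Clock".
Test-DcNtpServer | Format-List
```

If the listener and firewall rule both look fine but the Linux box still refuses DC2, the Source and Stratum lines are the ones to compare between DC1 and DC2: a DC whose own source is its local clock is advertising time that an NTP client has no reason to trust.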

We have a similar setup, except I did it the other way. I set up a small Linux box whose only role is an NTP server. As soon as it was working properly, I made an image.

EVERYTHING points to it: the phone system, our other Linux servers, our Windows DCs, printers, everything. I gave it a DNS alias called ‘time’. It gets its time from the ntp.org pools.

1 Spice up