[ntp:questions] Issues with w32tm on AD network

Ryan Malayter malayter at gmail.com
Fri Feb 29 15:11:07 UTC 2008


On Feb 28, 2:55 am, Martin Burnicki <martin.burni... at meinberg.de>
wrote:

> Of course. However, we must distinguish between DNS domains and Windows
> Active Directory domains which have nothing to do with DNS in the first
> place.

Active Directory is completely dependent on DNS. In fact, an Active
Dfirectory domain requires a DNS server that allows SRV records and
dynamic updates to even function. Active directory is generally not
used for name resolution (with a few exceptions, such as specifying IP
ranges for AD sites to tweak the replication topology). Otherwise, DNS
supplies the name resolution layer for all Windows domain operations.

Most people use Microsoft's DNS server with AD, because it
automatically and reliably replicates data using the same distributed
multi-master replication mechanism that AD uses. But they are actually
separate - you can set up AD domains using BIND or other DNS that
supports the relevand RFCs. I did it for a customer once back around
2002.

That said, based on refIDs reported by member servers, I believe the
Windows Time Service simply contacts the domain controller that the
machine logged into for the time, using DNS to resolve the name. You
can find which domain controller a machine used by using the "echo
%LOGONSERVER%" command. When a Windows domain member loses contact
with its logon server, it does a DNS SRV record lookup (such as
_ldap._tcp.gc._msdcs.exmaple.com) to find another one.

How this affects running the reference ntpd on domain controllers I do
not know. I really don't have the time to set up a lab to test the
behvaior in depth. I run ntpd on other systems, and have our Windows
domain controllers configured to get their time from those stratum-2
systems.




More information about the questions mailing list