samba - Jan 2024 - Joining Windows 10 Domain Member to Samba AD/DC

I've added a Windows 10 domain member to my Domain. I'm now following
the
procedure in
https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.

I've created the Group Policy for the "Time Sources". This
doesn't seem to be
working. This did work fine with my old 4.8.2 DC, so I know it works in
principle.

I have additional notes and have tried (on the Windows member):

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

I've rebooted both the DC and the Windows member. On the Windows member I
still
get:
> w32tm /query /source
Local CMOS Clock

whereas I expect the return to be "dc1.hprs.locl"

I have confirmed that the Group Policy exists and is configured correctly.

What's going wrong here?

Thanks --Mark

On Thu, Jan 4, 2024 at 7:46?PM Mark Foley via samba
<samba at lists.samba.org> wrote:
> I've added a Windows 10 domain member to my Domain. I'm now
following the
> procedure in
https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.
> What's going wrong here?
Is there some reason you need a GPO for this? By default the system
should get its time from the DC.
>From the page you refer to:
"Windows AD domain members will use any DC as their default time
source. If you have set up ntp on the DC as described on this page,
you usually do not need to reconfigure the clients. Alternative
configuration options for the clients are described below."

I've only used a GPO to point to a different time server when the DC
is incapable of providing the time service (older DC running in a
container).
Chris

On 05.01.2024 1:28, Mark Foley via samba wrote:
> I've added a Windows 10 domain member to my Domain. I'm now
following the
> procedure in
https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.
>
> I've created the Group Policy for the "Time Sources". This
doesn't seem to be
> working. This did work fine with my old 4.8.2 DC, so I know it works in
> principle.
>
> I have additional notes and have tried (on the Windows member):
>
> net stop w32time
> w32tm /unregister
> w32tm /register
> net start w32time
>
> I've rebooted both the DC and the Windows member. On the Windows member
I still
> get:
>
>> w32tm /query /source
> Local CMOS Clock
>
> whereas I expect the return to be "dc1.hprs.locl"
>
> I have confirmed that the Group Policy exists and is configured correctly.
>
> What's going wrong here?
>
> Thanks --Mark
>
Hi Mark,

If you're using ntpsec on the DC, that wont work. You must use chrony. I 
had the same problem some half year ago.

Also, no need to use a GPO for this. The domain members get their time 
from a DC anyway.

HTH,

Peter

On Thu Jan  4 19:46:02 2024 Mark Foley via samba <samba at
lists.samba.org> wrote:
>
> I've added a Windows 10 domain member to my Domain. I'm now
following the
> procedure in
https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.
>
> [deleted]
The above references the first in a long thread I started having to do with
getting a Windows domain member to time-sync with a new DC, Samba 4.18.9. 

None of my Windows domain members sync with the new domain controller.

None of these same Windows workstation had any problem syncing with the previous
Samba 4.8.2 DC which ran for the past 10-ish years. 

On th DC I've tried both chrony and ntp-4.2.8.  In the ntp case I used the
same
4.8.2 version on the old DC; in both cases built with --enable-ntp-signd. 

One possible issue was that these Windows domain members were unjoined from the
4.8.2 domain, rejoined to the new 4.18.9, and had Profwiz.exe run on each member
to migrate the domain user's profile.  None of that was done when they were
first joined to the old 4.8.2 domain.  One participant in this thread suggested
I try joining a "virgin" Windows computer.  I did that today with a
scratch
install of Windows 10. 

After joining the domain I got:

w32tm /query /source
Local CMOS Clock

I hoping for the FQDN of the DC: 'mail.hprs.local', like I used to get
with
Samba 4.8.2.

This is the same thing I have been getting from the beginning with the new
4.18.9 DC.  Several thread participants said I shouldn't need to do any
group
policies or anything special.  Apparently in my case this is not true. 

Everything configured is strictly "vanilla". The DC was provisioned
as:

samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCAL --domain=HPRS \
  --server-role=dc --dns-backend=SAMBA_INTERNAL \
  --option=interfaces="lo eth0" --option="bind interfaces
only=yes"

Nothing else was done on the DC.  The "test" Windows 10 computer was
clean
installed today, nothing left over from any previous domain joins or old domain
user profiles. 

I've tried with and without a "Time Sources" GPO. At the moment, I
have a GPO
configured.

There are only two differences I can identify between when this worked and when
it did not:

1. It worked with Samba 4.8.2 and does not work with Samba 4.18.9.

2. Samba 4.8.2 was provisioned with --dns-backend=BIND9_FLATFILE and Samba
4.18.9 was provisioned with --dns-backend=SAMBA_INTERNAL.

Those, I believe, are the only differences. Something must not be working
correctly with Samba 4.18.9.

As time-sync among domain members is supposed to be critical, I am about to get
Microsoft involved.

Before I do that (and before I retry a bunch of the w32tm commands), I'd
like to
see if any of the experts on this list have any additional suggestion.

Thanks --Mark