On Wed, 13 Jun 2018 08:36:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works
>
> Look in the above link, search for "Time Synchronization in an AD DS
> Hierarchy". There you find the PDC Emulator role. In the
> pyramid. ;-) This one explains it even better than the technet link.
>
> It also explains Alexei's question, I believe.
>

Yes, it shows that the PDC emulator DC is the one that gets the time
from an external time server. The other DCs get their time from the
PDC emulator DC, but it quite clearly says a workstation (and I quote)
'Can synchronize with any domain controller in its own domain'

So, by my reading, workstations do not have to use the PDC emulator DC,
they can use any DC.
DCs MUST use the PDC emulator DC as their time server, but can be set
up to take over the PDC emulator role.

If we can agree, I will alter the wiki page again.

Rowland
On Wed, 2018-06-13 at 07:48 +0100, Rowland Penny via samba wrote:
> On Wed, 13 Jun 2018 08:36:36 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works
> >
> > Look in the above link, search for "Time Synchronization in an AD DS
> > Hierarchy". There you find the PDC Emulator role. In the
> > pyramid. ;-) This one explains it even better than the technet link.
> >
> > It also explains Alexei's question, I believe.
> >
>
> Yes, it shows that the PDC emulator DC is the one that gets the time
> from an external time server. The other DCs get their time from the
> PDC emulator DC, but it quite clearly says a workstation (and I quote)
> 'Can synchronize with any domain controller in its own domain'
>
> So, by my reading, workstations do not have to use the PDC emulator DC,
> they can use any DC.
> DCs MUST use the PDC emulator DC as their time server, but can be set
> up to take over the PDC emulator role.
>
> If we can agree, I will alter the wiki page again.

Thanks. I agree that time selection text is problematic; each
workstation should (and does, as far as I understand it) talk to its
local DC for time.

I also agree that the DCs should be tied together for time, but a
strict hierarchy could also have problems in that if that DC goes
down, time could drift apart.

One challenge is that because neither ntpd from ntp.org nor chrony
support any authenticated time protocol as a client, the major
advantage to DCs talking to DCs for time is lost. It may be better to
instead have good diversity of time sources.

I realise this doesn't present a clear solution, but I provide it for
thought and refinement.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On Wed, 13 Jun 2018 10:40:46 +0200
Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2018-06-13 at 07:48 +0100, Rowland Penny via samba wrote:
> > On Wed, 13 Jun 2018 08:36:36 +0200
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > Hai,
> > >
> > > https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works
> > >
> > > Look in the above link, search for "Time Synchronization in an AD
> > > DS Hierarchy". There you find the PDC Emulator role. In the
> > > pyramid. ;-) This one explains it even better than the technet
> > > link.
> > >
> > > It also explains Alexei's question, I believe.
> > >
> >
> > Yes, it shows that the PDC emulator DC is the one that gets the time
> > from an external time server. The other DCs get their time from the
> > PDC emulator DC, but it quite clearly says a workstation (and I
> > quote) 'Can synchronize with any domain controller in its own
> > domain'
> >
> > So, by my reading, workstations do not have to use the PDC emulator
> > DC, they can use any DC.
> > DCs MUST use the PDC emulator DC as their time server, but can be
> > set up to take over the PDC emulator role.
> >
> > If we can agree, I will alter the wiki page again.
>
> Thanks. I agree that time selection text is problematic; each
> workstation should (and does, as far as I understand it) talk to its
> local DC for time.
>
> I also agree that the DCs should be tied together for time, but a
> strict hierarchy could also have problems in that if that DC goes
> down, time could drift apart.
>
> One challenge is that because neither ntpd from ntp.org nor chrony
> support any authenticated time protocol as a client, the major
> advantage to DCs talking to DCs for time is lost. It may be better to
> instead have good diversity of time sources.
>
> I realise this doesn't present a clear solution, but I provide it for
> thought and refinement.
>
> Andrew Bartlett
>

I think the best thing to do, from a Samba point of view, is to set up
the DCs' time servers to use the same external time servers and remove
all mention of the 'PDC emulator role'.

Rowland