Does NT5DS time synchronization have any place in a mixed Windows / Linux environment


I am working on a plan towards overhauling how time synchronization is handled on our network. Currently our network is predominantly Windows-based, in a fairly standard AD domain broken up into various sites. However we are starting to utilize Linux-based servers in our environment as well, with the thought that this balance will continue to shift towards that direction.

In such a mixed environment I am trying to figure out where NT5DS is used, if at all. Is it a better idea to have the Windows infrastructure respect the domain hierarchy for time synchronization and have the Linux servers pull time from the domain, or should an NTP server be spun up and have everything (Windows or Linux) pull its time from it?

I see both avenues as being functional, but am concerned that I am overlooking obvious gotchas down the road. On one hand, it seems silly to have a (proposed) fleet of Linux servers getting their time from a Windows domain. On the other hand, having every host on the network pull from one NTP server on the local network feels like a comparatively flat solution.

Best Answer

NT5DS is the client protocol for Windows systems to retrieve time from a DC. Using this on your Windows machines does not prevent you from also enabling the NTP server on your Windows DCs, and configuring your Linux clients to use your DCs as a source of time using the NTP protocol. I configure my DCs using group policy to enable NTP so I can point my Linux systems at them. Enabling NTP on the Windows servers also allows me to use check_ntp from my Nagios box to monitor time.

Your PDC emulator really should be pointed at good sources of time. For the best results you should be configured to use at least 3 low stratum servers.

Is there any difference (in terms of functionality and reliability) between using the Windows NTP server as opposed to a Linux-based one? If they're essentially the same, it does seem like it's a lot less headache going the Windows route.

It partly depends on your Windows DC. If you aren't running at least 2008 R2 on all your DCs I wouldn't trust them to keep time accurate at all. Earlier versions of the Windows time service did SNTP only. Many people will swear by the reference implementation of NTP and say it is the only true NTP, but recent versions of Windows seem to do a relatively good job at keeping the time accurate enough.

I monitor time on all my servers (Linux & Windows) using Nagios, and the Windows boxes are usually within ~2-6ms with respect to the monitoring system, which is certainly accurate enough for my usage. If you have higher accuracy requirements you may need to set up internal NTP servers running on Linux. You could set up a Linux box as an NTP server and use that in addition to your Windows DCs.

Honestly, I would just start with the Windows DCs, and set up time monitoring. If your time isn't kept accurate enough, then add additional NTP servers or make changes as required.
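
The time monitoring recommended in the answer above, as an added example that is not part of the original answer and not check_ntp's own code: this Python code classifies one NTP reply from a DC by checking that it answers our request, that the server reports a synchronized clock, and that the computed offset is within thresholds. The function names, the thresholds and the sample packet are assumptions constructed for illustration.

```python
import struct

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_s):
    """Unix seconds -> 8-byte NTP timestamp (32.32 fixed point)."""
    sec = int(unix_s)
    return struct.pack("!II", sec + NTP_DELTA, int((unix_s - sec) * 2**32))

def from_ntp(raw):
    """8-byte NTP timestamp -> Unix seconds."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_DELTA + frac / 2**32

def check_reply(pkt, origin, t1, t4, warn=0.05, crit=0.25):
    """Classify one server reply. origin is the transmit timestamp the client
    sent; t1/t4 are the client's send/receive times in Unix seconds.
    warn/crit are assumed thresholds in seconds."""
    if len(pkt) < 48:
        return "CRITICAL", "short packet", None
    li, mode, stratum = pkt[0] >> 6, pkt[0] & 0x07, pkt[1]
    # A reply must be mode 4 (server) and echo our transmit timestamp.
    if mode != 4 or pkt[24:32] != origin:
        return "CRITICAL", "not a reply to our request", None
    # Leap indicator 3 or a stratum outside 1..15 means the server has no valid time.
    if li == 3 or not 1 <= stratum <= 15:
        return "CRITICAL", "server clock unsynchronized", None
    t2, t3 = from_ntp(pkt[32:40]), from_ntp(pkt[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2  # server clock minus client clock
    state = "CRITICAL" if abs(offset) >= crit else "WARNING" if abs(offset) >= warn else "OK"
    return state, f"stratum {stratum}", offset

def sample_reply(origin, t2, t3, li=0, stratum=3):
    """Constructed 48-byte reply (version 4, mode 4) so the check runs offline."""
    header = struct.pack("!BBbb", (li << 6) | (4 << 3) | 4, stratum, 6, -23)
    # root delay, root dispersion, reference id (zeroed), then the four timestamps
    return header + bytes(12) + to_ntp(t2) + origin + to_ntp(t2) + to_ntp(t3)

if __name__ == "__main__":
    t1 = 1700000000.0                      # constructed client send time
    origin = to_ntp(t1)
    good = sample_reply(origin, t1 + 0.005, t1 + 0.0052)
    print(check_reply(good, origin, t1, t1 + 0.0022))
    unsynced = sample_reply(origin, t1, t1, li=3, stratum=0)
    print(check_reply(unsynced, origin, t1, t1 + 0.0022))
```
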
