MyLab: The Timekeeper

Overview

I like to keep accurate time in my lab for several reasons. The main ones are authentication and the Transport Layer Security (TLS) certificates I will be using, both of which only work when the clocks involved agree. Beyond that, I think it's the right thing to do, and keeping accurate time is simply a compulsion of mine.

For this service, I am going to use two Fedora Server 38 (at the time of this writing) virtual machines. To properly configure network time, I am going to configure each server as a client of two separate upstream time servers (higher up the stratum hierarchy). Then I will configure my two servers as peers of each other (same stratum). Finally, since most of my lab will consist of Windows servers and clients, I will configure the domain controller holding the Primary Domain Controller (PDC) emulator Flexible Single Master Operation (FSMO) role to take its time from them.

Configure the First NTP Server

Fedora Server 38 uses Chrony, an implementation of NTP. Chrony can act as a server and a client at the same time and is relatively easy to configure.

Edit the /etc/chrony.conf file. Here I am adding a public pool, pool.ntp.org, as well as the other lab server as a peer, even though that peer itself is not yet set up.

According to the chrony documentation, with iburst, chronyd starts with a burst of 4-8 requests so that the first update of the clock happens sooner. It also repeats the burst every time the source is switched from the offline state to online with chronyc's online command. iburst is not supported with the peer directive.

Uncomment the allow line and adjust the subnet, if necessary, so that this server answers NTP requests from the lab network and acts as an NTP server itself.

If this network will not connect to the internet but still needs to serve time, also uncomment the local stratum 10 line so chronyd keeps serving its own clock when no upstream source is reachable.

Save and exit the file.

Restart the service with systemctl restart chronyd.service.

The last part is to allow NTP requests through the firewall.

sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload

Once the above is configured, run ntpstat for a basic status summary of the configuration. I had to install ntpstat, as it was not installed by default.

Configure the Second NTP Server

Configure the second NTP server just like the first, except that the pool and peer lines need to be altered so that each server names the other as its peer.
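The first-server and second-server procedures above differ only in which host is named as the peer, so the following script, an added example that is not code from the original post, renders the /etc/chrony.conf described above for either server from its parameters, optionally applies it with the restart and firewall steps, and checks a chronyc tracking report against an offset tolerance so the lab's Kerberos and TLS dependencies can be verified from a script rather than by eye. The pool and the ntp-92-12/ntp-92-13 host names come from the post; the lab subnet 192.168.92.0/24, the helper names render_chrony_conf, apply_chrony_conf and check_tracking, and the two sample tracking reports are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): render the chrony.conf described
# above for either of the two peered lab servers, optionally apply it, and
# check a `chronyc tracking` report against an offset tolerance.
# The pool and peer names come from the post; the lab subnet 192.168.92.0/24
# and the sample reports below are constructed for this example.
set -eu

# Render chrony.conf for one server.
#   $1 upstream pool (iburst is valid here, but not on a peer line)
#   $2 the other lab server, configured as a same-stratum peer
#   $3 subnet allowed to query this server (the uncommented allow line)
#   $4 "isolated" adds the local stratum 10 fallback for a network without
#      internet access; omit it otherwise
render_chrony_conf() {
    pool=$1; peer=$2; subnet=$3; mode=${4:-}
    printf 'pool %s iburst\n' "$pool"
    printf 'peer %s\n' "$peer"
    printf 'driftfile /var/lib/chrony/drift\n'
    printf 'makestep 1.0 3\n'
    printf 'rtcsync\n'
    printf 'allow %s\n' "$subnet"
    if [ "$mode" = isolated ]; then
        printf 'local stratum 10\n'
    fi
    printf 'logdir /var/log/chrony\n'
}

# Install the rendered file, restart chronyd and open the firewall
# (the remaining steps from the post). Only runs when asked for with --apply.
apply_chrony_conf() {
    render_chrony_conf "$@" | sudo tee /etc/chrony.conf >/dev/null
    sudo systemctl restart chronyd.service
    sudo firewall-cmd --add-service=ntp --permanent
    sudo firewall-cmd --reload
}

# Return 0 if a `chronyc tracking` report ($1) shows a synchronised clock whose
# offset from NTP time is within $2 seconds, 1 otherwise.
check_tracking() {
    report=$1; limit=$2
    # Not synchronised at all is a failure regardless of the reported offset.
    printf '%s\n' "$report" | grep -q '^Leap status *: Normal' || return 1
    # "System time : X seconds fast|slow of NTP time": field 4 is the
    # magnitude, field 6 the direction.
    printf '%s\n' "$report" | awk -v limit="$limit" '
        /^System time/ { found = 1; off = $4 + 0; if ($6 == "slow") off = -off }
        END { if (!found) exit 1; exit (off > limit || off < -limit) }'
}

# Constructed sample reports (not real output from the lab machines).
SAMPLE_SYNCED='Reference ID    : C0A85C0C (ntp-92-12.aaronrombaut.com)
Stratum         : 3
Ref time (UTC)  : Mon Jan 01 00:00:00 2024
System time     : 0.000012345 seconds fast of NTP time
Last offset     : -0.000003210 seconds
RMS offset      : 0.000045678 seconds
Leap status     : Normal'

SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

if [ "${1:-}" = --apply ]; then
    # Server 1: upstream pool, peer is server 2. Swap the peer name for server 2.
    apply_chrony_conf pool.ntp.org ntp-92-13.aaronrombaut.com 192.168.92.0/24
    check_tracking "$(chronyc tracking)" 0.5 && echo "clock within 0.5 s of NTP time"
fi
```

Run it with --apply on each server (with the peer argument swapped on the second one) to write the file and perform the restart and firewall steps; without arguments it only defines the functions, so check_tracking can be reused from a monitoring job that feeds it the live chronyc tracking output and a tolerance well below the five minutes Kerberos tolerates.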

Discover the Primary Domain Controller (PDC) Emulator Domain Controller

When there is more than one domain controller (DC) in the domain, you can query any DC to discover which DCs hold the FSMO roles. In my lab, all the roles belong to a single DC. In production, these roles should be distributed across several DCs.

netdom query fsmo

I also recently found that w32tm /monitor indicates which server holds the PDC role as well.

Configure the Primary Domain Controller (PDC) Emulator Domain Controller to Query Local NTP Sources

I am going to use w32tm /config for this task.

w32tm /config /update /manualpeerlist:"ntp-92-12.aaronrombaut.com ntp-92-13.aaronrombaut.com" /syncfromflags:MANUAL /reliable:YES

The command completed successfully, so now we can check the time skew (offset) using w32tm /stripchart /computer:time.cloudflare.com. The /computer parameter can point at an internal or an external source; it is just another time source to compare against. Ideally, the asterisk should sit in the middle, like the image below, which indicates that the time is not skewed.
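The offset that stripchart plots is the standard NTP clock offset computed from the four timestamps of one request/response exchange. As an added worked example with constructed values, not figures from the post: the client stamps its request at $T_1$, the server receives it at $T_2$ and replies at $T_3$, and the client receives the reply at $T_4$; the offset $\theta$ (how far the local clock is from the source) and round-trip delay $\delta$ are

```latex
\theta = \frac{(T_2 - T_1) + (T_3 - T_4)}{2}, \qquad
\delta = (T_4 - T_1) - (T_3 - T_2).
```

With constructed timestamps (seconds, relative) $T_1 = 100.000$, $T_2 = 100.025$, $T_3 = 100.026$, $T_4 = 100.041$:

```latex
\theta = \frac{0.025 + (100.026 - 100.041)}{2} = \frac{0.025 - 0.015}{2} = 0.005\ \mathrm{s}, \qquad
\delta = 0.041 - 0.001 = 0.040\ \mathrm{s}.
```

So this exchange reports the local clock as 5 ms off the reference, which stripchart would draw to one side of the centre rather than as the centred asterisk the post is aiming for; only the symmetric-path assumption behind $\theta$ makes the 40 ms of network delay cancel out, which is why a nearby source gives a steadier reading than a distant one.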

Here is the new configuration of the Primary Domain Controller (PDC) Emulator. You can find this using w32tm /query /configuration.
