AD for Debian with SaltStack – Part 4 – NTP

You need to keep the time consistent across your machines for a number of reasons, not least of which is basic sanity. AD needs consistent time because otherwise Kerberos won't work. Standard practice is to use the DC as the time source. Fortunately NTP makes this pretty easy.

Install NTP:

ntp-pkg:
  pkg.installed:
    - name: ntp

Comment out the existing server pool:

ntp-remove-debian-pools:
  file.comment:
    - name: /etc/ntp.conf
    - regex: '^(server [0-9]\.debian\.pool\.ntp\.org iburst)$'

Add in the DCs as NTP servers by modifying the default configuration file.

Note that we use start and end markers in the file with the file.blockreplace state module. This lets SaltStack replace everything between the markers each time the configuration changes. The alternative would be to add lines to the end of the file using file.append, and this would work – but only once. As soon as we changed those lines, the first version would stay there alongside our new version – probably not what we want.

ntp-add-nist:
  file.blockreplace:
    - name: /etc/ntp.conf
    - marker_start: '# SALTSTACK-CONTROLLED-START: common.ntp.ntp: Do not edit!'
    - marker_end: '# SALTSTACK-CONTROLLED-END: common.ntp.ntp'
    - append_if_not_found: True
    - content: |
        # Get the time from the DC
        # If there are more DCs then add them here
        server {{ pillar['ad_dc'] }}

Make sure the service gets restarted when the configuration file changes:

ntp-daemon:
  service.running:
    - name: ntp
    - enable: True
    - require:
      - ntp-add-nist
      - ntp-remove-debian-pools
    - watch:
      - file: /etc/ntp.conf
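
A check that could be run after the states above have applied, as an added example that is not part of the original post: it flags any active time source in ntp.conf that sits outside the Salt-managed block or is not an expected DC. The function name, the hostname dc1.example.test and the sample file contents are assumptions constructed for illustration.

```python
import re

# Markers copied from the file.blockreplace state above.
START = "# SALTSTACK-CONTROLLED-START: common.ntp.ntp: Do not edit!"
END = "# SALTSTACK-CONTROLLED-END: common.ntp.ntp"
# Directives that point ntpd at a remote time source.
SOURCE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)")

# Constructed sample: the DC block is present, but a "pool" line that the
# file.comment regex (which only matches "server ...") did not touch remains.
SAMPLE = """\
driftfile /var/lib/ntp/ntp.drift
#server 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
restrict 127.0.0.1
# SALTSTACK-CONTROLLED-START: common.ntp.ntp: Do not edit!
# Get the time from the DC
server dc1.example.test
# SALTSTACK-CONTROLLED-END: common.ntp.ntp
"""

def audit_ntp_conf(text, allowed):
    """Return a list of findings; an empty list means only allowed DCs are used."""
    findings, in_block, seen_block, managed = [], False, False, set()
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == START:
            in_block = seen_block = True
        elif stripped == END:
            in_block = False
        m = SOURCE.match(line)
        if not m:
            continue  # comments, blanks, restrict/driftfile lines and so on
        host = m.group(2)
        if not in_block:
            findings.append(f"line {lineno}: time source {host} outside managed block")
        elif host not in allowed:
            findings.append(f"line {lineno}: unexpected source {host} in managed block")
        else:
            managed.add(host)
    if not seen_block:
        findings.append("managed block markers not found")
    findings += [f"allowed DC {h} is not configured" for h in sorted(set(allowed) - managed)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ntp_conf(SAMPLE, {"dc1.example.test"})))
```

To audit a real host, pass the contents of /etc/ntp.conf and the set of DC names from your pillar instead of the sample.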
