# _general
n
I didn't think it was possible for someone to say that relying on the internet for time sync was "better" than a hardened device, but it happened. The reasons I cited are: we've already experienced unreliability in the current setup, providers have outages outside our control all the time, and in the event of a cyber attack, internet infrastructure is probably going to be the #1 target.
m
point the DCs to the local NTP.org pool, punch a hole in the firewall and call it a day
is it network equipment or windows machines you want to set the time on?
n
Both. Right now our Windows machines point to the DCs, which point to the core switches, which point to a NIST or pool publicly accessible NTP server.
That's what we did as a temporary workaround: just bypassed muhciscos and everything domain-joined corrected itself.
m
the issue with the network stuff is you still need people to point it to your new hardware and you could spend $$$ on a nice unit and be unable to make anyone switch from time.windows.com
n
well I could point our DCs at the local hardware, as well as all our virtualization/storage/backup platforms, and if they want to continue being lame and having NTP problems for their stuff well...
m
just set up a port forward in the core firewalls and route it all to the new thing I guess if you really want to stop people using their own
n
But preferably, everything points to the same time source, obviously. I see no reason why internet is preferable to dedicated hardware with redundant time sync methods, other than being a vendor fanboy control freak.
lol....guess who manages the firewalls? 😉
m
Yeah, losing battle there I think
o
ntp.org all day/every day. The folks behind NTP.org have been providing good / accurate time forever (time pun intended). Shameless plug: in my VMware quick inventory PowerCLI script, I actually specifically tag any NTP config NOT set to ntp.org https://github.com/getvpro/Get-VMware-QuickInventory
j
It depends on your industry and requirements for reliability and accuracy. Having your own GPS/GNSS devices gives you the highest levels of accuracy and reliability. You can still have both, and point your NTP clients to 4+ sources, including ntp.org. The NTP Client uses algorithms to determine the most accurate to sync from. So in the case where your firewall is mal-transforming the packets, the NTP Client will have other choices and keep your time in sync, which is more important for the business than anyone's Ego :-)