GPO to Set NTP on Domain Joined Computers and Servers

As a precursor, please review this article to set NTP for PDC Emulator prior to proceeding.

Step 1: Create WMI Filter to Target Computers without PDC Emulator role

Run Group Policy Management Console (GPMC.msc) > Expand Forest [Domain Name] > Domains > [Domain Name] > Scroll toward the bottom > right-click ‘WMI Filters’ > New > Input name = Non-PDC Filter > click Add > paste this line: SELECT * FROM Win32_ComputerSystem WHERE DomainRole <> 5 > OK > Save

Example 1: all Windows Computers, excluding PDC
SELECT * FROM Win32_ComputerSystem WHERE DomainRole <> 5

Example 2: Windows 10/2016 Filter

Example 3: all computers, exclude Domain Controllers
SELECT * FROM Win32_ComputerSystem Where DomainRole <> 4 AND DomainRole <> 5
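The following PowerShell script is an added example, not part of the original post. It evaluates the two WQL filter queries given above on the local machine so you can confirm, before linking the GPO, which role a given computer reports and whether each filter would include it. The DomainRole mapping is Microsoft's documented Win32_ComputerSystem value set; the filter names are the post's own.

```powershell
# Added example, not from the original post: evaluate the Step 1 WMI filter
# queries on the local machine to confirm which computers each one targets.
# Run it on a workstation, a member server, a non-PDC DC and the PDC Emulator
# holder to compare. Needs PowerShell 3.0+ (Get-CimInstance).

# Win32_ComputerSystem.DomainRole values, as documented by Microsoft
$roleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'   # a DC that does NOT hold the PDC Emulator role
    5 = 'Primary Domain Controller'  # the DC that holds the PDC Emulator role
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'{0} reports DomainRole {1} ({2})' -f $cs.Name, $cs.DomainRole, $roleNames[[int]$cs.DomainRole]

# The two filter queries given on this page (Example 1 is the Step 1 query, Example 3 excludes all DCs)
$filters = [ordered]@{
    'Non-PDC filter (Example 1)' = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole <> 5'
    'Non-DC filter (Example 3)'  = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole <> 4 AND DomainRole <> 5'
}

foreach ($name in $filters.Keys) {
    # Group Policy treats a WMI filter as TRUE when its query returns at least one instance;
    # the GPO is applied only when every query in the filter returns something.
    $match = Get-CimInstance -Query $filters[$name] -ErrorAction SilentlyContinue
    $verdict = if ($match) { 'APPLIES to this computer' } else { 'does NOT apply to this computer' }
    '{0,-27} -> {1}' -f $name, $verdict
}
```

Running this on the PDC Emulator holder should show the Non-PDC filter as not applying; on any other DC the Non-PDC filter applies but the Non-DC filter does not. That is the quickest way to catch a filter that would accidentally pull the PDC into the client policy.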

Step 2: Disable the Policy to Prevent Unintended Propagation

Right-click on the OU where targeted workstations, servers, or laptops reside > Create a GPO in this domain, and link here > Name the new GP as ‘NTP Client’ > right-click GP > uncheck ‘Link Enabled’ > right-click GP again > Edit

Step 3: Create registry key to disable time sync with Hyper-V Hosts

Navigate to Computer Configuration > Preferences > Windows Settings > right-click Registry > New > Registry Item

Set these values > click OK when ready

  • Action = Update
  • Key Path = SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
  • Value Name = Enabled
  • Value Type = REG_DWORD
  • Value data = 00000000
  • Base = Hexadecimal

Step 4: Set NTP Client to use DOMHIER with external fall-back time sources

Navigate to Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers > double-click ‘Configure Windows NTP Client’ > set the values shown below > click Apply when ready > click Next Setting to enable the next 2 items > OK when done

  • Enabled = True
  • NtpServer = LAX-DC01.hooli.com,0x9 3.us.pool.ntp.org,0x2 2.us.pool.ntp.org,0x2 1.us.pool.ntp.org,0x2 0.us.pool.ntp.org,0x2
  • Type = AllSync (recommended)

The config above means that Windows machines will:

  • First, use the Domain Hierarchy to contact its closest NTP server
  • Second, contact the PDC as primary NTP
  • Third, fall back to the external sources (ntp.org) if the first and second attempts have failed
  • Fourth, use the local CMOS or VM host clock as the last resort

Here are some explanations per source https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-authoritative-time-server

  • NoSync – Windows uses CMOS as time source
  • NTP – the NTP server is synchronized with external time servers, which are specified in the NtpServer registry parameter (this is the default behavior on a stand-alone computer)
  • NT5DS – the NTP server performs synchronization according to the domain hierarchy (used by default on domain-joined computers)
  • AllSync – uses the domain hierarchy first and will fall back to the value set for the NTP server if the domain hierarchy is not available. If both avenues are blocked, then local CMOS time would be considered.
  • 0x0 – Timeserv_Announce_No, Reliable_Timeserv_Announce_No. The domain controller does not advertise time service
  • 0x1 – option to use SpecialPollInterval, Timeserv_Announce_Yes. The domain controller always advertises time service
  • 0x2 – use as fallback only, Timeserv_Announce_Auto. The domain controller automatically determines whether it should advertise time service
  • 0x4 – SymmetricActive, Reliable_Timeserv_Announce_Yes. The domain controller will always advertise reliable time service
  • 0x5 – meaning 0x1 + 0x4, “The domain controller always advertises time service” and “The domain controller will always advertise reliable time service”
  • 0x8 – instructs Windows to send requests to this external server in client mode, Reliable_Timeserv_Announce_Auto. The domain controller automatically determines whether it should advertise reliable time service
  • 0x9 – combines 0x1 + 0x8. Announce external source as NTP server.
  • 0xA – if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5

Step 5: Enable GP When Ready

Once the GP is ready to be applied, right-click it and put a check mark next to ‘Link Enabled’ to enable it.
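After the link is enabled and clients have refreshed policy, the following PowerShell script, an added example that is not part of the original post, checks on a targeted computer that Step 3 (the VMICTimeProvider registry item) and Step 4 (the NTP client policy) actually landed, and shows which time source the service is really using. It assumes the post's sample values (Type = AllSync, LAX-DC01.hooli.com with 0x9 and the us.pool.ntp.org peers with 0x2); the HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters location is where the ‘Configure Windows NTP Client’ policy writes its NtpServer and Type values.

```powershell
# Added example, not from the original post: verify on a targeted client that the
# 'NTP Client' GPO from Steps 3 and 4 took effect. Run from an elevated prompt
# after 'gpupdate /force'. Assumes the page's sample values (Type = AllSync,
# LAX-DC01.hooli.com,0x9 plus the us.pool.ntp.org peers with 0x2).

# Step 3 check: the Hyper-V time provider must be switched off (Enabled = 0),
# otherwise a VM keeps taking time from its host instead of the domain hierarchy.
$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$vmic = Get-ItemProperty -Path $vmicKey -Name Enabled -ErrorAction SilentlyContinue
if ($vmic -and $vmic.Enabled -eq 0) {
    'VMICTimeProvider : disabled (OK)'
} else {
    "VMICTimeProvider : Enabled=$($vmic.Enabled) (expected 0; GPP registry item not applied?)"
}

# Step 4 check: 'Configure Windows NTP Client' writes NtpServer and Type under the
# Policies hive; w32time prefers these over the service's own Parameters key.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if (-not $pol) {
    'No W32Time policy values present: GPO not linked, filtered out, or not applied yet.'
} else {
    "Policy Type      : $($pol.Type)"
    "Policy NtpServer : $($pol.NtpServer)"
    # Peers are space separated, each as host,flags. Per the flag table above,
    # 0x9 = 0x1 (SpecialPollInterval) + 0x8 (client mode); 0x2 = fallback only.
    foreach ($peer in ($pol.NtpServer -split '\s+' | Where-Object { $_ })) {
        $peerHost, $flags = $peer -split ','
        $role = if ($flags -eq '0x9') { 'primary, client mode' }
                elseif ($flags -eq '0x2') { 'fallback only' }
                else { 'other/unset' }
        '  peer {0,-24} flags {1,-4} ({2})' -f $peerHost, $flags, $role
    }
}

# Live state: effective configuration (values tagged (Policy) vs (Local)) and the
# source actually in use. On a domain member in good health this should name a DC,
# not a pool server or 'Local CMOS Clock'.
w32tm /query /configuration | Select-String -Pattern 'Type|NtpServer|Enabled|VMICTimeProvider'
w32tm /query /source
w32tm /resync /nowait | Out-Null
```

If `w32tm /query /source` reports a pool server on a healthy domain member, the domain hierarchy path is failing (Type or DNS/port 123 reachability to the DCs) and the machine is already on its third fallback tier; if it reports the local CMOS clock or VM IC Time Synchronization Provider, the policy has not applied at all.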
