In this guide we look at the correct configuration of time synchronization in a Windows domain environment. Our goal is to force clients to sync their time with the PDC and to set the PDC to sync with an external public NTP server.
So, open the command prompt and issue this command to see the current situation on a PC or a server:
w32tm /query /status
As we can see, in this case the PC/server is using a “free” source to sync time.
Before we start, we have to create a GPO to force the domain’s clients to sync with the PDC role holder. To see which server holds that role, run:
netdom query fsmo
The PDC is the server we need to force clients to sync with.
GPO for CLIENTS setting
Open Group Policy Management, create a new GPO called “Time-Sync-to-DC” and link it to the root of the tree.
Edit it and go to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Enable the Windows NTP Client and edit “Configure Windows NTP Client” like this:
GPO for PDC Server setting
Now we need to enable the server-side configuration and, to do this, we need to create another GPO linked to the “Domain Controllers” OU.
But first, we need to create a WMI filter that identifies only the server whose DomainRole property is set to 5 (Primary Domain Controller).
These are the possible values:
0 (0x0) Standalone Workstation
1 (0x1) Member Workstation
2 (0x2) Standalone Server
3 (0x3) Member Server
4 (0x4) Backup Domain Controller
5 (0x5) Primary Domain Controller <<<<=== this!!
Now create the WMI filter with this query:
Select * from Win32_ComputerSystem where DomainRole = 5
Now we can go back to our DC’s Time policy and select
Now edit it and go to Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Now, because this is the only server that needs to sync with an external time source, we need to set an NTP server and set the “Type” of protocol to NTP.
In my case I use an Italian NTP server, “ntp.inrim.it”.
Now if I issue a w32tm /query /status on the PDC, we can see:
Now if I issue a GPUPDATE /FORCE on the server or PC and…
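A check to run on any PC or server once the policies have applied, as an added example that is not part of the original guide: it reads the same DomainRole property the WMI filter tests, asks the Windows Time service for its current source and reports any mismatch. The parameter name, the script layout and the English-language w32tm source strings are assumptions; ntp.inrim.it is the server used above.

```powershell
# Added example (not from the original guide): verify the local time source.
param(
    [string]$ExpectedPdcSource = 'ntp.inrim.it'   # external server used in this guide
)

# Same property the WMI filter tests (DomainRole = 5 is the PDC).
$roles = @{
    0 = 'Standalone Workstation';   1 = 'Member Workstation'
    2 = 'Standalone Server';        3 = 'Member Server'
    4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}
$role = [int](Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

# Current source as reported by the Windows Time service.
$source = (& w32tm /query /source | Out-String).Trim()

# Values stored by the "Configure Windows NTP Client" policy when a GPO applies.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# Sources that mean the machine follows no upstream clock
# (assumption: English-language w32tm output).
$unsynced = 'Local CMOS Clock', 'Free-running System Clock'

$problems = @()
if ($unsynced | Where-Object { $source -like "*$_*" }) {
    $problems += "not synchronising: source is '$source'"
}
if ($role -eq 5 -and $source -notlike "*$ExpectedPdcSource*") {
    $problems += "PDC is not using $ExpectedPdcSource"
}
if ($role -ne 5 -and $source -like "*$ExpectedPdcSource*") {
    $problems += 'non-PDC machine is going to the external server directly'
}
if (-not $policy) {
    $problems += "no policy values under $policyKey (GPO not applied?)"
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Role         = $roles[$role]
    Source       = $source
    PolicyType   = $policy.Type
    PolicyServer = $policy.NtpServer
    Problems     = $problems -join '; '
}
if ($problems) { exit 1 }
```

The non-zero exit code on a mismatch lets the script be used from a scheduled task or monitoring agent.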