Timeserver on DOMAIN using GPO

Posted on 2012-08-26
Last Modified: 2012-09-25
I've built a server to provide time on the local network, and have been using it with Xen Server pools as I don't like giving the management interface on the hypervisor access to the outside network.  There are currently no VLANs set up, and the time syncs as it should for the hypervisors.  This NTP server is not a domain controller, secondary or otherwise (although I can change this if required, but would like to avoid having it as Primary).

The NTP server is a Windows Server 2008 R2 Standard, with relevant services installed.  I can go the Linux route, but I'm not sure if it would cause problems in providing time to Windows systems (I don't imagine it would).

In any case, I've tested the configuration, and manually synced one Windows system to it.  What I want to do next is SYNC all the computers that are joined to the domain with this specific server.  I have been unsuccessful so far; I'm not sure if it's what I detailed in the GPO.

I essentially have the entry configured in the GPO:

Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers -> Windows NTP Configuration

This points to the server.

Should I instead have it point to the pdc and have the pdc somehow sync with this server? or use Windows NTP server instead of client?  I'm a little confused.
Question by:metazend

    Expert Comment

    by:Svet Paperov
    In a Windows domain, the time source for all member servers and other domain controllers is the DC holding the PDC role; there is no need for GPO configuration.

    I would synchronize the PDC with an NTP server on a stand-alone machine, Windows or Linux (Linux NTP is easy to set up and it is supported as a source for Windows). I would also prefer that the NTP source is a Linux physical machine, in order to eliminate possible loops with the integration services.

    Local Policies can be configured on stand-alone Windows servers to synchronize the time with the PDC.

    I am sorry, I cannot give more precise instructions because all my notes are in the office, but you can find all necessary information on the Internet.

    I hope this helps. If you have more questions I will be able to provide you more detailed info tomorrow.

    Author Comment

    Ok that's a fair suggestion.

    I will rebuild the server with CentOS or FreeBSD, but what bothers me at the moment is that the member servers on the domain aren't syncing with the PDC for time.  Would I need to manually open a port (123) on the firewall for the PDC?

    This implies I would not need to install additional services on the PDC to provide network time?  I can also have the computers joined on the domain to retrieve time from the PDC automatically?

    Assisted Solution

    by:Svet Paperov
    Detailed steps as promised… Please consult the links below for the explanation of all Registry settings. This setup works in my environment.

    On the PDC Domain Controller:
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change Type value from NT5DS to NTP
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change NtpServer value to linux.source-ntp-server.local,0x1, where linux.source-ntp-server.local is the single source
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config change AnnounceFlags decimal value from 10 to 5
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer make sure that Enable has value 1
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient change the value of SpecialPollInterval to 900 decimal (15 min.)
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config change the values of MaxPosPhaseCorrection and MaxNegPhaseCorrection to 3600.

    On the other domain controllers:
    - In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change NtpServer value to the-IP-address-of-PDC.

    Restart the Windows Time service on all DCs:  net stop w32time && net start w32time

    Verify the settings of Default Domain Policy GPO: the state of Enable Windows NTP Client in Computer Configuration | Administrative Templates | System | Windows Time Service | Time Providers must be enabled to allow Windows NTP Client on all domain members to synchronize with the NTP server.

    For step-by-step instructions on how to set up the Windows Time Service, see the official blog of the Windows Time Service and the following TechNet link

    Add some virtualization considerations (Hyper-V):

    On the Linux box, you will have to run the ntpd service and make some modifications to /etc/ntp.conf to authorize the PDC IP address.
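The PDC-side registry steps above, turned into an audit-then-apply script; this is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell session on the PDC emulator and keeps the answer's placeholder name linux.source-ntp-server.local.

```powershell
# Added example (not code from the thread): audit the PDC-emulator W32Time registry
# values listed in the answer above and apply only those that differ.
# Run from an elevated PowerShell on the PDC. 'linux.source-ntp-server.local' is the
# placeholder name the answer uses; the 0x1 flag makes W32Time poll that server every
# SpecialPollInterval seconds.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$desired = @(
    @{ Key = "$base\Parameters"; Name = 'Type';      Value = 'NTP';                               Kind = 'String' }
    @{ Key = "$base\Parameters"; Name = 'NtpServer'; Value = 'linux.source-ntp-server.local,0x1'; Kind = 'String' }
    @{ Key = "$base\Config";     Name = 'AnnounceFlags';         Value = 5;    Kind = 'DWord' }
    # The answer writes "Enable"; the value name under this key is actually "Enabled".
    @{ Key = "$base\TimeProviders\NtpServer"; Name = 'Enabled';             Value = 1;    Kind = 'DWord' }
    @{ Key = "$base\TimeProviders\NtpClient"; Name = 'SpecialPollInterval'; Value = 900;  Kind = 'DWord' }
    @{ Key = "$base\Config";     Name = 'MaxPosPhaseCorrection'; Value = 3600; Kind = 'DWord' }
    @{ Key = "$base\Config";     Name = 'MaxNegPhaseCorrection'; Value = 3600; Kind = 'DWord' }
)

function Get-W32TimeDrift {
    # Emit one object per setting whose current registry value differs from the desired one.
    foreach ($s in $desired) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ("$current" -ne "$($s.Value)") {
            [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Current = $current; Desired = $s.Value; Kind = $s.Kind }
        }
    }
}

function Set-W32TimePdcConfig {
    param([switch]$Apply)   # without -Apply this only reports drift
    $drift = @(Get-W32TimeDrift)
    if ($drift.Count -eq 0) { Write-Host 'All W32Time values already match.'; return }
    $drift | Format-Table Key, Name, Current, Desired -AutoSize
    if (-not $Apply) { Write-Host 'Re-run with -Apply to change these values.'; return }
    foreach ($d in $drift) {
        Set-ItemProperty -Path $d.Key -Name $d.Name -Value $d.Desired -Type $d.Kind
    }
    # Same restart the answer gives, then confirm the service now reports the NTP source.
    Restart-Service w32time
    w32tm /resync
    w32tm /query /source
    w32tm /query /status
}

Set-W32TimePdcConfig          # audit only
# Set-W32TimePdcConfig -Apply # apply, restart w32time and verify
```

If w32tm /query /source still reports "Local CMOS Clock" after the restart, the PDC cannot reach UDP 123 on the Linux box or ntpd is not yet authorizing its address.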

    Author Comment

    So far, the Linux system is set up, and I manually synced the domain controller with it as a test by doing a "net time /set \\linuxserverhostname".

    However, I can't get member servers or workstations to synchronize.

    Strangely, when I do a "net time" in the command line, from any system, it already pops up with the PDC and states the time on the PDC correctly.  If I'm logged in as administrator on the system in question and do "net time /set \\", it will sync; otherwise, as a regular domain user, it will say that the user doesn't have the required privileges.

    I have a feeling that a GPO entry I have to prevent users from modifying system time is also preventing the system itself from applying the time sync.  I'll test this out this weekend, and will update.

    Accepted Solution

    Yes, that could be the case.

    If you want to keep the GPO, you can try changing the account of the Windows Time service. By default, it runs under the Local Service account, which is quite restricted (as a regular user). You could try to set it with an admin account (a domain user, member of the local admin group) or with Local System (too powerful, not advisable).

    Local Service vs. Local System and other accounts:

    Author Comment

    Sorry for the delay, but yes, correcting the GPO that prevented users from changing the time on their system made the difference.
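A member-side check for the failure the thread ended on, added here as an example and not part of the original posts: it reports which source W32Time is using and whether the account the service runs as still holds the "Change the system time" user right (SeSystemtimePrivilege), which by default includes LOCAL SERVICE and which a lockdown GPO can remove. It assumes an elevated session, since secedit needs one to export the effective policy.

```powershell
# Added example (not from the thread): on a member machine that will not sync, show
# which source W32Time is using and whether the account the service runs as still
# holds the "Change the system time" user right (SeSystemtimePrivilege), the right
# a lockdown GPO like the one in the thread can take away from LOCAL SERVICE.
# Run elevated; secedit needs it to export the effective policy.
function Get-ChangeTimeRightHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody
    # Holders are listed as '*SID' entries (sometimes plain names), comma-separated.
    @(($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() })
}

function Test-W32TimeMemberHealth {
    $svc = Get-CimInstance Win32_Service -Filter "Name='w32time'"
    # Map the service account to its well-known SID; fall back to a normal lookup.
    $sid = switch -Regex ($svc.StartName) {
        'LocalService$'   { 'S-1-5-19' }
        'NetworkService$' { 'S-1-5-20' }
        'LocalSystem$'    { 'S-1-5-18' }
        default { ([System.Security.Principal.NTAccount]$svc.StartName).Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value }
    }
    $holders = Get-ChangeTimeRightHolders
    [pscustomobject]@{
        ServiceAccount     = $svc.StartName
        ServiceState       = $svc.State
        HasChangeTimeRight = ($holders -contains "*$sid") -or ($holders -contains $svc.StartName)
        RightHolders       = $holders -join ', '
        TimeSource         = (w32tm /query /source) -join ''
    }
}

Test-W32TimeMemberHealth | Format-List
```

HasChangeTimeRight = False with the service still on Local Service is the symptom the thread describes; restoring LOCAL SERVICE to that user right in the GPO is the fix that avoids running the service under a more privileged account.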
