Timeserver on DOMAIN using GPO

I've built a server to provide time on the local network, and have been using it with Xen Server pools as I don't like giving the management interface on the hypervisor access the the outside network.  There are currently no VLANs setup, and the time syncs as it should for the hypervisors.  This NTP server is not a domain controller, secondary or otherwise (although I can change this if required, but would like to avoid having it as Primary).

The NTP server is a windows server 2008 R2 standard, with relevant services installed.  I can go the linux route, but I'm not sure if would cause problems in provide time to windows systems (I don't imagine it would).

In any case, I've tested the configuration, and manually sync'd one windows system to it.  What I want to do next is SYNC all the computers that are joined to the domain with this specific server.  I have been unsucessful so far, I'm not sure if it's what I detailed in the GPO.

I essentially have the entry configured in the GPO:

Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers -> Windows NTP Configuration

This points to the server  non-pdc-server.server_on_domain.ads

Should I instead have it point to the pdc and have the pdc somehow sync with this server? or use Windows NTP server instead of client?  I'm a little confused.
Who is Participating?
Svet PaperovIT ManagerCommented:
Yes, that could be the case.

If you want to keep the GPO, you can try changing the account of Windows Time service. By default, it runs under Local Service account which is quite restricted (as a regular user). You could try to set it with an admin account (a domain user, member of local admin group) or with Local System (too powerful, not advisable).  

Local Service vs. Local System and other accounts: http://social.msdn.microsoft.com/Forums/en/sqlsecurity/thread/31d57870-1faa-4e14-8527-ce77b1ff40e4
Svet PaperovIT ManagerCommented:
In Windows domain, the time source for all member servers and other domain controllers is the PDC-role holder DC, there is no need of GPO configuration.

I would synchronize the PDC with a NTP server on a stand-alone machine, Windows or Linux (Linux NTP is easy to setup and it is supported as source for Windows). I would also prefer that the NTP source is a Linux physical machine, in order to eliminate possible loops with the integration services.

Local Policies can be configured on a stand-alone Windows servers to synchronize the time with the PDC.

I am sorry, I cannot give more precise instructions because all my notes are in the office, but you can find all necessary information on Internet.

I hope this helps. If you have more questions I will be able to provide you more detailed info tomorrow.
metazendAuthor Commented:
Ok that's a fair suggestion.

I will rebuild the server with CentOS or FreeBSD, but what bothers me at the moment is that the member servers on the domain aren't syncing with the PDC for time.  Would I need to manually open a port (123) on the firewall for the PDC?

This implies I would not need to install additional services on the PDC to provide network time?  I can also have the computers joined on the domain to retrieve time from the PDC automatically?
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Svet PaperovIT ManagerCommented:
Detailed steps as promised… Please, consult the links bellow for the explanation of all Registry settings. This setup works in my environment.

On the PDC Domain Controller:
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change Type value from NT5DS to NTP
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change NtpServer value to linux.source-ntp-server.local,0x1, where linux.source-ntp-server.local is the single source
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config change AnnounceFlags decimal value from 10 to 5
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ NtpServer make sure that Enable has value 1
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\ NtpClient change the value of SpecialPollInterval to 900 decimal (15 min.)
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config change the values of MaxPosPhaseCorrection and MaxNegPhaseCorrection to 3600.

On the other domain controllers:
- In HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters change NtpServer value to the-IP-address-of-PDC.

Restart Windows Time service on all DC:  net stop w32time && net start w32time

Verify the settings of Default Domain Policy GPO: the state of Enable Windows NTP Client in Computer Configuration | Administrative Templates | System | Windows Time Service | Time Providers must be enabled to allow Windows NTP Client on all domain members to synchronize with the NTP server.

For step-by-step instructions of how to set up Windows Time Service see the official blog of Windows Time Service http://blogs.msdn.com/w32time/default.aspx and the following TechNet link http://technet.microsoft.com/en-us/library/cc773263%28WS.10%29.aspx.

Add some virtualization considerations (Hyper-V): http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

On the Linux box, you will have to run ntpd service and do some modifications of /etc/ntp.conf to authorize the PDC IP address.
metazendAuthor Commented:
So far, the linux system is setup, and the domain controller I manually synched with it as a test by doing a "net time /set \\linuxserverhostname"

However, I can't get member servers or workstations to synchronize.

Strangely, when I do a "net time" in the command line, from any system, it already pops up with the PDC and states the time on the PDC correctly.  If I'm logged in as administrator on the system in question and do "net time /set \\PDC.domain.ads"  it will sync, otherwise as regular domain user it will say that user doesn't have required privileges.

I have a feeling that a GPO entry I have to prevent users from modifying system time is also preventing the system itself from applying the time sync.  I'll test this out this weekend, and will update.
metazendAuthor Commented:
Sorry for the delay, but yes correcting the GPO that prevented users from changing the time on their system made the difference.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.