Configuring NTP for all domain servers using GPO best practice

Hi All,

I'd like to implement the Group Policy modification so that I can enter the NTP setting for my PDC emulator to be the primary source of time for all network devices and servers.

here's my list of NTP:
server 0.oceania.pool.ntp.org
server 1.oceania.pool.ntp.org
server 2.oceania.pool.ntp.org
server 3.oceania.pool.ntp.org

Open in new window


1. how do I input those four servers into the text boxes in
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
because it is just one lineTextbox and which flag format do I need to use?

2. Can I just simply modify the Default Domain Controllers Policy because I only want to target this to the PDC role holder ? or do I have to create new one and then perform WMI filter  
Select * from Win32_ComputerSystem where DomainRole = 5

Open in new window

LVL 9
Senior IT System EngineerIT ProfessionalAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

it_saigeDeveloperCommented:
You will have to create a new Policy set that is applied with the WMI filter you specified.  If you apply the filter to the Default Domain Controllers Policy, then only your PDC Emulator will apply the policies therein, all of you other domain controllers will not apply the policy set.

-saige-
0
Senior IT System EngineerIT ProfessionalAuthor Commented:
ah I see.
So what I need to do is to create new GPO object and change just single line "Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers" ?

what about the 4 values to be entered into the textbox ?
0
it_saigeDeveloperCommented:
Here is an example of using WMI Filtering with regards to PDC Emulator and Time Services:

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

As for the values to be entered, don't set the settings in the policy you referenced, create registry entries as shown here:

http://www.xenappblog.com/2012/time-server-group-policy/

-saige-
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Seth SimmonsSr. Systems AdministratorCommented:
if you're using the server with the PDC emulator role for the time source, why use GPO?
by default domain members will look to that server for time so as long as that server is configured properly for an external time source, you shouldn't need to do anything else

How to configure an authoritative time server in Windows Server
https://support2.microsoft.com/kb/816042/en-us
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Senior IT System EngineerIT ProfessionalAuthor Commented:
ok, so in this case the PDC emulator server itself can be reconfugured using the registry entry ?
is that correct rather than using GPO to point the PDC emulator to the 4x NTP Pool servers above ?
0
Seth SimmonsSr. Systems AdministratorCommented:
yeah...GPO isn't necessary
configure those registry values, restart NTP service and the system log should show entries saying it is receiving good time from one of the providers you specified
0
Senior IT System EngineerIT ProfessionalAuthor Commented:
Cool, I was confused myself reading the book from Amazon "Virtualizing Microsoft Business Critical Applications on VMware vSphere (VMware Press Technology)" which says that I need to perform the GPO method in setting one PDC role in my single domain to be the time server.

and when i started to do the implementation on my GP console, i confused myself and lucky that I didn't edit the Default DC GPO :-)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.