Recommendations for GPOs in Domain Controllers OU?

I am trying to implement this as it is not built into the FSMO transfer for whatever reason...

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

But when it comes to creating or messing with existing GPOs attached to the Domain Controllers OU, I am a bit trepidatious.  Perhaps I am being overly cautious.  In any case, what are the best practices for interacting with the Domain Controllers OU?

For example, in implementing the above link, should I attach this WMI filter to the default domain controllers GPO that is already attached to the domain controllers OU, or should I create a new GPO just for the purposes of this (As the article seems to do in its scenario)?  Then attach that GPO to the domain controllers OU and attach the WMI filter to the newly created GPO?  What are the ramifications of doing this?  

As with most networks, ours was inherited from one IT person to the next; I am unsure of all the modifications done to the current domain controllers GPO, so I am wondering what creating a new GPO at the same level would do in terms of possible conflicting settings and precedence.

My opinion is that I should simply attach this WMI filter to the pre-existing domain controllers GPO, but am wondering if this is not a good idea?

I am just trying to avoid messing things up and mitigating complexity as much as possible, if it is not required.

Thanks
CnicNV Asked:

Neadom Tucker Commented:
My suggestion would be to run a RSPO and GPRESULT /R on a Server so you can see what policies are applying:
https://technet.microsoft.com/en-us/library/bb496348.aspx?f=255&MSPPError=-2147217396

The RSOP will give you the information on the individual policy so you can see if it is applied already.  If it is not applied, I would suggest applying a separate GPO for this.  I try to use a name like C_AuthoritativeTimeServers.

If it is applied, you will have to look at each GPO and find where the setting is.  You can use GPRESULT /R to show you which policies are applying to the server.

I hope that helps.
0
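As an added example (not code from the thread), the following PowerShell does the same inventory from the console: it resolves the Domain Controllers OU from the domain, lists every GPO linked there with its link order, enforcement state and WMI filter, and writes a computer-scope RSoP report for one DC. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the DC name and output path are placeholders.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy and
# ActiveDirectory modules and a user with read access to Group Policy.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-DcOuGpoLinks {
    # Resolve the Domain Controllers OU DN from the domain rather than hard-coding it.
    $dcOu = (Get-ADDomain).DomainControllersContainer
    $inheritance = Get-GPInheritance -Target $dcOu

    foreach ($link in $inheritance.GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Order     = $link.Order          # link order 1 = applied last = highest precedence
            Name      = $link.DisplayName
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            WmiFilter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
            Modified  = $gpo.ModificationTime
        }
    }
}

function Export-DcRsopReport {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Path = "$env:TEMP\rsop-$ComputerName.html"   # assumed output location
    )
    # Computer-scope RSoP for the named DC; the HTML report lists which GPO
    # actually won for each setting, much like GPRESULT /R.
    Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Html -Path $Path | Out-Null
    return $Path
}

Get-DcOuGpoLinks | Sort-Object Order | Format-Table -AutoSize
Export-DcRsopReport -ComputerName 'DC01'   # 'DC01' is a placeholder DC name
```

Run the inventory before touching the OU: the WmiFilter column shows whether the Default Domain Controllers Policy already carries a filter (it should not, since a filter on it would stop the whole policy applying to DCs that fail the filter), and the link order tells you where a new, separately linked GPO would sit in precedence.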
Will Szymkowski, Senior Solution Architect, Commented:
My opinion is that I should simply attach this WMI filter to the pre-existing domain controllers GPO,

When you are referencing anything related to WMI it would be in your best interest to only apply this where necessary. That being said I would recommend that you create a new GPO and link it to the appropriate OU's where you want this applied.

WMI taxes the processing so you want to target this to a specific OU and not at a top level OU, if you can help it.

Will.
0
tigermatt Commented:
In this specific case, the policy should certainly be linked to the Domain Controllers OU, and a WMI filter must be used to ensure it only applies to the DC holding the PDC Emulator role; any other configuration is going to break the manner in which Windows uses the domain hierarchy to find a server to sync time with. (Blog post with all the gory details.)

I like the idea to use a Group Policy Object to achieve the time sync configuration when the PDCe role moves elsewhere. Yes, I am also extremely cautious applying GPOs to the DCs OU -- for good reason -- but that doesn't mean to say you cannot apply a policy if you have an overwhelmingly good reason to do so, and it satisfies your corporate policies regarding these circumstances. It behooves any good administrator to test and maintain good backups, so you hopefully have get-out cards if anything goes wrong.

Stepping back slightly, I would question how frequently the PDCe role changes in your organisation, such that this is required? Roles are generally moved infrequently, to the point that I typically make it part of the written policy for moving ops roles to ensure time sync is reconfigured; somebody then does it manually.
If you have many domain admins who may move the role, then again, a written policy approach might be best to ensure the configuration is done correctly and to ensure the old box has its time settings properly reset to use the domain hierarchy; you at least want some checks and balances to ensure the GPO does its job correctly. Having it written down in the policy and training the team to do this manually makes it a valuable learning opportunity for those with less understanding of time in an AD environment to get to grips with WHY they are doing this configuration, WHY only the PDCe should be configured in this way, etc., rather than finding out when the GPO breaks that nobody understands what's going on and all hell breaks loose...
0

CnicNV Author Commented:
Any idea on how to "manually" do this?  I.e. a command that can be executed on the new PDC to say hit these public NTP servers?  Then a command to tell other non-PDCs to follow the domain hierarchy (i.e. the PDC being the final say)?  I don't have many DCs so it's not a big deal to manually configure this.

I am guessing once this is done, workstations and regular servers will also round-robin various DCs to pull this info?
0
DrDave242 Commented:
On the PDC Emulator:
w32tm /config /manualpeerlist:"<peer_list>" /syncfromflags:MANUAL /update

In the command above, <peer_list> is a list of the FQDNs or IP addresses of the NTP servers you want to use, separated by spaces. Note that the list must be enclosed in quotes if you're specifying more than one NTP server.

On the other DCs:
w32tm /config /syncfromflags:DOMHIER /update

Please note that, if you've already configured a GPO to do this, the GPO will override the settings on the next policy refresh.
0
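The two commands above, wrapped in an added PowerShell example (not DrDave242's or the thread's own code) that picks the right one by checking whether the local DC currently holds the PDC Emulator role, so the same script can be kept in the role-transfer runbook and run on whichever box becomes (or stops being) the PDCe. It assumes the ActiveDirectory module, an elevated session on the DC itself, and uses a constructed placeholder peer list; the ",0x8" and ",0xa" suffixes are the documented w32tm peer flags (0x8 = client mode, 0x2 = fallback only, combined as 0xa).

```powershell
# Added example, not from the original thread. Run elevated on the DC being
# configured. The peer list is a constructed placeholder; use approved sources.
Import-Module ActiveDirectory

function Test-IsPdcEmulator {
    # OperationMasterRoles lists the FSMO roles this DC holds.
    $roles = (Get-ADDomainController -Identity $env:COMPUTERNAME).OperationMasterRoles
    return ($roles -contains 'PDCEmulator')
}

function Set-DcTimeSource {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Peers are space-separated; each may carry a flag after a comma:
        # 0x8 = client mode (request/response), 0x2 = use as fallback only,
        # 0x1 = use SpecialPollInterval. 0xa = 0x8 + 0x2.
        [string[]] $PeerList = @('ntp1.example.invalid,0x8', 'ntp2.example.invalid,0xa')
    )
    if (Test-IsPdcEmulator) {
        $peers = $PeerList -join ' '       # passed to w32tm as one quoted argument
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "set manual NTP peers: $peers")) {
            # Only the PDCe gets a manual peer list; it is also flagged reliable.
            w32tm /config /manualpeerlist:"$peers" /syncfromflags:MANUAL /reliable:yes /update
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'sync from the domain hierarchy')) {
            # Every other DC follows the domain hierarchy (NT5DS).
            w32tm /config /syncfromflags:DOMHIER /update
        }
    }
    if (-not $WhatIfPreference) {
        w32tm /resync /nowait          # ask the service to resync straight away
        w32tm /query /source           # confirm which source it actually selected
    }
}

Set-DcTimeSource -WhatIf   # preview first; rerun without -WhatIf to apply
```

The -WhatIf run prints which branch would execute without touching the service. Keep DrDave242's caveat in mind: if a GPO in scope sets Windows Time parameters, those values win again at the next policy refresh, so either the GPO or the manual commands should own the configuration, not both.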
tigermatt Commented:
I've documented various details about the process of configuring DCs (and, in fact, workstations and member servers) for time sync here:
https://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

The cardinal rule is that only the PDC emulator should have a manual NTP peer list configured. All others should sync with the domain hierarchy. The settings are stored in the registry (look in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters) -- you're looking for NT5DS, which means the server to sync with is one of the DCs and is automatically located. A setting of NTP means a manual sync with an NTP server someplace; only the PDCe should have "NTP".

The commands DrDave242 provides are precisely what you want; don't forget you can also use w32tm /unregister and w32tm /register to flush out ALL the configuration of the time service and reset it to "out-of-the-box", which can be useful if you do not know how reliable it is, or if it has been tweaked extensively.

Workstations and regular servers, by default, will use the domain hierarchy to sync time; but their time services can be misconfigured and set to use another NTP server in the same way as a DC can. It's generally less of an issue with a workstation, since it just won't work or won't be reliable if its time goes out of kilter, unlike a DC where misconfigured time can spiral to more major issues across the enterprise.

The GPO you were proposing configuring notwithstanding, there's generally no need to use GPOs to manage the time service. There's a wealth of settings relating to sync parameters and clock precision settings and various others which you can play with; unless there is a specific, demonstrable reason to configure these, don't. They're not necessary for proper time sync, and if configured they typically cause problems.

Also, don't forget to verify any freebie online NTP servers satisfy any SLA requirements you are required to meet; many mid-to-large-scale outfits use an on-site clock synced to a global time source (e.g. a GPS source) for this reason.
0
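An added audit script (not tigermatt's code) that checks the cardinal rule above across the whole domain: it reads the W32Time Parameters and Config keys on every DC over WinRM and flags any DC whose Type disagrees with its role (only the PDCe should be NTP with a peer list; all others NT5DS). It assumes the ActiveDirectory module and PowerShell remoting to the DCs, and changes nothing.

```powershell
# Added example, not from the original thread. Read-only: it only reports.
Import-Module ActiveDirectory

function Get-DcTimeConfigAudit {
    $pdce = (Get-ADDomain).PDCEmulator
    $dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # Collect the raw registry values from each DC in one remoting call.
    $raw = Invoke-Command -ComputerName $dcs -ScriptBlock {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
        $c = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
        [pscustomobject]@{
            Type          = $p.Type            # NT5DS, NTP, NoSync or AllSync
            NtpServer     = $p.NtpServer       # manual peer list; only meaningful when Type = NTP
            AnnounceFlags = $c.AnnounceFlags   # 10 (0xA) = auto-announce (default); 5 = always reliable
        }
    } -ErrorAction SilentlyContinue

    foreach ($r in $raw) {
        $isPdce   = $r.PSComputerName -ieq $pdce
        $expected = if ($isPdce) { 'NTP' } else { 'NT5DS' }
        $issue    = if ($r.Type -ne $expected) {
                        "Type is '$($r.Type)', expected '$expected'"
                    }
                    elseif ($isPdce -and [string]::IsNullOrWhiteSpace($r.NtpServer)) {
                        'PDCe has no manual NTP peers'
                    }
                    else { '' }
        [pscustomobject]@{
            DC            = $r.PSComputerName
            IsPdce        = $isPdce
            Type          = $r.Type
            NtpServer     = $r.NtpServer
            AnnounceFlags = $r.AnnounceFlags
            Issue         = $issue
        }
    }

    # DCs that did not answer are an audit gap, not a pass; report them too.
    foreach ($dc in $dcs) {
        if (-not ($raw.PSComputerName -icontains $dc)) {
            [pscustomobject]@{ DC = $dc; IsPdce = ($dc -ieq $pdce); Type = $null
                               NtpServer = $null; AnnounceFlags = $null; Issue = 'no response' }
        }
    }
}

Get-DcTimeConfigAudit | Format-Table -AutoSize
```

Anything in the Issue column is worth a look: a non-PDCe showing NTP is the misconfiguration tigermatt warns about, and it is exactly what an old PDCe looks like after the role has been moved but its time settings were never reset to the domain hierarchy.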
CnicNV Author Commented:
I have two more questions when running these commands, especially the "w32tm /config /manualpeerlist:"<peer_list>" /syncfromflags:MANUAL /update".

1.  To configure the NTP servers, can I put multiple DNS entries for time servers in here?  So that there is some redundancy.  If so, what is the delimiter format, semicolon?  What is the precedence level, first entry is hit first?

2.  I vaguely remember that after you enter the w32tm command to set the NTP servers on the PDCE, you had to enter a second command to say that these are trusted sources and that it's ok to sync with them, otherwise I am guessing the PDCE will not bother without it.  Do you know what that command is?

Thanks :-)
0
tigermatt Commented:
To configure the NTP servers, can I put multiple DNS entries for time servers in here?  So that there is some redundancy.  If so, what is the delimiter format, semicolon?  What is the precedence level, first entry is hit first?
Space; wrap a list of multiple servers in double quotes. The behaviour when a server cannot be reached depends on the flags you set after the server name. TechNet has a good blog post regarding recommended flags for adding redundant NTP sources to the peer list. The flags also have formal documentation.

I vaguely remember that after you enter the w32tm command to set the NTP servers on the PDCE, you had to enter a second command to say that these are trusted sources and that it's ok to sync with them, otherwise I am guessing the PDCE will not bother without it.  Do you know what that command is?
I suspect you are thinking about the /reliable switch to the w32tm command, to declare the server a reliable source of time. The command would be as follows (/update instructs the time service the configuration has changed and should be reloaded):
w32tm /config /reliable:yes /update


0

DrDave242 Commented:
1.  To configure the NTP servers, can I put multiple DNS entries for time servers in here?  So that there is some redundancy.  If so, what is the delimiter format, semicolon?  What is the precedence level, first entry is hit first?
Yes, you can specify multiple NTP servers in the command. If you do so, enclose the entire list in quotes and separate the individual entries (which can be DNS names or IP addresses) with spaces, like so:

w32tm /config /manualpeerlist:"time-a.nist.gov time-b.nist.gov time.windows.com" /syncfromflags:MANUAL /update

2.  I vaguely remember that after you enter the w32tm command to set the NTP servers on the PDCE, you had to enter a second command to say that these are trusted sources and that it's ok to sync with them, otherwise I am guessing the PDCE will not bother without it.  Do you know what that command is?
I'm not aware of another command. The /update switch lets the Windows Time service know that the configuration has changed, so it should attempt to sync immediately after the w32tm command is issued. There is a /reliable:YES switch that can be appended to the w32tm command, but this lets other servers know that the server that issued the command is a reliable time source - it doesn't relate to that server's time sources at all (and it's not necessary in this case; the PDC Emulator is considered a reliable time source by default).
0
DrDave242 Commented:
Sorry tigermatt, I got caught up in something else and didn't post my reply until well after you did.
0
tigermatt Commented:
No worries; two is better than zero!
0
CnicNV Author Commented:
Thanks guys for the help, you have answered all of my questions well :-)
0