NTP GPO being applied to certain DC's and not others.


I've set up a group policy which goes into Computer configuration>Admin templates>System>Windows Time Service>Time providers>Enabled both Configure Windows NTP Client, Enable Windows NTP Client and Enable Global configuration settings.

Under Configure Windows NTP Client I have selected Enabled and for NtpServer I have put in 2 DC's which I want the rest of the DC's to sync NTP with.

The hosts example: Core1 and Core2. These are both getting their NTP from:

I want the rest of the DC's in our environment to get their NTP from Core1 and Core2.

Core1 is running WS 2016
Core2 is a cisco switch
The rest of the DC's are running WS 2008 R2

So the problem is some of these dc's are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the group policy results on these machines and it's neither showing up as Applied or Denied.

 Anyone have any suggestions?
kevinhsieh commented:
Sounds like maybe you are having issues with replication among your domain controllers. Run "dcdiag /a" to check all domain controllers for issues.

You shouldn't need a GPO for this purpose. All computers will automatically sync with the PDC emulator role holder. You only need to configure external time source for the PDC emulator, and to disable any hypervisor time sync service for all virtualized DCs.
Shaun Vermaak (Technical Specialist/Developer) commented:
Other DCs can get time from either the PDCe or from other DCs in the same site, as long as the time difference is within permissible limits.
Also, clients can get time from the PDCe or any other DC in the same site, as long as the time difference is within permissible limits.
You cannot force other DCs to only get time from the PDC server when there are multiple DCs in the site.
Also, as already stated above, you don't need a GPO; clients will pick up time automatically from peer DCs or from the PDC, which is at the top of the hierarchy.
Senior IT System Engineer (IT Professional) commented:
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).

Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5

Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled


Specify following settings in Configure Windows NTP Client policy:

NtpServer: us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0


As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
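To check which DCs actually follow the layout the answers describe (PDC emulator on Type NTP, every other DC on NT5DS) and whether each value came from a GPO or from local configuration, the following audit can be run from a management host. It is an added example, not code from any of the posters; it assumes a single-domain forest, the ActiveDirectory RSAT module, and that `w32tm` can reach each DC over RPC.

```powershell
# Added example: audit the W32Time Type and current source on every DC.
# Assumptions: single-domain forest, ActiveDirectory module installed,
# caller has rights to query the time service remotely.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator        # FQDN of the PDC emulator role holder
$dcs = Get-ADDomainController -Filter *

$report = foreach ($dc in $dcs) {
    $name   = $dc.HostName
    $isPdc  = ($name -eq $pdc)
    # Expected layout per the answers: only the PDCe uses NTP, the rest use NT5DS
    $expect = if ($isPdc) { 'NTP' } else { 'NT5DS' }

    # Ask the remote time service for its current source and its configuration
    $source = (& w32tm /query /computer:$name /source 2>&1 | Out-String).Trim()
    $config = & w32tm /query /computer:$name /configuration 2>&1

    # Configuration lines look like "Type: NT5DS (Local)" or "Type: NTP (Policy)";
    # the suffix shows whether a GPO or the local registry supplied the value.
    $type = $null; $origin = $null
    foreach ($line in $config) {
        if ("$line" -match '^\s*Type:\s*(\S+)\s*\((\w+)\)') {
            $type = $Matches[1]; $origin = $Matches[2]; break
        }
    }

    [pscustomobject]@{
        DC       = $name
        IsPDCe   = $isPdc
        Type     = $type       # stays empty if the query failed
        SetBy    = $origin     # Policy = GPO applied, Local = registry/default
        Source   = $source
        Expected = $expect
        OK       = ($type -eq $expect)
    }
}

$report | Format-Table -AutoSize
```

A DC that shows `SetBy` as `Local` while others show `Policy` is one where the time GPO did not apply, which matches the symptom in the question.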