asked on NTP GPO being applied to certain DC's and not others.
Hi,
I've set up a group policy which goes into Computer configuration>Admin templates>System>Windows Time Service>Time providers>Enabled both Configure Windows NTP Client, Enable Windows NTP Client and Enable Global configuration settings.
Under Configure Windows NTP Client I have selected Enabled and for NtpServer I have put in 2 DC's which I want the rest of the DC's to sync NTP with.
The hosts example: Core1 and Core2. These are both getting their NTP from:
time-a.nist.gov
time-b.nist.gov
time-nist.gov
I want the rest of the DC's in our environment to get their NTP from Core1 and Core2.
Core1 is running WS 2016
Core2 is a cisco switch
The rest of the DC's are running WS 2008 R2
So the problem is some of these dc's are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the group policy results on these machines and it's neither showing up as Applied or Denied.
Anyone have any suggestions?
I've set up a group policy which goes into Computer configuration>Admin templates>System>Windows Time Service>Time providers>Enabled both Configure Windows NTP Client, Enable Windows NTP Client and Enable Global configuration settings.
Under Configure Windows NTP Client I have selected Enabled and for NtpServer I have put in 2 DC's which I want the rest of the DC's to sync NTP with.
The hosts example: Core1 and Core2. These are both getting their NTP from:
time-a.nist.gov
time-b.nist.gov
time-nist.gov
I want the rest of the DC's in our environment to get their NTP from Core1 and Core2.
Core1 is running WS 2016
Core2 is a cisco switch
The rest of the DC's are running WS 2008 R2
So the problem is some of these dc's are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the group policy results on these machines and it's neither showing up as Applied or Denied.
Anyone have any suggestions?
* ntpWindows OSCiscoRESTActive Directory
Last Comment
Albert Widjaja
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Other Ds can get time from either PDCe or from other DCs in same site as long as time difference is within permissible limits
Also clients can get time from PDCe or any other DC in same site as long as time difference is within permissible limits
You cannot force other DCs to only get time from PDC server when there are multiple DCs in site
Also as already stated above, you don't need GPO, client will pickup time automatically with peer DCs or from PDC which is the top in hierarchy
Also clients can get time from PDCe or any other DC in same site as long as time difference is within permissible limits
You cannot force other DCs to only get time from PDC server when there are multiple DCs in site
Also as already stated above, you don't need GPO, client will pickup time automatically with peer DCs or from PDC which is the top in hierarchy
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).
Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:
Group Policy: Computer Configuration->Administrat
WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5
Specify following settings in Configure Windows NTP Client policy:
As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:
Group Policy: Computer Configuration->Administrat
WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5
Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled
Specify following settings in Configure Windows NTP Client policy:
NtpServer: us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1, 2.us.pool.ntp.org.0x1, 3.us.pool.ntp.org.0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
Resolve Peer BAckoffMaxTimes: 7
SpecilalPoolInterval: 3600
EventLogFlags: 0
As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/