NTP GPO being applied to certain DC's and not others.
Hi,
I've set up a group policy which goes into Computer configuration>Admin templates>System>Windows Time Service>Time providers>Enabled both Configure Windows NTP Client, Enable Windows NTP Client and Enable Global configuration settings.
Under Configure Windows NTP Client I have selected Enabled and for NtpServer I have put in 2 DC's which I want the rest of the DC's to sync NTP with.
The hosts example: Core1 and Core2. These are both getting their NTP from:
time-a.nist.gov
time-b.nist.gov
time-nist.gov
I want the rest of the DC's in our environment to get their NTP from Core1 and Core2.
Core1 is running WS 2016
Core2 is a cisco switch
The rest of the DC's are running WS 2008 R2
So the problem is some of these dc's are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the group policy results on these machines and it's neither showing up as Applied or Denied.
Anyone have any suggestions?
I've set up a group policy which goes into Computer configuration>Admin templates>System>Windows Time Service>Time providers>Enabled both Configure Windows NTP Client, Enable Windows NTP Client and Enable Global configuration settings.
Under Configure Windows NTP Client I have selected Enabled and for NtpServer I have put in 2 DC's which I want the rest of the DC's to sync NTP with.
The hosts example: Core1 and Core2. These are both getting their NTP from:
time-a.nist.gov
time-b.nist.gov
time-nist.gov
I want the rest of the DC's in our environment to get their NTP from Core1 and Core2.
Core1 is running WS 2016
Core2 is a cisco switch
The rest of the DC's are running WS 2008 R2
So the problem is some of these dc's are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the group policy results on these machines and it's neither showing up as Applied or Denied.
Anyone have any suggestions?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
You only apply NTP to PDCe. You can do it dynamically with this process
https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/
https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/
Other Ds can get time from either PDCe or from other DCs in same site as long as time difference is within permissible limits
Also clients can get time from PDCe or any other DC in same site as long as time difference is within permissible limits
You cannot force other DCs to only get time from PDC server when there are multiple DCs in site
Also as already stated above, you don't need GPO, client will pickup time automatically with peer DCs or from PDC which is the top in hierarchy
Also clients can get time from PDCe or any other DC in same site as long as time difference is within permissible limits
You cannot force other DCs to only get time from PDC server when there are multiple DCs in site
Also as already stated above, you don't need GPO, client will pickup time automatically with peer DCs or from PDC which is the top in hierarchy
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).
Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:
Group Policy: Computer Configuration->Administrat
WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5
Specify following settings in Configure Windows NTP Client policy:
As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:
Group Policy: Computer Configuration->Administrat
WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5
Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled
Specify following settings in Configure Windows NTP Client policy:
NtpServer: us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1, 2.us.pool.ntp.org.0x1, 3.us.pool.ntp.org.0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
Resolve Peer BAckoffMaxTimes: 7
SpecilalPoolInterval: 3600
EventLogFlags: 0
As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ntp
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
You shouldn't need a GPO for this purpose. All computers will automatically sync with the PDC emulator role holder. You only need to configure external time source for the PDC emulator, and to disable any hypervisor time sync service for all virtualized DCs.