Fveng asked:

NTP GPO being applied to certain DCs and not others.

Hi,

I've set up a group policy under Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers and enabled all three settings: Configure Windows NTP Client, Enable Windows NTP Client and Enable Global Configuration Settings.

Under Configure Windows NTP Client I have selected Enabled and for NtpServer I have put in the 2 DCs which I want the rest of the DCs to sync NTP with.

The hosts example: Core1 and Core2. These are both getting their NTP from:
time-a.nist.gov
time-b.nist.gov
time-nist.gov

I want the rest of the DCs in our environment to get their NTP from Core1 and Core2.

Core1 is running WS 2016
Core2 is a cisco switch
The rest of the DCs are running WS 2008 R2

So the problem is that only some of these DCs are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the Group Policy Results on these machines and the GPO shows up as neither Applied nor Denied.

Anyone have any suggestions?

Tags: ntp, Windows OS, Cisco, REST, Active Directory

Last comment: Albert Widjaja, 8/22/2022

ASKER CERTIFIED SOLUTION
kevinhsieh
(solution only available to members)
Mahesh

Other DCs can get time either from the PDCe or from other DCs in the same site, as long as the time difference is within permissible limits.
Also, clients can get time from the PDCe or any other DC in the same site, as long as the time difference is within permissible limits.
You cannot force other DCs to get time only from the PDC server when there are multiple DCs in a site.
Also, as already stated above, you don't need a GPO; clients will pick up time automatically from peer DCs or from the PDC, which is at the top of the hierarchy.
Albert Widjaja

Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left at the default, i.e. "NT5DS" (domain hierarchy).

Create the Group Policy below, targeted at the PDC emulator role only, to set NTP to the NTP pool:

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5

Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled

Specify following settings in Configure Windows NTP Client policy:

NtpServer: us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0


As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
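The role-based split described in the two answers above (PDC emulator syncs from external peers as type NTP, every other DC stays on the NT5DS domain hierarchy), as an added PowerShell example that is not code from any poster in this thread. It uses the same Win32_ComputerSystem.DomainRole property that the WMI filter tests, reads the local and GPO-written W32Time registry values, and applies the matching w32tm configuration. Assumptions: it runs elevated on the DC being checked, and the four pool hostnames are placeholders chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce and verify the W32Time role split from a script.
# Placeholder upstream peers for the PDC emulator (assumption, adjust to taste).
$UpstreamPeers = '0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1'

function Get-DomainRoleName {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (PDC emulator).
    # A GPO WMI filter of "DomainRole = 5" matches exactly the host where this returns 5.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    switch ($role) {
        0 { 'StandaloneWorkstation' }
        1 { 'MemberWorkstation' }
        2 { 'StandaloneServer' }
        3 { 'MemberServer' }
        4 { 'BackupDomainController' }
        5 { 'PrimaryDomainController' }
        default { "Unknown($role)" }
    }
}

function Get-W32TimeConfig {
    # Local values live under Services\W32Time; a "Configure Windows NTP Client" GPO
    # writes the same value names under Software\Policies, which take precedence.
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalType       = $local.Type
        LocalNtpServer  = $local.NtpServer
        PolicyType      = $policy.Type
        PolicyNtpServer = $policy.NtpServer
        CurrentSource   = (w32tm /query /source)
    }
}

function Set-TimeHierarchy {
    param([string]$RoleName = (Get-DomainRoleName))
    if ($RoleName -eq 'PrimaryDomainController') {
        # PDC emulator: manual peer list (Type becomes NTP), advertised as reliable.
        w32tm /config /manualpeerlist:"$UpstreamPeers" /syncfromflags:manual /reliable:yes /update
    }
    elseif ($RoleName -eq 'BackupDomainController') {
        # Any other DC: follow the domain hierarchy (Type becomes NT5DS), not reliable.
        w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    else {
        # Member servers and workstations: domain hierarchy only (/reliable is DC-only).
        w32tm /config /syncfromflags:domhier /update
    }
    w32tm /resync /rediscover
}

function Test-TimeHierarchy {
    # $true when the effective Type matches the role; policy value wins if a GPO set one.
    $role = Get-DomainRoleName
    $cfg  = Get-W32TimeConfig
    $effectiveType = if ($cfg.PolicyType) { $cfg.PolicyType } else { $cfg.LocalType }
    if ($role -eq 'PrimaryDomainController') { return $effectiveType -eq 'NTP' }
    return $effectiveType -eq 'NT5DS'
}

# Usage on one DC: apply the role-appropriate settings, then report.
Set-TimeHierarchy
Get-W32TimeConfig | Format-List
"Hierarchy correct for $(Get-DomainRoleName): $(Test-TimeHierarchy)"
```

Two checks worth running alongside this. `w32tm /query /configuration` tags every value with `(Local)` or `(Policy)`; anything marked `(Policy)` came from a GPO and will overwrite whatever `w32tm /config` set at the next policy refresh, so a GPO and a manual configuration should not both target the same host. And in Group Policy Results, a GPO excluded by a WMI or security filter is listed as Denied with the reason; a GPO that appears as neither Applied nor Denied is simply not linked anywhere in that computer's site, domain or OU path (`gpresult /r /scope:computer` shows both lists).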