NTP GPO being applied to certain DCs and not others.


I've set up a group policy under Computer configuration > Admin templates > System > Windows Time Service > Time providers, where I enabled Configure Windows NTP Client, Enable Windows NTP Client and Enable Global configuration settings.

Under Configure Windows NTP Client I have selected Enabled, and for NtpServer I have put in 2 DCs which I want the rest of the DCs to sync NTP with.

The hosts example: Core1 and Core2. These are both getting their NTP from:

I want the rest of the DCs in our environment to get their NTP from Core1 and Core2.

Core1 is running WS 2016
Core2 is a Cisco switch
The rest of the DCs are running WS 2008 R2

So the problem is that some of these DCs are getting the proper NTP servers after a gpupdate /force. I'm getting a few which are not applying the GPO. I've checked the group policy results on these machines and it's showing up as neither Applied nor Denied.

Anyone have any suggestions?

Sounds like maybe you are having issues with replication among your domain controllers. Run "dcdiag /a" to check all domain controllers for issues.

You shouldn't need a GPO for this purpose. All computers will automatically sync with the PDC emulator role holder. You only need to configure an external time source for the PDC emulator, and to disable any hypervisor time sync service for all virtualized DCs.

Shaun Vermaak (Technical Specialist/Developer) commented:
Other DCs can get time from either the PDCe or from other DCs in the same site, as long as the time difference is within permissible limits.
Also, clients can get time from the PDCe or any other DC in the same site, as long as the time difference is within permissible limits.
You cannot force other DCs to only get time from the PDC server when there are multiple DCs in the site.
Also, as already stated above, you don't need a GPO; the client will pick up time automatically from peer DCs or from the PDC, which is at the top of the hierarchy.
Senior IT System Engineer (IT Professional) commented:
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).

Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5

Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled


Specify following settings in Configure Windows NTP Client policy:

NtpServer: us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 3.us.pool.ntp.org,0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0


As per: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
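
An added example, not part of the thread above and not the posters' own code: a PowerShell audit that reads, for every DC, the `DomainRole` value the WMI filter tests, the effective Windows Time `Type`, and whether that setting came from policy or local configuration. It assumes an admin workstation with PowerShell 3.0 or later, WMI/RPC access to the DCs, and English `w32tm` output.

```powershell
# Added example (not from the thread). Run from a domain-joined admin workstation
# with rights to query the DCs over WMI and w32tm.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        # Same property the WMI filter tests: 5 = PDC emulator, 4 = any other DC.
        # Get-WmiObject uses DCOM, so Server 2008 R2 targets do not need WinRM.
        $role = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $name -ErrorAction Stop).DomainRole

        # Effective w32time settings; each line ends in (Policy) or (Local).
        $config = (& w32tm /query "/computer:$name" /configuration) -join "`n"
        $source = & w32tm /query "/computer:$name" /source | Select-Object -First 1

        # Assumption: English w32tm output, e.g. "Type: NT5DS (Local)".
        $m = [regex]::Match($config, '(?m)^\s*Type:\s*(\S+)\s+\((\w+)\)')
        $type   = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
        $origin = if ($m.Success) { $m.Groups[2].Value } else { 'unknown' }

        # Expectation taken from the answers: NTP on the PDC emulator only.
        $expected = if ($role -eq 5) { 'NTP' } else { 'NT5DS' }

        [pscustomobject]@{
            DC = $name; DomainRole = $role; Type = $type; SetBy = $origin
            Source = "$source".Trim(); AsExpected = ($type -eq $expected)
        }
    }
    catch {
        # Unreachable or access-denied DCs are reported instead of aborting the run.
        [pscustomobject]@{
            DC = $name; DomainRole = $null; Type = 'error'; SetBy = ''
            Source = $_.Exception.Message; AsExpected = $false
        }
    }
}

# Rows that deviate from the expectation sort to the top.
$report | Sort-Object AsExpected, DC | Format-Table -AutoSize
```

A DC with `DomainRole` 4 and `SetBy` of `Local` was never matched by a filter of `DomainRole = 5`, which is the intended outcome for that filter.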