Special NTP GPO for the PDC

Each and every domain should be timesynced to the realworld, outside stockholm where I live. Sorry old joke from the old Swedish Comedy series.

Well all domains should have a reliable time provider, I suggest using an internet source or a GPS source. Also All domains should have a easy to understand time sync tree. I want the PDC to own the time for the domain. But since that role might move, smarts is required. I create a WMI filter and a GPO that I link into the Domain Controllers OU. Please dont move the domain controllers from there..

Lets start with the WMI query:

Select * from Win32_ComputerSystem where DomainRole = 5

What this does is all systems that has the PDC role (5) will get this policy.

Lets do the policy then:

  • Create a new GPO
  • Disable Users Configuration Settings on the new Policy
  • Edit the policy
    • Go into Computer Configuration
    • Policies
    • Administrative Templates
    • System
    • Windows Time Service
    • Time Provider
    1. Enable the Windows NTP Client
    2. Configure Windows NTP Client
      • Set a NtpServer, leave the 0x9 I suggest using pool.ntp.org,0x9
      • Set Type to NTP
  • Link the GPO to the Domain Controllers OU
  • Go a gpupdate /target:computer /force on the PDC

There you go, a NTP settings that will follow your PDC, so you dont have to remember. If you have a bad configuration on a domain controller, dont forget to reset it to default domain hierarchy.

Leave a Reply