Each and every domain should be time-synced to the real world, outside Stockholm where I live. Sorry, old joke from an old Swedish comedy series.
Every domain should have a reliable time provider; I suggest using an internet source or a GPS source. Every domain should also have an easy-to-understand time sync tree. I want the PDC to own the time for the domain, but since that role might move, some smarts are required: I create a WMI filter and a GPO that I link to the Domain Controllers OU. Please don't move the domain controllers out of there.
Let's start with the WMI query:
Select * from Win32_ComputerSystem where DomainRole = 5
What this does: only the system that currently holds the PDC emulator role (DomainRole = 5) matches the filter and gets this policy. Kerberos authentication depends on clocks being within the allowed skew, so keeping this one box on a trustworthy source matters.
Let's do the policy then:
- Create a new GPO
- Disable Users Configuration Settings on the new Policy
- Edit the policy
- Go into Computer Configuration
- Policies
- Administrative Templates
- System
- Windows Time Service
- Time Provider
- Enable the Windows NTP Client
- Configure Windows NTP Client
- Set NtpServer; keep the 0x9 flag (0x1 = use SpecialPollInterval, 0x8 = client mode). I suggest using pool.ntp.org,0x9
- Set Type to NTP
- Link the GPO to the Domain Controllers OU
- Run gpupdate /target:computer /force on the PDC
There you go: NTP settings that follow your PDC, so you don't have to remember where the role lives. If a domain controller has a bad time configuration, don't forget to reset it to the default domain hierarchy.
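As an added check (this script is not part of the original post), here is a PowerShell snippet to run on each domain controller after the gpupdate. It repeats the WMI filter's test, reads the policy registry values that "Configure Windows NTP Client" writes, and confirms that the PDC uses the external source while the other DCs still follow the domain hierarchy; the -Repair switch is my own addition that resets a non-PDC DC to domhier.

```powershell
# Added example: verify the PDC-only W32Time GPO and the time sync tree.
# Run in an elevated PowerShell on each domain controller.
param(
    [string]$ExpectedNtpServer = 'pool.ntp.org,0x9',  # value used in the GPO above
    [switch]$Repair                                   # reset a non-PDC DC to domain hierarchy
)

# Same test the WMI filter performs: DomainRole 5 = primary domain controller (PDC emulator).
$role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isPdc = ($role -eq 5)

# Policy-delivered NTP client settings land under this key (assumed; adjust if your build differs).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# Current time source as reported by the time service itself.
$source = (w32tm /query /source) -join ''
Write-Host "Host: $env:COMPUTERNAME  DomainRole: $role  Time source: $source"

if ($isPdc) {
    # PDC: the GPO must have applied Type=NTP and the expected NtpServer string.
    if ($null -eq $policy) {
        Write-Warning 'No W32Time policy applied; check the WMI filter and the GPO link.'
    } elseif ($policy.Type -ne 'NTP' -or $policy.NtpServer -ne $ExpectedNtpServer) {
        Write-Warning "Policy mismatch: Type=$($policy.Type) NtpServer=$($policy.NtpServer)"
    } else {
        Write-Host 'PDC policy OK; external NTP source configured.'
    }
} else {
    # Other DCs: must NOT carry the PDC policy and must sync from the domain hierarchy.
    if ($null -ne $policy -and $policy.Type -eq 'NTP') {
        Write-Warning 'Non-PDC DC has a manual NTP policy; the WMI filter is not doing its job.'
    }
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        Write-Warning 'This DC is trusting its own clock instead of the domain hierarchy.'
        if ($Repair) {
            # Reset to the default domain hierarchy and force a sync.
            w32tm /config /syncfromflags:domhier /update | Out-Null
            w32tm /resync | Out-Null
            Write-Host "Reset to domain hierarchy; new source: $((w32tm /query /source) -join '')"
        }
    } else {
        Write-Host 'Non-PDC DC follows the domain hierarchy.'
    }
}
```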