Each and every domain should be time-synced to the real world, outside Stockholm where I live. Sorry, old joke from an old Swedish comedy series.

Well, all domains should have a reliable time provider; I suggest using an internet source or a GPS source. All domains should also have an easy-to-understand time sync tree. I want the PDC emulator to own the time for the domain. But since that role might move to another domain controller, some smarts are required: I create a WMI filter and a GPO that I link to the Domain Controllers OU, so the settings follow whichever DC currently holds the role. Please don't move the domain controllers out of that OU.

Let's start with the WMI query:

Select * from Win32_ComputerSystem where DomainRole = 5

What this does is that only the system holding the PDC emulator role (DomainRole = 5 in Win32_ComputerSystem) will get this policy; every other DC keeps the default domain hierarchy and syncs from the PDC.

Let's do the policy then:

  • Create a new GPO
  • Disable the User Configuration settings on the new policy
  • Attach the WMI filter created above to the GPO
  • Edit the policy
    • Go into Computer Configuration
    • Policies
    • Administrative Templates
    • System
    • Windows Time Service
    • Time Providers
      • Enable Windows NTP Client
      • Configure Windows NTP Client
        • Set NtpServer and keep the 0x9 flag (use a special poll interval, and treat the peer as a fallback-capable client source); I suggest using pool.ntp.org,0x9
        • Set Type to NTP
  • Link the GPO to the Domain Controllers OU
  • Run gpupdate /target:computer /force on the PDC emulator

There you go: NTP settings that follow your PDC emulator wherever the role goes, so you don't have to remember to reconfigure time after a role transfer. If you have a bad, hand-edited time configuration on a domain controller, don't forget to reset it to the default domain hierarchy (w32tm /config /syncfromflags:domhier /update), otherwise that DC will keep ignoring the PDC.
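To check that the WMI-filtered policy actually landed where it should, here is an added PowerShell check (example code written for this post, not part of the original). It assumes the ActiveDirectory RSAT module and w32tm.exe are available and that it is run on a domain controller; the function name Test-PdcTimeSource is my own.

```powershell
# Added example: verify the PDC-following NTP policy on the DC this runs on.
# Assumes RSAT ActiveDirectory module (Get-ADDomain) and w32tm.exe.
Import-Module ActiveDirectory

function Test-PdcTimeSource {
    # Which DC currently holds the PDC emulator FSMO role in this domain.
    $pdc = (Get-ADDomain).PDCEmulator

    # Same test the WMI filter performs: DomainRole 5 = primary domain controller.
    $role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isPdc = ($role -eq 5)

    # Settings delivered by the GPO land in the Policies hive, not in the
    # service's own key under HKLM\SYSTEM, so read them from here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $hasNtpPolicy = ($null -ne $policy -and $policy.Type -eq 'NTP' -and $policy.NtpServer)

    # What the time service is really using right now (e.g. "pool.ntp.org,0x9",
    # a DC name for domain hierarchy, or "Local CMOS Clock" if sync is broken).
    $source = ((w32tm /query /source) -join '').Trim()

    $status = if ($isPdc -and $hasNtpPolicy) {
        'OK: PDC emulator has the external NTP policy'
    } elseif ($isPdc) {
        'PROBLEM: PDC emulator but NTP policy not applied; run gpupdate /target:computer /force'
    } elseif ($hasNtpPolicy) {
        'PROBLEM: not the PDC but has an explicit NTP policy; check the WMI filter on the GPO'
    } elseif ($source -eq 'Local CMOS Clock') {
        'PROBLEM: not syncing at all; run w32tm /config /syncfromflags:domhier /update'
    } else {
        'OK: follows the domain hierarchy'
    }

    [PSCustomObject]@{
        Computer      = $env:COMPUTERNAME
        PdcEmulator   = $pdc
        IsPdc         = $isPdc
        PolicyServer  = if ($hasNtpPolicy) { $policy.NtpServer } else { $null }
        CurrentSource = $source
        Status        = $status
    }
}

Test-PdcTimeSource | Format-List
```

Run it on the PDC emulator after the gpupdate and once more on an ordinary DC; the second run should report that the DC follows the domain hierarchy, which is the sign the WMI filter is doing its job.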