Config Time Service on Server 2008 DC using Group Policy Only


Solution 1

Ok. Thanks for the data. I see that you have GPOs for both client and server. The notion of NTP client and NTP server is different from that of Windows servers and clients. So, first, I recommend getting rid of the server settings. These are used for a machine that will serve NTP requests. In a domain, time is provided to clients using Windows Time Service, NOT NTP.

In your situation, your DC is the NTP client, as it is receiving its data from an external NTP server. So the policy should only be defined for client settings.

Next, change your time providers GPO setting to type NTP, instead of NT5DS.

Do a gpupdate and run the w32tm configuration query again.

To summarize:
- Enable Windows NTP Client Enabled
- Enable Windows NTP Server Not Configured
- Configure Windows NTP Client | Ntp Server (NTP Server Name),0x9 (The 0x9 is a flag that designates the NTP Server as being primary.)
- Configure Windows NTP Client | Type NTP

I tested this on our lab domain and it appears to work. When you run the w32tm configuration query, it should show Type: NTP and NtpServer: (NTP Server Name) in the [Time Providers] section.
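
Added example (not code from the question or any of the answers): a PowerShell check that parses the [TimeProviders] section of the w32tm /query /configuration output shown in the question, reports whether the NtpClient provider is enabled, has Type NTP and has an NtpServer peer in effect, and decodes the flag bits after the comma in a peer entry (0x1 UseSpecialPollInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client, the documented W32Time values, so 0x9 is Client plus UseSpecialPollInterval). Function names are mine; the embedded sample is cut down from the question's own output.

```powershell
# Flag bits accepted after the comma in an NtpServer entry such as "host,0x9" (documented W32Time values).
$NtpServerFlags = @{ 1 = 'UseSpecialPollInterval'; 2 = 'UseAsFallbackOnly'; 4 = 'SymmetricActive'; 8 = 'Client' }

# Parse the [TimeProviders] section of 'w32tm /query /configuration' into "Provider.Setting" -> Value/Source.
function Get-W32tmTimeProviders {
    param([string[]]$Lines)
    $cfg = @{}; $section = $null; $provider = $null
    foreach ($raw in $Lines) {
        $t = $raw.Trim()
        if ($t -match '^\[(\w+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'TimeProviders') { continue }
        if ($t -match '^(\w+) \((\w+)\)$') { $provider = $Matches[1]; continue }   # "NtpClient (Local)"
        if ($provider -and $t -match '^(\w+):\s*(.*?)\s*\((\w+)\)$') {            # "Type: NT5DS (Policy)"
            $cfg["${provider}.$($Matches[1])"] = [pscustomobject]@{ Value = $Matches[2]; Source = $Matches[3] }
        }
    }
    return $cfg
}

# Report what still differs from the settings Solution 1 expects on the PDC emulator.
function Test-PdcNtpClientConfig {
    param([hashtable]$Cfg)
    $problems = @(); $peers = @()
    if ($Cfg['NtpClient.Enabled'].Value -ne '1') { $problems += 'NtpClient provider is not enabled' }
    $type = $Cfg['NtpClient.Type'].Value
    if ($type -ne 'NTP') { $problems += "Type is '$type'; an external peer needs Type NTP, not NT5DS" }
    $peer = $Cfg['NtpClient.NtpServer'].Value
    if (-not $peer) { $problems += 'No NtpServer peer is in effect for NtpClient' }
    foreach ($entry in @($peer -split '\s+' | Where-Object { $_ })) {            # "host1,0x9 host2,0x8"
        $peerHost, $flags = $entry -split ','
        $names = foreach ($bit in 1, 2, 4, 8) { if ($flags -and ([int]$flags -band $bit)) { $NtpServerFlags[$bit] } }
        $peers += "$peerHost [$(if ($names) { $names -join '+' } else { 'no flags' })]"
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Peers = $peers }
}

# Constructed sample, abbreviated from the question's own output; replace with
# (w32tm /query /configuration) to check the live DC.
$sample = @'
[Configuration]
EventLogFlags: 2 (Policy)
[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
Type: NT5DS (Policy)
NtpServer (Local)
Enabled: 1 (Local)
'@ -split "`r?`n"
Test-PdcNtpClientConfig (Get-W32tmTimeProviders $sample)   # Ok=False: Type NT5DS, no peer in effect
```

Against the sample it returns Ok = False with exactly the two problems Solution 1 corrects (Type NT5DS and no NtpServer peer in effect); once the policy applies, the Peers field shows the configured server with its decoded flags.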

Solution 2

By default, all domain clients will look to the domain controllers for authoritative time. There is no need to set up a GPO to do this.

I don't recommend that you set each client to go directly to an NTP server for time. Kerberos authentication is dependent on your DCs and clients being in sync with each other, so it's better that clients get their time from the DCs themselves.

Now, if you want your domain to be sync'd to an external calibrated source using NTP, you should configure this at the DC that holds the PDC emulator role. See http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx which gives you instructions on how to peer the PDC to an NTP service.

We do this with our domain, connected to some internal Symmetricom NTP servers. Average error on clients runs +/-0.1 s. If you need higher precision than this, you'll need specialized third party software on the clients.

Solution 3

Have you checked whether your firewall has port 123 outbound opened? I was having the same kind of issues and it turned out the firewall was blocking the DC from contacting the NIST servers.

Author: Ed Fries

Updated on September 17, 2022

Comments

  • Ed Fries almost 2 years

    I want to configure the Time Service using only GP in a Server 2008 R2 domain. I have created a GP as follows:

    Computer Config, Policies, Administrative Templates, System, Windows Time Policy:
    =Global Configuration Settings -Enabled w/ default settings.

    Computer Config, Policies, Administrative Templates, System, Windows Time Policy,Time Providers:
    =Configure Windows NTP Client -Enabled w/ default settings.
    =Enable Windows NTP Client -Enabled w/ default settings.
    =Enable Windows NTP Server -Enabled w/ default settings.

    The policy is linked, enforced and applied to Domain Controllers OU. The GP modeling results shows the policy is in effect on the DC (Single DC domain) and the DC is recognized as the PDC emulator. I have run gpupdate /force and logged off/on.

    The issue is that the DC shows the time source as internal. I understand I can force this at the cmd line using w32tm to set the peer but I would like to understand what is missing in the GP. The default NTP Client GP setting includes time.windows.com,0x9 as the source but it does not appear to be taking effect.

    EDIT: Requested output:

    C:\Users\xxxxx>w32tm /query /configuration

    [Configuration]

    EventLogFlags: 2 (Policy)
    AnnounceFlags: 10 (Policy)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Policy)
    MaxPollInterval: 10 (Policy)
    MaxNegPhaseCorrection: 172800 (Policy)
    MaxPosPhaseCorrection: 172800 (Policy)
    MaxAllowedPhaseOffset: 300 (Policy)

    FrequencyCorrectRate: 4 (Policy)
    PollAdjustFactor: 5 (Policy)
    LargePhaseOffset: 50000000 (Policy)
    SpikeWatchPeriod: 900 (Policy)
    LocalClockDispersion: 10 (Policy)
    HoldPeriod: 5 (Policy)
    PhaseCorrectRate: 1 (Policy)
    UpdateInterval: 100 (Policy)

    [TimeProviders]

    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    CrossSiteSyncFlags: 2 (Policy)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Policy)
    Type: NT5DS (Policy)

    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)

    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)

    EDIT: GP Results

    System/Windows Time Service
    Policy Setting Winning GPO
    Global Configuration Settings Enabled FIT DC Time Policy
    Clock Discipline Parameters
    FrequencyCorrectRate 4
    HoldPeriod 5
    LargePhaseOffset 50000000
    MaxAllowedPhaseOffset 300
    MaxNegPhaseCorrection 172800
    MaxPosPhaseCorrection 172800
    PhaseCorrectRate 1
    PollAdjustFactor 5
    SpikeWatchPeriod 900
    UpdateInterval 100
    General Parameters
    AnnounceFlags 10
    EventLogFlags 2
    LocalClockDispersion 10
    MaxPollInterval 10
    MinPollInterval 6
    ChainEntryTimeout 16
    ChainMaxEntries 128
    ChainMaxHostEntries 4
    ChainDisable 0
    ChainLoggingRate 30

    System/Windows Time Service/Time Providers
    Policy Setting Winning GPO
    Configure Windows NTP Client Enabled FIT DC Time Policy
    NtpServer time.windows.com,0x9
    Type NT5DS
    CrossSiteSyncFlags 2
    ResolvePeerBackoffMinutes 15
    ResolvePeerBackoffMaxTimes 7
    SpecialPollInterval 3600
    EventLogFlags 0

    Policy Setting Winning GPO
    Enable Windows NTP Client Enabled FIT DC Time Policy
    Enable Windows NTP Server Enabled FIT DC Time Policy

  • Ashmeet Singh over 13 years
    Whenever time services are sync'd on a domain, it happens gradually. The clocks drift closer to the time source until they are in sync. This is due to the nature of the NTP protocol itself, as well as ensuring that time deltas remain within the 5 minute window required by Kerberos. I have first hand experience on setting up this type of configuration, so if you have any trouble along the way, add a comment to this question as I will be monitoring it.
  • Ed Fries over 13 years
    Thx for the response, however that link has nothing about GPs and is Server 2003 documentation, although it is similar to the docs for Server 2008. I concur re. clients, DC, Kerberos & time sync, however the question is how to set up the DC to sync to an external source using GP only.
  • Ashmeet Singh over 13 years
    To use GP to peer the DC, you would need to create a GPO specifically for the PDC DC and configure the Windows NTP Client settings for that machine. Since you only need to do this setting change once... we just went in and set it using w32tm. We use 2008 DCs and the 2003 commands in the link work the same. Only the PDC should be set to an external source, all the other DCs will automatically sync to it.
  • Ed Fries over 13 years
    Yes, the GP is what I did, & described in the question, not working.
  • Ashmeet Singh over 13 years
    Now, please understand I have never done this using a GP. That's because the setting only needs to be applied once, to only one machine, so I'm not sure it's worth the trouble to define a GPO for it. Don't get me wrong, I love Group Policy, but it may be overkill in this situation. For some reason, the PDC is not applying the policy. Do you have the policy assigned to ONLY the PDC (it can't be assigned to any other DC)? Is it set with the correct NTP server name, and is the type set to NTP? What does running w32tm /query /computer:<PDC> /configuration show?
  • Ed Fries over 13 years
    See inline for /configuration and GP Results output. As stated, policy is applied to the Domain Controller OU & this is a single DC domain.
  • Ed Fries over 13 years
    Working nicely now, thanks very much for your help and for going to the lab to confirm!