Friday, November 10, 2017

Setting Up NTP Properly via Group Policy

Setting up a time server can seem pretty straightforward in Group Policy; however, it's a bit trickier than one might imagine. Essentially there are two parts to the puzzle: the DC, which gives the time of day :) to the domain, and the clients, which receive time data. By default, clients joined to a domain sync their clocks with the PDC of the domain, so normally getting the time sorted correctly on the PDC will fix any domain time issues.

Let's go:

Part 1:

Create a WMI Filter that matches only the PDC. In Group Policy Management, create a new WMI Filter:


Click on the Add button, and paste in this query:

Select * from Win32_ComputerSystem where DomainRole = 5

Then click OK, then Save on the next window.


The PDC Filter will now appear in the WMI Filter section:


Part 2:

We'll now create a new GPO to apply the time settings to the Domain Controllers OU:




Enter the following settings under Configure Windows NTP Client:

NtpServer: time.windows.com,0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0



Click OK to save, and then also enable:

  • Enable Windows NTP Client
  • Enable Windows NTP Server
Then close the GPO window.




Now link the policy PDC Time to the Domain Controllers OU:



Finally run a group policy update on the PDC to enforce the new policy:


The time on your PDC should now display correctly, which will set the time for the entire domain. Running gpupdate /force on any domain member should update its time as well; otherwise, members will automatically get the corrected time when they refresh domain policy.
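
To confirm the policy actually landed, the following PowerShell check (an added example, not part of the original post) compares the values entered above with what Group Policy wrote under the W32Time policy key, then asks the time service which source it is using. It assumes an elevated session on the PDC; the `$expected` table and variable names are illustrative.

```powershell
# Added example (not from the original post). Run elevated on the PDC after gpupdate.
# $expected holds the values entered in the GPO above; names here are illustrative.
$expected = @{
    'Parameters' = @{
        NtpServer = 'time.windows.com,0x1'
        Type      = 'NTP'
    }
    'TimeProviders\NtpClient' = @{
        Enabled                    = 1
        CrossSiteSyncFlags         = 2
        ResolvePeerBackoffMinutes  = 15
        ResolvePeerBackoffMaxTimes = 7
        SpecialPollInterval        = 3600
        EventLogFlags              = 0
    }
    'TimeProviders\NtpServer' = @{ Enabled = 1 }
}

# Same test the WMI filter applies: DomainRole 5 is the primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ne 5) {
    Write-Warning "DomainRole is $role, not 5; the PDC WMI filter will not match here."
}

# Administrative Templates settings for the time service land under this key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
$results = foreach ($subKey in $expected.Keys) {
    $actual = Get-ItemProperty -Path (Join-Path $policyRoot $subKey) -ErrorAction SilentlyContinue
    foreach ($name in $expected[$subKey].Keys) {
        $want = $expected[$subKey][$name]
        $have = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Key      = $subKey
            Setting  = $name
            Expected = $want
            Actual   = $have
            Match    = ($null -ne $have) -and ("$have" -eq "$want")
        }
    }
}
$results | Sort-Object Key, Setting | Format-Table -AutoSize

# What the running service is actually using.
w32tm /query /source
w32tm /query /status
```

An empty Actual column means the policy value was never written on this machine, so check the GPO link and the WMI filter before troubleshooting the time source itself.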
