My post on Configuring NTP on Windows 2012 gets many hits, so it seems like it’s a popular topic. While that post is still valid and correct, sometimes you prefer using a GPO in a domain environment instead of the w32tm.exe command. And since I couldn’t find a good step-by-step guide out there, I decided to write my own. There’s also a lot of confusion out there about how to properly configure NTP using GPO.

As done before, I will start with telling you how to do it and then later I will dive into the details.

In short, here’s how to configure NTP using GPO

In Active Directory, the PDC Emulator should get the time from an external time source and then all member computers of this domain will get the correct time. Since the PDC Emulator can move around, we make sure the GPO is applied only to the current PDC Emulator using a WMI filter.

1. Go to the WMI Filters section in GPMC and create a new filter like the following:

Configuring_NTP_using_WMI-filter

Here’s the query for you to cut’n’paste: Select * from Win32_ComputerSystem where DomainRole = 5

2. Create a GPO and apply it to the Domain Controllers OU with the following settings: Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers

Configuring_NTP_using_GPO1

Configuring_NTP_using_GPO2

Configuring_NTP_using_GPO3


3. Assign the WMI Filter to the GPO.

Configuring_NTP_using_WMI-filter-apply

That’s done! Happy NTP syncing.


NTP GPO details explained

So what do all these settings mean?

Configuring Windows NTP Client: Enabled

  • NtpServer: Here you specify which NTP servers to use, separated by a space, each followed by a special NTP flag. I decided to use the public ntp.org pools:

    0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1 2.se.pool.ntp.org,0x1 3.se.pool.ntp.org,0x1

    The NtpFlags are explained in detail here, but 0x1 means: “Instead of following the NTP specification, wait for the interval specified in the SpecialPollInterval entry before attempting to recontact this time source. Setting this flag decreases network usage, but it also decreases accuracy.” SpecialPollInterval is specified in the GPO (in our case, 3600 seconds).

  • The rest of the settings are explained in the GPO Help.

Enable Windows NTP Client: Enabled

  • This is a must; otherwise the computer will not sync with other NTP servers, since the client is disabled by default.

Enable Windows NTP Server: Enabled

  • This is a must; otherwise the computer will not allow other computers to sync with it, since the server is disabled by default.

Where is the configuration stored

First, never edit the registry for NTP by hand. If something is not working, clear the configuration and start from scratch, then configure NTP using GPO or W32tm.exe. Do this by running the following commands:

Stop-Service w32time
w32tm /unregister
w32tm /register
Start-Service w32time

Still, you might want to check where the configuration is. When using GPO, the configuration is stored here:

HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters

Note that this is different if you’re using w32tm.exe; then the configuration is stored here:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
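To check that the GPO actually landed on the right machine, the following script (added here, not part of the original post) runs the same DomainRole = 5 test as the WMI filter above and then reads the policy key just described. It assumes the value names written by the Windows Time Service ADMX template (NtpServer and Type under Parameters, and Enabled/SpecialPollInterval under TimeProviders\NtpClient and TimeProviders\NtpServer); adjust them if your template differs.

```powershell
# Added verification script, not code from the original post.
# Assumption: policy value names follow the W32Time ADMX template.
function Test-NtpGpoConfig {
    [CmdletBinding()]
    param()
    $result = [ordered]@{}

    # Same test as the WMI filter: DomainRole 5 = PDC emulator
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.IsPdcEmulator = ($cs.DomainRole -eq 5)

    # GPO-applied settings live under the Policies hive, not the service key
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    $params = Get-ItemProperty -Path "$policy\Parameters" -ErrorAction SilentlyContinue
    $result.PolicyKeyPresent = ($null -ne $params)
    $result.Type      = $params.Type       # expected: NTP on the PDC emulator
    $result.NtpServer = $params.NtpServer

    # With the WMI filter in place, only the PDC emulator should carry the key
    $result.ConsistentWithWmiFilter = ($result.IsPdcEmulator -eq $result.PolicyKeyPresent)

    # Every configured peer should carry the ,0x1 flag used in the post
    $peers = @()
    if ($params.NtpServer) { $peers = @($params.NtpServer -split ' ' | Where-Object { $_ }) }
    $missingFlag = @($peers | Where-Object { $_ -notmatch ',0x1$' })
    $result.AllPeersUseFlag0x1 = ($peers.Count -gt 0) -and ($missingFlag.Count -eq 0)

    $client = Get-ItemProperty -Path "$policy\TimeProviders\NtpClient" -ErrorAction SilentlyContinue
    $server = Get-ItemProperty -Path "$policy\TimeProviders\NtpServer" -ErrorAction SilentlyContinue
    $result.NtpClientEnabled    = ($client.Enabled -eq 1)
    $result.NtpServerEnabled    = ($server.Enabled -eq 1)
    $result.SpecialPollInterval = $client.SpecialPollInterval   # post uses 3600

    # What the service is using right now; may still read Local CMOS Clock
    # shortly after a service restart, as noted in the troubleshooting section
    $result.CurrentSource     = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
    $result.SourceIsLocalCmos = ($result.CurrentSource -like 'Local CMOS Clock*')

    [pscustomobject]$result
}

# Run on a domain controller in an elevated PowerShell session
Test-NtpGpoConfig | Format-List
```

Run it on each domain controller after a gpupdate: on the PDC emulator every check should be true, and on the other DCs PolicyKeyPresent should be false (the WMI filter excluded them) while ConsistentWithWmiFilter stays true.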

Useful tools when troubleshooting NTP

W32tm is still your friend and here are my favorites:

w32tm.exe /resync /rediscover /nowait

Resynchronize the clock as soon as possible, disregarding all accumulated error statistics. It will not wait for resynchronization and will force redetection of sources.

w32tm /query /peers

Displays all the peers you have configured

w32tm /query /source

Displays the currently used time source. Note that after a restart of the service, it might show Local CMOS Clock until everything has refreshed properly.

w32tm /query /status

Displays the current status

w32tm /query /configuration

Displays the configuration

w32tm /debug /enable /file:C:\Temp\w32tmdebug.log /size:10485760 /entries:0-300

If you really want to get dirty, enable the debug log

Troubleshooting

Many things can go wrong when configuring NTP. Here are some suggestions:

  • Don’t forget to allow NTP traffic (udp/123) in your firewall (see my previous post for details)
  • Enable the debug log and check that the service actually tries to communicate with the NTP servers. You can lower the SpecialPollInterval to 30 seconds to speed up your troubleshooting.
  • Restart the service and maybe even the server; sometimes this has solved it.
  • Also monitor the event log since the service logs there too.