My post on Configuring NTP on Windows 2012 gets many hits so it seems like it’s a popular topic. While that post is still valid and correct, sometimes you prefer using GPO in a domain environment instead of w32tm.exe command. And since I couldn’t find a good step-by-step guide out there, I decided to write my own. There’s also a lot of confusion out there how to properly configure NTP using GPO.
As done before, I will start with telling you how to do it and then later I will dive into the details.
In short, here’s how to configure NTP using GPO
In Active Directory, the PDC Emulator should get the time from an external time source and then all member computers of this domain will get the correct time. Since the PDC Emulator can move around, we make sure the GPO is applied only to the current PDC Emulator using a WMI filter.
1. Go to the WMI Filters section in GPMC and create a new filter like the following:
Here’s the query for you to cut’n’paste: Select * from Win32_ComputerSystem where DomainRole = 5
2. Create a GPO and apply it to the Domain Controllers OU with the following settings: Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers
3. Assign the WMI Filter to the GPO.
That’s done! Happy NTP syncing.
NTP GPO details explained
So what all these settings mean.
Configuring Windows NTP Client: Enabled
- NtpServer: Here you specify which NtpServers to use seperated by a space but also with a special NTP flag. I decided to use the public ntp.org pools:
0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1 2.se.pool.ntp.org,0x1 3.se.pool.ntp.org,0x1
The NtpFlags are explained in detail here but 0x1 means: “Instead of following the NTP specification, wait for the interval specified in the SpecialPollInterval entry before attempting to recontact this time source. Setting this flag decreases network usage, but it also decreases accuracy.” where SpecialPollInterval is specified in the GPO (in our, case 3600 seconds)
- The rest of the settings are explained in the GPO Help.
Enable Windows NTP Client: Enabled
- Is a must, otherwise the computer will not sync with other NTP serves since it’s disabled by default.
Enable Windows NTP Server: Enabled
- Is a must, otherwise the computer will not allow other computers to sync with it since it’s disabled by default.
Where is the configuration store
First, never edit the registry for NTP. If something is not working, clear the configration and start from scratch and configure NTP using GPO or W32tm.exe. Do this by running the following commands:
Stop-Service w32time
w32tm /unregister
w32tm /register
Start-Service w32time
Still, you might want to check where the configuration is. When using GPO, the configuration is stored here:
HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters
Note that this is different if you’re using w32tm.exe, then the configration is stored here:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Useful tools when troubleshooting NTP
W32tm is still your friend and here are my favorites:
w32tm.exe /resync /rediscover /nowait
Resynchronize the clock as soon as possible, disregarding all accumulated error statistics. It will not wait for resynchronization and will force redetection of sources.
w32tm /query /peers
Displays all configured peers you have configured
w32tm /query /source
Displays the currently used time source. Note that after a restart of the service, it might show Local CMOS Clock until everything has refreshed properly.
w32tm /query /status
Displays the current status
w32tm /query /configuration
Displays the configuration
w32tm /debug /enable /file:C:\Temp\w32tmdebug.log /size:10485760 /entries:0-300
If you really want to get dirty, enable the debug log
Troubleshooting
Many things can go wrong when configuring NTP. Here are some suggestions:
- Don’t forget to allow NTP traffic (udp/123) in your firewall (see my previous post for details)
- Enable the debug log and check that the service actually tries to communicate with the NTP serves. You can lower the SpecialPollInterval to 30 seconds to speed up your troubleshooting.
- Restart the service and maube even the server, sometimes this has solved it.
- Also monitor the event log since the service logs there too.
I am having an issue at step 2: 2. Create a GPO and apply it to the Domain Controllers OU with the following settings: Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers
Under administrative templates, I don’t have a node for System. I’ve tried doing some research to figure out if I have to register something, add a snap -in etc but I can not figure out why it is missing or how to get it to show up.
So this GPO will configure PDCe to get time from ntp.org and provide services for other DCs, severs and workstations. Do we need to create another policy to configure other DCs and other servers and workstations in the domain – to use PDCe as a time source?
Finally found simple instructions written in an easy to understand way.
Thank you very much!