NTP via GPO

[joepc]

I'm having trouble getting NTP to work on my network. For some reason this doesn't seem to be as straight forward as I would like. I have a Windows 2003 sp2 server and Windows XP SP3 clients. Below is what I have done so far to try and get this going.

I created a GPO for the clients in group policy management console. Under computer config/admin temp/system/windows time/time providers, I enabled NTP Client and I configured NTP Client. For the config I removed the default NTP address time.windows.com with the IP address of our PDC emulator. NOTE: I left all the other settings as defualt but I did adjust the specialpollinterval to 60sec for troubleshooting.

Next I created a 2nd GPO for the PDC emulator and enabled the NTP server.

I ran gpupdate /force on the server and a test client machine, rebooted them just to be safe, ran the gpresults wizard and confirmed the settings took effect on the clients and the server.

Then I changed the time on the test client machine so it was a few minutes off from the server. Since I configured the poll interval for 60sec I waited 5min for time to sync but it never did.

Am I taking the right steps to get this working? Am I missing something. I would like all the workstations to sync with the server every hour.

 

[karlisi]

By default all domain members synchronises time with AD. Also DCs by default are configured to serve as NTP servers.

===
Karlis
ECDL; MCSA

 

[itsp1965]

As per what Karlisi said, the domain controller running the PDC emulator FSMO role will need to synch with an external time source over the internet or a localized NTP server. Your clients/member servers rely on the DC in turn for their own time synch. You don't need to enable NTP lookups for all your clients.

 

[joepc]

where do i find these settings though? in the registry? the reason for me wanting to do this is because the time on some of the workstations were off a bit. this tells me something is not right somewhere. i would like them to to sync every hr.

thanks

 

[karlisi]

If these workstations are domain members, you should check connectivity with DCs. You can try to synchronise the time by restarting Windows Time service on workstation. After restart check System Event Log for events from source W32Time.

More about Windows Time in AD environment in this article.

===
Karlis
ECDL; MCSA

 

[ADB100]

I messed up time synchronisation for domain members on my domain a while ago by mistakenly configuring this GPO and enabling NTP. I reconfigured the GPO and set it to Enabled, set the Type to NT5DS and left the other settings at default. Time sync now works perfectly. My PDC emulator syncs to an edge Cisco router that syncs to a public NTP server.

Andy

 

[JackCarver]

here is a great article that breaks down all the GPO NTP settings for you.

http://blogs.msdn.com/b/w32time/archive/2009/02/02/group-policy-settings-explained.aspx

i just went through this, but didnt use GPO, i set my PDC as the NTP server to sync to external time servers, then ran this on my member servers
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

this command basically tells the member server to sync time from the domain hierarchy, so it will look to the PDCe as the authoritive time server. this command also changes the reg entries to make sure the member servers are set for NT5DS

 

[58sniper]

Technically, the PDC emulator does NOT need to sync to an external time source. BUT, machines in your domain need to sync to it.

An external time source is only desired if you want to keep the PDC emulator in sync with an external time source. That's generally desired, but not absolutely necessary.

Do you have your Tek-Tips.com Swag? I've got mine!.

Stop by the new Tek-Tips group at LinkedIn.