Hello, my name is David. I’m a Principal Engineer with Dell, and today I’m going to talk about configuring the Windows Time service on the PDC Emulator using Group Policy. As you’re most likely aware, the Domain Controller that holds the PDC Emulator role is the authoritative time source for a domain, and therefore it must be configured to obtain its time from an external source, which is just any time source outside the domain. In the forest root domain, this means a source that’s outside the forest, typically a public NTP server.
In a multi-domain forest, only the PDC Emulator at the forest root level must be configured to get time from outside the forest. The other PDC Emulators of the child domains can be configured to sync with the domain hierarchy. In doing so, they’ll obtain time from a Domain Controller in their parent domain. One common way to configure the time service on the PDC Emulator is to use the registry.
This works well, but unfortunately, if the role is moved to a new server, the configuration does not follow the role. There’s a solution for this, and that’s to configure the time service using Group Policy. That’s what I intend to demonstrate here. This domain contains two Domain Controllers named DC1 and DC2. As you can see here, DC1 holds all five FSMO roles. First, I’ll check the registry to see what settings have been configured, and I’ll do so by launching 'regedit', which opens to the correct registry location. That’s 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'. There are two main values we’re concerned with here: the 'Type' value, which is currently set to 'NTP', and when Type is set to NTP, the 'NtpServer' value a few lines up comes into play.
That’s currently set to 'time.windows.com' and 'pool.ntp.org'. Both of those entries have the '0x8' flag associated with them. I won’t get into the definitions of those flags, but 0x8 is a good one to use on a Domain Controller. You’ll notice those entries are separated by a space. So, if we close Regedit, we can confirm that the settings in the registry are in fact being applied by running 'w32tm /query /configuration'. This just shows the current configuration of the Windows Time service. Here we can see that 'Type' is set to 'NTP' and 'NtpServer' is set to the two values that we saw in the registry. Importantly, we can see 'Local' next to those values, indicating that those values are set on the local machine, i.e., in the registry. So now, let’s look at how to configure this by Group Policy. We’ll launch Group Policy Management, and the first thing we need to do is create a WMI filter. This will cause our configuration to only apply to the PDC Emulator. To do that, we right-click on 'WMI Filters' in the left pane and select 'New'. We can give the filter a name; I’ll call it 'PDC Emulator' and a description (it’s optional). Now we click 'Add' and make sure 'Namespace' is set to 'root\CIMv2', and then type this text to create the filter itself (it’s important to type this exactly as shown): 'Select * from Win32_ComputerSystem where DomainRole = 5'. DomainRole 5 is the value Win32_ComputerSystem reports on the Domain Controller holding the PDC Emulator role; every other writable Domain Controller reports 4, which is why the filter evaluates to true on exactly one machine. Then click 'OK', confirm that the text looks correct, and click 'Save'.
So now we have our PDC Emulator WMI filter, and we need to create a GPO to apply that filter to. To do this, we’ll right-click 'Group Policy Objects', select 'New', and give it a name; I’ll call it 'Configure Time on PDC Emulator'. Click 'OK'. You can see the new GPO up there; it has no settings applied, so we’ll right-click that and select 'Edit'. Our location is going to be under 'Computer Configuration' > 'Policies' > 'Administrative Templates' > 'System'. Scroll down to the bottom and select 'Windows Time Service'. Expand that and select 'Time Providers'. Right-click 'Configure Windows NTP Client', select 'Edit', and the first thing we need to do here is set it to 'Enabled'; otherwise, we can’t configure any settings. Once it’s enabled, you can see a number of settings can be configured. We’re only concerned with 'Type' and 'NtpServer'. We set 'Type' to 'NTP' as shown earlier and then set 'NtpServer' to the same values that we had in the registry. Just change that flag to '0x8' and add 'pool.ntp.org', giving it the same '0x8' flag. Once again, those entries need to be separated by a space. We’ll click 'OK', and then we need to right-click on 'Enable Windows NTP Client', select 'Edit', and set that to 'Enabled' as well.
There are no settings under this one; we just need to enable it. Click 'OK' there and close the Group Policy Editor. Now we have our GPO and our WMI filter. We need to tie the WMI filter to the new GPO. We do that by clicking the GPO in the left pane and then looking way down at the bottom. You’ll see a 'WMI Filtering' section, and in that drop-down list, we just select the WMI filter that we created and click 'Yes' to confirm. So now that filter is associated with that GPO, so the GPO will only be applied to the PDC Emulator. Since the PDC Emulator, like other Domain Controllers, is located in the Domain Controllers OU, that’s where we need to link this GPO. Right-click on the OU and select 'Link an Existing GPO', and then select the GPO that we just created and click 'OK'. The GPO is now being applied to the Domain Controllers OU. So now on our PDC Emulator, we need to run 'gpupdate /force' to refresh Group Policy. When that has completed, we can confirm that the GPO is being applied by running 'gpresult /r'. Scrolling up to the Computer Settings section and under 'Applied Group Policy Objects', we see 'Configure Time on PDC Emulator.' That confirms that the GPO is being applied. Now we’ll confirm that its settings are being applied by once again running 'w32tm /query /configuration'. We can see that 'Type' is set to 'NTP' and the 'NtpServer' values are set as expected, but both of them indicate 'Policy' now instead of 'Local.'
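The same build-out, done from PowerShell instead of the GPMC console, as an added example that is not part of the original video. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a Domain Admin session on a member of the domain being configured, and the filter name, GPO name and NTP servers used in the video. GPMC has no cmdlet for WMI filters, so the filter is created as the raw msWMI-Som object that GPMC writes; the msWMI-Parm2 layout and the gPCWQLFilter link format are taken from what existing GPMC-created filters look like in AD and are assumptions here (inspect one of your own with Get-ADObject before relying on them). The policy values are written straight to the HKLM\SOFTWARE\Policies\Microsoft\W32Time keys that the two Administrative Template settings control.

```powershell
# Added example, not the video's own script. Requires RSAT (GroupPolicy + ActiveDirectory modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$filterName = 'PDC Emulator'
$gpoName    = 'Configure Time on PDC Emulator'
# Space-separated list, as in the registry. Flag 0x8 = client mode (plain NTP client polling).
$ntpServers = 'time.windows.com,0x8 pool.ntp.org,0x8'
$wql        = 'Select * from Win32_ComputerSystem where DomainRole = 5'

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. WMI filter: an msWMI-Som object under CN=SOM,CN=WMIPolicy,CN=System.
#    Assumed attribute layout (what GPMC writes): msWMI-Parm2 = "1;3;10;<query length>;WQL;<namespace>;<query>;"
$filterGuid = [guid]::NewGuid()
$stamp      = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff-000')
$filterAttrs = @{
    'msWMI-Name'             = $filterName
    'msWMI-Parm1'            = 'Applies only to the DC holding the PDC Emulator role (DomainRole = 5)'
    'msWMI-Parm2'            = "1;3;10;$($wql.Length);WQL;root\CIMv2;$wql;"
    'msWMI-ID'               = "{$filterGuid}"
    'msWMI-Author'           = "$env:USERNAME@$($domain.DNSRoot)"
    'msWMI-ChangeDate'       = $stamp
    'msWMI-CreationDate'     = $stamp
    'showInAdvancedViewOnly' = $true
}
New-ADObject -Name "{$filterGuid}" -Type 'msWMI-Som' `
    -Path "CN=SOM,CN=WMIPolicy,CN=System,$domainDN" -OtherAttributes $filterAttrs

# 2. GPO with the two Administrative Template settings.
#    "Configure Windows NTP Client" -> ...\W32Time\Parameters (Type, NtpServer)
#    "Enable Windows NTP Client"    -> ...\W32Time\TimeProviders\NtpClient (Enabled = 1)
$gpo    = New-GPO -Name $gpoName -Comment 'External NTP source for whichever DC currently holds the PDC Emulator role'
$params = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$client = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
Set-GPRegistryValue -Name $gpoName -Key $params -ValueName 'Type'      -Type String -Value 'NTP'       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $params -ValueName 'NtpServer' -Type String -Value $ntpServers | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $client -ValueName 'Enabled'   -Type DWord  -Value 1          | Out-Null

# 3. Attach the WMI filter to the GPO. GPMC stores this as the GPO object's gPCWQLFilter
#    attribute in the (assumed) form "[<dns domain>;{<filter GUID>};0]".
Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = "[$($domain.DNSRoot);{$filterGuid};0]" }

# 4. Link the GPO to the Domain Controllers OU, where every DC (including the PDC Emulator) lives.
New-GPLink -Name $gpoName -Target "OU=Domain Controllers,$domainDN" -LinkEnabled Yes | Out-Null

# 5. Refresh every DC and show which one picked the policy up.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        gpupdate /target:computer /force | Out-Null
        $cfg = w32tm /query /configuration
        [pscustomobject]@{
            DC         = $env:COMPUTERNAME
            DomainRole = (Get-CimInstance Win32_ComputerSystem).DomainRole   # 5 = PDC Emulator, 4 = other DC
            Type       = ($cfg | Select-String '^\s*Type:').Line.Trim()
            NtpServer  = ($cfg | Select-String '^\s*NtpServer:').Line.Trim()
        }
    }
}
```

Writing only Type, NtpServer and Enabled is enough for w32time to honour the policy, because the service reads the Policies key regardless of the ADMX; if you want GPMC to display the setting as the fully configured "Configure Windows NTP Client" template rather than as extra registry values, set its remaining values (CrossSiteSyncFlags, ResolvePeerBackoffMinutes, ResolvePeerBackoffMaxTimes, SpecialPollInterval, EventLogFlags) in the same GPO as well. Step 5 should show exactly one DC with DomainRole 5 and Type/NtpServer tagged '(Policy)'; if two DCs report 5 or none does, AD replication of the role move has not completed yet.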
That just indicates that those settings are set by Group Policy instead of being set on the local machine’s registry. So now we’ll switch to our other Domain Controller and refresh Group Policy on it as well. When that completes, we’ll run 'gpresult /r' to see if the GPO is being applied here. If we scroll up to the 'Computer Settings' section, we see 'The following GPOs were not applied because they were filtered out' and the 'Configure Time on PDC Emulator' GPO is listed there. It is being denied by a WMI filter, and it’s the filter that we created. So now we’ll check the Windows Time Service settings here with the 'w32tm' command, and we can see that this domain controller is set to sync with the domain hierarchy. That’s what 'NT5DS' means, and that is set on the registry because the Group Policy object is not being applied. So everything appears to be working as intended. Let’s see what happens if we move that PDC Emulator role to the other Domain Controller. There’s a PowerShell command for doing that: 'Move-ADDirectoryServerOperationMasterRole', which I will tab complete. Use the '-Identity' parameter to specify the destination and then the '-OperationMasterRole' parameter to specify the PDC Emulator role. Type 'Y' to confirm, and we got no errors. Let’s update Group Policy on the new Domain Controller, and I forgot to confirm that the role actually moved, so let’s check that.
You can see the 'PDC' role there is owned by 'DC2' now. We’ve already updated Group Policy, so let’s run 'gpresult' and check once again. This time we do see, in fact, that the 'Configure Time on PDC Emulator' GPO is being applied, no longer being filtered out because this is the PDC Emulator. So let’s check the time service settings again, and as expected, we see that 'Type' and 'NtpServer' are both set by policy now. So let’s switch back to DC1. Now that the role has been removed, 'netdom query fsmo' confirms that the PDC role is owned by DC2. So we’re going to update Group Policy here again. That completes, and we’ll check the Windows Time settings here one more time, and we see that both settings have the 'Local' indicator again, indicating that they’re set in the local registry and not by Group Policy. As intended, the Time Service configuration followed the PDC Emulator role when it was moved from one Domain Controller to another. Once again, my name is David. I’m a Principal Engineer at Dell, and thank you for watching.
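The after-the-move check that the video does by hand on each Domain Controller (gpresult, w32tm, netdom query fsmo), as an added example that is not part of the original video. It assumes the RSAT ActiveDirectory module and WinRM access to every DC, and encodes the end state the video demonstrates: the DC reporting DomainRole 5 should show 'Type: NTP (Policy)', every other DC should show 'Type: NT5DS (Local)', and WMI's idea of the PDC should agree with the FSMO role owner. The w32tm output used for the offline demonstration is constructed to match the two cases seen in the video, not captured from a real server.

```powershell
# Added example, not the video's own script. Requires RSAT (ActiveDirectory module) for the live section.

function Get-W32TimeSetting {
    # Pull "<Name>: <value> (Local|Policy)" out of `w32tm /query /configuration` text.
    param([string[]]$Lines, [string]$Name)
    $pattern = '^\s*' + [regex]::Escape($Name) + ':\s*(?<Value>.+?)\s*\((?<Source>Local|Policy)\)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            return [pscustomobject]@{ Value = $Matches['Value']; Source = $Matches['Source'] }
        }
    }
    return $null
}

function Test-DcTimeConfig {
    # Compare one DC's actual w32time configuration with what the WMI-filtered GPO should produce.
    param([string]$Dc, [int]$DomainRole, [string[]]$W32tmOutput, [string]$PdcEmulator)
    $type = Get-W32TimeSetting -Lines $W32tmOutput -Name 'Type'
    $srv  = Get-W32TimeSetting -Lines $W32tmOutput -Name 'NtpServer'
    $isPdcByWmi  = ($DomainRole -eq 5)            # what the WMI filter sees
    $isPdcByFsmo = ($PdcEmulator -eq $Dc)         # what the directory says
    $expectedType   = if ($isPdcByWmi) { 'NTP' }    else { 'NT5DS' }
    $expectedSource = if ($isPdcByWmi) { 'Policy' } else { 'Local' }
    [pscustomobject]@{
        DC         = $Dc
        DomainRole = $DomainRole
        FsmoAgrees = ($isPdcByWmi -eq $isPdcByFsmo)
        Type       = $type.Value
        TypeSource = $type.Source
        NtpServer  = $srv.Value
        OK         = ($isPdcByWmi -eq $isPdcByFsmo) -and
                     ($type.Value -eq $expectedType) -and ($type.Source -eq $expectedSource)
    }
}

# --- Offline demonstration on constructed w32tm output (the two states seen in the video) ---
$pdcOutput = @(
    '[Configuration]',
    'NtpServer: time.windows.com,0x8 pool.ntp.org,0x8 (Policy)',
    'Type: NTP (Policy)'
)
$otherDcOutput = @(
    '[Configuration]',
    'Type: NT5DS (Local)'
)
Test-DcTimeConfig -Dc 'dc2.corp.example' -DomainRole 5 -W32tmOutput $pdcOutput     -PdcEmulator 'dc2.corp.example'   # OK = True
Test-DcTimeConfig -Dc 'dc1.corp.example' -DomainRole 4 -W32tmOutput $otherDcOutput -PdcEmulator 'dc2.corp.example'   # OK = True

# --- Live check across every DC in the domain ---
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
Get-ADDomainController -Filter * | ForEach-Object {
    $r = Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        gpupdate /target:computer /force | Out-Null
        [pscustomobject]@{
            Role = (Get-CimInstance Win32_ComputerSystem).DomainRole
            Out  = @(w32tm /query /configuration)
        }
    }
    Test-DcTimeConfig -Dc $_.HostName -DomainRole $r.Role -W32tmOutput $r.Out -PdcEmulator $pdc
} | Format-Table -AutoSize
```

Run against the video's lab after the move, DC1 would come back with OK = False: its local registry still holds 'Type: NTP' and the two external servers from the earlier manual setup, so once the policy stops applying it keeps syncing externally rather than from the domain hierarchy, which is what 'Local' on its last w32tm output means. The fix that keeps the design honest is to leave every DC's local configuration at the domain-hierarchy default ('w32tm /config /syncfromflags:domhier /update') so that the GPO is the only thing that ever makes a DC use an external source.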