In Active Directory, time is extremely important. Active Directory is a multi-master system with each writable domain controller able to make changes to the directory. There are however 5 Operations Master roles that are responsible for performing tasks that are not suitable for multiple masters. In this post we are going to focus on the PDC Emulator. All other domain controllers, member servers and client workstations will sync their time automatically with the PDCE. The PDCE in the root forest is used by the PDCs in other domains in the forest to synchronise the time.
Given that this server is the source of time for all the clients in the domain, it’s worth making sure the PDC is configured to sync its time from an external source. Group Policy is a very powerful way to configure computers and also control what users can and cannot do. The first rule of group policy is:
Do not edit the default policies (domain and domain controllers)
Way back when, editing the default policy was the only way to set your password policy. Now you have Fine Grained Password Policies which are stored within AD. You can apply these policies to the domain users groups and use precedence settings to enforce different requirements for different users. Anyway, that is out of the scope of the time sync so lets move on.
We are going to use GPO so that should we decide in future to move the PDCE Operations Master role, the GPO will automatically re-apply and we don’t have to manually configure the new PDCE. The best way to ensure that this policy only ever applies to the PDCE is to use a WMI filter. Within the Group Policy Management Console (GPMC), open your WMI Filters node (it’ll be empty). Right click the pane on the right and select New … Give it a name and a description. Click Add on the right and enter the following Query:
Select * from Win32_ComputerSystem where DomainRole = 5
Next, we can proceed to create the GPO itself. On the Group Policy Objects node, right click and select New. Give your GPO a name and leave the template set to none. Now you can enter the Group Policy Object node, double click the GPO and it will open the scope page. Here, at the bottom, you can select the WMI filter we created earlier. It will prompt to confirm the change, so click Yes if it was the filter you created.
On the left hand side, you can now right click the GPO and select Edit to allow us to start editing it. As this is a computer based GPO we are going to stop it being processed by users. In the Group Policy Management Editor (GPME), right click the name of the GPO and select Properties. Put a tick in the box next to Disable User Configuration Settings, confirm the disable and then Apply/OK. Next we configure the settings for this. On the left, navigate through the tree to the following location:
Computer Configuration\Policies\Administrative Templates\System\Windows NTP service\Time Providers
Double click the Configure Windows NTP Client and select Enabled, change the following:
- NtpServer address: pool.ntp.org,0x1
- Type: NTP
Click Apply and then OK.
Double click the Enable Windows NTP Client and select Enabled, Apply, OK
You can now close the Group Policy Management Editor, this will save the GPO. The last step is to link this GPO to the Domain Controllers OU. From within Group Policy Management, navigate through the tree to the Domain Controllers OU. Right click the OU and select “Link an Existing GPO..”. Select the GPO you just created and then click OK. Thats it, the GPO is linked. The PDCE will then pick up and apply the GPO or you can force an update by right clicking the Domain Controllers OU and select “Group Policy Update…” then clicking yes.
1 thought on “Our first GPO – Time Sync”