Intro:

Here is some general information on the Network Time Protocol (NTP) and on how time synchronization is arranged in a Windows domain:

  • The forest root PDC Emulator should always sync with an external, authoritative time source, never with its local CMOS clock or, on a virtual machine, the hypervisor host's clock
  • An authoritative source is disciplined by a high-precision reference: a quartz crystal oscillator (commonly resonating at 32,768 Hz, that is 2^15 cycles per second, so a 15-bit divider ticks once a second) or a caesium-133 atomic clock (9,192,631,770 Hz, the hyperfine transition frequency that defines the SI second). A quartz crystal on its own drifts with temperature and age by on the order of a second per day, which is why the PDC Emulator must chain to an external reference rather than trust the server's own crystal
  • The PDC Emulator of a child domain syncs with any domain controller in its parent domain
  • All other domain controllers sync with the PDC Emulator of their own domain (there is exactly one per domain)
  • Desktops and member servers sync with any domain controller in their domain
  • All domain members should use the domain hierarchy time type (NT5DS); only the forest root PDC Emulator uses a manual NTP peer list (Type = NTP)
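The hierarchy above is easy to state and easy to drift away from (a DC restored from a snapshot, a role transfer nobody told the time admin about). The following script is an added example, not part of the original article, that audits every domain controller in a domain against those rules. It assumes the RSAT ActiveDirectory module, rights to query the DCs, and that w32tm can reach each DC over RPC for the remote /query; the domain and host names it prints are whatever your forest returns.

```powershell
# Added example (not from the original article): audit the Windows time hierarchy.
# Assumes the ActiveDirectory module (RSAT) and RPC access to each DC for w32tm /query.
Import-Module ActiveDirectory

function Get-DcTimeSource {
    param([Parameter(Mandatory)][string]$ComputerName)
    # w32tm answers with strings such as '0.us.pool.ntp.org,0x1', 'LAX-DC01.corp.example.com',
    # 'Local CMOS Clock' or 'VM IC Time Synchronization Provider' (names here are illustrative).
    (& w32tm.exe /query /computer:$ComputerName /source 2>&1 | Out-String).Trim()
}

function Test-TimeHierarchy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $ad       = Get-ADDomain -Identity $Domain
    $pdc      = $ad.PDCEmulator                    # exactly one per domain
    $parent   = $ad.ParentDomain                   # $null in the forest root domain
    $parentDc = if ($parent) { (Get-ADDomainController -Filter * -Server $parent).HostName } else { @() }

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $src   = Get-DcTimeSource -ComputerName $dc.HostName
        $peer  = ($src -split ',')[0]              # strip ',0x1'-style peer flags
        $isPdc = $dc.HostName -eq $pdc             # -eq is case-insensitive in PowerShell
        $ok = if ($src -match 'Local CMOS Clock|VM IC Time Synchronization Provider|Free-running') {
            $false                                 # any DC on a local or hypervisor clock is wrong
        } elseif ($isPdc -and -not $parent) {
            $peer -notlike "*.$Domain"             # forest root PDC: external source only
        } elseif ($isPdc) {
            $parentDc -contains $peer              # child-domain PDC: a DC in the parent domain
        } else {
            $peer -eq $pdc                         # everything else: its own domain's PDC Emulator
        }
        [pscustomobject]@{ DC = $dc.HostName; IsPdc = $isPdc; Source = $src; Ok = $ok }
    }
}

Test-TimeHierarchy | Format-Table -AutoSize
```

Run it once per domain in the forest; a row with Ok = False is either a DC that never got the GPO (see the steps below) or one that has fallen back to its local clock and deserves a look at the System event log for W32Time errors.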

This article describes the recommended NTP configuration for the domain controller that holds the PDC Emulator FSMO role (the "Primary Domain Controller" in older terminology). Rather than configuring a named server, the settings are delivered by a Group Policy scoped with a WMI filter, so whichever domain controller currently holds the role picks them up automatically and the role can be transferred without manually reconfiguring NTP.

Step 1: Create WMI Filter to Target the PDC Emulator

Run the Group Policy Management Console (GPMC.msc) > expand Forest: [Domain Name] > Domains > [Domain Name]

Scroll toward the bottom of the tree > right-click 'WMI Filters' > New > Name = PDC Emulator Filter > click Add > leave the namespace at root\CIMv2 > paste this query: SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5 > OK > Save

DomainRole 5 is the Win32_ComputerSystem value for "Primary Domain Controller"; every other domain controller reports 4 ("Backup Domain Controller"), so the filter evaluates to true only on the current role holder and the GPO is skipped everywhere else.

Step 2: Create the Group Policy

Right-click on the ‘Domain Controllers’ OU > Create a GPO in this domain, and link here

Input the GP name (e.g. PDC NTP) > OK

The Group Policy Management Editor then opens > navigate to Computer Configuration > Policies > Administrative Templates > System

Expand Windows Time Service > Time Providers

Double-click 'Configure Windows NTP Client' > input the following settings
– Enabled
– NtpServer: 3.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 0.us.pool.ntp.org,0x1
– Type: NTP

The ',0x1' suffix (SpecialInterval) tells w32time to poll that peer at the fixed SpecialPollInterval rather than NTP's adaptive interval; listing four pool names gives w32time several independent upstream servers to compare. Plain NTP carries no authentication, so if an on-premises stratum 1 source or an ISP-provided server is available it is preferable to a public pool.

Click 'Next Setting' to reach 'Enable Windows NTP Client' > Enabled > 'Next Setting' to reach 'Enable Windows NTP Server' > Enabled > OK. The server side must be on because the other domain controllers in the domain obtain their time from the PDC Emulator.

Step 3: Create Registry Value to Disable Time Sync with the Hyper-V Host

Navigate to Computer Configuration > Preferences > Windows Settings > right-click Registry > New > Registry Item

Set these values > click OK when ready

  • Action = Update
  • Hive = HKEY_LOCAL_MACHINE
  • Key Path = SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider
  • Value Name = Enabled
  • Value Type = REG_DWORD
  • Value data = 00000000
  • Base = Hexadecimal

VMICTimeProvider is the Hyper-V Integration Services time provider; left enabled, it pulls the guest toward the host's clock, which is exactly the "hypervisor host's clock" the intro warns against. Note that Group Policy Preference items tattoo: after the PDC Emulator role moves, this value stays at 0 on the former holder unless 'Remove this item when it is no longer applied' is ticked on the item's Common tab. Leaving it disabled there does no harm, since no domain controller should follow the hypervisor clock.

Step 4: Disable GP to Prevent Premature Propagation

Close the Group Policy Management Editor > under the 'Domain Controllers' OU, right-click the newly created GPO link 'PDC NTP' > click 'Link Enabled' to remove the check mark. The GPO is now linked but not applied, so nothing changes on the domain controllers until Step 6.

Step 5: Set GP to Target PDC

Select 'PDC NTP' > click the 'Scope' tab > under 'WMI Filtering' at the bottom, open the drop-down menu > select the previously created 'PDC Emulator Filter' > Yes to confirm. With the filter attached, every domain controller evaluates the GPO at policy refresh but only the one whose DomainRole is 5 applies it.

Step 6: Enable GP

At this point the Group Policy controlling NTP on the PDC Emulator of this domain is ready. Before enabling it, confirm that outbound UDP/123 from the domain controllers' network zone to the configured NTP servers is permitted (along with DNS resolution of the pool names); otherwise the PDC Emulator will log NtpClient errors for each unreachable peer and not synchronize. Network firewall configuration is beyond the scope of this article.

Here’s a quick demo using portqry (may be installed using ‘choco install portqry -y’) to check whether port UDP/123 is outbound reachable:

[LAX-DC01]: PS C:\Users\Cuilo> portqry -n 1.us.pool.ntp.org -p udp -e 123

Querying target system called:

1.us.pool.ntp.org

Attempting to resolve name to IP address...


Name resolved to 172.98.193.44

querying...

UDP port 123 (ntp service): LISTENING or FILTERED

In the sample result above, 'LISTENING or FILTERED' means portqry received neither a reply nor an ICMP port-unreachable message, which from a domain controller almost always means the traffic is being dropped in transit. The favorable result shows just 'LISTENING', meaning the remote end answered. Bear in mind that portqry only proves a UDP round trip; whether the answer was a valid NTP response is something only w32time itself can tell you.

Once UDP/123 has been allowed from the network zone where the domain controllers reside, enable the GPO by right-clicking the 'PDC NTP' link under 'Domain Controllers' > select 'Link Enabled' to restore the check mark. The PDC Emulator picks up the settings at its next policy refresh; confirm afterwards that the time source it reports is one of the configured peers rather than the local CMOS clock.
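The six steps above can also be scripted, which is useful when the same GPO has to exist in several domains or be rebuilt in a lab. The block below is an added example, not the article's own procedure: it builds the 'PDC NTP' GPO with the GroupPolicy module, writes the same registry values the Administrative Template settings in Step 2 produce, links it to the Domain Controllers OU with the link disabled (Step 4), attaches the WMI filter (Step 5), and then verifies on the PDC Emulator, using w32tm to send real NTP requests as a more specific egress check than portqry's generic UDP probe. It assumes RSAT (GroupPolicy and ActiveDirectory modules), domain admin rights, WinRM to the PDC Emulator, and that the WMI filter named 'PDC Emulator Filter' from Step 1 already exists, because the GroupPolicy module has no cmdlet to create WMI filters. The gPCWQLFilter attribute format and the policy registry paths are the ones GPMC writes; the peer list is the article's pool.ntp.org set.

```powershell
# Added example, not part of the original article. Assumes RSAT, domain admin rights,
# WinRM to the PDC Emulator, and an existing WMI filter 'PDC Emulator Filter' (Step 1).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'PDC NTP'
$FilterName = 'PDC Emulator Filter'
$NtpPeers   = '3.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 0.us.pool.ntp.org,0x1'

function New-PdcNtpGpo {
    $domain = Get-ADDomain
    $dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'NTP settings for whichever DC holds the PDC Emulator role' }

    # Step 2: the three Administrative Template settings, as the policy registry values they write.
    $pol = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time'
    $null = Set-GPRegistryValue -Name $GpoName -Key "$pol\Parameters" -ValueName NtpServer -Type String -Value $NtpPeers
    $null = Set-GPRegistryValue -Name $GpoName -Key "$pol\Parameters" -ValueName Type      -Type String -Value 'NTP'
    $null = Set-GPRegistryValue -Name $GpoName -Key "$pol\TimeProviders\NtpClient" -ValueName Enabled -Type DWord -Value 1
    $null = Set-GPRegistryValue -Name $GpoName -Key "$pol\TimeProviders\NtpServer" -ValueName Enabled -Type DWord -Value 1

    # Step 3: disable the Hyper-V time provider. This key is outside the Policies hives, so like the
    # GPP item in the article it tattoos and stays set on a former PDC after a role transfer.
    $null = Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' `
        -ValueName Enabled -Type DWord -Value 0

    # Step 4: link to the Domain Controllers OU, link disabled until UDP/123 egress is confirmed.
    $links = (Get-GPInheritance -Target $dcOu).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
        $null = New-GPLink -Name $GpoName -Target $dcOu -LinkEnabled No
    }

    # Step 5: attach the WMI filter by setting gPCWQLFilter on the GPO's AD object the way GPMC does,
    # format "[<dns domain>;<filter GUID>;0]". Filters live under CN=SOM,CN=WMIPolicy,CN=System.
    $som = Get-ADObject -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)" `
        -LDAPFilter "(&(objectClass=msWMI-Som)(msWMI-Name=$FilterName))" -Properties 'msWMI-ID'
    if (-not $som) { throw "WMI filter '$FilterName' not found; create it as in Step 1 first." }
    Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = "[$($domain.DNSRoot);$($som.'msWMI-ID');0]" }
    Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, WmiFilter
}

function Test-PdcNtp {
    # Runs on the current PDC Emulator: evaluates the same test the WMI filter uses (DomainRole = 5),
    # reads the applied policy values, and exchanges real NTP packets with one peer. w32tm /stripchart
    # prints one offset per sample when the peer answers and 'error: 0x...' lines when nothing does.
    $pdc = (Get-ADDomain).PDCEmulator
    Invoke-Command -ComputerName $pdc -ScriptBlock {
        $role  = (Get-CimInstance Win32_ComputerSystem).DomainRole
        $p     = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' -ErrorAction SilentlyContinue
        $vmic  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -ErrorAction SilentlyContinue
        $chart = & w32tm.exe /stripchart /computer:1.us.pool.ntp.org /samples:3 /dataonly 2>&1
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            DomainRole    = $role                          # expect 5
            PolicyType    = $p.Type                        # expect 'NTP'; empty means the GPO has not applied yet
            PolicyPeers   = $p.NtpServer
            VmicEnabled   = $vmic.Enabled                  # expect 0
            CurrentSource = (& w32tm.exe /query /source)   # expect a pool host, not 'Local CMOS Clock'
            NtpEgressOk   = -not ($chart -match 'error')   # $false when UDP/123 is blocked
        }
    }
}

New-PdcNtpGpo
Test-PdcNtp | Format-List
```

Run New-PdcNtpGpo first, then the firewall check, then enable the link (Set-GPLink -Name 'PDC NTP' -Target the OU -LinkEnabled Yes, or the GPMC click in Step 6). Test-PdcNtp is only meaningful after the PDC Emulator has refreshed policy and the Windows Time service has re-read its configuration; until then PolicyType is empty and CurrentSource still shows the old source, which is expected rather than a fault.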

Next: see the companion article on setting NTP for client computers (non-PDC machines).