The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian

Email Notifications

Blog Search Form

Go

Recent Posts

Tags

Disclaimer

  • This blog is provided "AS IS" with no warranties, and confers no rights. This blog contains my own views and does not necessarily reflect the view of my employer.
    Locations of visitors to this page
    Add to Technorati Favorites

Sites I Visit

Archives

Must Have Group Policy Setting!

I recently blogged about time and how critical it is in a domain environment. Just this morning I read a post from the Directory Services Team that shows how to configure WMI Filtering through Group Policy to ensure that the PDC Emulator always has the right time configuration.  You need to read through this post really consider implementing a similar policy into your environment.

The only portion that is missing from that post is the location of the W32Time settings in Group Policy.  The policy you will be configuring is located under the Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client

image 

After you enable it you will want to change the default setting from NT5DS (which means find and sync with the PDCe) to NTP.  This is because we are configuring this for our PDCe which should be pointing to a reliable time source (internal or external).  You will also configure the location to that reliable source in the NTPServer dialog box.

I haven’t seen a great tip like this in some time.  This is one of those great little finds and I hope you enjoy it.

Posted: Fri, Nov 14 2008 13:22 by BrianM | with 4 comment(s)
Filed under: , , , ,

Comments

Hilde said:

Excellent!  Perhaps it would be worth the little effort to create another GPO that sets all 'non-PDCEs' to use NT5DS?

# March 19, 2009 1:55 PM

BrianM said:

That is exactly what you will want to do to those other DCs.

# March 19, 2009 2:50 PM

CJH said:

I posted this at the AskDS blog but never got an answer.  Maybe you can shed some light on this question:

If this GPO applies the appropriate time settings (type=NTP, NtpServer=yourtimeserver) if/when the PDCe role is moved, what about the DC the role was moved from?

Doesn't there need to be a GPO in place that will change the Windows Time Service settings back to those appropriate for a non-PDCe?  

# March 22, 2009 7:08 AM

BrianM said:

Yes it would be beneficial for you to have another policy that set the setting back to use NT5DS.  This way you wouldn't have to worry about configuring anything after a transfer/seize.

Brian

# March 22, 2009 11:54 AM