I want to configure the Time Service using only GP in a Server 2008 R2 domain. I have created a GP as follows:
Computer Config, Policies, Administrative Templates, System, Windows Time Policy:
=Global Configuration Settings -Enabled w/ default settings.
Computer Config, Policies, Administrative Templates, System, Windows Time Policy,Time Providers:
=Configure Windows NTP Client -Enabled w/ default settings.
=Enable Windows NTP Client -Enabled w/ default settings.
=Enable Windows NTP Server -Enabled w/ default settings.
The policy is linked, enforced and applied to Domain Controllers OU. The GP modeling results shows the policy is in effect on the DC (Single DC domain) and the DC is recognized as the PDC emulator. I have run gpupdate /force and logged off/on.
The issue is that the DC shows the time source as internal. I understand I can force this at the cmd line using w32tm to set the peer but I would like to understand what is missing in the GP. The default NTP Client GP setting includes time.windows.com,0x9 as the source but it does not appear to be taking effect.
EDIT: Requested output:
C:\Users\xxxxx>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Policy)
MaxPollInterval: 10 (Policy)
MaxNegPhaseCorrection: 172800 (Policy)
MaxPosPhaseCorrection: 172800 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 50000000 (Policy)
SpikeWatchPeriod: 900 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 100 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
EDIT: GP Results
System/Windows Time Service
Policy Setting Winning GPO
Global Configuration Settings Enabled FIT DC Time Policy
Clock Discipline Parameters
FrequencyCorrectRate 4
HoldPeriod 5
LargePhaseOffset 50000000
MaxAllowedPhaseOffset 300
MaxNegPhaseCorrection 172800
MaxPosPhaseCorrection 172800
PhaseCorrectRate 1
PollAdjustFactor 5
SpikeWatchPeriod 900
UpdateInterval 100
General Parameters
AnnounceFlags 10
EventLogFlags 2
LocalClockDispersion 10
MaxPollInterval 10
MinPollInterval 6
ChainEntryTimeout 16
ChainMaxEntries 128
ChainMaxHostEntries 4
ChainDisable 0
ChainLoggingRate 30
System/Windows Time Service/Time Providers
Policy Setting Winning GPO
Configure Windows NTP Client Enabled FIT DC Time Policy
NtpServer time.windows.com,0x9
Type NT5DS
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 3600
EventLogFlags 0
Policy Setting Winning GPO
Enable Windows NTP Client Enabled FIT DC Time Policy
Enable Windows NTP Server Enabled FIT DC Time Policy
Best Answer
Ok. Thanks for the data. I see that you have GPOs for both client and server. The notion of NTP client and NTP server are different than Windows servers and clients. So, first, I recommend getting rid of the server settings. These are used for a machine that will serve NTP requests. In a domain, time is provided to clients using Windows Time Service, NOT NTP.
In your situation, your DC is the NTP client, as it is receiving its data from an external NTP server. So the policy should only be defined for client settings.
Next, change your time providers GPO setting to type NTP, instead of NT5DS.
Do a gpupdate and run the w32tm configuration query again.
To summarize:
- Enable Windows NTP Client Enabled
- Enable Windows NTP Server Not Configured
- Configure Windows NTP Client | Ntp Server (NTP Server Name),0x9 (The 0x9 is a flag that designates the NTP Server as being primary.
- Configure Windows NTP Client | Type NTP
I tested this on our lab domain and it appears to work. When you run the w32tm configuration query, it should show Type: NTP and NtpServer: (NTP Server Name) in the [Time Providers] section.