Configuring time in an Active Directory Domain
How to configure domain-wide time sync in an Active Directory domain using Group Policy.
One of the most important things in an Active Directory (AD) domain is time. It doesn't have to be accurate to the millisecond, but it must be consistent across the domain: Kerberos rejects tickets when the clocks of the client and the server differ by more than the configured maximum skew (five minutes by default), so a machine whose clock drifts stops being able to authenticate, and replication and logon start failing in confusing ways.
Unfortunately in my career, I've often had to resolve issues with AD being broken due to bad time.
Most admins leave the time setup for a domain as it exists out of the box. This typically works, as long as nobody tampers with it. The intended structure is that the domain controller holding the PDC emulator FSMO role is the authoritative time source for the domain and is pointed at an external NTP source (out of the box it has no upstream source at all and just logs a warning that it should be configured), the other DCs get their time from the PDC emulator, and member servers and workstations get their time from the DC that authenticated them.
Time can become broken if care is not taken to update the settings correctly. I've seen NTP configured on the workstations, but not the DCs. I've seen NTP configured on one DC that doesn't hold the PDC role, and I've seen time simply not configured at all.
Because I like to automate as much as possible to minimise configuration issues, I typically like to configure time via a Group Policy Object (GPO). This ensures that no matter which DC holds the PDC emulator role, time will always follow the proper hierarchy.
Create a WMI filter
The first step is to create a WMI filter that allows a policy to apply to only the PDC.
- Open Group Policy Editor
- Expand the policy tree
- Right click on "WMI Filters" and select "New"
- Set the name of the filter to "Is PDC"
- Add a new query:
SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5
- Click "Save"
Create the PDC Time Policy
Create the policy that configures the PDC emulator to reach out to an external NTP server for the time. Don't forget to open the firewall to allow the PDC to connect outbound to the NTP server (UDP port 123).
- Right click on the "Domain Controllers" organisational unit and select "Create a GPO in this domain and link it here"
- Name the new policy "Time Configuration - PDC"
- Click on the new policy to select it
- At the bottom of the policy screen, change the WMI Filter to "Is PDC"
- Right click on the policy name in the left pane and select "Edit"
- From the tree on the left, go to "Computer Configuration" -> "Policies" -> "Administrative Templates" -> "System" -> "Windows Time Service" -> "Time Providers"
- Double click "Configure Windows NTP Client"
- Configure the policy as follows:
NtpServer: pool.ntp.org,0x9 (the 0x9 flag is 0x1 "use SpecialPollInterval" plus 0x8 "client mode"; the server name is a suggestion, use whatever external source your organisation trusts)
Type: NTP
Leave the rest of the settings as default
- Click OK
- Enable the "Enable Windows NTP Client" policy
- Enable the "Enable Windows NTP Server" policy
- Close the policy editor
This policy will now only apply to servers in the Domain Controllers OU that hold the PDC emulator FSMO role. Because WMI filters are evaluated on every Group Policy refresh, transferring the role to another DC automatically moves this policy with it.
Create the Global Time Policy
This policy will apply to all other DCs, servers, and workstations in the domain to enforce using the domain hierarchy for time. Linked at the domain root, it also reaches the PDC emulator, but the "Time Configuration - PDC" GPO linked to the Domain Controllers OU is processed later and takes precedence there, so the PDC keeps its NTP setting.
- Right click on the root of your domain and select "Create a GPO in this domain and link it here"
- Name the new policy "Time Configuration - Common"
- Right click on the policy name in the left pane and select "Edit"
- From the tree on the left, go to "Computer Configuration" -> "Policies" -> "Administrative Templates" -> "System" -> "Windows Time Service" -> "Time Providers"
- Double click "Configure Windows NTP Client"
- Configure the policy as follows:
NtpServer: ad.mrgtech.net,0x9 (where ad.mrgtech.net is the FQDN of your AD domain; with Type NT5DS the time service follows the domain hierarchy and ignores this value, so it only matters as documentation and as a fallback if someone later switches the Type to NTP)
Type: NT5DS
Leave the rest of the settings as default
- Click OK
- Close the policy editor
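Once both GPOs have applied, the quickest way to catch the failure modes described earlier (NTP on the wrong DC, no upstream source on the PDC emulator, policy that never arrived) is to check each machine against what its role should receive. The script below is an added example, not part of the original article, and assumes the GPO names, the "Is PDC" WMI filter query and the NtpServer values used above. Run it in an elevated PowerShell on any domain member or DC.

```powershell
# Added example: audit the effective w32time configuration on this host
# against what the two GPOs in this article are expected to deliver.
# Assumptions: GPO names "Time Configuration - PDC" / "Time Configuration - Common",
# the "Is PDC" WMI filter query, and pool.ntp.org as the external source.

# Win32_ComputerSystem.DomainRole values, as documented by Microsoft.
$domainRoles = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'   # any DC that does not hold the PDC emulator role
    5 = 'Primary Domain Controller'  # the DC holding the PDC emulator role
}

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$role = [int]$cs.DomainRole
Write-Host ("Host {0}: DomainRole={1} ({2})" -f $cs.Name, $role, $domainRoles[$role])

# The exact query the "Is PDC" WMI filter uses; it returns an object only on the PDC emulator.
$isPdc = [bool](Get-CimInstance -Query 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5')

# Group Policy writes the "Configure Windows NTP Client" settings under
# HKLM\SOFTWARE\Policies, not under the service's own key in CurrentControlSet.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# What each GPO in the article is expected to set for this role.
$expectedType = if ($isPdc) { 'NTP' } else { 'NT5DS' }
$expectedGpo  = if ($isPdc) { 'Time Configuration - PDC' } else { 'Time Configuration - Common' }

$problems = @()
if (-not $policy) {
    $problems += "No W32Time policy values under $policyKey; '$expectedGpo' has not applied (try gpupdate /force)."
} else {
    Write-Host ("Policy Type={0} NtpServer={1}" -f $policy.Type, $policy.NtpServer)
    if ($policy.Type -ne $expectedType) {
        $problems += "Type is '$($policy.Type)' but '$expectedGpo' should set '$expectedType'."
    }
    # The PDC emulator must point at an external source, written as "host,flags".
    if ($isPdc -and $policy.NtpServer -notmatch '^[^,\s]+,0x[0-9A-Fa-f]+$') {
        $problems += "PDC emulator NtpServer is '$($policy.NtpServer)'; expected something like pool.ntp.org,0x9."
    }
}

# Ask the service which peer it is actually following right now.
# "Local CMOS Clock" or "Free-running System Clock" means nobody is being followed.
$source = (w32tm /query /source | Out-String).Trim()
Write-Host "w32tm source: $source"
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    $problems += "Time service is free-running; it is not syncing from any peer."
}
if (-not $isPdc -and $source -match 'pool\.ntp\.org') {
    $problems += "A non-PDC host is syncing directly to the internet instead of the domain hierarchy."
}

if ($problems.Count -eq 0) {
    Write-Host "OK: time configuration matches the expected hierarchy for this role." -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host "PROBLEM: $_" -ForegroundColor Red }
    exit 1
}
```

Run it on the PDC emulator first, then on another DC and a workstation; each should report the Type its role expects and a `w32tm source` that is either the external server (PDC) or a DC in the domain (everything else). To see the whole domain at once, `w32tm /monitor` lists every DC with its offset from the local clock, which is the fastest way to spot a DC that was pointed at its own NTP server and has drifted away from the hierarchy.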