Remove NTP config and use PDC emulator

Andreas 1,301 Reputation points
2021-11-03T19:24:55.917+00:00

Hi,

I have a customer that has configured the following NTP settings on the Default Domain Policy GPO, with the result that every machine in the domain gets this setting. What I want to do (and I guess it is also best practice) is to have only the PDC Emulator sync to an external NTP server, and have all the machines use the PDC Emulator for time.

My question is then: what happens if I just remove the settings from the GPO and manually configure NTP settings for the PDC Emulator to get time from an external source? Will all other machines automatically get the time from the PDC Emulator server? I know this is the default in a domain, but will it go back to the default?

[Image: 146260-ntp.jpg]

One other thing: if I click the registry setting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters I get the following below. I thought that it should have been NTP and not NT5DS?

[Image: 146285-time.jpg]

From RSOP I can see that the policy is applied.

[Image: 146200-default.jpg]

Any comments? :)

Thanks for any reply

/R
Andy


Accepted answer
  1. Dave Patrick 426K Reputation points MVP
    2021-11-03T19:42:28.697+00:00

    Some general info

    On the domain members

    w32tm /unregister
    net stop w32time
    w32tm /register
    net start w32time
    w32tm /config /syncfromflags:domhier /update
    net stop w32time
    net start w32time

    then check

    w32tm /query /source
    w32tm /query /configuration

    0 comments No comments
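
An added example, not part of the answer above: a PowerShell check to run on a domain member after those steps, reporting whether the time client type comes from Group Policy or from the local W32Time key, and what source the service is using. It assumes the policy values are written under HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters; the function name Get-TimeSetting is made up for this example.

```powershell
# Added example: audit where this machine's W32Time client settings come from.
# Run in an elevated PowerShell session on a domain member.

$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
# Assumption: W32Time Group Policy settings land under the Policies hive.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'

function Get-TimeSetting {
    param([string]$Path)
    # Returns Type/NtpServer from a key, or $null when the key is absent.
    if (-not (Test-Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        Type      = $p.Type
        NtpServer = $p.NtpServer
    }
}

$local  = Get-TimeSetting $localKey
$policy = Get-TimeSetting $policyKey

# A Type value delivered by policy overrides the one in the service's own key,
# so the Services key can still read NT5DS while the GPO forces NTP.
$fromPolicy    = [bool]($policy -and $policy.Type)
$effectiveType = if ($fromPolicy) { $policy.Type } else { $local.Type }
$origin        = if ($fromPolicy) { 'Group Policy' } else { 'local registry' }

# What the running service reports as its current time source.
$source = (& w32tm /query /source 2>&1 | Out-String).Trim()

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    LocalType       = $local.Type
    LocalNtpServer  = $local.NtpServer
    PolicyType      = $policy.Type
    PolicyNtpServer = $policy.NtpServer
    EffectiveType   = $effectiveType
    SettingOrigin   = $origin
    CurrentSource   = $source
    UsesDomainHier  = ($effectiveType -eq 'NT5DS')
}
```

A member that has returned to the domain hierarchy shows EffectiveType NT5DS and a domain controller as CurrentSource; a PolicyType of NTP means the GPO setting is still being applied.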

2 additional answers

  1. Dave Patrick 426K Reputation points MVP
    2021-11-04T13:33:59.887+00:00
    1. You could configure them back to NT5DS via group policy System\Windows Time Service\Time Providers
    2. Some ideas here. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/domain-time-synchronization-in-the-age-of-working-from-home/ba-p/1440820
    3. Restarting the time service should do.


  2. Andreas 1,301 Reputation points
    2021-11-04T07:55:05.047+00:00

    Hi,

    Thanks for the reply @Dave Patrick

    I have some more questions :)

    1. Do I need to run the commands manually (or by script) on every domain member, or will these automatically "revert" back to sync with the PDC as long as I stop the GPO setting for NTP?
    2. Some of the machines are laptops, and these are used locally and mostly in home office with VPN. Should these also be configured to sync with the PDC, or should I sync these with public NTP since they are offline from the local network? Or could I configure it like priority 1 = PDC, priority 2 = NTP?
    3. And of course I noticed that some machines were VMs (Hyper-V host), and these had both the NTP GPO setting and time sync activated in the integration tools for the VM. So we will remove the time sync, but do you know if we need to reboot the VMs for it to take effect?

    Thanks again for answers.

    /R
    Andy
