Remove NTP config and use PDC emulator

Andreas 1,331 Reputation points
2021-11-03T19:24:55.917+00:00

Hi,

I have a customer that has configured the following NTP settings on the Default Domain Policy GPO, with the result that every machine in the domain gets this setting. What I want to do (and I guess it is also best practice) is to have only the PDC Emulator sync to an external NTP server, and have all the machines use the PDC Emulator for time.

My question is then: what happens if I just remove the settings from the GPO and manually configure NTP settings for the PDC Emulator to get time from an external source? Will all other machines automatically get the time from the PDC Emulator server? I know this is the default in a domain, but will it go back to default?

146260-ntp.jpg

One other thing: if I click the registry setting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters I get the following below. I thought that it should have been NTP and not NT5DS?

146285-time.jpg

From RSOP I can see that the policy is applied.

146200-default.jpg

Any comments? :)

Thanks for any reply

/R
Andy


Accepted answer
  1. Anonymous
    2021-11-03T19:42:28.697+00:00

    Some general info

    On the domain members

    w32tm /unregister
    net stop w32time
    w32tm /register
    net start w32time
    w32tm /config /syncfromflags:domhier /update
    net stop w32time
    net start w32time
    then check
    w32tm /query /source
    w32tm /query /configuration

    --please don't forget to upvote and 145510-image.png if the reply is helpful--

    3 people found this answer helpful.
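
An added example, not part of the answer above: a PowerShell check to run on a domain member after the GPO change, alongside the `w32tm /query` commands. It compares the Group Policy copy of the W32Time settings (written under `HKLM:\SOFTWARE\Policies\Microsoft\W32Time`) with the service's own `Parameters` key, which is why the service key can show NT5DS while a policy still applies NTP. `Get-TimeSyncState` is a hypothetical helper name.

```powershell
# Added example: report the effective W32Time client settings on this machine.
# Get-TimeSyncState is a hypothetical helper name, not a built-in cmdlet.
function Get-TimeSyncState {
    # Values pushed by Group Policy (absent when no time policy applies)
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    # The service's own settings, changed by w32tm /config
    $serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    $policy  = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $service = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue

    # Policy values take precedence over the service key when they exist.
    $policyActive  = [bool]($policy -and $policy.Type)
    $effectiveType = if ($policyActive) { $policy.Type } else { $service.Type }
    $effectiveNtp  = if ($policy -and $policy.NtpServer) { $policy.NtpServer }
                     else { $service.NtpServer }

    # Ask the running service which source it is actually using.
    $source = (& w32tm /query /source 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyType       = $policy.Type        # empty once the GPO setting is gone
        ServiceType      = $service.Type       # NT5DS is the domain default
        EffectiveType    = $effectiveType
        ConfiguredServer = $effectiveNtp       # only used for Type NTP or AllSync
        CurrentSource    = $source
        PolicyOverrides  = $policyActive
        UsesDomainHier   = $effectiveType -in 'NT5DS', 'AllSync'
    }
}

Get-TimeSyncState | Format-List
```

Run it after `gpupdate /force` and a restart of the time service: `PolicyOverrides` should be False and `CurrentSource` should name a domain controller once the member is back on the domain hierarchy.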

2 additional answers

  1. Anonymous
    2021-11-04T13:33:59.887+00:00
    1. You could configure them back to NT5DS via Group Policy: System\Windows Time Service\Time Providers
    2. Some ideas here: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/domain-time-synchronization-in-the-age-of-working-from-home/ba-p/1440820
    3. Restarting the time service should do.

    --please don't forget to upvote and 145510-image.png if the reply is helpful--

    1 person found this answer helpful.

  2. Andreas 1,331 Reputation points
    2021-11-04T07:55:05.047+00:00

    Hi,

    Thanks for the reply @Anonymous

    I have some more questions :)

    1. Do I need to run the commands manually (or by script) on every domain member, or will these automatically "revert" back to syncing with the PDC as long as I stop the GPO setting for NTP?
    2. Some of the machines are laptops, and these are used locally and mostly in the home office with VPN. Should these also be configured to sync with the PDC, or should I sync these with public NTP since they are offline from the local network? Or could I configure it like 1 priority = PDC, 2 priority = NTP?
    3. And of course I noticed that some machines were VMs (Hyper-V host) and these had both the NTP GPO setting and time sync activated in the integration tools for the VM. So we will remove the time sync, but do you know if we need to reboot the VMs for it to take place?

    Thanks again for answers.

    /R
    Andy
