Configuring an Authoritative Time Server with Group Policy Using WMI Filtering

Hello everyone, Brian Singleton here. Here's a question I often get from customers regarding Windows Time:

“Is there a way I can configure the Windows Time settings via Group Policy and have it only apply to the domain controller that holds the PDC FSMO role?”

This is a wonderful question to pose and there are very good reasons why this should be done:

  1. If you decide to move the PDC emulator role to another domain controller, you do not want to have to go through the trouble of making all of the registry changes again.
  2. If the PDC emulator fails, and you have to bring up a new server, you may forget to add the settings back, resulting in a time sync issue in your domain.

We have a feature in Group Policy to help us that you may have read about on this blog, and that is WMI filtering.

Windows Management Instrumentation (WMI) is a powerful feature in Windows that we can leverage to provide us very detailed information about computers in our environment. We can use WMI via a script to remotely manage machines, as well as gather information about machines in our domain for inventory purposes.

The main reason why I have brought this feature up is that we can provide an additional layer of filtering for Group Policy application using WMI.

We can configure a GPO on the Domain Controllers OU for our W32Time settings to configure the authoritative time server, but instead of using security filtering and explicitly scoping it to the domain controller that holds the PDC emulator role, WMI filtering can be used instead. It is important to state before continuing that WMI filtering only works with computers running Windows XP/Windows Server 2003 and later. That means you cannot use WMI filtering with Windows 2000.

Below is an example:

The domain I configure this policy on is Windows Server 2003, but the same applies to Windows Server 2008 as well. I am also using Group Policy Management Console (GPMC) which can be downloaded from here. For those of you who are using Windows Vista you can get GPMC by downloading the Microsoft Remote Server Administration Tools (RSAT).

First I will create my WMI filter:

[Screenshot: creating the WMI filter in GPMC]

The next part is me adding my query:

[Screenshots: adding the query to the WMI filter]

In the above image I added the following query:

Select * from Win32_ComputerSystem where DomainRole = 5

You can use WMIC to verify the current value of the DomainRole property. This can be a helpful way to get a sanity check on the value to make sure the filtering will achieve the desired result.

To view the DomainRole value locally:

wmic computersystem get domainrole

To view the DomainRole value remotely (where M1 is the remote computer):

wmic /node:"M1" computersystem get domainrole

In WMI we break up the various components of the OS and actual machine into classes. The Win32_ComputerSystem class is for computers running a Windows OS. Have a look at the following MSDN link for this class as well as other WMI classes:

WMI Classes
https://msdn.microsoft.com/en-us/library/aa394554(VS.85).aspx

The Win32_ComputerSystem class has a lot of properties and methods that can be used in scripting as well as in filtering for Group Policy, but for the purposes of this post we will focus on the DomainRole property:

From the MSDN website:

DomainRole

Role of a computer in an assigned domain workgroup. A domain workgroup is a collection of computers on the same network. For example, a DomainRole property may show that a computer is a member workstation. This property is inherited from CIM_ManagedSystemElement.

Value   Meaning
0       Standalone Workstation
1       Member Workstation
2       Standalone Server
3       Member Server
4       Backup Domain Controller
5       Primary Domain Controller

As you can see from the above chart, 5 means Primary Domain Controller. So the query Select * from Win32_ComputerSystem where DomainRole = 5 selects a machine whose DomainRole is 5, Primary Domain Controller. For those of you who would like to create a Windows Time GPO for all the other domain controllers, you would just change it to DomainRole = 4.
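The WMIC sanity check above only shows the raw DomainRole number on one machine. The following PowerShell script is an added example (not part of the original post) that runs the filter's own WQL query against every domain controller in the domain, translates each DomainRole value using the chart above, and cross-checks that the single matching DC is the one Active Directory reports as the PDC emulator. It assumes the RSAT ActiveDirectory module is installed, that you run it as a domain user with read access, and that each DC is reachable over WinRM for Get-CimInstance -ComputerName.

```powershell
# Added example, not from the original post: evaluate the WMI filter query on
# every DC and confirm it selects exactly the DC holding the PDC emulator role.
# Assumptions: RSAT ActiveDirectory module present, WinRM/CIM reachable on each DC.

# The same WQL the WMI filter uses (DomainRole = 5 selects the PDC emulator)
$FilterQuery = 'Select * from Win32_ComputerSystem where DomainRole = 5'

# Meaning of each DomainRole value, as documented for Win32_ComputerSystem
$DomainRoleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'
    5 = 'Primary Domain Controller'
}

Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator          # FQDN of the DC that currently holds the role
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # Read the property the filter tests, from the DC itself
        $cs = Get-CimInstance -ComputerName $dc -ClassName Win32_ComputerSystem -ErrorAction Stop
        # Run the filter's WQL on that DC; a non-empty result means the GPO would apply there
        $match = Get-CimInstance -ComputerName $dc -Query $FilterQuery -ErrorAction Stop
        [pscustomobject]@{
            DomainController = $dc
            DomainRole       = [int]$cs.DomainRole
            RoleName         = $DomainRoleNames[[int]$cs.DomainRole]   # cast: hashtable keys are Int32
            FilterMatches    = [bool]$match
        }
    } catch {
        # An unreachable DC cannot be evaluated; record the failure rather than skipping it
        [pscustomobject]@{
            DomainController = $dc
            DomainRole       = $null
            RoleName         = "query failed: $($_.Exception.Message)"
            FilterMatches    = $false
        }
    }
}

$results | Format-Table -AutoSize

# Cross-check: exactly one DC should match, and it must be the PDC emulator AD reports
$matching = @($results | Where-Object FilterMatches)
if ($matching.Count -eq 1 -and $matching[0].DomainController -ieq $pdc) {
    Write-Host "OK: the WMI filter selects only $pdc, which holds the PDC emulator role."
} elseif ($matching.Count -eq 0) {
    Write-Warning "No DC reports DomainRole = 5; the Authoritative Time Server GPO would apply nowhere."
} else {
    Write-Warning ("Filter/role mismatch. Matching: {0}; AD PDC emulator: {1}" -f `
        ($matching.DomainController -join ', '), $pdc)
}
```

Run this after transferring or seizing the PDC emulator role: the DC that just took the role should flip to DomainRole 5 and the old holder to 4, so the script gives you a quick confirmation that the filtered GPO will follow the role before you force a Group Policy refresh.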

Now I am going to link my WMI filter to my already configured Authoritative Time Server GPO:

[Screenshot: linking the WMI filter to the Authoritative Time Server GPO]

What I have just accomplished is that the Authoritative Time Server GPO will only apply to the domain controller that holds the PDC emulator FSMO role. By configuring the policy in this fashion, I can transfer the PDC emulator role to any domain controller and the policy will follow the role. Also, if the PDC emulator fails and I bring up a new domain controller and seize the PDC emulator role onto it, the policy will apply on the next policy refresh or when I force a Group Policy refresh.

I hope that you have learned a little more on how powerful WMI Filters are and how they can be leveraged to apply Group Policies based on a WMI Filter.

Additional Resources

Windows Management Instrumentation
https://msdn.microsoft.com/en-us/library/aa394582(VS.85).aspx

WMI Classes
https://msdn.microsoft.com/en-us/library/aa394554(VS.85).aspx

WMI filtering using GPMC
https://technet.microsoft.com/en-us/library/cc779036.aspx

Windows Management Instrumentation Command-line
https://technet.microsoft.com/en-us/library/cc784189.aspx

- Brian Singleton